Integrate Checkov with Kubernetes


Checkov is built to scan static code and is typically used at build time. However, resources running in a Kubernetes cluster can be described in the same way as at build time. This allows Checkov to run in a cluster with read-only access and report on the same violations.


To run Checkov in your cluster you must have Kubernetes CLI access to the cluster.

To execute a job against your cluster, run the following manifest.

kubectl apply -f

Review the output of the job.

kubectl get jobs -n checkov
kubectl logs job/checkov -n checkov