
SARIF

SARIF (Static Analysis Results Interchange Format) is a standard format for the output of static analysis tools. It can be used to show alerts in your GitHub repository as a part of the code scanning experience.

A typical output looks like this:

{
  "$schema": "https://raw.githubusercontent.com/oasis-tcs/sarif-spec/master/Schemata/sarif-schema-2.1.0.json",
  "version": "2.1.0",
  "runs": [
    {
      "tool": {
        "driver": {
          "name": "Checkov",
          "version": "2.3.55",
          "informationUri": "https://www.checkov.io/",
          "rules": [
            {
              "id": "CKV_AWS_21",
              "name": "Ensure the S3 bucket has versioning enabled",
              "shortDescription": {
                "text": "Ensure the S3 bucket has versioning enabled"
              },
              "fullDescription": {
                "text": "Ensure the S3 bucket has versioning enabled"
              },
              "help": {
                "text": "Ensure the S3 bucket has versioning enabled\nResource: aws_s3_bucket.operations"
              },
              "helpUri": "https://docs.bridgecrew.io/docs/s3_16-enable-versioning",
              "defaultConfiguration": {
                "level": "error"
              }
            },
            {
              "id": "CKV_AWS_3",
              "name": "Ensure all data stored in the EBS is securely encrypted",
              "shortDescription": {
                "text": "Ensure all data stored in the EBS is securely encrypted"
              },
              "fullDescription": {
                "text": "Ensure all data stored in the EBS is securely encrypted"
              },
              "help": {
                "text": "Ensure all data stored in the EBS is securely encrypted\nResource: aws_ebs_volume.web_host_storage"
              },
              "helpUri": "https://docs.bridgecrew.io/docs/general_7",
              "defaultConfiguration": {
                "level": "error"
              }
            }
          ],
          "organization": "bridgecrew"
        }
      },
      "results": [
        {
          "ruleId": "CKV_AWS_21",
          "ruleIndex": 0,
          "level": "error",
          "attachments": [],
          "message": {
            "text": "Ensure the S3 bucket has versioning enabled"
          },
          "locations": [
            {
              "physicalLocation": {
                "artifactLocation": {
                  "uri": "s3.tf"
                },
                "region": {
                  "startLine": 1,
                  "endLine": 3,
                  "snippet": {
                    "text": "resource aws_s3_bucket \"operations\" {\n  bucket = \"example\"\n}\n"
                  }
                }
              }
            }
          ]
        },
        {
          "ruleId": "CKV_AWS_3",
          "ruleIndex": 1,
          "level": "error",
          "attachments": [],
          "message": {
            "text": "Ensure all data stored in the EBS is securely encrypted"
          },
          "locations": [
            {
              "physicalLocation": {
                "artifactLocation": {
                  "uri": "ec2.tf"
                },
                "region": {
                  "startLine": 5,
                  "endLine": 7,
                  "snippet": {
                    "text": "resource aws_ebs_volume \"web_host_storage\" {\n  availability_zone = \"us-west-2a\"\n}\n"
                  }
                }
              }
            }
          ]
        }
      ]
    }
  ]
}

The output can be created via the output flag:

checkov -d . -o sarif
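
A pipeline step that consumes this report has to join each entry in results to its rule and decide which findings block the build. The following is an added example, not part of the Checkov documentation or code base: it flattens the structure shown above, resolving rules through ruleIndex and inheriting the level from the rule's defaultConfiguration when a result omits it. The function names findings and gate and the trimmed sample are constructed for illustration.

```python
import json

# Constructed sample: a trimmed copy of the report above, with "level" removed
# from the second result to exercise the fallback to the rule's default level.
SAMPLE = json.loads("""
{"runs": [{
  "tool": {"driver": {"name": "Checkov", "rules": [
    {"id": "CKV_AWS_21", "defaultConfiguration": {"level": "error"},
     "helpUri": "https://docs.bridgecrew.io/docs/s3_16-enable-versioning"},
    {"id": "CKV_AWS_3", "defaultConfiguration": {"level": "error"},
     "helpUri": "https://docs.bridgecrew.io/docs/general_7"}]}},
  "results": [
    {"ruleId": "CKV_AWS_21", "ruleIndex": 0, "level": "error",
     "locations": [{"physicalLocation": {"artifactLocation": {"uri": "s3.tf"},
                    "region": {"startLine": 1, "endLine": 3}}}]},
    {"ruleId": "CKV_AWS_3", "ruleIndex": 1,
     "locations": [{"physicalLocation": {"artifactLocation": {"uri": "ec2.tf"},
                    "region": {"startLine": 5, "endLine": 7}}}]}]}]}
""")


def findings(sarif):
    """Flatten a SARIF 2.1.0 document into one dict per result location."""
    out = []
    for run in sarif.get("runs", []):
        rules = run.get("tool", {}).get("driver", {}).get("rules", [])
        by_id = {r["id"]: r for r in rules}
        for res in run.get("results", []):
            idx = res.get("ruleIndex", -1)
            # Prefer ruleIndex; fall back to ruleId if the index is absent or out of range.
            rule = rules[idx] if 0 <= idx < len(rules) else by_id.get(res.get("ruleId"), {})
            # A result without "level" inherits the rule default, else "warning".
            level = res.get("level") or rule.get("defaultConfiguration", {}).get("level", "warning")
            for loc in res.get("locations", []):
                phys = loc.get("physicalLocation", {})
                region = phys.get("region", {})
                out.append({"rule": res.get("ruleId") or rule.get("id"), "level": level,
                            "file": phys.get("artifactLocation", {}).get("uri"),
                            "lines": (region.get("startLine"), region.get("endLine")),
                            "help": rule.get("helpUri")})
    return out


def gate(sarif, fail_on=("error",)):
    """Return the findings whose level should fail a pipeline step."""
    return [f for f in findings(sarif) if f["level"] in fail_on]
```

A non-empty return value from gate is the signal to fail the step; each entry carries the file, line range and help link needed for the build log.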

Structure

Further information on the different elements and attributes can be found here.
