Infrastructure as code static analysis
Project description
Checkov
Description
Checkov is a static code analysis tool for infrastructure-as-code. It scans cloud infrastructure provisioned using Terraform and detects security and compliance misconfigurations.
Checkov is written in Python and provides a simple method to write and manage policies. It follows the CIS Foundations benchmarks where applicable.
Features
- 50+ built-in policies cover security and compliance best practices for AWS, Azure & Google Cloud.
- Policies support variable scanning by building a dynamic code dependency graph (coming soon).
- Supports in-line suppression of accepted risks or false-positives to reduce recurring scan failures.
- Output currently available as CLI, JSON or JUnit XML.
Screenshots
Scan results in CLI
Scheduled scan result in Jenkins
Getting started
Installation
pip install checkov
Configure an input folder
checkov -d /user/tf
Or a specific file
checkov -f /user/tf/example.tf
Scan result sample (CLI)
Passed Checks: 1, Failed Checks: 1, Suppressed Checks: 0
Check: "Ensure all data stored in the S3 bucket is securely encrypted at rest"
/main.tf:
Passed for resource: aws_s3_bucket.template_bucket
Check: "Ensure all data stored in the S3 bucket is securely encrypted at rest"
/../regionStack/main.tf:
Failed for resource: aws_s3_bucket.sls_deployment_bucket_name
Start using Checkov by reading the Getting Started page.
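To show what a check like the S3 encryption-at-rest policy from the sample output above actually evaluates, here is a stand-alone Python model of it; this is an added example, not checkov's own code. It mirrors the scan_resource_conf(conf) convention of checkov's Terraform checks on constructed resource dicts in the list-valued shape an HCL parser produces, and it models in-line suppression with a plain set of resource names (an assumption; checkov uses a checkov:skip comment).

```python
# Stand-alone model of an "S3 bucket encrypted at rest" check. Does not import
# checkov; resource dicts below are constructed samples, not parsed from disk.
from enum import Enum


class CheckResult(Enum):
    PASSED = "Passed"
    FAILED = "Failed"
    SKIPPED = "Skipped"


CHECK_ID = "CKV_EXAMPLE_1"  # placeholder id, not a real checkov check id
CHECK_NAME = "Ensure all data stored in the S3 bucket is securely encrypted at rest"
ALLOWED_SSE = {"AES256", "aws:kms"}


def scan_resource_conf(conf):
    """PASSED only if a default server-side-encryption rule uses an accepted algorithm."""
    for sse_block in conf.get("server_side_encryption_configuration", []):
        for rule in sse_block.get("rule", []):
            for default in rule.get("apply_server_side_encryption_by_default", []):
                if default.get("sse_algorithm", [None])[0] in ALLOWED_SSE:
                    return CheckResult.PASSED
    return CheckResult.FAILED  # no SSE block, or an unknown algorithm


def scan_resources(resources, suppressed=()):
    """Run the check over every aws_s3_bucket; suppressed names are reported as SKIPPED."""
    return {name: CheckResult.SKIPPED if name in suppressed else scan_resource_conf(conf)
            for name, conf in resources.items()}


def summary(report):
    """Summary line in the same format as the CLI sample above."""
    counts = {r: sum(1 for v in report.values() if v is r) for r in CheckResult}
    return "Passed Checks: %d, Failed Checks: %d, Suppressed Checks: %d" % (
        counts[CheckResult.PASSED], counts[CheckResult.FAILED], counts[CheckResult.SKIPPED])


# Constructed sample: the two buckets named in the CLI output above.
SAMPLE_RESOURCES = {
    "aws_s3_bucket.template_bucket": {
        "bucket": ["template-bucket"],
        "server_side_encryption_configuration": [{"rule": [{
            "apply_server_side_encryption_by_default": [{"sse_algorithm": ["aws:kms"]}]}]}],
    },
    "aws_s3_bucket.sls_deployment_bucket_name": {"bucket": ["sls-deploy"]},  # no SSE block
}

if __name__ == "__main__":
    report = scan_resources(SAMPLE_RESOURCES)
    for name, res in report.items():
        print('Check: "%s"\n%s for resource: %s' % (CHECK_NAME, res.value, name))
    print(summary(report))
```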
Using Docker
docker pull bridgecrew/checkov
docker run -i -v /user/tf:/tf bridgecrew/checkov -d /tf
Alternatives
For Terraform compliance scanners check out tfsec, Terrascan and Terraform AWS Secure Baseline.
For CloudFormation scanning check out cfripper and cfn_nag.
Contributing
Contributions are welcome!
Start by reviewing the contribution guidelines. After that, take a look at a good first issue.
Looking to contribute new checks? Learn how to write a new check (also called a policy) here.
Support
Bridgecrew builds and maintains Checkov to make policy-as-code simple and accessible.
Start with our Documentation for quick tutorials and examples.
If you need direct support you can contact us at info@bridgecrew.io or open a ticket.
Project details
Hashes for checkov-1.0.141-py3-none-any.whl

Algorithm | Hash digest
---|---
SHA256 | f16200963db09f9d57f1579a4f4f08ecff8b97d8c4276aaaef120e94a6e2d522
MD5 | 60bca214c464caa9f2f6a54942323a17
BLAKE2b-256 | 9351c2d8ef5bc4b84b35866b792df7c20382e8ef08360969edc38b626327c167