Checkov 2026: Open-Source IaC Scanner, 1,000+ Policies

Name: Checkov
Availability: OnlineOnly

Checkov is a static analysis tool that scans infrastructure-as-code files for misconfigurations before deployment. It covers Terraform, CloudFormation, Kubernetes, Helm, ARM templates, Bicep, Dockerfiles, Serverless framework, Ansible, Kustomize, and OpenTofu. Palo Alto Networks maintains it as part of Prisma Cloud, under the Apache 2.0 license. Over 80 million downloads since its 2019 launch.

Checkov supported platforms including AWS, Azure, Google Cloud, Terraform, Kubernetes, and Helm

The tool runs from the command line. Point it at a directory of IaC files and it returns passed and failed checks with file locations, line numbers, and code snippets for each failure. Non-zero exit codes on failures mean it slots into CI/CD gates without extra scripting.

What is Checkov?

Checkov started as a Terraform-focused scanner and grew into a multi-framework IaC security tool. Bridgecrew built the original version. Palo Alto Networks acquired Bridgecrew in 2021 and folded the project into Prisma Cloud. The open-source CLI stayed free.

Three things set Checkov apart from other IaC security tools:

1,000+ Built-in Policies

Attribute checks and graph-based checks covering AWS, Azure, GCP, and OCI. Compliance mappings for CIS Benchmarks, SOC 2, HIPAA, and PCI DSS included out of the box.

Graph-Based Analysis

Checks relationships between resources, not just individual attributes. Catches misconfigurations that single-resource scanners miss entirely.

Custom Policies in Python or YAML

Write your own checks using Python classes or declarative YAML syntax. Version 3.0 added 36 new operators and JSON path support.

Key features

Feature	Details
Built-in policies	1,000+ checks (attribute + graph-based)
Supported IaC frameworks	Terraform, CloudFormation, Kubernetes, Helm, ARM, Bicep, Ansible, Kustomize, OpenTofu, Serverless, AWS CDK, Dockerfile
Cloud providers	AWS, Azure, GCP, OCI
Compliance frameworks	CIS Benchmarks, SOC 2, HIPAA, PCI DSS, AWS Foundations Benchmark
Custom policy formats	Python and YAML
Output formats	CLI, JSON, JUnit XML, SARIF, CSV, CycloneDX, GitHub Markdown
CI/CD integrations	GitHub Actions, GitLab CI, Jenkins, Azure Pipelines, BitBucket Pipelines, CircleCI, Argo Workflows
Secrets detection	Known formats + entropy analysis + live API key verification
Python versions	3.9 through 3.12
License	Apache 2.0

Graph-based policies

Graph-based policies are the real differentiator. A standard attribute check verifies that an S3 bucket has encryption enabled. A graph-based check verifies that an EC2 instance connects to a network interface in a VPC-attached subnet. Single-resource checks miss that kind of misconfiguration entirely.

Checkov YAML graph-based policy definition checking EC2 instances belong to a VPC

Checkov 3.0 added 800 graph-based policies. It also introduced 36 new operators including a SUBSET operator that simplifies nested logic, and JSON path support via the jsonpath_ prefix for matching deep attribute structures.

Graph vs. attribute checks

Attribute checks inspect one resource at a time. Graph checks follow connections between resources. If your Terraform code has an EC2 instance, a network interface, and a subnet, a graph check verifies all three are wired together correctly. This is why Checkov catches misconfigurations that KICS or simpler attribute-only scanners can miss.

Custom policies

Custom policies come in two flavors. Python policies inherit from base check classes and define resource types, expected values, and check logic:

Checkov Python custom policy for S3 encryption check showing class-based structure

YAML policies use a declarative syntax with operators for attribute checks, connection checks, and filters. Easier to write for teams that don’t want Python in their policy pipeline.

metadata:
  id: "CKV2_CUSTOM_1"
  name: "Ensure S3 bucket has versioning"
  category: "GENERAL_SECURITY"
definition:
  cond_type: "attribute"
  resource_types:
    - "aws_s3_bucket"
  attribute: "versioning.enabled"
  operator: "equals"
  value: "true"

Secrets detection

Checkov also handles secrets detection. It recognizes known credential formats like AWS access keys, Azure storage keys, and GitHub tokens. It detects randomized secrets through entropy analysis and can verify keys against live APIs to cut down on false positives.

CI/CD integration

CI/CD integration works through native actions and Docker images. GitHub Actions uses the official bridgecrewio/checkov-action. GitLab CI runs the bridgecrew/checkov Docker image. Jenkins, Azure Pipelines, BitBucket Pipelines, CircleCI, and Argo Workflows are all supported.

Checkov integrations with CI/CD platforms including GitHub, GitLab, Jenkins, Bitbucket, and VS Code

CI/CD Platforms

GitHub Actions

GitLab CI

Jenkins

Azure Pipelines

Bitbucket Pipelines

CircleCI

Cloud Providers

AWS

Azure

GCP

OCI

Output formats: CLI text, JSON, JUnit XML, SARIF, CSV, CycloneDX, and GitHub Markdown. SARIF feeds directly into GitHub code scanning alerts. JUnit XML works with CI dashboards. CycloneDX produces software bill of materials data.

SARIF for GitHub

Run checkov -d . -o sarif and upload the results to GitHub code scanning. Failed checks show up as annotations on pull requests, right next to the code that triggered them.

Getting started

Install Checkov — Run pip install checkov, brew install checkov, or pull the Docker image bridgecrew/checkov:latest. Requires Python 3.9-3.12 for pip installs.

Scan a directory — Run checkov -d /path/to/terraform. Checkov auto-detects the framework and runs all applicable policies. Add --framework terraform to limit to a specific framework.

Review results — Each failed check shows the check ID, description, file path, line numbers, and the offending code snippet. Passed checks get a one-line summary.

Suppress false positives — Add #checkov:skip=CKV_AWS_19:Reason here as an inline comment, or use --skip-check CKV_AWS_19 on the command line. A .checkov.yaml config file works for persistent settings.

Add to CI/CD — Use bridgecrewio/checkov-action for GitHub Actions or the Docker image for other platforms. Non-zero exit codes block merges when checks fail. Use --soft-fail during rollout to log without blocking.

Prisma Cloud integration

Prisma Cloud integration adds centralized policy management, runtime scanning across five cloud providers, drift detection between IaC definitions and deployed resources, and automated pull request annotations. All optional. The standalone CLI works fine without any paid subscription.

When to use Checkov

Teams running Terraform, CloudFormation, or Kubernetes get the most from it. The policy count is one of the largest of any open-source IaC scanner. Graph-based checks give it depth that simpler attribute-only scanners don’t have. Works best as a pre-commit hook or CI/CD gate.

Good fit if you need:

The widest built-in policy coverage without writing custom rules
Cross-resource relationship checks (graph-based policies)
Compliance mappings for CIS, SOC 2, HIPAA, or PCI DSS
Secrets detection alongside IaC scanning
A tool that runs standalone without a paid platform

For a broader view of IaC security strategy, see our cloud infrastructure security guide. Consider Trivy if you want IaC, container, and dependency scanning in a single binary. Consider KICS if you prefer Rego-based policies or need broader file format coverage beyond IaC.

Note: Checkov 3.0 added 800+ graph-based policies, 36 new operators, Ansible/Bicep/Kustomize support, and improved secrets detection.

Frequently Asked Questions

What does Checkov scan for?

Checkov scans infrastructure-as-code files for misconfigurations and security issues before deployment. It supports Terraform, CloudFormation, Kubernetes, Helm, Dockerfiles, ARM templates, Bicep, Ansible, Kustomize, and OpenTofu. It ships with over 1,000 built-in policies for AWS, Azure, GCP, and OCI.

Is Checkov free?

Yes. Checkov is free and open-source under the Apache 2.0 license. Palo Alto Networks maintains it as part of Prisma Cloud, but the standalone CLI works without any paid subscription.

How does Checkov compare to KICS and Trivy for IaC scanning?

All three are open-source. Checkov has the largest built-in policy set at 1,000+ checks and the deepest Terraform support, including graph-based cross-resource relationship checks. KICS uses Rego-based queries and covers more file formats. Trivy bundles IaC scanning alongside container and dependency scanning in one binary.

How do I add Checkov to a CI/CD pipeline?

Install via pip or use the Docker image, then run checkov -d against your IaC directory. Non-zero exit codes on failures gate pull requests automatically. GitHub Actions has the official bridgecrewio/checkov-action. Output formats include SARIF for GitHub code scanning and JUnit XML for CI dashboards.

What are Checkov's graph-based policies?

Graph-based policies check relationships between resources, not just individual attributes. For example, a graph check can verify that an EC2 instance connects to a network interface in a VPC-attached subnet. Checkov 3.0 added 800+ graph-based policies and 36 new operators for writing custom graph checks in YAML.