Stage 4 · Provision
Validation, Policy & Secrets
Checkov & Static Analysis
Misconfiguration scanning, suppressions, SARIF reports, and baseline management — catching security issues before deploy.
What Is Checkov?
Checkov is a static analysis tool by Bridgecrew that scans Terraform, CloudFormation, Bicep, Kubernetes, and other IaC formats for security misconfigurations. It has 1000+ built-in policies covering security best practices.
$ checkov -d .
$ checkov -f main.tf
$ checkov -d . --output json > checkov.json
$ checkov -d . --output sarif > checkov.sarif
$ checkov -d . --output junitxml > checkov.xmlCheckov scans files or directories for misconfigurations. Output formats include JSON for programmatic use, SARIF for GitHub code scanning, and JUnitXML for CI test reports.
Scanning Terraform
$ checkov -d . # Scan all files
$ checkov -d . --framework terraform # Terraform only
$ checkov -d . --check CKV_AWS_18 # Specific check
$ checkov -d . --check CHECK_1001 # CIS benchmark
$ checkov -d . --skip-check CKV_AWS_18 # Skip specific check
$ checkov -d . --compact # Compact output
$ checkov -d . --quiet # Only failuresCheckov supports filtering by framework, check ID, and severity. The --check flag runs only specific checks. The --skip-check flag ignores specific checks. Combine these for targeted scanning.
Suppressions
resource "aws_s3_bucket" "data" {
bucket = "my-data-bucket"
#checkov:skip=CKV_AWS_18:Encryption managed by S3 bucket policy
#checkov:skip=CKV_AWS_14:Access logging configured separately
}Inline suppressions add a comment with the check ID and reason. The reason is required for audit purposes. Use suppressions sparingly — only for justified exceptions.
# .checkov.yml
baseline: checkov.baseline
skip-check:
- CKV_AWS_18
- CKV_AWS_14
check:
- CKV_AWS_18
- CKV_AWS_14
framework:
- terraform
compact: trueThe .checkov.yml file configures Checkov for the project. The baseline file tracks existing violations. New violations fail the build. Existing violations are suppressed until fixed.
SARIF Reports
- name: Run Checkov
uses: bridgecrewio/checkov-action@v12
with:
directory: .
output_format: sarif
output_file_path: checkov-results.sarif
- name: Upload SARIF
uses: github/codeql-action/upload-sarif@v2
with:
sarif_file: checkov-results.sarifSARIF output integrates with GitHub Code Scanning. Checkov findings appear in the Security tab. This provides a centralized view of security issues across all repositories.
Baseline Management
$ checkov -d . --output json > checkov.json
$ checkov -d . --create-baseline checkov.baseline
# Subsequent runs compare against baseline
$ checkov -d . --baseline checkov.baseline
# Update baseline when violations are fixed
$ checkov -d . --update-baseline checkov.baselineThe baseline captures existing violations. Subsequent runs only report new violations. This allows incremental improvement — fix violations over time without blocking all changes.
CI Integration
name: Security Scan
on: [pull_request]
jobs:
checkov:
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v4
- name: Run Checkov
uses: bridgecrewio/checkov-action@v12
with:
directory: .
output_format: sarif,cli
output_file_path: checkov-results.sarif
- name: Upload SARIF
uses: github/codeql-action/upload-sarif@v2
if: always()
with:
sarif_file: checkov-results.sarifThe Checkov action scans on every PR. SARIF output integrates with GitHub Code Scanning. CLI output provides immediate feedback in the job log.
Start with critical security checks — encryption, logging, and access control. Add more checks over time as the team builds familiarity.
Every suppression must have a documented reason. Track suppressions in the baseline file. Review suppressions periodically to ensure they are still justified.
Mark this lesson complete to store local progress and unlock a cleaner resume path the next time you visit.