🗂️ Navigation
📁 GitOps
📋 GitOps Security
🔧 Checkov

Checkov

Prevent cloud misconfigurations during build time for Terraform, CloudFormation, Kubernetes, Serverless framework and other infrastructure-as-code-languages.

Visit Website →

Overview

Checkov is a static code analysis tool for infrastructure-as-code. It scans cloud infrastructure provisioned using Terraform, CloudFormation, Kubernetes, ARM Templates, and other IaC languages and detects security and compliance misconfigurations. Checkov is maintained by Bridgecrew, which was acquired by Palo Alto Networks.

✨ Key Features

  • Scans Terraform, CloudFormation, Kubernetes, ARM, and Serverless frameworks
  • Over 750 built-in policies
  • Support for custom policies in Python
  • Graph-based scanning for context-aware analysis
  • Integration with CI/CD pipelines
  • VS Code extension for real-time feedback

🎯 Key Differentiators

  • Graph-based scanning provides context
  • Broad support for many IaC formats
  • Part of the broader Prisma Cloud platform

Unique Value: Provides a powerful, free, and open-source way to shift cloud security left, enabling teams to find and fix infrastructure misconfigurations before they reach production.

🎯 Use Cases (3)

Scanning IaC for security vulnerabilities before deployment. Enforcing compliance policies (CIS, PCI, HIPAA) on infrastructure. Integrating automated security checks into GitOps workflows.

✅ Best For

  • Preventing cloud misconfigurations by scanning Terraform files in CI/CD pipelines.
  • Auditing Kubernetes manifests for security best practice violations.

💡 Check With Vendor

Verify these considerations match your specific requirements:

  • Runtime security monitoring or application code scanning (SAST/DAST).

🏆 Alternatives

tfsec Terrascan KICS

Its graph-based approach can identify complex, multi-resource misconfigurations that simpler linters might miss.

💻 Platforms

CLI API

✅ Offline Mode Available

🔌 Integrations

GitHub Actions Jenkins CircleCI GitLab CI VS Code Bridgecrew

💰 Pricing

Contact for pricing
Free Tier Available

Free tier: The open-source tool is completely free.

Visit Checkov Website →

🔄 Similar Tools in GitOps Security

Snyk

A developer-first security platform for securing code, dependencies, containers, and Infrastructure ...

Contact

Trivy

A simple and comprehensive vulnerability scanner for containers, IaC, and more....

Contact

KICS

An open-source solution for static analysis of IaC, finding security vulnerabilities, compliance iss...

Contact

Terrascan

An open-source static code analyzer for Infrastructure as Code, scanning for security vulnerabilitie...

Contact

Open Policy Agent (OPA)

An open source, general-purpose policy engine that enables unified, context-aware policy enforcement...

Contact

Kyverno

A policy engine designed for Kubernetes that can validate, mutate, and generate configurations using...

Contact