Awesome Open Source
Awesome Open Source
Checkov
Prevent cloud misconfigurations and find vulnerabilities during build-time in infrastructure as code, container images and open source packages with Checkov by Bridgecrew.
Stars
4,339
License
apache-2.0
Open Issues
204
Most Recent Commit
2 hours ago
Programming Language
Python
Monthly Downloads
pypi checkov Downloads
Dependent Packages
3
Total Releases
1,977
Latest Release
June 16, 2022
Open Issues
204
Site
Repo

checkov

Maintained by Bridgecrew.io build status security status code_coverage docs PyPI Python Version Terraform Version Downloads Docker Pulls slack-community

Checkov is a static code analysis tool for infrastructure as code (IaC) and also a software composition analysis (SCA) tool for images and open source packages.

It scans cloud infrastructure provisioned using Terraform, Terraform plan, Cloudformation, AWS SAM, Kubernetes, Helm charts, Kustomize, Dockerfile, Serverless, Bicep, OpenAPI or ARM Templates and detects security and compliance misconfigurations using graph-based scanning.

It performs Software Composition Analysis (SCA) scanning which is a scan of open source packages and images for Common Vulnerabilities and Exposures (CVEs).

Checkov also powers Bridgecrew, the developer-first platform that codifies and streamlines cloud security throughout the development lifecycle. Bridgecrew identifies, fixes, and prevents misconfigurations in cloud resources and infrastructure-as-code files.

Table of contents

Features

  • Over 1000 built-in policies cover security and compliance best practices for AWS, Azure and Google Cloud.
  • Scans Terraform, Terraform Plan, CloudFormation, AWS SAM, Kubernetes, Dockerfile, Serverless framework, Bicep and ARM template files.
  • Scans Argo Workflows, BitBucket Pipelines, GitHub Actions and GitLab CI workflow files
  • Supports Context-awareness policies based on in-memory graph-based scanning.
  • Supports Python format for attribute policies and YAML format for both attribute and composite policies.
  • Detects AWS credentials in EC2 Userdata, Lambda environment variables and Terraform providers.
  • Identifies secrets using regular expressions, keywords, and entropy based detection.
  • Evaluates Terraform Provider settings to regulate the creation, management, and updates of IaaS, PaaS or SaaS managed through Terraform.
  • Policies support evaluation of variables to their optional default value.
  • Supports in-line suppression of accepted risks or false-positives to reduce recurring scan failures. Also supports global skip from using CLI.
  • Output currently available as CLI, CycloneDX, JSON, JUnit XML, SARIF and github markdown and link to remediation guides.

Screenshots

Scan results in CLI

scan-screenshot

Scheduled scan result in Jenkins

jenikins-screenshot

Getting started

Requirements

  • Python >= 3.7 (Data classes are available for Python 3.7+)
  • Terraform >= 0.12

Installation

pip3 install checkov

Installation on Alpine:

pip3 install --upgrade pip && pip3 install --upgrade setuptools
pip3 install checkov

Installation on Ubuntu 18.04 LTS:

Ubuntu 18.04 ships with Python 3.6. Install python 3.7 (from ppa repository)

sudo apt update
sudo apt install software-properties-common
sudo add-apt-repository ppa:deadsnakes/ppa
sudo apt install python3.7
sudo apt install python3-pip
sudo python3.7 -m pip install -U checkov #to install or upgrade checkov)

or using homebrew (macOS or Linux)

brew install checkov

or

brew upgrade checkov

Enabling bash autocomplete

source <(register-python-argcomplete checkov)

Upgrade

if you installed checkov with pip3

pip3 install -U checkov

Configure an input folder or file

checkov --directory /user/path/to/iac/code

Or a specific file or files

checkov --file /user/tf/example.tf

Or

checkov -f /user/cloudformation/example1.yml -f /user/cloudformation/example2.yml

Or a terraform plan file in json format

terraform init
terraform plan -out tf.plan
terraform show -json tf.plan  > tf.json 
checkov -f tf.json

Note: terraform show output file tf.json will be a single line. For that reason all findings will be reported line number 0 by checkov

check: CKV_AWS_21: "Ensure all data stored in the S3 bucket have versioning enabled"
	FAILED for resource: aws_s3_bucket.customer
	File: /tf/tf.json:0-0
	Guide: https://docs.bridgecrew.io/docs/s3_16-enable-versioning

If you have installed jq you can convert json file into multiple lines with the following command:

terraform show -json tf.plan | jq '.' > tf.json

Scan result would be much user friendly.

checkov -f tf.json
Check: CKV_AWS_21: "Ensure all data stored in the S3 bucket have versioning enabled"
	FAILED for resource: aws_s3_bucket.customer
	File: /tf/tf1.json:224-268
	Guide: https://docs.bridgecrew.io/docs/s3_16-enable-versioning

		225 |               "values": {
		226 |                 "acceleration_status": "",
		227 |                 "acl": "private",
		228 |                 "arn": "arn:aws:s3:::mybucket",

Alternatively, specify the repo root of the hcl files used to generate the plan file, using the --repo-root-for-plan-enrichment flag, to enrich the output with the appropriate file path, line numbers, and codeblock of the resource(s). An added benefit is that check suppressions will be handled accordingly.

checkov -f tf.json --repo-root-for-plan-enrichment /user/path/to/iac/code

Scan result sample (CLI)

Passed Checks: 1, Failed Checks: 1, Suppressed Checks: 0
Check: "Ensure all data stored in the S3 bucket is securely encrypted at rest"
/main.tf:
	 Passed for resource: aws_s3_bucket.template_bucket 
Check: "Ensure all data stored in the S3 bucket is securely encrypted at rest"
/../regionStack/main.tf:
	 Failed for resource: aws_s3_bucket.sls_deployment_bucket_name

Start using Checkov by reading the Getting Started page.

Using Docker

docker pull bridgecrew/checkov
docker run --tty --rm --volume /user/tf:/tf --workdir /tf bridgecrew/checkov --directory /tf

Note: if you are using Python 3.6(Default version in Ubuntu 18.04) checkov will not work and it will fail with ModuleNotFoundError: No module named 'dataclasses' error message. In this case, you can use the docker version instead.

Note that there are certain cases where redirecting docker run --tty output to a file - for example, if you want to save the Checkov JUnit output to a file - will cause extra control characters to be printed. This can break file parsing. If you encounter this, remove the --tty flag.

The --workdir /tf flag is optional to change the working directory to the mounted volume. If you are using the SARIF output -o sarif this will output the results.sarif file to the mounted volume (/user/tf in the example above). If you do not include that flag, the working directory will be "/".

Running or skipping checks

Using command line flags you can specify to run only named checks (allow list) or run all checks except those listed (deny list). If you are using the platform integration via API key, you can also specify a severity threshold to skip and / or include. See the docs for more detailed information on how these flags work together.

Examples

Allow only the two specified checks to run:

checkov --directory . --check CKV_AWS_20,CKV_AWS_57

Run all checks except the one specified:

checkov -d . --skip-check CKV_AWS_20

Run all checks except checks with specified patterns:

checkov -d . --skip-check CKV_AWS*

Run all checks that are MEDIUM severity or higher (requires API key):

checkov -d . --check MEDIUM --bc-api-key ...

Run all checks that are MEDIUM severity or higher, as well as check CKV_123 (assume this is a LOW severity check):

checkov -d . --check MEDIUM,CKV_123 --bc-api-key ...

Skip all checks that are MEDIUM severity or lower:

checkov -d . --skip-check MEDIUM --bc-api-key ...

Skip all checks that are MEDIUM severity or lower, as well as check CKV_789 (assume this is a high severity check):

checkov -d . --skip-check MEDIUM,CKV_789 --bc-api-key ...

Run all checks that are MEDIUM severity or higher, but skip check CKV_123 (assume this is a medium or higher severity check):

checkov -d . --check MEDIUM --skip-check CKV_123 --bc-api-key ...

Run check CKV_789, but skip it if it is a medium severity (the --check logic is always applied before --skip-check)

checkov -d . --skip-check MEDIUM --check CKV_789 --bc-api-key ...

For Kubernetes workloads, you can also use allow/deny namespaces. For example, do not report any results for the kube-system namespace:

checkov -d . --skip-check kube-system

Suppressing/Ignoring a check

Like any static-analysis tool it is limited by its analysis scope. For example, if a resource is managed manually, or using subsequent configuration management tooling, suppression can be inserted as a simple code annotation.

Suppression comment format

To skip a check on a given Terraform definition block or CloudFormation resource, apply the following comment pattern inside it's scope:

checkov:skip=<check_id>:<suppression_comment>

  • <check_id> is one of the [available check scanners](docs/5.Policy Index/all.md)
  • <suppression_comment> is an optional suppression reason to be included in the output

Example

The following comment skips the CKV_AWS_20 check on the resource identified by foo-bucket, where the scan checks if an AWS S3 bucket is private. In the example, the bucket is configured with public read access; Adding the suppress comment would skip the appropriate check instead of the check to fail.

resource "aws_s3_bucket" "foo-bucket" {
  region        = var.region
    #checkov:skip=CKV_AWS_20:The bucket is a public static content host
  bucket        = local.bucket_name
  force_destroy = true
  acl           = "public-read"
}

The output would now contain a SKIPPED check result entry:

...
...
Check: "S3 Bucket has an ACL defined which allows public access."
	SKIPPED for resource: aws_s3_bucket.foo-bucket
	Suppress comment: The bucket is a public static content host
	File: /example_skip_acl.tf:1-25
	
...

To skip multiple checks, add each as a new line.

  #checkov:skip=CKV2_AWS_6
  #checkov:skip=CKV_AWS_20:The bucket is a public static content host

To suppress checks in Kubernetes manifests, annotations are used with the following format: checkov.io/skip#: <check_id>=<suppression_comment>

For example:

apiVersion: v1
kind: Pod
metadata:
  name: mypod
  annotations:
    checkov.io/skip1: CKV_K8S_20=I don't care about Privilege Escalation :-O
    checkov.io/skip2: CKV_K8S_14
    checkov.io/skip3: CKV_K8S_11=I have not set CPU limits as I want BestEffort QoS
spec:
  containers:
...

Logging

For detailed logging to stdout set up the environment variable LOG_LEVEL to DEBUG.

Default is LOG_LEVEL=WARNING.

Skipping directories

To skip files or directories, use the argument --skip-path, which can be specified multiple times. This argument accepts regular expressions for paths relative to the current working directory. You can use it to skip entire directories and / or specific files.

By default, all directories named node_modules, .terraform, and .serverless will be skipped, in addition to any files or directories beginning with .. To cancel skipping directories beginning with . override IGNORE_HIDDEN_DIRECTORY_ENV environment variable export IGNORE_HIDDEN_DIRECTORY_ENV=false

You can override the default set of directories to skip by setting the environment variable CKV_IGNORED_DIRECTORIES. Note that if you want to preserve this list and add to it, you must include these values. For example, CKV_IGNORED_DIRECTORIES=mynewdir will skip only that directory, but not the others mentioned above. This variable is legacy functionality; we recommend using the --skip-file flag.

Console Output

The console output is in colour by default, to switch to a monochrome output, set the environment variable: ANSI_COLORS_DISABLED

VSCODE Extension

If you want to use checkov's within vscode, give a try to the vscode extension available at vscode

Configuration using a config file

Checkov can be configured using a YAML configuration file. By default, checkov looks for a .checkov.yaml or .checkov.yml file in the following places in order of precedence:

  • Directory against which checkov is run. (--directory)
  • Current working directory where checkov is called.
  • User's home directory.

Attention: it is a best practice for checkov configuration file to be loaded from a trusted source composed by a verified identity, so that scanned files, check ids and loaded custom checks are as desired.

Users can also pass in the path to a config file via the command line. In this case, the other config files will be ignored. For example:

checkov --config-file path/to/config.yaml

Users can also create a config file using the --create-config command, which takes the current command line args and writes them out to a given path. For example:

checkov --compact --directory test-dir --docker-image sample-image --dockerfile-path Dockerfile --download-external-modules True --external-checks-dir sample-dir --no-guide --quiet --repo-id bridgecrew/sample-repo --skip-check CKV_DOCKER_3,CKV_DOCKER_2 --skip-fixes --skip-framework dockerfile secrets --skip-suppressions --soft-fail --branch develop --check CKV_DOCKER_1 --create-config /Users/sample/config.yml

Will create a config.yaml file which looks like this:

branch: develop
check:
  - CKV_DOCKER_1
compact: true
directory:
  - test-dir
docker-image: sample-image
dockerfile-path: Dockerfile
download-external-modules: true 
evaluate-variables: true 
external-checks-dir: 
  - sample-dir 
external-modules-download-path: .external_modules 
framework:
  - all 
no-guide: true 
output: cli 
quiet: true 
repo-id: bridgecrew/sample-repo 
skip-check: 
  - CKV_DOCKER_3 
  - CKV_DOCKER_2 
skip-fixes: true 
skip-framework:
  - dockerfile
  - secrets
skip-suppressions: true 
soft-fail: true

Users can also use the --show-config flag to view all the args and settings and where they came from i.e. commandline, config file, environment variable or default. For example:

checkov --show-config

Will display:

Command Line Args:   --show-config
Environment Variables:
  BC_API_KEY:        your-api-key
Config File (/Users/sample/.checkov.yml):
  soft-fail:         False
  branch:            master
  skip-check:        ['CKV_DOCKER_3', 'CKV_DOCKER_2']
Defaults:
  --output:          cli
  --framework:       ['all']
  --download-external-modules:False
  --external-modules-download-path:.external_modules
  --evaluate-variables:True

Contributing

Contribution is welcomed!

Start by reviewing the contribution guidelines. After that, take a look at a good first issue.

You can even start this with one-click dev in your browser through Gitpod at the following link:

Open in Gitpod

Looking to contribute new checks? Learn how to write a new check (AKA policy) here.

Disclaimer

checkov does not save, publish or share with anyone any identifiable customer information.
No identifiable customer information is used to query Bridgecrew's publicly accessible guides. checkov uses Bridgecrew's API to enrich the results with links to remediation guides. To skip this API call use the flag --no-guide.

Support

Bridgecrew builds and maintains Checkov to make policy-as-code simple and accessible.

Start with our Documentation for quick tutorials and examples.

If you need direct support you can contact us at [email protected].

Related Awesome Lists
Python Projects (805,863)
Amazon Web Services Projects (38,245)
Kubernetes Projects (24,686)
Azure Projects (17,769)
Scanner Projects (13,985)
Terraform Projects (11,729)
Serverless Projects (9,825)
Check Projects (9,094)
Google Cloud Platform Projects (5,329)
Cloudformation Projects (3,510)
Compliance Projects (1,425)
Static Analysis Projects (1,340)
Serverless Framework Projects (1,258)
Infrastructure As Code Projects (673)
Devsecops Projects (475)
Bicep Projects (260)
Aws Security Projects (95)
Policy As Code Projects (69)
Kubernetes Security Projects (54)
Azure Security Projects (18)
Gcp Security Projects (14)
Terraform Security Projects (4)
Python Amazon Web Services Projects (7,633)
Amazon Web Services Terraform Projects (4,141)
Amazon Web Services Serverless Projects (3,856)
Amazon Web Services Cloudformation Projects (2,384)
Python Scanner Projects (2,247)
Python Kubernetes Projects (2,062)
Python Check Projects (1,607)
Python Azure Projects (1,573)
Python Serverless Projects (1,403)
Amazon Web Services Kubernetes Projects (1,255)
Kubernetes Terraform Projects (1,215)
Kubernetes Azure Projects (918)
Azure Terraform Projects (912)
Python Cloudformation Projects (874)
Python Terraform Projects (748)
Amazon Web Services Azure Projects (674)
Python Google Cloud Platform Projects (671)
Kubernetes Helm Charts Projects (662)
Top Programming Languages
Javascript  (1,058,464)
Python  (805,863)
Java  (388,117)
Php  (285,829)
Typescript  (245,379)
C Plus Plus  (238,464)
Ruby  (221,810)
C  (181,812)
Shell  (170,989)
C Sharp  (163,903)
Golang  (158,002)
Swift  (65,160)
R  (57,839)
Rust  (57,372)
Objective C  (57,184)
Dart  (52,469)
Kotlin  (46,352)
Lua  (33,816)
Matlab  (31,115)
Perl  (30,530)
Language  (30,062)
Scala  (28,651)
Haskell  (20,356)
Clojure  (19,128)
Powershell  (18,986)
Bash  (18,669)
Coffeescript  (17,295)
Elixir  (16,648)
Assembly  (14,670)
Processing  (13,302)
Julia  (12,711)
Basic  (10,741)
Flow  (10,537)
Emacs Lisp  (10,418)
Erlang  (9,062)
Groovy  (8,446)
Scheme  (8,440)
Solidity  (7,918)
Ocaml  (6,702)
Pascal  (6,440)
Hack  (6,389)
Lisp  (6,338)
Fortran  (5,532)
Elm  (5,483)
Common Lisp  (5,296)
Dlang  (4,746)
Shell Script  (4,645)
Python Library  (4,454)
Crystal  (4,385)
Scripting  (4,207)
Top Projects
Freecodecamp ⭐ 347,949
996.icu ⭐ 262,461
Free Programming Books ⭐ 236,335
Coding Interview University ⭐ 221,740
Awesome ⭐ 206,109
Developer Roadmap ⭐ 197,732
Public Apis ⭐ 197,207
Vue ⭐ 197,113
React ⭐ 190,390
System Design Primer ⭐ 184,236
Tensorflow ⭐ 165,955
Bootstrap ⭐ 158,140
You Dont Know Js ⭐ 153,649
Cs Notes ⭐ 151,618
Ohmyzsh ⭐ 146,833
Build Your Own X ⭐ 145,201
Javascript Algorithms ⭐ 143,802
Flutter ⭐ 142,161
Python ⭐ 139,107
Gitignore ⭐ 134,533
Linux ⭐ 133,702
Vscode ⭐ 133,323
Awesome Python ⭐ 131,255
Javascript ⭐ 124,014
Javaguide ⭐ 123,752
Python 100 Days ⭐ 120,066
Computer Science ⭐ 117,635
Youtube Dl ⭐ 111,038
Fucking Algorithm ⭐ 107,431
The Art Of Command Line ⭐ 106,741
React Native ⭐ 103,434
Electron ⭐ 102,260
D3 ⭐ 101,616
Go ⭐ 100,986
30 Seconds Of Code ⭐ 96,728
Create React App ⭐ 95,671
Axios ⭐ 94,143
Free Programming Books Zh_cn ⭐ 93,295
Awesome Selfhosted ⭐ 92,577
Kubernetes ⭐ 89,580
Next.js ⭐ 88,551
Node ⭐ 88,406
Terminal ⭐ 83,763
Deno ⭐ 83,213
Three.js ⭐ 83,056
Awesome Go ⭐ 82,790
Angular ⭐ 82,169
Typescript ⭐ 81,742
Ant Design ⭐ 80,837
Material Ui ⭐ 79,307

Get A Weekly Email With Trending Projects For These Topics
No Spam. Unsubscribe easily at any time.
Python (805,863
Amazon Web Services (38,245
Kubernetes (24,686
Azure (17,769
Scanner (13,985
Terraform (11,729
Serverless (9,825
Check (9,094
Google Cloud Platform (5,329
Cloudformation (3,510
Compliance (1,425
Static Analysis (1,340
Serverless Framework (1,258
Infrastructure As Code (673
Devsecops (475
Bicep (260
Aws Security (95
Policy As Code (69
Kubernetes Security (54
Azure Security (18
Gcp Security (14
Terraform Security (4
Privacy | About | Terms | Follow Us On Twitter

Downloads, Dependent Repos, Dependent Packages, Total Releases, Latest Releases data powered by Libraries.io.

Copyright 2018-2022 Awesome Open Source.  All rights reserved.