Overview

Checkov scans IaC source files for misconfigurations before deployment. It supports Terraform, CloudFormation, Kubernetes YAML, Dockerfiles, and other IaC formats.

Capabilities

  • Static analysis of IaC files without requiring a build or deployment
  • Supports Terraform, CloudFormation, ARM templates, K8s manifests, Dockerfiles, Helm charts
  • Custom Python checks for organization-specific rules
  • Graph-based analysis for cross-resource relationships within IaC

Limitations

  • Only applicable to IaC and config files — check out Semgrep or CodeQL for application source code
  • Does not test runtime infrastructure state — check out InSpec or Goss for runtime validation

Generated Format

  • Language: Python
  • Structure: Custom Checkov check classes extending BaseCheck
  • Execution: checkov --external-checks-dir <checks_directory> -d <iac_directory>

Example Guardrail

from checkov.terraform.checks.resource.base_resource_check import BaseResourceCheck
from checkov.common.models.enums import CheckResult, CheckCategories

class S3EncryptionCheck(BaseResourceCheck):
    def __init__(self):
        name = "Ensure S3 bucket has server-side encryption"
        id = "CKV_CUSTOM_1"
        supported_resources = ["aws_s3_bucket"]  # Terraform resource types this check runs on
        categories = [CheckCategories.ENCRYPTION]
        super().__init__(name=name, id=id, categories=categories,
                         supported_resources=supported_resources)

    def scan_resource_conf(self, conf):
        # conf is the parsed resource body: each attribute value is wrapped in a list and
        # each nested block is a list of dicts. This check only tests that the block is
        # present; it does not inspect the algorithm or key configured inside it.
        if "server_side_encryption_configuration" in conf:
            return CheckResult.PASSED
        return CheckResult.FAILED

# Instantiating at module level registers the check when Checkov loads this file
# from the directory given to --external-checks-dir.
check = S3EncryptionCheck()

Learn more in the Checkov documentation and its guide to custom Python policies.
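A stricter variant of the guardrail above, added here as an example (not the page's or Checkov's own code): it descends into the block, so an empty or algorithm-less server_side_encryption_configuration fails, and it keeps the decision in a plain function over Checkov's conf shape so it can be unit-tested without Checkov installed. The class name, the id CKV_CUSTOM_2, the sample confs and the named-KMS-key policy are assumptions.

```python
# Policy choice for this example (an assumption, not Checkov's default): "aws:kms" is
# only accepted when a key is named, since without one S3 falls back to the AWS-managed key.
ALLOWED_ALGORITHMS = {"AES256", "aws:kms"}

def _first(value):
    """Unwrap Checkov's list-wrapped attribute or block value; None if absent or empty."""
    if isinstance(value, list):
        return value[0] if value else None
    return value

def s3_sse_result(conf):
    """Return "PASSED" or "FAILED" for one aws_s3_bucket resource conf."""
    sse = _first(conf.get("server_side_encryption_configuration"))
    if not isinstance(sse, dict):
        return "FAILED"  # no SSE block at all
    rule = _first(sse.get("rule"))
    if not isinstance(rule, dict):
        return "FAILED"  # empty SSE block: the presence-only check above would pass this
    default = _first(rule.get("apply_server_side_encryption_by_default"))
    if not isinstance(default, dict):
        return "FAILED"
    algorithm = _first(default.get("sse_algorithm"))
    if algorithm not in ALLOWED_ALGORITHMS:
        return "FAILED"  # missing, empty or unknown algorithm
    if algorithm == "aws:kms" and not _first(default.get("kms_master_key_id")):
        return "FAILED"  # KMS chosen but no key named (policy choice above)
    return "PASSED"

# Constructed sample confs in the shape Checkov hands to scan_resource_conf
# (every attribute value list-wrapped, nested blocks as a list of dicts).
KMS_WITH_KEY = {"bucket": ["logs"], "server_side_encryption_configuration": [{"rule": [{
    "apply_server_side_encryption_by_default": [{"sse_algorithm": ["aws:kms"],
                                                 "kms_master_key_id": ["aws_kms_key.logs.arn"]}]}]}]}
EMPTY_SSE_BLOCK = {"bucket": ["logs"], "server_side_encryption_configuration": [{}]}

try:  # Thin Checkov wrapper; only loads when Checkov is installed, the logic above needs nothing.
    from checkov.common.models.enums import CheckCategories, CheckResult
    from checkov.terraform.checks.resource.base_resource_check import BaseResourceCheck
    class S3StrictEncryptionCheck(BaseResourceCheck):
        def __init__(self):
            super().__init__(name="Ensure S3 bucket SSE uses AES256 or KMS with a named key",
                             id="CKV_CUSTOM_2", categories=[CheckCategories.ENCRYPTION],
                             supported_resources=["aws_s3_bucket"])  # CKV_CUSTOM_2 is a constructed id
        def scan_resource_conf(self, conf):
            return CheckResult.PASSED if s3_sse_result(conf) == "PASSED" else CheckResult.FAILED
    check = S3StrictEncryptionCheck()
except ImportError:
    pass
```

With AWS provider v4 and later, bucket encryption is normally declared in a separate aws_s3_bucket_server_side_encryption_configuration resource, which neither this check nor the one above will see; that cross-resource case is where the graph-based analysis listed under Capabilities comes in.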