# Checkov

> Infrastructure-as-code static analysis

## Overview

Checkov scans IaC source files for misconfigurations before deployment. It supports Terraform, CloudFormation, Kubernetes YAML, Dockerfiles, and other IaC formats.

## Capabilities

* Static analysis of IaC files without requiring a build or deployment
* Supports Terraform, CloudFormation, ARM templates, K8s manifests, Dockerfiles, Helm charts
* Custom Python checks for organization-specific rules
* Graph-based analysis for cross-resource relationships within IaC

## Limitations

* Only applicable to IaC and config files -- check out [Semgrep](/integrations/guardrails/semgrep) or [CodeQL](/integrations/guardrails/codeql) for application source code
* Does not test runtime infrastructure state -- check out [InSpec](/integrations/guardrails/inspec) or [Goss](/integrations/guardrails/goss) for runtime validation

## Generated Format

* **Language:** Python
* **Structure:** Custom Checkov check classes extending `BaseCheck`
* **Execution:** `checkov --external-checks-dir <checks_directory> -d <iac_directory>`

## Example Guardrail

```python
from checkov.terraform.checks.resource.base_resource_check import BaseResourceCheck
from checkov.common.models.enums import CheckResult, CheckCategories

class S3EncryptionCheck(BaseResourceCheck):
    def __init__(self):
        name = "Ensure S3 bucket has server-side encryption"
        id = "CKV_CUSTOM_1"
        supported_resources = ["aws_s3_bucket"]
        categories = [CheckCategories.ENCRYPTION]
        super().__init__(name=name, id=id, categories=categories,
                         supported_resources=supported_resources)

    def scan_resource_conf(self, conf):
        # conf is the parsed attribute dict of one aws_s3_bucket resource.
        # Only the inline block is inspected: encryption declared through a
        # separate aws_s3_bucket_server_side_encryption_configuration resource
        # (AWS provider v4 and later) is not visible to this check.
        if "server_side_encryption_configuration" in conf:
            return CheckResult.PASSED
        return CheckResult.FAILED

# Instantiating the class at module level registers the check with Checkov.
check = S3EncryptionCheck()
```
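
The check above passes whenever the block is present, even if it is empty or its algorithm is an unresolved variable. The added example below (not Zenable's or Checkov's own code) goes one step further and validates the configured algorithm as plain Python, so the logic can be unit tested without Checkov installed. It assumes Checkov's parsed Terraform `conf` wraps each attribute and nested block in a list; `ALLOWED_ALGORITHMS`, `PATH`, `sse_algorithm`, `evaluate` and `SAMPLES` are hypothetical names.

```python
# Added example, no Checkov import. Assumption: policy allows these values.
ALLOWED_ALGORITHMS = {"AES256", "aws:kms"}
# Nested block path from the aws_s3_bucket resource down to the algorithm.
PATH = ("server_side_encryption_configuration", "rule",
        "apply_server_side_encryption_by_default", "sse_algorithm")

def _unwrap(value):
    """Peel list wrappers; return None for an empty list."""
    while isinstance(value, list):
        if not value:
            return None
        value = value[0]
    return value

def sse_algorithm(conf):
    """Return the configured sse_algorithm, or None if any level is missing."""
    node = conf
    for key in PATH:
        node = _unwrap(node)
        if not isinstance(node, dict) or key not in node:
            return None
        node = node[key]
    return _unwrap(node)

def evaluate(conf):
    """Hypothetical helper: pass only on an allowed, literal algorithm."""
    algo = sse_algorithm(conf)
    ok = isinstance(algo, str) and algo in ALLOWED_ALGORITHMS
    return "PASSED" if ok else "FAILED"

def _bucket(algorithm):
    """Build a constructed conf in the assumed list-wrapped shape."""
    default = [{"sse_algorithm": [algorithm]}]
    rule = [{"apply_server_side_encryption_by_default": default}]
    return {"bucket": ["logs"],
            "server_side_encryption_configuration": [{"rule": rule}]}

# Constructed sample inputs, not taken from a real scan.
SAMPLES = {
    "kms": _bucket("aws:kms"),
    "unresolved_var": _bucket("${var.algorithm}"),
    "empty_block": {"server_side_encryption_configuration": [{}]},
    "missing_block": {"bucket": ["logs"]},
}

if __name__ == "__main__":
    for name, conf in SAMPLES.items():
        print(f"{name}: {evaluate(conf)}")
```

Inside a real check, `scan_resource_conf` would map the string result to `CheckResult.PASSED` or `CheckResult.FAILED`.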

Learn more at [Checkov documentation](https://www.checkov.io/) and [custom Python policies](https://www.checkov.io/3.Custom%20Policies/Python%20Custom%20Policies.html).
