🗂️ Navigation
📁 GitOps
📋 GitOps Security
🔧 Checkov

Checkov

Prevent cloud misconfigurations during build time for Terraform, CloudFormation, Kubernetes, Serverless framework and other infrastructure-as-code-languages.

Visit Website →

Overview

Checkov is an open-source static analysis tool for infrastructure as code. It scans cloud infrastructure provisioned by Terraform, CloudFormation, Kubernetes, ARM Templates, and other IaC frameworks to find security and compliance misconfigurations. It is a key component of the Bridgecrew (now Prisma Cloud) platform.

✨ Key Features

  • Scans Terraform, CloudFormation, Kubernetes, ARM, Serverless
  • Over 1000 built-in policies
  • Graph-based scanning for context-aware analysis
  • CI/CD integration
  • Custom policy support
  • Open source

🎯 Key Differentiators

  • Graph-based scanning provides deeper context
  • Broad support for many IaC formats
  • Backed by a major security vendor (Palo Alto Networks)

Unique Value: Provides a powerful, free, and open-source way to shift cloud security left, enabling teams to find and fix infrastructure misconfigurations before they reach production.

🎯 Use Cases (3)

Scanning IaC for security vulnerabilities before deployment. Enforcing compliance policies (CIS, PCI, HIPAA) on infrastructure. Integrating automated security checks into GitOps workflows.

✅ Best For

  • Preventing cloud misconfigurations by scanning Terraform files in CI/CD pipelines.
  • Auditing Kubernetes manifests for security best practice violations.

💡 Check With Vendor

Verify these considerations match your specific requirements:

  • Runtime security monitoring or application code scanning (SAST/DAST).

🏆 Alternatives

Terrascan KICS tfsec

Its graph-based approach can identify complex, multi-resource misconfigurations that simpler linters might miss.

💻 Platforms

CLI API

✅ Offline Mode Available

🔌 Integrations

GitHub Actions Jenkins CircleCI GitLab CI VS Code JetBrains IDEs

💰 Pricing

Contact for pricing
Free Tier Available

Free tier: The open-source tool is completely free.

Visit Checkov Website →

🔄 Similar Tools in GitOps Security

Snyk

A developer-first security platform for finding and fixing vulnerabilities in code, dependencies, co...

Contact

Trivy

An open-source security scanner for vulnerabilities in container images, filesystems, and Git reposi...

Contact

KICS

An open-source static analysis tool that finds security vulnerabilities, compliance issues, and infr...

Contact

Terrascan

An open-source static code analyzer for IaC that helps detect security and compliance issues....

Contact

Open Policy Agent (OPA)

An open-source, general-purpose policy engine that enables unified, context-aware policy enforcement...

Contact

Kyverno

A policy engine designed specifically for Kubernetes, allowing you to manage and enforce policies as...

Contact