Checkov: Open-source static code analysis tool

Checkov is an open-source tool designed to help teams secure their cloud infrastructure and code. At its core, it’s a static code analysis tool for infrastructure as code (IaC), but it also goes a step further by providing software composition analysis (SCA) for container images and open source packages.

Checkov static code analysis

With Checkov, you can scan just about any cloud infrastructure setup, whether you’re using Terraform, CloudFormation, AWS SAM, Kubernetes, Helm charts, Kustomize, Dockerfiles, Serverless, Bicep, OpenAPI, ARM templates, or OpenTofu. It uses graph-based scanning to uncover security risks and compliance misconfigurations before they make their way into production.

On top of that, Checkov includes SCA capabilities to detect known vulnerabilities, or CVEs, in open source libraries and container images, giving you a clearer picture of your security posture.

Checkov offers over 1,000 built-in policies to help secure cloud environments across AWS, Azure, and Google Cloud. It scans a wide range of files, including Terraform, CloudFormation, Kubernetes, Dockerfiles, Serverless Framework, and CI/CD workflows like GitHub Actions and GitLab CI. Using graph-based scanning, Checkov provides context-aware policy checks and can detect secrets, exposed credentials, and misconfigurations before deployment. It also supports in-line suppression for false positives and outputs results in multiple formats such as JSON, CSV, SARIF, and GitHub Markdown, with links to remediation guides.
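To illustrate the graph-based scanning and in-line suppression described above, here is a constructed Terraform example (not taken from the article or from the Checkov project): a weakly configured S3 bucket beside a hardened one whose controls live in separate resources that Checkov links back to the bucket. Bucket names are placeholders, and the check ID in the skip comment is a built-in Checkov ID that should be confirmed against the policy list of the Checkov version in use.

```hcl
# Constructed example, not from the Checkov project. Scan it with, for example:
#   checkov -f main.tf -o sarif
# and compare the FAILED results for "weak" with the PASSED results for "hardened".

# --- Weak configuration: a public-read ACL with no versioning, encryption,
#     or public access block. Expect several FAILED checks on this resource.
resource "aws_s3_bucket" "weak" {
  bucket = "example-weak-bucket" # placeholder name
  acl    = "public-read"
}

# --- Hardened configuration: the controls are declared in separate resources
#     below; Checkov's graph scan follows the references to this bucket.
resource "aws_s3_bucket" "hardened" {
  bucket = "example-hardened-bucket" # placeholder name

  # Access logging is handled outside this module, so the access-logging
  # check is suppressed in-line with a justification. The suppression must
  # sit inside the resource block it applies to. Check ID assumed to be the
  # built-in S3 access logging policy; verify against your Checkov version.
  #checkov:skip=CKV_AWS_18:Access logging is configured by the central logging module
}

resource "aws_s3_bucket_public_access_block" "hardened" {
  bucket                  = aws_s3_bucket.hardened.id
  block_public_acls       = true
  block_public_policy     = true
  ignore_public_acls      = true
  restrict_public_buckets = true
}

resource "aws_s3_bucket_versioning" "hardened" {
  bucket = aws_s3_bucket.hardened.id
  versioning_configuration {
    status = "Enabled"
  }
}

resource "aws_s3_bucket_server_side_encryption_configuration" "hardened" {
  bucket = aws_s3_bucket.hardened.id
  rule {
    apply_server_side_encryption_by_default {
      sse_algorithm = "aws:kms"
    }
  }
}
```

The suppressed check still appears in the report, marked as skipped together with the justification, so reviewers can see what was waived and why.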

Checkov is available for free on GitHub.
