Checkov
A static analysis tool for Infrastructure as Code that scans Terraform, CloudFormation, Kubernetes, Helm, ARM, and Serverless configurations for security misconfigurations and compliance violations.
Developer
Bridgecrew (Palo Alto Networks)
Technical Dossier
Checkov is a static analysis tool purpose-built for Infrastructure as Code security, developed by Bridgecrew (acquired by Palo Alto Networks in 2021) and released under the Apache 2.0 license. It scans IaC configuration files before deployment to detect security misconfigurations, compliance violations, and infrastructure anti-patterns that could lead to data exposure, privilege escalation, or service compromise in cloud environments.
The tool supports all major IaC frameworks: Terraform (both HCL source and JSON plan files), AWS CloudFormation, Azure ARM and Bicep templates, Kubernetes manifests, Helm charts, Serverless Framework configurations, and Dockerfiles. Checkov ships with over 2,500 built-in policies covering AWS, Azure, and GCP resource configurations. Its graph-based analysis engine is a key differentiator — rather than evaluating resources in isolation, Checkov builds a dependency graph that models relationships between resources, enabling checks like “this S3 bucket is referenced by a CloudFront distribution that lacks a WAF” or “this IAM role can assume a role in another account with admin privileges.”
Policies map to established compliance frameworks including CIS Benchmarks for AWS/Azure/GCP, PCI-DSS, HIPAA, SOC2, NIST 800-53, and GDPR, producing framework-aligned reports for audit teams. Custom policies can be authored in Python for complex logic or in a declarative YAML format for simpler attribute and connection checks. Checkov integrates into development workflows via pre-commit hooks, GitHub Actions, GitLab CI, and a VS Code extension, with SARIF output for surfacing findings directly in GitHub Advanced Security. As part of the Palo Alto Prisma Cloud ecosystem, Checkov findings can feed into the broader cloud security posture management platform for centralised policy enforcement.
Broad IaC Coverage
Analyses Terraform (HCL & plan files), CloudFormation, Kubernetes, Helm, ARM templates, Serverless Framework, Bicep, and Dockerfiles.
Graph-Based Analysis
Builds a resource dependency graph to evaluate cross-resource relationships — detecting issues like security groups referencing public subnets or IAM roles with excessive scope.
Custom Policies
Define custom checks in Python or YAML, or use the visual policy editor in Prisma Cloud. Supports attribute, connection, and composite policies.
CI/CD & IDE Integration
Pre-commit hooks, GitHub Actions, GitLab CI, Jenkins, and a VS Code extension. Supports SARIF output for GitHub Advanced Security integration.
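The graph-based connection check and the YAML custom-policy format described above, combined in one policy as an added example (this is not a policy shipped with Checkov or taken from the page). It encodes the dossier's own scenario: a CloudFront distribution that fronts an S3 bucket must have a WAF web ACL attached. The policy id `CKV2_CUSTOM_1`, the policy name and the directory names in the usage note are placeholders chosen for this example; `aws_cloudfront_distribution`, `aws_s3_bucket` and the `web_acl_id` attribute are the real Terraform AWS provider names.

```yaml
# Added example policy, not part of Checkov's built-in policy set.
# Save as one file (e.g. custom_policies/cloudfront_s3_waf.yaml); Checkov
# expects one policy per YAML file.
metadata:
  id: "CKV2_CUSTOM_1"            # placeholder id; CKV2_ prefix marks a graph check
  name: "CloudFront distribution serving an S3 bucket must have a WAF web ACL"
  category: "NETWORKING"
  severity: "HIGH"
scope:
  provider: aws
definition:
  # A resource passes when ANY branch of the "or" holds:
  #   1. the distribution is not wired to any S3 bucket in the graph, or
  #   2. the distribution declares a web_acl_id.
  # A distribution connected to an S3 bucket with no web_acl_id fails.
  or:
    - cond_type: connection
      resource_types:
        - aws_cloudfront_distribution
      connected_resource_types:
        - aws_s3_bucket
      operator: not_exists
    - cond_type: attribute
      resource_types:
        - aws_cloudfront_distribution
      attribute: web_acl_id
      operator: exists
```

Run it against a Terraform directory with `checkov -d ./infra --external-checks-dir ./custom_policies -o sarif`; the `connection` condition is what makes this a graph check rather than a per-resource attribute test, since the S3 bucket and the distribution live in different HCL blocks and only the dependency graph ties them together.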
Distribution Model
Open Source
Free community edition available.
Enterprise support on request.

IaC Targets
TERRAFORM, CFN, K8S, ARM
Policies
2,500+
Frameworks
CIS, NIST, PCI, SOC2
License
APACHE 2.0