checkov

Checkov scans cloud infrastructure configurations to find misconfigurations before they're deployed

Options

Name | Description
--- | ---
--help, -h | Show help for checkov
--version, -v | Show the version of checkov
--quiet | CLI output: display only failed checks
--compact | CLI output: do not display code blocks
--list, -l | List checks
--no-guide | Do not fetch Bridgecrew platform IDs and guidelines for the checkov output report. Note: this prevents Bridgecrew platform check IDs from being used anywhere in the CLI
--output-bc-ids | Print Bridgecrew platform IDs (BC...) instead of Checkov IDs (CKV...) when the check exists in the platform
--directory, -d <DIRECTORY> | IaC root directory (cannot be used together with --file)
--output, -o <FORMAT> | Report output format. Repeatable: pass the flag once per format to write several reports
--framework <FRAMEWORKS...> | IaC frameworks to include checks for
--skip-framework <FRAMEWORKS...> | IaC frameworks to exclude checks for
--add-check | Generate a new check via CLI prompt
--file, -f <FILE> | IaC file (cannot be used together with --directory)
--skip-path <SKIP_PATH> | Path (file or directory) to exclude from the scan. Repeatable
--check, -c <CHECKS> | Run only the listed check identifiers (allowlist). Separate multiple checks with commas. Environment variable: CKV_CHECK
--skip-check <CHECKS> | Run every check except the listed identifiers (denylist). Separate multiple checks with commas. Environment variable: CKV_SKIP_CHECK
--run-all-external-checks | Run all external checks (loaded via the --external-checks options) even if they are not in the --check list, so that new checks in the external source are always used. An external check listed in --skip-check is still skipped
--external-checks-dir <EXTERNAL_CHECKS_DIR> | Directory of custom checks to load. Repeatable
--bc-api-key <BC_API_KEY> | Bridgecrew API key. Environment variable: BC_API_KEY
--docker-image <DOCKER_IMAGE> | Scan a Docker image by name or ID. Only works with --bc-api-key
--dockerfile-path <DOCKERFILE_PATH> | Path to the Dockerfile of the scanned Docker image
--repo-id <REPO_ID> | Identity string of the repository, in the form <repo_owner>/<repo_name>
--branch, -b <BRANCH> | Selected branch of the persisted repository. Only has effect with --bc-api-key
--skip-fixes | Do not download fixed resource templates from Bridgecrew. Only has effect with --bc-api-key
--skip-suppressions | Do not download preconfigured suppressions from the Bridgecrew platform; code-comment suppressions are still honored. Only has effect with --bc-api-key
--skip-policy-download | Do not download custom policies configured in the Bridgecrew platform. Only has effect with --bc-api-key
--download-external-modules <DOWNLOAD_EXTERNAL_MODULES> | Download external Terraform modules from public git repositories and the Terraform registry. Environment variable: DOWNLOAD_EXTERNAL_MODULES
--var-file <VAR_FILE> | Variable files to load in addition to the default files (see https://www.terraform.io/docs/language/values/variables.html#variable-definitions-tfvars-files). Currently only supported for Terraform source (.tf) and Helm chart scans. Requires --directory, not --file
--external-modules-download-path <EXTERNAL_MODULES_DIR> | Path where downloaded external Terraform modules are stored. Environment variable: EXTERNAL_MODULES_DIR
--evaluate-variables <EVALUATE_VARIABLES> | Evaluate the values of variables and locals
--ca-certificate, -ca <CA_CERTIFICATE> | Custom CA (bundle) file. Environment variable: CA_CERTIFICATE
--repo-root-for-plan-enrichment <REPO_ROOT_FOR_PLAN_ENRICHMENT> | Directory containing the HCL code used to generate a given plan file. Use with -f FILE
--config-file <CONFIG_FILE> | Path to the Checkov configuration YAML file
--create-config <CONFIG_FILE> | Write the current command-line arguments to a config file at the given path
--show-config | Print all arguments and config settings and where each came from (command line, config file, environment variable or default)
--create-baseline | Save all current results to a .checkov.baseline file so that future runs only flag new findings. Works only with --directory
--baseline <BASELINE> | Compare current results with a known .checkov.baseline file; the report includes only failed checks that are new with respect to the baseline. See --create-baseline
--soft-fail, -s | Run checks but always exit 0
--soft-fail-on <CHECKS> | Exit 0 if only the specified checks fail. Separate multiple checks with commas
--hard-fail-on <CHECKS> | Exit non-zero if any of the specified checks fail. Separate multiple checks with commas
--min-cve-severity <MIN_SEVERITY> | Minimum CVE severity that returns a non-zero exit code
--skip-cve-package <SKIP_CVE_PACKAGE> | Package to exclude from CVE scanning. Repeatable
--use-enforcement-rules | Use the enforcement rules configured in the platform for the hard/soft fail logic
--support | Enable debug logs and upload them to the server
--summary-position <SUMMARY_POSITION> | Choose whether the summary is placed at the top or at the bottom of the output
--skip-resources-without-violations | Exclude resources without violations from the report
--skip-download | Do not download any data from Prisma Cloud
--secrets-history-timeout <SECRETS_HISTORY_TIMEOUT> | Maximum time to run the secrets history scan
--scan-secrets-history | Scan the commit history for secrets
--prisma-api-url <PRISMA_API_URL> | The Prisma Cloud API URL
--policy-metadata-filter <POLICY_METADATA_FILTER> | Comma-separated key:value string to filter policies by Prisma Cloud policy metadata
--output-file-path <OUTPUT_FILE_PATH> | Name of the output folder where the chosen output formats are saved
--output-baseline-as-skipped | Output checks that are skipped because of a baseline file as skipped checks
--openai-api-key <OPENAI_API_KEY> | Add an OpenAI API key to enhance finding guidelines. Note: this sends code to OpenAI
--no-fail-on-crash | Return exit code 0 instead of 2 when Checkov crashes
--mask <MASK> | Attribute to mask in the output; each entry masks the given attribute. Can be given more than once
--include-all-checkov-policies | When running with an API key, Checkov omits any policies that do not exist in the Bridgecrew or Prisma Cloud platform; this flag includes them in the scan
--external-checks-git <EXTERNAL_CHECKS_GIT> | GitHub URL of external checks to add
--enable-secret-scan-all-files | Enable secret scanning for all files
--deep-analysis | Combine the Terraform graph and the Terraform plan graph
--block-list-secret-scan <BLOCK_LIST_SECRET_SCAN> | List of files to exclude from the secret scanner
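The baseline and exit-code options above (--create-baseline, --baseline, --soft-fail, --soft-fail-on, --hard-fail-on, together with -o json) are the ones a CI pipeline lives on, and their interaction is easier to see in code than in one-line descriptions. The script below is an added example, not Checkov's own code: it reimplements that gating over a report written with `checkov -d . -o json`, so you can read exactly which findings survive a baseline and which of them break the build. The JSON report layout (results.failed_checks entries carrying check_id, check_name, file_path, file_line_range and resource) and the .checkov.baseline layout (failed_checks grouped by file, then resource, with a check_ids list) are assumptions from the Checkov versions I have used; verify them against your own output. The sample report and baseline are constructed for the example.

```python
"""Added example (not Checkov's own code): apply Checkov's baseline and fail-on
semantics to a JSON report produced with `checkov -d . -o json`.

The report and .checkov.baseline layouts used below are assumptions taken from
the Checkov versions the author has used; verify them against your own output.
"""
import json
import sys
from dataclasses import dataclass

# Constructed sample of a single-framework JSON report (only the fields used here).
SAMPLE_REPORT = {
    "check_type": "terraform",
    "results": {
        "passed_checks": [],
        "failed_checks": [
            {"check_id": "CKV_AWS_18", "check_name": "Ensure the S3 bucket has access logging enabled",
             "file_path": "/s3.tf", "file_line_range": [1, 9], "resource": "aws_s3_bucket.logs"},
            {"check_id": "CKV_AWS_145", "check_name": "Ensure that S3 buckets are encrypted with KMS by default",
             "file_path": "/s3.tf", "file_line_range": [1, 9], "resource": "aws_s3_bucket.logs"},
            {"check_id": "CKV_AWS_23", "check_name": "Ensure every security group rule has a description",
             "file_path": "/sg.tf", "file_line_range": [3, 12], "resource": "aws_security_group.web"},
        ],
        "skipped_checks": [],
        "parsing_errors": [],
    },
    "summary": {"passed": 0, "failed": 3, "skipped": 0, "parsing_errors": 0, "resource_count": 2},
}

# Constructed .checkov.baseline: one finding accepted on an earlier run.
SAMPLE_BASELINE = {
    "failed_checks": [
        {"file": "/s3.tf", "findings": [{"resource": "aws_s3_bucket.logs", "check_ids": ["CKV_AWS_18"]}]}
    ]
}


@dataclass(frozen=True)
class Finding:
    check_id: str
    check_name: str
    file_path: str
    resource: str
    line_range: tuple

    @property
    def key(self):
        # A baseline identifies a finding by file, resource and check, not by line
        # number, so edits that merely move a block do not resurface an accepted finding.
        return (self.file_path, self.resource, self.check_id)


def failed_findings(report):
    """Flatten failed_checks; Checkov emits a list of reports when several frameworks ran."""
    out = []
    for r in report if isinstance(report, list) else [report]:
        for c in r.get("results", {}).get("failed_checks", []):
            lr = c.get("file_line_range") or [0, 0]
            out.append(Finding(c["check_id"], c.get("check_name", ""), c["file_path"],
                               c["resource"], (lr[0], lr[1])))
    return out


def create_baseline(report):
    """What --create-baseline writes: failed checks grouped by file, then by resource."""
    by_file = {}
    for f in failed_findings(report):
        by_file.setdefault(f.file_path, {}).setdefault(f.resource, set()).add(f.check_id)
    return {"failed_checks": [
        {"file": path, "findings": [{"resource": res, "check_ids": sorted(ids)}
                                    for res, ids in sorted(resources.items())]}
        for path, resources in sorted(by_file.items())]}


def baseline_keys(baseline):
    return {(e["file"], f["resource"], cid)
            for e in baseline.get("failed_checks", [])
            for f in e.get("findings", [])
            for cid in f.get("check_ids", [])}


def new_findings(report, baseline=None):
    """What --baseline does: keep only failures that are absent from the baseline."""
    known = baseline_keys(baseline or {})
    return [f for f in failed_findings(report) if f.key not in known]


def decide(report, baseline=None, hard_fail_on=(), soft_fail_on=(), soft_fail=False):
    """Return (exit_code, new_findings) with Checkov's exit semantics: 0 = pass, 1 = failed checks."""
    fresh = new_findings(report, baseline)
    ids = {f.check_id for f in fresh}
    if not fresh or soft_fail:                  # --soft-fail: report, never break the build
        return 0, fresh
    if ids & set(hard_fail_on):                 # --hard-fail-on: a listed check failed
        return 1, fresh
    if soft_fail_on:                            # --soft-fail-on: pass only if every failure is listed
        return (0 if ids <= set(soft_fail_on) else 1), fresh
    return (0 if hard_fail_on else 1), fresh    # only --hard-fail-on given: other failures are soft


def _load(path, default):
    if path is None:
        return default
    with open(path, encoding="utf-8") as fh:
        return json.load(fh)


if __name__ == "__main__":
    # usage: python gate.py [results_json.json] [.checkov.baseline]; falls back to the samples
    args = sys.argv[1:]
    report = _load(args[0] if len(args) > 0 else None, SAMPLE_REPORT)
    baseline = _load(args[1] if len(args) > 1 else None, SAMPLE_BASELINE)
    code, fresh = decide(report, baseline, hard_fail_on={"CKV_AWS_145"})
    for f in fresh:
        print(f"{f.file_path}:{f.line_range[0]}-{f.line_range[1]}  {f.resource}  {f.check_id}  {f.check_name}")
    sys.exit(code)
```

Run against the samples, the baselined CKV_AWS_18 finding disappears, CKV_AWS_145 and CKV_AWS_23 are printed, and the exit code is 1 because CKV_AWS_145 is on the hard-fail list. Two points worth carrying back to the real flags: a baseline keys findings by file, resource and check ID, so renaming a resource or moving a file resurfaces its accepted findings, and --hard-fail-on on its own makes every unlisted failure soft, which is convenient for a staged rollout but means new check IDs are silently non-blocking until you add them to the list.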