BlogIaC
Scanning Terraform with Checkov before you apply
Catch public buckets and open security groups in the plan — in CI, with suppressions that expire and a clean baseline.
Checkov reads your Terraform (and CloudFormation, Kubernetes, Dockerfiles) and flags misconfigurations against hundreds of built-in policies — public S3 buckets, unencrypted volumes, wide-open security groups. The value is running it in CI so the finding lands in the plan, not in prod.
checkov -d .FAILED CKV_AWS_20 S3 Bucket has an ACL defined which allows public accessFAILED CKV_AWS_23 Security group rule has no descriptionPassed checks: 48, Failed checks: 2, Skipped: 0Wire it into the pipeline
.gitlab-ci.yml
iac_scan:stage: testimage: bridgecrew/checkov:latestscript:- checkov -d . --compact --quietallow_failure: false
Suppress with an expiry, not forever
Real code needs exceptions. Skip a check inline with a reason — and put a date in it so review picks it up again.
main.tf
resource "aws_s3_bucket" "logs" {#checkov:skip=CKV_AWS_18:access logging N/A for this log sink (review 2026-09)bucket = "acme-app-logs"}
Blanket skips rot
A --skip-check list in CI config is invisible to reviewers. Prefer inline skips with a justification so every exception is in the diff.
Adopt on a legacy repo with a baseline
checkov -d . --create-baselineCreated .checkov.baselinecheckov -d . --baseline .checkov.baselinenow only NEW misconfigurations fail the build