Frameworks: Terraform, k8s, more
One tool, many IaC types.
A major strength of Checkov is breadth: one tool scans Terraform (and Terraform plan), CloudFormation, Kubernetes manifests, Helm, Kustomize, Dockerfiles, Serverless, ARM/Bicep, and more, plus secrets detection. Each framework has its own check namespace (CKV_AWS_*, CKV_K8S_*, CKV_DOCKER_*), and Checkov auto-detects what is present. This means consistent security coverage across your whole IaC stack from a single tool and a single CI step.
$ checkov -d . --framework terraform,kubernetes,dockerfile$ checkov -f DockerfileCheck: CKV_DOCKER_2: "Ensure that HEALTHCHECK instructions have been added"Check: CKV_DOCKER_3: "Ensure that a user for the container has been created"FAILED — the image runs as root
One policy vocabulary across the stack
Because the same tool covers Terraform and Kubernetes and Dockerfiles, a rule like “encryption must be on” or “no root containers” is enforced consistently wherever it applies, and your team learns one findings format. You can scan selectively with --framework when a repo mixes types, or let auto-detection handle it. For Kubernetes and Helm specifically, Checkov can render and scan the effective manifests, catching issues in the deployed result.