Install & first scan

checkov -d and reading results.

Intermediate10 min · lesson 2 of 12

Checkov installs as a Python package (or runs as a container/pre-commit hook). The core usage is checkov -d <dir> to scan a directory, or -f <file> for one file; it auto-detects the IaC frameworks present and runs the matching policies. The output lists each check by ID, whether it passed or failed, the resource and file/line, and a link to a remediation guide.

terminal
$ pip install checkov
$ checkov -d .
Passed checks: 41, Failed checks: 3, Skipped checks: 0
Check: CKV_AWS_18: "Ensure the S3 bucket has access logging enabled"
FAILED for resource: aws_s3_bucket.logs
File: /main.tf:12-18
Guide: https://docs.../CKV_AWS_18

Output formats and exit codes

Checkov exits non-zero when a check fails, which is what makes it a CI gate. It emits multiple formats — CLI (human), JSON (machine), SARIF (for GitHub code scanning), JUnit (for test dashboards) — so you can render results wherever your team looks. --compact trims output; --quiet shows only failures. Choosing SARIF, for example, surfaces findings directly in a pull request’s Security tab.

terminal
$ checkov -d . -o sarif --output-file-path results # for GitHub code scanning
$ checkov -d . --compact --quiet # only failures, terse
$ echo $?
1 # non-zero because checks failed -> CI job fails
Scan what actually gets deployed
Checkov scans the files you point it at, so a scan scoped to the wrong directory (missing a module, skipping the overlay that adds the risky setting) gives false confidence. Point it at the real root of your IaC, include modules and generated/rendered output where relevant, and — for Terraform — also scan the plan (later lesson) so values resolved from variables and modules are covered.