Running it as a program
Policy, exceptions, metrics.
Beyond the CLI, running IaC scanning as a program means the organizational scaffolding: a central, versioned policy set (built-in checks plus your custom pack) distributed to every repo, a documented exception process (how a suppression gets approved, by whom, with an expiry), and metrics that show whether posture is improving. The tool is easy; making it stick across many teams without becoming shelf-ware is the real work.
Exceptions, ownership, and metrics
Three practices keep it healthy. Exceptions are tracked, justified, and time-boxed — an accepted risk gets a ticket and a review date, not a silent forever-skip. Ownership is clear — findings route to the team that owns the resource, not a central queue nobody drains. And metrics are visible — findings by severity over time, baseline burn-down, mean time to remediate — so leadership can see the program working and teams get credit for improving. Without these, scanning decays into ignored noise.
# distribute one org policy pack + custom checks to every repo’s CI$ checkov -d . --external-checks-dir ./org-policies --config-file .checkov.yaml# .checkov.yaml pins the frameworks, severities to gate, and the baseline centrally