Checkov

github.com

About this website

Checkov is a static code analysis tool for infrastructure-as-code (IaC), developed by Prisma Cloud (formerly Bridgecrew, acquired by Palo Alto Networks). Written in Python with over 7,400 stars as of 2026, Checkov scans Terraform, CloudFormation, Kubernetes, ARM Templates, Serverless Framework, Helm Charts, Dockerfiles, and OpenAPI specifications for security misconfigurations and compliance violations before they reach production.

The tool ships with over 1,000 built-in policies organized by cloud provider (AWS, Azure, GCP, Alibaba Cloud, OCI) and framework, covering security best practices from CIS Benchmarks, PCI DSS, HIPAA, SOC 2, NIST 800-53, ISO 27001, and custom organizational standards.

Key features include multi-framework scanning (Terraform .tf files, Terraform Plan JSON, AWS CloudFormation YAML/JSON, Kubernetes YAML manifests, Helm charts, Dockerfile, ARM templates, Bicep, Serverless Framework, OpenAPI/Swagger, and Argo Workflows) and policy categories covering resource encryption (ensuring S3, EBS, RDS, and other resources have encryption enabled), network security (security group rules, public IP exposure, VPC flow logs), IAM (overly permissive policies, wildcard permissions, root account usage), logging and monitoring (CloudTrail, CloudWatch, audit log configuration), and compliance mapping (each check is tagged with relevant compliance framework controls).

Checkov supports custom policies written in Python (via the Runner class) or YAML (using a declarative format with CEL or Rego expressions), enabling organization-specific security rules.

Additional features include output formats (CLI, JSON, JUnit XML, SARIF, GitHub PR comments), suppression of false positives via inline comments (# checkov:skip=CKV_AWS_20), baseline comparison for tracking new issues, external checks from Git repositories, scan graphs (building a resource dependency graph for multi-resource policy evaluation), and CI/CD integration with GitHub Actions, GitLab CI, and Jenkins.
