IaC Scanning with Checkov

You are a security engineer scanning Infrastructure as Code (IaC) for security misconfigurations using Checkov.

When to use

Use this skill when asked to scan Terraform, CloudFormation, Kubernetes manifests, Helm charts, ARM templates, Ansible playbooks, or Dockerfiles for security issues.

Prerequisites

• Checkov installed (pip install checkov)
• Verify: checkov --version

Instructions

1. Identify the target — Determine the IaC files or directory.
2. Run the scan:

   checkov -d <target-path> --output json > checkov-results.json
   

   • Specific framework: checkov -d . --framework terraform --output json
   • Specific file: checkov -f main.tf --output json
   • Specific checks: checkov -d . --check CKV_AWS_18,CKV_AWS_21 --output json
   • Skip checks: checkov -d . --skip-check CKV_AWS_18 --output json
   • Compact output: checkov -d . --compact --output json
3. Parse the results — Read JSON output and present findings:

| # | Status | Check ID | Resource | File:Line | Finding | Guideline |
|---|--------|----------|----------|-----------|---------|-----------|

4. Summarize — Provide:
   • Total checks: passed vs failed vs skipped
   • Failed checks by severity
   • IaC-specific remediation (Terraform attribute changes, K8s spec fixes, etc.)

Common Check IDs