gitmyhub

checkov

Python ★ 8.8k updated 6d ago

Prevent cloud misconfigurations and find vulnerabilities during build-time in infrastructure as code, container images and open source packages with Checkov by Bridgecrew.

Open-source security scanner that reads your infrastructure-as-code files (Terraform, Kubernetes, Docker, CloudFormation) before deployment and flags misconfigurations and leaked secrets.

Tags: Python, Terraform, Kubernetes, Docker, CloudFormation, Helm. Setup: easy. Complexity: 2/5.

Checkov is a static analysis tool for infrastructure as code: it reads your configuration files before anything is deployed and flags settings that would expose the resulting cloud environment to risk. Instead of discovering problems in a running environment or after an incident, it catches them at the point where the infrastructure code is written and reviewed. It originated at Bridgecrew and is now maintained by Palo Alto Networks as part of Prisma Cloud; the scanner itself is free and open source under the Apache 2.0 license.

The tool understands a wide range of formats used to describe cloud resources. It can scan Terraform files (including plan output), CloudFormation templates, Kubernetes manifests, Helm charts, Dockerfiles, Ansible playbooks, and CI/CD pipeline definitions from GitHub Actions, GitLab, Bitbucket, and others. It ships with over 1,000 built-in policies, each with a stable check ID, covering common security and compliance requirements for AWS, Azure, and Google Cloud, and you can add your own checks in Python or YAML. For example, it can detect an S3 bucket whose ACL grants public read access, a database with encryption at rest disabled, or a container running with more privileges than it needs.

Beyond configuration checks, Checkov can also scan open-source package manifests and container images for known vulnerabilities, a process called software composition analysis (SCA). Note that the vulnerability data for SCA comes from Prisma Cloud, so package and image scanning requires an API key, whereas the configuration checks run entirely offline. It also detects secrets such as cloud API keys or passwords that were accidentally committed in configuration files, using pattern and entropy based detection that likewise needs no network access.

You install it with pip3 install checkov or brew install checkov, then point it at a folder: checkov -d /path/to/code. Results appear in the terminal and can also be exported as JSON, CSV, SARIF (for upload to GitHub code scanning), or JUnit XML for CI systems; the process exits non-zero when any check fails, so a pipeline step that runs it breaks the build by default. Individual findings can be suppressed with an inline comment that names the check ID and records the justification, so the tool fits into automated pipelines without generating noise on known, documented exceptions.
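The following Terraform snippet is an added, constructed example (not code from the Checkov project or this page) showing the kind of S3 misconfiguration the built-in policies flag, the corrected configuration beside it, and the inline suppression syntax described above. The check IDs in the comments are Checkov's own IDs for these policies, but the exact set of checks that fires depends on the Checkov and AWS provider versions you run; the bucket names are placeholders.

```hcl
# Constructed example for illustration; not part of the Checkov project.

# BEFORE: a bucket with a public-read ACL and nothing else configured.
# Checkov reports several failed checks here, for instance CKV_AWS_20
# (ACL allows public READ) and CKV_AWS_21 (versioning not enabled).
resource "aws_s3_bucket" "reports_insecure" {
  bucket = "example-reports-insecure"
  acl    = "public-read"
}

# AFTER: the same bucket with a private ACL, versioning, server-side
# encryption and a public access block, each as its own resource.
resource "aws_s3_bucket" "reports" {
  bucket = "example-reports"

  # Inline suppression: checkov:skip=<check ID>:<justification>.
  # Checkov lists this as "skipped" rather than "failed", so CI does not
  # break on it, and the justification is kept next to the resource.
  #checkov:skip=CKV_AWS_18:Access logging is covered by CloudTrail data events for this bucket
}

resource "aws_s3_bucket_acl" "reports" {
  bucket = aws_s3_bucket.reports.id
  acl    = "private"
}

resource "aws_s3_bucket_versioning" "reports" {
  bucket = aws_s3_bucket.reports.id
  versioning_configuration {
    status = "Enabled"
  }
}

resource "aws_s3_bucket_server_side_encryption_configuration" "reports" {
  bucket = aws_s3_bucket.reports.id
  rule {
    apply_server_side_encryption_by_default {
      sse_algorithm = "aws:kms"
    }
  }
}

resource "aws_s3_bucket_public_access_block" "reports" {
  bucket                  = aws_s3_bucket.reports.id
  block_public_acls       = true
  block_public_policy     = true
  ignore_public_acls      = true
  restrict_public_buckets = true
}
```

Save this as main.tf and run checkov -d . --framework terraform to see the insecure bucket fail, the suppressed check listed as skipped, and any remaining lower-priority findings (for example cross-region replication or lifecycle rules) that you either fix or suppress the same way. The same suppression can be applied globally with --skip-check CKV_AWS_18 on the command line, but the inline form keeps the accepted-risk decision in the code where reviewers will see it.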

Where it fits