// the find

bridgecrewio/checkov

★ 8,790 · Python · Apache-2.0 · updated Jun 2026

Prevent cloud misconfigurations and find vulnerabilities during build-time in infrastructure as code, container images and open source packages with Checkov by Bridgecrew.

Checkov is a static analysis tool that scans IaC files (Terraform, CloudFormation, Kubernetes, Dockerfile, and a dozen others) for security misconfigurations before they reach production. It also does SCA scanning for CVEs in container images and open source packages. It's the right tool if you want shift-left security checks in CI without standing up a separate service.

1000+ built-in policies covering AWS, Azure, and GCP mean you get real coverage out of the box without writing rules yourself. Graph-based scanning for Terraform lets it reason about resource relationships rather than checking individual attribute values in isolation, so it catches findings like "this security group allows 0.0.0.0/0 and is attached to a public-facing resource". In-line suppression via code comments keeps false-positive management in the same file as the resource, so suppressions are visible in review. Output formats include SARIF and JUnit XML, so it drops into GitHub Actions, Jenkins, and most CI systems without custom glue code.
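As an added illustration of the suppression and scanning points above (a constructed Terraform file, not code from the Checkov project or this page), the same security-group rule in its flagged form, its fixed form, and as a documented exception; `var.vpc_id` and the VPN CIDR are assumed values, and CKV_AWS_24 is Checkov's check for security groups that allow ingress from 0.0.0.0/0 to port 22:

```hcl
# Added example (constructed; not from the Checkov project or this page).
# Shows what a reviewer sees in the diff for each way of handling the same finding.

# Weak: SSH open to the whole internet. Checkov reports this on every scan.
resource "aws_security_group" "admin_open" {
  name   = "admin-open"
  vpc_id = var.vpc_id   # assumed variable, declared elsewhere in the module

  ingress {
    from_port   = 22
    to_port     = 22
    protocol    = "tcp"
    cidr_blocks = ["0.0.0.0/0"]
  }
}

# Fixed: ingress restricted to the VPN egress range, so the check passes
# with no suppression at all.
resource "aws_security_group" "admin_vpn_only" {
  name   = "admin-vpn-only"
  vpc_id = var.vpc_id

  ingress {
    from_port   = 22
    to_port     = 22
    protocol    = "tcp"
    cidr_blocks = ["203.0.113.0/24"]   # TEST-NET-3, placeholder for the real VPN range
  }
}

# Deliberate exception: the in-line skip lives inside the resource block with a
# reason, so the exception and its justification appear in the same diff a
# reviewer reads, instead of in a separate CLI skip list.
resource "aws_security_group" "bastion" {
  #checkov:skip=CKV_AWS_24:Bastion host; key-only auth, monitored, reviewed quarterly
  name   = "bastion"
  vpc_id = var.vpc_id

  ingress {
    from_port   = 22
    to_port     = 22
    protocol    = "tcp"
    cidr_blocks = ["0.0.0.0/0"]
  }
}
```

Running `checkov -d . -o sarif` over a directory containing this file reports the first resource as failed, the second as passed, and the third as skipped with the reason carried into the SARIF output.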

Severity-based filtering requires a Prisma Cloud API key; if you're self-hosting without that subscription, you can only filter by check ID, which means maintaining a growing skip list by hand. The graph scanning is genuinely useful, but graph construction adds noticeable scan time on large Terraform codebases; on repos with thousands of resources you'll feel it. Maintained by Prisma Cloud (Palo Alto), which means the roadmap is driven by enterprise selling priorities rather than community needs: checks for Prisma-adjacent services tend to appear faster than fixes for the coverage gaps users actually report. Python 3.13 is now in the support matrix, but Python 3.9 reaches EOL in October 2025 and they haven't dropped it yet, which signals that the deprecation policy lags behind upstream Python.

