checkov
Checkov scans cloud infrastructure configurations to find misconfigurations before they're deployed
Options
| Name | Description |
|---|---|
--help, -h | Show help for checkov |
--version, -v | Show the version of checkov |
--quiet | CLI output, display only failed checks |
--compact | CLI output, do not display code blocks |
--list, -l | List checks |
--no-guide | Do not fetch Bridgecrew platform IDs and guidelines for the checkov output report. Note: this prevents Bridgecrew platform check IDs from being used anywhere in the CLI |
--output-bc-ids | Print Bridgecrew platform IDs (BC...) instead of Checkov IDs (CKV...), if the check exists in the platform |
--directory, -d <Directory> | IaC root directory (can not be used together with --file) |
--output, -o <FORMAT> |
|
--framework <FRAMEWORKS...> | IaC frameworks to include checks for |
--skip-framework <FRAMEWORKS...> | IaC frameworks to exclude checks for |
--add-check | Generate a new check via CLI prompt |
--file, -f <FILE> | IaC file(can not be used together with --directory) |
--skip-path <SKIP_PATH> |
|
--check, -c <CHECKS> | Filter scan to run only on a specific check identifier (allowlist). You can specify multiple checks separated by comma delimiter. You may also use the environment variable: CKV_CHECK |
--skip-check <CHECKS> | Filter scan to run all check except a specific check identifier (denylist). You can specify multiple checks separated by comma delimiter. You may also use the environment variable: CKV_SKIP_CHECK |
--run-all-external-checks | Run all external checks (loaded via --external-checks options) even if the checks are not present in the --check list. This allows you to always ensure that new checks present in the external source are used. If an external check is included in --skip-check, it will still be skipped |
--external-checks-dir <EXTERNAL_CHECKS_DIR> |
|
--bc-api-key <BC_API_KEY> | Bridgecrew API key. You may also use the environment variable: BC_API_KEY |
--docker-image <DOCKER_IMAGE> | Scan docker images by name or ID. Only works with --bc-api-key flag |
--dockerfile-path <DOCKERFILE_PATH> | Path to the Dockerfile of the scanned docker image |
--repo-id <REPO_ID> | Identity string of the repository, with form <repo_owner>/<repo_name> |
--branch, -b <BRANCH> | Selected branch of the persisted repository. Only has effect when using the --bc-api-key flag |
--skip-fixes | Do not download fixed resource templates from Bridgecrew. Only has an effect when using the --bc-api-key flag |
--skip-suppressions | Do not download preconfigured suppressions from the Bridgecrew platform. Code comment suppressions will still be honored. Only has an effect when using the --bc-api-key flag |
--skip-policy-download | Do not download custom policies configured in the Bridgecrew platform. Only has an effect when using the --bc-api-key flag |
--download-external-modules <DOWNLOAD_EXTERNAL_MODULES> | Download external terraform modules from public git repositories and terraform registry. You may also use the environment variable: DOWNLOAD_EXTERNAL_MODULES] |
--var-file <VAR_FILE> | Variable files to load in addition to the default files (see https://www.terraform.io/docs/language/values/variables.html#variable-definitions-tfvars-files). Currently only supported for source Terraform (.tf file), and Helm chart scans. Requires using --directory, NOT --file |
--external-modules-download-path <EXTERNAL_MODULES_DIR> | Set the path for the download external terraform modules. You may also use the environment variable: EXTERNAL_MODULES_DIR |
--evaluate-variables <EVALUATE_VARIABLES> | Evaluate the values of variables and locals |
--ca-certificate, -ca <CA_CERTIFICATE> | Custom CA (bundle) fila. You may also use the environment variablee: CA_CERTIFICATE |
--repo-root-for-plan-enrichment <REPO_ROOT_FOR_PLAN_ENRICHMENT> | Directory containing the hcl code used to generate a given plan file. Use with -f FILE |
--config-file <CONFIG_FILE> | Path to the Checkov configuration YAML file |
--create-config <CONFIG_FILE> | Takes the current command line args and writes them out to a config file at the given path |
--show-config | Prints all arguments and config settings and where they came from (eg. commandline, config file, environment variable or default) |
--create-baseline | Save all current results to a '.checkov.baseline' file so future runs will only flag new findings. Works only with `--directory` flag |
--baseline <BASELINE> | Use a '.checkov.baseline' file to compare current results with a known baseline. Report will include only failed checks that are newwith respect to the provided baseline. See --create-baseline |
--soft-fail, -s | Runs checks but suppresses the error code |
--soft-fail-on <CHECKS> | Exits with a 0 exit code for specified checks. You can specify multiple checks separated by comma delimiter |
--hard-fail-on <CHECKS> | Exits with a non-zero exit code for specified checks. You can specify multiple checks separated by comma delimiter |
--min-cve-severity <MIN_SEVERITY> | Set minimum severity to return a non-zero exit code |
--skip-cve-package <SKIP_CVE_PACKAGE> |
|