checkov
Checkov scans cloud infrastructure configurations to find misconfigurations before they're deployed
Options
| Name | Description |
|---|---|
--help, -h | Show help for checkov |
--version, -v | Show the version of checkov |
--quiet | CLI output, display only failed checks |
--compact | CLI output, do not display code blocks |
--list, -l | List checks |
--no-guide | Do not fetch Bridgecrew platform IDs and guidelines for the checkov output report. Note: this prevents Bridgecrew platform check IDs from being used anywhere in the CLI |
--output-bc-ids | Print Bridgecrew platform IDs (BC...) instead of Checkov IDs (CKV...), if the check exists in the platform |
--directory, -d <Directory> | IaC root directory (can not be used together with --file) |
--output, -o <FORMAT> |
|
--framework <FRAMEWORKS...> | IaC frameworks to include checks for |
--skip-framework <FRAMEWORKS...> | IaC frameworks to exclude checks for |
--add-check | Generate a new check via CLI prompt |
--file, -f <FILE> | IaC file(can not be used together with --directory) |
--skip-path <SKIP_PATH> |
|
--check, -c <CHECKS> | Filter scan to run only on a specific check identifier (allowlist). You can specify multiple checks separated by comma delimiter. You may also use the environment variable: CKV_CHECK |
--skip-check <CHECKS> | Filter scan to run all check except a specific check identifier (denylist). You can specify multiple checks separated by comma delimiter. You may also use the environment variable: CKV_SKIP_CHECK |
--run-all-external-checks | Run all external checks (loaded via --external-checks options) even if the checks are not present in the --check list. This allows you to always ensure that new checks present in the external source are used. If an external check is included in --skip-check, it will still be skipped |
--external-checks-dir <EXTERNAL_CHECKS_DIR> |
|
--bc-api-key <BC_API_KEY> | Bridgecrew API key. You may also use the environment variable: BC_API_KEY |
--docker-image <DOCKER_IMAGE> | Scan docker images by name or ID. Only works with --bc-api-key flag |
--dockerfile-path <DOCKERFILE_PATH> | Path to the Dockerfile of the scanned docker image |
--repo-id <REPO_ID> | Identity string of the repository, with form <repo_owner>/<repo_name> |
--branch, -b <BRANCH> | Selected branch of the persisted repository. Only has effect when using the --bc-api-key flag |
--skip-fixes | Do not download fixed resource templates from Bridgecrew. Only has an effect when using the --bc-api-key flag |
--skip-suppressions | Do not download preconfigured suppressions from the Bridgecrew platform. Code comment suppressions will still be honored. Only has an effect when using the --bc-api-key flag |
--skip-policy-download | Do not download custom policies configured in the Bridgecrew platform. Only has an effect when using the --bc-api-key flag |
--download-external-modules <DOWNLOAD_EXTERNAL_MODULES> | Download external terraform modules from public git repositories and terraform registry. You may also use the environment variable: DOWNLOAD_EXTERNAL_MODULES] |
--var-file <VAR_FILE> | Variable files to load in addition to the default files (see https://www.terraform.io/docs/language/values/variables.html#variable-definitions-tfvars-files). Currently only supported for source Terraform (.tf file), and Helm chart scans. Requires using --directory, NOT --file |
--external-modules-download-path <EXTERNAL_MODULES_DIR> | Set the path for the download external terraform modules. You may also use the environment variable: EXTERNAL_MODULES_DIR |
--evaluate-variables <EVALUATE_VARIABLES> | Evaluate the values of variables and locals |
--ca-certificate, -ca <CA_CERTIFICATE> | Custom CA (bundle) fila. You may also use the environment variablee: CA_CERTIFICATE |
--repo-root-for-plan-enrichment <REPO_ROOT_FOR_PLAN_ENRICHMENT> | Directory containing the hcl code used to generate a given plan file. Use with -f FILE |
--config-file <CONFIG_FILE> | Path to the Checkov configuration YAML file |
--create-config <CONFIG_FILE> | Takes the current command line args and writes them out to a config file at the given path |
--show-config | Prints all arguments and config settings and where they came from (eg. commandline, config file, environment variable or default) |
--create-baseline | Save all current results to a '.checkov.baseline' file so future runs will only flag new findings. Works only with `--directory` flag |
--baseline <BASELINE> | Use a '.checkov.baseline' file to compare current results with a known baseline. Report will include only failed checks that are newwith respect to the provided baseline. See --create-baseline |
--soft-fail, -s | Runs checks but suppresses the error code |
--soft-fail-on <CHECKS> | Exits with a 0 exit code for specified checks. You can specify multiple checks separated by comma delimiter |
--hard-fail-on <CHECKS> | Exits with a non-zero exit code for specified checks. You can specify multiple checks separated by comma delimiter |
--min-cve-severity <MIN_SEVERITY> | Set minimum severity to return a non-zero exit code |
--skip-cve-package <SKIP_CVE_PACKAGE> |
|
--use-enforcement-rules <USE_ENFORCEMENT_RULES> | Use the Enforcement rules configured in the platform for hard / soft fail logic |
--support <SUPPORT> | Enable debug logs and upload the logs to the server |
--summary-position <SUMMARY_POSITION> | Chose whether the summary will be appended on top or on bottom |
--skip-resources-without-violations <SKIP_RESOURCES_WITHOUT_VIOLATIONS> | Exclude extra resources (resources without violations) |
--skip-download <SKIP_DOWNLOAD> | Do not download any data from Prisma Cloud |
--secrets-history-timeout <SECRETS_HISTORY_TIMEOUT> | Maximum time to run the history scan |
--scan-secrets-history <SCAN_SECRETS_HISTORY> | Will scan the history of commits for secrets |
--prisma-api-url <PRISMA_API_URL> | The Prisma Cloud API URL |
--policy-metadata-filter <POLICY_METADATA_FILTER> | Comma separated key:value string to filter policies based on Prisma Cloud policy metadata |
--output-file-path <OUTPUT_FILE_PATH> | Name of the output folder to save the chosen output formats |
--output-baseline-as-skipped <OUTPUT_BASELINE_AS_SKIPPED> | Output checks that are skipped due to baseline file presence |
--openai-api-key <OPENAI_API_KEY> | Add an OpenAI API key to enhance finding guidelines. This will send Code to OpenAI |
--no-fail-on-crash <NO_FAIL_ON_CRASH> | Return exit code 0 instead of 2 |
--mask <MASK> | Each entry in the list will be used for masking the desired attribute |
--include-all-checkov-policies <INCLUDE_ALL_CHECKOV_POLICIES> | When running with an API key, Checkov will omit any policies that do not exist in the Bridgecrew or Prisma Cloud platform |
--external-checks-git <EXTERNAL_CHECKS_GIT> | GitHub URL of external checks to be added |
--enable-secret-scan-all-files <ENABLE_SECRET_SCAN_ALL_FILES> | Enable secret scan for all files |
--deep-analysis <DEEP_ANALYSIS> | Enable combine TF graph and TF Plan graph |
--block-list-secret-scan <BLOCK_LIST_SECRET_SCAN> | List of files to filter out from the secret scanner |