checkov
Checkov scans cloud infrastructure configurations to find misconfigurations before they're deployed
Options
| Name | Description |
|---|---|
--help,-h | Show help for checkov |
--version,-v | Show the version of checkov |
--quiet | CLI output, display only failed checks |
--compact | CLI output, do not display code blocks |
--list,-l | List checks |
--no-guide | Do not fetch Bridgecrew platform IDs and guidelines for the checkov output report. Note: this prevents Bridgecrew platform check IDs from being used anywhere in the CLI |
--output-bc-ids | Print Bridgecrew platform IDs (BC...) instead of Checkov IDs (CKV...), if the check exists in the platform |
--directory,-d <command> | IaC root directory (can not be used together with --file) |
--output,-o <command> |
|
--framework <command...> | IaC frameworks to include checks for |
--skip-framework <command...> | IaC frameworks to exclude checks for |
--add-check | Generate a new check via CLI prompt |
--file,-f <command> | IaC file(can not be used together with --directory) |
--skip-path <command> |
|
--check,-c <command> | Filter scan to run only on a specific check identifier (allowlist). You can specify multiple checks separated by comma delimiter. You may also use the environment variable: CKV_CHECK |
--skip-check <command> | Filter scan to run all check except a specific check identifier (denylist). You can specify multiple checks separated by comma delimiter. You may also use the environment variable: CKV_SKIP_CHECK |
--run-all-external-checks | Run all external checks (loaded via --external-checks options) even if the checks are not present in the --check list. This allows you to always ensure that new checks present in the external source are used. If an external check is included in --skip-check, it will still be skipped |
--external-checks-dir <command> |
|
--bc-api-key <command> | Bridgecrew API key. You may also use the environment variable: BC_API_KEY |
--docker-image <command> | Scan docker images by name or ID. Only works with --bc-api-key flag |
--dockerfile-path <command> | Path to the Dockerfile of the scanned docker image |
--repo-id <command> | Identity string of the repository, with form <repo_owner>/<repo_name> |
--branch,-b <command> | Selected branch of the persisted repository. Only has effect when using the --bc-api-key flag |
--skip-fixes | Do not download fixed resource templates from Bridgecrew. Only has an effect when using the --bc-api-key flag |
--skip-suppressions | Do not download preconfigured suppressions from the Bridgecrew platform. Code comment suppressions will still be honored. Only has an effect when using the --bc-api-key flag |
--skip-policy-download | Do not download custom policies configured in the Bridgecrew platform. Only has an effect when using the --bc-api-key flag |
--download-external-modules <command> | Download external terraform modules from public git repositories and terraform registry. You may also use the environment variable: DOWNLOAD_EXTERNAL_MODULES] |
--var-file <command> | Variable files to load in addition to the default files (see https://www.terraform.io/docs/language/values/variables.html#variable-definitions-tfvars-files). Currently only supported for source Terraform (.tf file), and Helm chart scans. Requires using --directory, NOT --file |
--external-modules-download-path <command> | Set the path for the download external terraform modules. You may also use the environment variable: EXTERNAL_MODULES_DIR |
--evaluate-variables <command> | Evaluate the values of variables and locals |
--ca-certificate,-ca <command> | Custom CA (bundle) fila. You may also use the environment variablee: CA_CERTIFICATE |
--repo-root-for-plan-enrichment <command> | Directory containing the hcl code used to generate a given plan file. Use with -f FILE |
--config-file <command> | Path to the Checkov configuration YAML file |
--create-config <command> | Takes the current command line args and writes them out to a config file at the given path |
--show-config | Prints all arguments and config settings and where they came from (eg. commandline, config file, environment variable or default) |
--create-baseline | Save all current results to a '.checkov.baseline' file so future runs will only flag new findings. Works only with `--directory` flag |
--baseline <command> | Use a '.checkov.baseline' file to compare current results with a known baseline. Report will include only failed checks that are newwith respect to the provided baseline. See --create-baseline |
--soft-fail,-s | Runs checks but suppresses the error code |
--soft-fail-on <command> | Exits with a 0 exit code for specified checks. You can specify multiple checks separated by comma delimiter |
--hard-fail-on <command> | Exits with a non-zero exit code for specified checks. You can specify multiple checks separated by comma delimiter |
--min-cve-severity <command> | Set minimum severity to return a non-zero exit code |
--skip-cve-package <command> |
|