checkov

Checkov scans cloud infrastructure configurations to find misconfigurations before they're deployed

Options

Name
    Description

--help, -h
    Show help for checkov

--version, -v
    Show the version of checkov

--quiet
    CLI output: display only failed checks

--compact
    CLI output: do not display code blocks

--list, -l
    List checks

--no-guide
    Do not fetch Bridgecrew platform IDs and guidelines for the checkov output report. Note: this prevents Bridgecrew platform check IDs from being used anywhere in the CLI

--output-bc-ids
    Print Bridgecrew platform IDs (BC...) instead of Checkov IDs (CKV...), if the check exists in the platform

--directory, -d <command>
    IaC root directory (cannot be used together with --file)

--output, -o <command>
    Repeatable

--framework <command...>
    IaC frameworks to include checks for

--skip-framework <command...>
    IaC frameworks to exclude checks for

--add-check
    Generate a new check via CLI prompt

--file, -f <command>
    IaC file (cannot be used together with --directory)

--skip-path <command>
    Repeatable

--check, -c <command>
    Filter scan to run only on a specific check identifier (allowlist). You can specify multiple checks separated by a comma delimiter. You may also use the environment variable: CKV_CHECK

--skip-check <command>
    Filter scan to run all checks except a specific check identifier (denylist). You can specify multiple checks separated by a comma delimiter. You may also use the environment variable: CKV_SKIP_CHECK

--run-all-external-checks
    Run all external checks (loaded via --external-checks options) even if the checks are not present in the --check list. This allows you to always ensure that new checks present in the external source are used. If an external check is included in --skip-check, it will still be skipped

--external-checks-dir <command>
    Repeatable

--bc-api-key <command>
    Bridgecrew API key. You may also use the environment variable: BC_API_KEY

--docker-image <command>
    Scan docker images by name or ID. Only works with the --bc-api-key flag

--dockerfile-path <command>
    Path to the Dockerfile of the scanned docker image

--repo-id <command>
    Identity string of the repository, of the form <repo_owner>/<repo_name>

--branch, -b <command>
    Selected branch of the persisted repository. Only has an effect when using the --bc-api-key flag

--skip-fixes
    Do not download fixed resource templates from Bridgecrew. Only has an effect when using the --bc-api-key flag

--skip-suppressions
    Do not download preconfigured suppressions from the Bridgecrew platform. Code comment suppressions will still be honored. Only has an effect when using the --bc-api-key flag

--skip-policy-download
    Do not download custom policies configured in the Bridgecrew platform. Only has an effect when using the --bc-api-key flag

--download-external-modules <command>
    Download external terraform modules from public git repositories and the terraform registry. You may also use the environment variable: DOWNLOAD_EXTERNAL_MODULES

--var-file <command>
    Variable files to load in addition to the default files (see https://www.terraform.io/docs/language/values/variables.html#variable-definitions-tfvars-files). Currently only supported for source Terraform (.tf file) and Helm chart scans. Requires using --directory, NOT --file

--external-modules-download-path <command>
    Set the path for downloading external terraform modules. You may also use the environment variable: EXTERNAL_MODULES_DIR

--evaluate-variables <command>
    Evaluate the values of variables and locals

--ca-certificate, -ca <command>
    Custom CA (bundle) file. You may also use the environment variable: CA_CERTIFICATE

--repo-root-for-plan-enrichment <command>
    Directory containing the hcl code used to generate a given plan file. Use with -f FILE

--config-file <command>
    Path to the Checkov configuration YAML file

--create-config <command>
    Takes the current command line args and writes them out to a config file at the given path

--show-config
    Prints all arguments and config settings and where they came from (e.g. command line, config file, environment variable or default)

--create-baseline
    Save all current results to a '.checkov.baseline' file so future runs will only flag new findings. Works only with the --directory flag

--baseline <command>
    Use a '.checkov.baseline' file to compare current results with a known baseline. The report will include only failed checks that are new with respect to the provided baseline. See --create-baseline

--soft-fail, -s
    Runs checks but suppresses the error code

--soft-fail-on <command>
    Exits with a 0 exit code for specified checks. You can specify multiple checks separated by a comma delimiter

--hard-fail-on <command>
    Exits with a non-zero exit code for specified checks. You can specify multiple checks separated by a comma delimiter

--min-cve-severity <command>
    Set the minimum severity to return a non-zero exit code

--skip-cve-package <command>
    Repeatable