Security scanner CLI for Terraform, Kubernetes, Dockerfiles, CI configs, and other infrastructure-as-code files.
$ pip install checkov
Agent Compatibility
JSON Output
Agent Skill
MCP Support
AI Analysis
Checkov is a security scanning CLI for infrastructure-as-code and adjacent delivery config such as CI pipelines, Dockerfiles, and Kubernetes manifests. It scans repos, directories, files, or Terraform plan JSON to flag misconfigurations, secrets, and policy violations before deploy.
What It Enables
- Scan Terraform, CloudFormation, Kubernetes, Helm, Dockerfiles, GitHub Actions, GitLab CI, and other supported config files from a file, directory, or plan export.
- Emit JSON, SARIF, JUnit XML, CycloneDX, CSV, or console reports for CI gates, code-scanning uploads, and follow-up parsing.
- Tune or extend policy coverage with framework filters, skip or allow lists, baselines, custom policies, and external check packs from trusted local or Git sources.
Agent Fit
- Non-interactive scan commands, real JSON output, and explicit pass or fail controls via --soft-fail, --soft-fail-on, and --hard-fail-on work well in automation.
- It fits inspect-edit-rerun loops cleanly: an agent can scope by file or framework, parse findings, change IaC, then rerun the same command for verification.
- Fit is weaker for some SCA and Prisma Cloud workflows because package or image scanning and platform metadata features can require API keys and network access.
Caveats
- Scanning every framework in a large repo can be noisy or slow, so unattended use usually needs --framework, --check, or skip filters.
- External checks loaded from directories or Git repositories can execute Python code, so only trusted policy sources are safe.