Checkov is a static code analysis tool for infrastructure-as-code (IaC) that scans cloud infrastructure provisioned using Terraform, CloudFormation, Kubernetes, Helm, ARM Templates and Serverless framework.
Installation
Using pip
pip install checkov
Using Homebrew
brew install checkov
Using Docker
docker pull bridgecrew/checkov
Basic Usage
Scan a Directory
checkov -d /path/to/terraform/code
Scan a Specific File
checkov -f /path/to/terraform/file.tf
Output Formats
# Output as JSON
checkov -d . --output json
# Output as JUnit XML
checkov -d . --output junitxml
# Output as SARIF
checkov -d . --output sarif
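The JSON report is the format most CI pipelines consume. The gate below is an added example, not part of Checkov or this page: it reads a Checkov JSON report (a constructed, trimmed sample is embedded; check names and paths in it are illustrative), blocks on any failed check that is not on an explicit accepted-risk list keyed by (check_id, resource), and also blocks when Checkov reported parsing errors, because a file that could not be parsed was never scanned and would otherwise pass silently.

```python
import json

# Constructed sample of a Checkov JSON report (checkov -d . --output json),
# cut down to the fields this gate reads; not output from a real scan.
SAMPLE_REPORT = json.dumps({
    "check_type": "terraform",
    "results": {
        "passed_checks": [{"check_id": "CKV_AWS_8", "resource": "aws_instance.web", "file_path": "/main.tf"}],
        "failed_checks": [
            {"check_id": "CKV_AWS_79", "check_name": "Ensure Instance Metadata Service Version 1 is not enabled",
             "resource": "aws_instance.web", "file_path": "/main.tf", "file_line_range": [1, 20]},
            {"check_id": "CKV_CUSTOM_1", "check_name": "Ensure custom tag exists",
             "resource": "aws_instance.web", "file_path": "/main.tf", "file_line_range": [1, 20]}],
        "skipped_checks": [],
        "parsing_errors": ["/broken.tf"]},
    "summary": {"passed": 1, "failed": 2, "skipped": 0, "parsing_errors": 1, "resource_count": 1}})


def failed_checks(report_text):
    """Collect failed checks and parse errors from a Checkov JSON report.

    Checkov writes one object per framework, or a JSON list when the scan
    covered several frameworks (Terraform plus Kubernetes, say); handle both."""
    data = json.loads(report_text)
    reports = data if isinstance(data, list) else [data]
    failed, parse_errors = [], []
    for rep in reports:
        results = rep.get("results", {})
        failed.extend(results.get("failed_checks", []))
        parse_errors.extend(results.get("parsing_errors", []))
    return failed, parse_errors


def gate(report_text, accepted_risks=frozenset()):
    """Return (exit_code, messages) for a CI step.

    accepted_risks holds (check_id, resource) pairs that were reviewed and
    signed off; any other failed check blocks the build. Files Checkov could
    not parse were never scanned, so they block too instead of passing silently."""
    failed, parse_errors = failed_checks(report_text)
    messages = [f"unscanned (parse error): {p}" for p in parse_errors]
    for f in failed:
        if (f.get("check_id"), f.get("resource")) in accepted_risks:
            continue
        start, end = f.get("file_line_range", ["?", "?"])
        messages.append(f"{f['check_id']} {f['resource']} {f.get('file_path')}:{start}-{end} "
                        f"{f.get('check_name', '')}")
    return (1 if messages else 0), messages
```

In a pipeline, pass the text of the file written by `checkov -d . --output json` to `gate()` and exit with the returned code; the accepted-risk list belongs in version control next to the IaC so exceptions are reviewed like code.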
Custom Checks (Python)
from checkov.common.models.enums import CheckResult, CheckCategories
from checkov.terraform.checks.resource.base_resource_check import BaseResourceCheck


class MyCustomCheck(BaseResourceCheck):
    def __init__(self):
        name = "Ensure custom tag exists"
        id = "CKV_CUSTOM_1"
        supported_resources = ['aws_instance']
        categories = [CheckCategories.CONVENTION]
        super().__init__(name=name, id=id, categories=categories, supported_resources=supported_resources)

    def scan_resource_conf(self, conf):
        # Checkov wraps each Terraform attribute value in a list, so the tags map is conf['tags'][0];
        # this assumes tags is written as a literal map, not a variable or expression reference
        if 'tags' in conf.keys():
            if 'CustomTag' in conf['tags'][0]:
                return CheckResult.PASSED
        return CheckResult.FAILED


# A module-level instance is required: Checkov's check registry loads it when the
# directory containing this file is passed with --external-checks-dir
check = MyCustomCheck()