{"id":13408075,"url":"https://github.com/bridgecrewio/checkov","last_synced_at":"2026-04-27T01:02:02.684Z","repository":{"id":37396927,"uuid":"224386599","full_name":"bridgecrewio/checkov","owner":"bridgecrewio","description":"Prevent cloud misconfigurations and find vulnerabilities during build-time in infrastructure as code, container images and open source packages with Checkov by Bridgecrew.","archived":false,"fork":false,"pushed_at":"2026-04-20T23:13:35.000Z","size":95567,"stargazers_count":8647,"open_issues_count":153,"forks_count":1324,"subscribers_count":54,"default_branch":"main","last_synced_at":"2026-04-21T01:37:36.077Z","etag":null,"topics":["aws","aws-security","azure","cloudformation","compliance","devops","gcp","hacktoberfest","infrastructure-as-code","kubernetes","scans","static-analysis","terraform"],"latest_commit_sha":null,"homepage":"https://www.checkov.io/","language":"Python","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"apache-2.0","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/bridgecrewio.png","metadata":{"files":{"readme":"README.md","changelog":"CHANGELOG.md","contributing":"CONTRIBUTING.md","funding":null,"license":"LICENSE","code_of_conduct":"CODE_OF_CONDUCT.md","threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":"SECURITY.md","support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null,"zenodo":null,"notice":null,"maintainers":null,"copyright":null,"agents":null,"dco":null,"cla":null}},"created_at":"2019-11-27T08:55:14.000Z","updated_at":"2026-04-20T23:13:42.000Z","dependencies_parsed_at":"2022-07-13T15:59:44.117Z","dependency_job_id":"75e9d844-1085-4104-b7f0-0325db61cc38","html_url":"https://github.com/bridgecrewio/checkov","commit_stats":{"total_commits":15500,"total_committers":442,"mean_commits":"35.067873303167424","dds":0.8414838709677419,"last_synced_commit":"b3978dcfd136fe86e380f5c79562d3681146728a"},"previous_names":[],"tags_count":3867,"template":false,"template_full_name":null,"purl":"pkg:github/bridgecrewio/checkov","repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/bridgecrewio%2Fcheckov","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/bridgecrewio%2Fcheckov/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/bridgecrewio%2Fcheckov/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/bridgecrewio%2Fcheckov/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/bridgecrewio","download_url":"https://codeload.github.com/bridgecrewio/checkov/tar.gz/refs/heads/main","sbom_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/bridgecrewio%2Fcheckov/sbom","scorecard":{"id":253625,"data":{"date":"2022-11-28","repo":{"name":"github.com/bridgecrewio/checkov","commit":"ab685b36445bb1f7a14366194659fb7869f0edc4"},"scorecard":{"version":"v4.8.0-79-gd8fefc9","commit":"d8fefc9b246db3600c777e9d60d441d7c386ce1d"},"score":7,"checks":[{"name":"Maintained","score":10,"reason":"30 commit(s) out of 30 and 7 issue activity out of 30 found in the last 90 days -- score normalized to 10","details":null,"documentation":{"short":"Determines if the project is \"actively maintained\".","url":"https://github.com/ossf/scorecard/blob/d8fefc9b246db3600c777e9d60d441d7c386ce1d/docs/checks.md#maintained"}},{"name":"Code-Review","score":3,"reason":"11 out of last 30 changesets reviewed before merge -- score normalized to 3","details":null,"documentation":{"short":"Determines if the project requires code review before pull requests (aka merge requests) are merged.","url":"https://github.com/ossf/scorecard/blob/d8fefc9b246db3600c777e9d60d441d7c386ce1d/docs/checks.md#code-review"}},{"name":"Vulnerabilities","score":10,"reason":"no vulnerabilities detected","details":null,"documentation":{"short":"Determines if the project has open, known unfixed vulnerabilities.","url":"https://github.com/ossf/scorecard/blob/d8fefc9b246db3600c777e9d60d441d7c386ce1d/docs/checks.md#vulnerabilities"}},{"name":"CII-Best-Practices","score":2,"reason":"badge detected: in_progress","details":null,"documentation":{"short":"Determines if the project has an OpenSSF (formerly CII) Best Practices Badge.","url":"https://github.com/ossf/scorecard/blob/d8fefc9b246db3600c777e9d60d441d7c386ce1d/docs/checks.md#cii-best-practices"}},{"name":"Signed-Releases","score":-1,"reason":"no releases found","details":["Warn: no GitHub releases found"],"documentation":{"short":"Determines if the project cryptographically signs release artifacts.","url":"https://github.com/ossf/scorecard/blob/d8fefc9b246db3600c777e9d60d441d7c386ce1d/docs/checks.md#signed-releases"}},{"name":"Branch-Protection","score":6,"reason":"branch protection is not maximal on development and all release branches","details":["Info: 'force pushes' disabled on branch 'main'","Info: 'allow deletion' disabled on branch 'main'","Warn: no status checks found to merge onto branch 'main'","Info: number of required reviewers is 2 on branch 'main'","Warn: codeowner review is not required on branch 'main'"],"documentation":{"short":"Determines if the default and release branches are protected with GitHub's branch protection settings.","url":"https://github.com/ossf/scorecard/blob/d8fefc9b246db3600c777e9d60d441d7c386ce1d/docs/checks.md#branch-protection"}},{"name":"Token-Permissions","score":0,"reason":"non read-only tokens detected in GitHub workflows","details":["Warn: no topLevel permission defined: .github/workflows/build.yml:1: update your workflow using https://app.stepsecurity.io/secureworkflow/bridgecrewio/checkov/build.yml/main?enable=permissions","Info: topLevel permissions set to 'read-all': .github/workflows/codeql-analysis.yml:24: update your workflow using https://app.stepsecurity.io/secureworkflow/bridgecrewio/checkov/codeql-analysis.yml/main?enable=permissions","Info: jobLevel 'contents' permission set to 'read': .github/workflows/codeql-analysis.yml:32: update your workflow using https://app.stepsecurity.io/secureworkflow/bridgecrewio/checkov/codeql-analysis.yml/main?enable=permissions","Info: jobLevel 'actions' permission set to 'read': .github/workflows/codeql-analysis.yml:31: update your workflow using https://app.stepsecurity.io/secureworkflow/bridgecrewio/checkov/codeql-analysis.yml/main?enable=permissions","Info: topLevel permissions set to 'read-all': .github/workflows/coverage.yaml:8: update your workflow using https://app.stepsecurity.io/secureworkflow/bridgecrewio/checkov/coverage.yaml/main?enable=permissions","Warn: jobLevel 'contents' permission set to 'write': .github/workflows/coverage.yaml:14: update your workflow using https://app.stepsecurity.io/secureworkflow/bridgecrewio/checkov/coverage.yaml/main?enable=permissions","Info: topLevel permissions set to 'read-all': .github/workflows/nightly.yml:9: update your workflow using https://app.stepsecurity.io/secureworkflow/bridgecrewio/checkov/nightly.yml/main?enable=permissions","Warn: jobLevel 'contents' permission set to 'write': .github/workflows/nightly.yml:16: update your workflow using https://app.stepsecurity.io/secureworkflow/bridgecrewio/checkov/nightly.yml/main?enable=permissions","Info: topLevel permissions set to 'read-all': .github/workflows/pipenv-update.yml:7: update your workflow using https://app.stepsecurity.io/secureworkflow/bridgecrewio/checkov/pipenv-update.yml/main?enable=permissions","Warn: jobLevel 'contents' permission set to 'write': .github/workflows/pipenv-update.yml:13: update your workflow using https://app.stepsecurity.io/secureworkflow/bridgecrewio/checkov/pipenv-update.yml/main?enable=permissions","Info: topLevel permissions set to 'read-all': .github/workflows/pr-test.yml:5: update your workflow using https://app.stepsecurity.io/secureworkflow/bridgecrewio/checkov/pr-test.yml/main?enable=permissions","Warn: no topLevel permission defined: .github/workflows/pr-title.yaml:1: update your workflow using https://app.stepsecurity.io/secureworkflow/bridgecrewio/checkov/pr-title.yaml/main?enable=permissions","Info: topLevel permissions set to 'read-all': .github/workflows/security.yaml:11: update your workflow using https://app.stepsecurity.io/secureworkflow/bridgecrewio/checkov/security.yaml/main?enable=permissions"],"documentation":{"short":"Determines if the project's workflows follow the principle of least privilege.","url":"https://github.com/ossf/scorecard/blob/d8fefc9b246db3600c777e9d60d441d7c386ce1d/docs/checks.md#token-permissions"}},{"name":"Security-Policy","score":10,"reason":"security policy file detected","details":["Info: Found linked content in security policy: SECURITY.md","Info: Found text in security policy: SECURITY.md","Info: Found disclosure, vulnerability, and/or timelines in security policy: SECURITY.md","Info: security policy detected in current repo: SECURITY.md"],"documentation":{"short":"Determines if the project has published a security policy.","url":"https://github.com/ossf/scorecard/blob/d8fefc9b246db3600c777e9d60d441d7c386ce1d/docs/checks.md#security-policy"}},{"name":"License","score":10,"reason":"license file detected","details":["Info: : LICENSE:1"],"documentation":{"short":"Determines if the project has defined a license.","url":"https://github.com/ossf/scorecard/blob/d8fefc9b246db3600c777e9d60d441d7c386ce1d/docs/checks.md#license"}},{"name":"Dependency-Update-Tool","score":10,"reason":"update tool detected","details":["Info: Dependabot detected: .github/dependabot.yml:1"],"documentation":{"short":"Determines if the project uses a dependency update tool.","url":"https://github.com/ossf/scorecard/blob/d8fefc9b246db3600c777e9d60d441d7c386ce1d/docs/checks.md#dependency-update-tool"}},{"name":"Dangerous-Workflow","score":10,"reason":"no dangerous workflow patterns detected","details":null,"documentation":{"short":"Determines if the project's GitHub Action workflows avoid dangerous patterns.","url":"https://github.com/ossf/scorecard/blob/d8fefc9b246db3600c777e9d60d441d7c386ce1d/docs/checks.md#dangerous-workflow"}},{"name":"Fuzzing","score":0,"reason":"project is not fuzzed","details":null,"documentation":{"short":"Determines if the project uses fuzzing.","url":"https://github.com/ossf/scorecard/blob/d8fefc9b246db3600c777e9d60d441d7c386ce1d/docs/checks.md#fuzzing"}},{"name":"SAST","score":10,"reason":"SAST tool is run on all commits","details":["Info: all commits (11) are checked with a SAST tool","Info: SAST tool detected: CodeQL"],"documentation":{"short":"Determines if the project uses static code analysis.","url":"https://github.com/ossf/scorecard/blob/d8fefc9b246db3600c777e9d60d441d7c386ce1d/docs/checks.md#sast"}},{"name":"Binary-Artifacts","score":10,"reason":"no binaries found in the repo","details":null,"documentation":{"short":"Determines if the project has generated executable (binary) artifacts in the source repository.","url":"https://github.com/ossf/scorecard/blob/d8fefc9b246db3600c777e9d60d441d7c386ce1d/docs/checks.md#binary-artifacts"}},{"name":"Packaging","score":10,"reason":"publishing workflow detected","details":["Info: GitHub publishing workflow used in run https://api.github.com/repos/bridgecrewio/checkov/actions/runs/3572272552: .github/workflows/build.yml:246"],"documentation":{"short":"Determines if the project is published as a package that others can easily download, install, easily update, and uninstall.","url":"https://github.com/ossf/scorecard/blob/d8fefc9b246db3600c777e9d60d441d7c386ce1d/docs/checks.md#packaging"}},{"name":"Pinned-Dependencies","score":0,"reason":"dependency not pinned by hash detected -- score normalized to 0","details":["Warn: third-party GitHubAction not pinned by hash: .github/workflows/build.yml:298: update your workflow using https://app.stepsecurity.io/secureworkflow/bridgecrewio/checkov/build.yml/main?enable=pin","Warn: containerImage not pinned by hash: .gitpod.Dockerfile:1: pin your Docker image by updating gitpod/workspace-python to gitpod/workspace-python@sha256:25e14c240990d5f09ddb1176822bff0ec2d13982e84e684679e7354e9c417122","Warn: containerImage not pinned by hash: Dockerfile:1: pin your Docker image by updating python to python@sha256:10fc14aa6ae69f69e4c953cffd9b0964843d8c163950491d2138af891377bc1d","Warn: containerImage not pinned by hash: Dockerfile.pyston:1: pin your Docker image by updating pyston/slim to pyston/slim@sha256:078eccc767f568d1a75c98aa2fd010ab17c032d611021015203497ea51f7f1e5","Warn: containerImage not pinned by hash: admissioncontroller/Dockerfile:2: pin your Docker image by updating python to python@sha256:10fc14aa6ae69f69e4c953cffd9b0964843d8c163950491d2138af891377bc1d","Warn: containerImage not pinned by hash: docs/7.Scan Examples/Dockerfile.md:18: pin your Docker image by updating node to node@sha256:bff0e689cb433913ab411af7a58253d54c7fd8c3134ffeb25287cdf24d9a5972","Warn: containerImage not pinned by hash: kubernetes/Dockerfile:1: pin your Docker image by updating python to python@sha256:10fc14aa6ae69f69e4c953cffd9b0964843d8c163950491d2138af891377bc1d","Warn: containerImage not pinned by hash: tests/dockerfile/checks/example_AddExists/failure/Dockerfile:1","Warn: containerImage not pinned by hash: tests/dockerfile/checks/example_AliasIsUnique/failure/Dockerfile:1","Warn: containerImage not pinned by hash: tests/dockerfile/checks/example_AliasIsUnique/failure/Dockerfile:4","Warn: containerImage not pinned by hash: tests/dockerfile/checks/example_AliasIsUnique/failure/Dockerfile:7","Warn: containerImage not pinned by hash: tests/dockerfile/checks/example_AliasIsUnique/success/Dockerfile:1","Warn: containerImage not pinned by hash: tests/dockerfile/checks/example_AliasIsUnique/success/Dockerfile:4","Warn: containerImage not pinned by hash: tests/dockerfile/checks/example_ExposePort22/failure/Dockerfile:1: pin your Docker image by updating busybox to busybox@sha256:fcd85228d7a25feb59f101ac3a955d27c80df4ad824d65f5757a954831450185","Warn: containerImage not pinned by hash: tests/dockerfile/checks/example_ExposePort22/failure_tcp/Dockerfile:1: pin your Docker image by updating busybox to busybox@sha256:fcd85228d7a25feb59f101ac3a955d27c80df4ad824d65f5757a954831450185","Warn: containerImage not pinned by hash: tests/dockerfile/checks/example_ExposePort22/success/Dockerfile:1: pin your Docker image by updating busybox to busybox@sha256:fcd85228d7a25feb59f101ac3a955d27c80df4ad824d65f5757a954831450185","Warn: containerImage not pinned by hash: tests/dockerfile/checks/example_HealthcheckExists/failure/Dockerfile:1","Warn: containerImage not pinned by hash: tests/dockerfile/checks/example_HealthcheckExists/success/Dockerfile:1","Warn: containerImage not pinned by hash: tests/dockerfile/checks/example_MaintainerExists/failure/Dockerfile:1","Warn: containerImage not pinned by hash: tests/dockerfile/checks/example_ReferenceLatestTag/failure_default_version_tag/Dockerfile:1: pin your Docker image by updating alpine to alpine@sha256:8914eb54f968791faf6a8638949e480fef81e697984fba772b3976835194c6d4","Warn: containerImage not pinned by hash: tests/dockerfile/checks/example_ReferenceLatestTag/failure_latest_version_tag/Dockerfile:1: pin your Docker image by updating alpine to alpine@sha256:8914eb54f968791faf6a8638949e480fef81e697984fba772b3976835194c6d4","Warn: containerImage not pinned by hash: tests/dockerfile/checks/example_ReferenceLatestTag/success/Dockerfile:1: pin your Docker image by updating alpine to alpine@sha256:8914eb54f968791faf6a8638949e480fef81e697984fba772b3976835194c6d4","Warn: containerImage not pinned by hash: tests/dockerfile/checks/example_ReferenceLatestTag/success_multi_stage/Dockerfile:1: pin your Docker image by updating alpine:3 to alpine:3@sha256:8914eb54f968791faf6a8638949e480fef81e697984fba772b3976835194c6d4","Warn: containerImage not pinned by hash: tests/dockerfile/checks/example_ReferenceLatestTag/success_multi_stage/Dockerfile:4","Warn: containerImage not pinned by hash: tests/dockerfile/checks/example_ReferenceLatestTag/success_multi_stage_capital/Dockerfile:1: pin your Docker image by updating alpine:3 to alpine:3@sha256:8914eb54f968791faf6a8638949e480fef81e697984fba772b3976835194c6d4","Warn: containerImage not pinned by hash: tests/dockerfile/checks/example_ReferenceLatestTag/success_multi_stage_capital/Dockerfile:4","Warn: containerImage not pinned by hash: tests/dockerfile/checks/example_ReferenceLatestTag/success_multi_stage_capital/Dockerfile:7","Warn: containerImage not pinned by hash: tests/dockerfile/checks/example_ReferenceLatestTag/success_multi_stage_scratch/Dockerfile:4","Warn: containerImage not pinned by hash: tests/dockerfile/checks/example_RootUser/failure/Dockerfile:1","Warn: containerImage not pinned by hash: tests/dockerfile/checks/example_RootUser/success/Dockerfile:1","Warn: containerImage not pinned by hash: tests/dockerfile/checks/example_RunUsingAPT/failure/Dockerfile:1: pin your Docker image by updating busybox to busybox@sha256:fcd85228d7a25feb59f101ac3a955d27c80df4ad824d65f5757a954831450185","Warn: containerImage not pinned by hash: tests/dockerfile/checks/example_RunUsingAPT/success/Dockerfile:1: pin your Docker image by updating busybox to busybox@sha256:fcd85228d7a25feb59f101ac3a955d27c80df4ad824d65f5757a954831450185","Warn: containerImage not pinned by hash: tests/dockerfile/checks/example_UpdateNotAlone/failure/Dockerfile:1","Warn: containerImage not pinned by hash: tests/dockerfile/checks/example_UpdateNotAlone/failure/Dockerfile.simple:1","Warn: containerImage not pinned by hash: tests/dockerfile/checks/example_UpdateNotAlone/success/Dockerfile:1","Warn: containerImage not pinned by hash: tests/dockerfile/checks/example_UserExists/failure/Dockerfile:1","Warn: containerImage not pinned by hash: tests/dockerfile/checks/example_UserExists/success/Dockerfile:1","Warn: containerImage not pinned by hash: tests/dockerfile/checks/example_WorkdirIsAbsolute/failure/Dockerfile:1: pin your Docker image by updating alpine to alpine@sha256:8914eb54f968791faf6a8638949e480fef81e697984fba772b3976835194c6d4","Warn: containerImage not pinned by hash: tests/dockerfile/checks/example_WorkdirIsAbsolute/failure/Dockerfile.simple:1: pin your Docker image by updating alpine to alpine@sha256:8914eb54f968791faf6a8638949e480fef81e697984fba772b3976835194c6d4","Warn: containerImage not pinned by hash: tests/dockerfile/checks/example_WorkdirIsAbsolute/success/Dockerfile:1: pin your Docker image by updating alpine to alpine@sha256:8914eb54f968791faf6a8638949e480fef81e697984fba772b3976835194c6d4","Warn: containerImage not pinned by hash: tests/dockerfile/image_referencer/resources/Dockerfile.multi_platform:1: pin your Docker image by updating golang:alpine to golang:alpine@sha256:d171aa333fb386089206252503bc6ab545072670e0286e3d1bbc644362825c6e","Warn: containerImage not pinned by hash: tests/dockerfile/image_referencer/resources/Dockerfile.multi_platform:8: pin your Docker image by updating alpine to alpine@sha256:8914eb54f968791faf6a8638949e480fef81e697984fba772b3976835194c6d4","Warn: containerImage not pinned by hash: tests/dockerfile/image_referencer/resources/Dockerfile.multi_stage:2: pin your Docker image by updating maven:3.8-openjdk-17-slim to maven:3.8-openjdk-17-slim@sha256:502e781d39f0b40fbd02eb23f5b7663618b76ba52034da218c64e92f6c5647be","Warn: containerImage not pinned by hash: tests/dockerfile/image_referencer/resources/Dockerfile.multi_stage:10: pin your Docker image by updating amazonlinux:2 to amazonlinux:2@sha256:a8e94ea6c17f7749b1beb0ac2c3245e0b99804190f31e05f68a0fabb5bea1787","Warn: containerImage not pinned by hash: tests/dockerfile/image_referencer/resources/Dockerfile.simple:1: pin your Docker image by updating php to php@sha256:77671163eeb253bea487bb745dc9185386d2e531e8c668acb3c255da6fde78fb","Warn: containerImage not pinned by hash: tests/dockerfile/resources/expose_port/fail/Dockerfile:1: pin your Docker image by updating node to node@sha256:bff0e689cb433913ab411af7a58253d54c7fd8c3134ffeb25287cdf24d9a5972","Warn: containerImage not pinned by hash: tests/dockerfile/resources/expose_port/pass/Dockerfile:1: pin your Docker image by updating gliderlabs/alpine to gliderlabs/alpine@sha256:23b993692b943f0799b3f36042d8a1331557103eb4ac2c0b8ab36cab9f399f8b","Warn: containerImage not pinned by hash: tests/dockerfile/resources/expose_port/skip/Dockerfile:1: pin your Docker image by updating gliderlabs/alpine to gliderlabs/alpine@sha256:23b993692b943f0799b3f36042d8a1331557103eb4ac2c0b8ab36cab9f399f8b","Warn: containerImage not pinned by hash: tests/dockerfile/resources/name_variations/.Dockerfile:1: pin your Docker image by updating alpine to alpine@sha256:8914eb54f968791faf6a8638949e480fef81e697984fba772b3976835194c6d4","Warn: containerImage not pinned by hash: tests/dockerfile/resources/name_variations/Dockerfile.prod:1: pin your Docker image by updating alpine to alpine@sha256:8914eb54f968791faf6a8638949e480fef81e697984fba772b3976835194c6d4","Warn: containerImage not pinned by hash: tests/dockerfile/resources/name_variations/prod.dockerfile:1: pin your Docker image by updating alpine to alpine@sha256:8914eb54f968791faf6a8638949e480fef81e697984fba772b3976835194c6d4","Warn: containerImage not pinned by hash: tests/dockerfile/resources/wildcard_skip/Dockerfile:1: pin your Docker image by updating python to python@sha256:10fc14aa6ae69f69e4c953cffd9b0964843d8c163950491d2138af891377bc1d","Warn: containerImage not pinned by hash: tests/sca_image/examples/dockerfile/Dockerfile:1: pin your Docker image by updating ubuntu to ubuntu@sha256:4b1d0c4a2d2aaf63b37111f34eb9fa89fa1bf53dd6e4ca954d47caebca4005c2","Warn: containerImage not pinned by hash: tests/secrets/custom_regex_detector/Dockerfile:1","Warn: containerImage not pinned by hash: tests/secrets/resources/file_type/Dockerfile:1","Warn: containerImage not pinned by hash: tests/secrets/resources/file_type/Dockerfile.simple:1","Warn: downloadThenRun not pinned by hash: .gitpod.Dockerfile:4-8","Warn: pipCommand not pinned by hash: Dockerfile:29","Warn: pipCommand not pinned by hash: Dockerfile.pyston:26-34","Warn: pipCommand not pinned by hash: admissioncontroller/Dockerfile:11","Warn: pipCommand not pinned by hash: admissioncontroller/Dockerfile:12","Warn: npmCommand not pinned by hash: docs/7.Scan Examples/Dockerfile.md:21","Warn: pipCommand not pinned by hash: kubernetes/Dockerfile:8","Warn: pipCommand not pinned by hash: tests/dockerfile/checks/example_WorkdirIsAbsolute/failure/Dockerfile:3","Warn: pipCommand not pinned by hash: tests/dockerfile/checks/example_WorkdirIsAbsolute/failure/Dockerfile:8","Warn: pipCommand not pinned by hash: tests/dockerfile/checks/example_WorkdirIsAbsolute/success/Dockerfile:3","Warn: pipCommand not pinned by hash: tests/dockerfile/checks/example_WorkdirIsAbsolute/success/Dockerfile:14","Warn: npmCommand not pinned by hash: tests/dockerfile/resources/expose_port/fail/Dockerfile:4","Warn: pipCommand not pinned by hash: .github/workflows/build.yml:121","Warn: pipCommand not pinned by hash: .github/workflows/build.yml:55","Warn: pipCommand not pinned by hash: .github/workflows/build.yml:93","Warn: pipCommand not pinned by hash: .github/workflows/build.yml:154","Warn: pipCommand not pinned by hash: .github/workflows/codeql-analysis.yml:43","Warn: pipCommand not pinned by hash: .github/workflows/codeql-analysis.yml:54","Warn: pipCommand not pinned by hash: .github/workflows/coverage.yaml:33","Warn: pipCommand not pinned by hash: .github/workflows/pipenv-update.yml:31","Warn: pipCommand not pinned by hash: .github/workflows/pr-test.yml:27","Warn: pipCommand not pinned by hash: .github/workflows/pr-test.yml:41","Warn: pipCommand not pinned by hash: .github/workflows/pr-test.yml:66","Warn: pipCommand not pinned by hash: .github/workflows/pr-test.yml:98","Warn: pipCommand not pinned by hash: .github/workflows/pr-test.yml:146","Info: GitHub-owned GitHubActions are pinned"],"documentation":{"short":"Determines if the project has declared and pinned the dependencies of its build process.","url":"https://github.com/ossf/scorecard/blob/d8fefc9b246db3600c777e9d60d441d7c386ce1d/docs/checks.md#pinned-dependencies"}}]},"last_synced_at":"2025-08-17T09:04:05.336Z","repository_id":37396927,"created_at":"2025-08-17T09:04:05.336Z","updated_at":"2025-08-17T09:04:05.336Z"},"host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":286080680,"owners_count":32318417,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2026-04-26T23:26:28.701Z","status":"ssl_error","status_checked_at":"2026-04-26T23:26:25.802Z","response_time":129,"last_error":"SSL_read: unexpected eof while reading","robots_txt_status":"success","robots_txt_updated_at":"2025-07-24T06:49:26.215Z","robots_txt_url":"https://github.com/robots.txt","online":false,"can_crawl_api":true,"host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["aws","aws-security","azure","cloudformation","compliance","devops","gcp","hacktoberfest","infrastructure-as-code","kubernetes","scans","static-analysis","terraform"],"created_at":"2024-07-30T20:00:50.598Z","updated_at":"2026-04-27T01:02:02.662Z","avatar_url":"https://github.com/bridgecrewio.png","language":"Python","readme":"[![checkov](https://raw.githubusercontent.com/bridgecrewio/checkov/main/docs/web/images/checkov_blue_logo.png)](#)\n       \n[![Maintained by Prisma Cloud](https://img.shields.io/badge/maintained_by-Prisma_Cloud-blue)](https://prismacloud.io/?utm_source=github\u0026utm_medium=organic_oss\u0026utm_campaign=checkov)\n[![build status](https://github.com/bridgecrewio/checkov/workflows/build/badge.svg)](https://github.com/bridgecrewio/checkov/actions?query=workflow%3Abuild)\n[![security status](https://github.com/bridgecrewio/checkov/workflows/security/badge.svg)](https://github.com/bridgecrewio/checkov/actions?query=event%3Apush+branch%3Amaster+workflow%3Asecurity)\n[![code_coverage](https://raw.githubusercontent.com/bridgecrewio/checkov/main/coverage.svg?sanitize=true)](https://github.com/bridgecrewio/checkov/actions?query=workflow%3Acoverage)\n[![docs](https://img.shields.io/badge/docs-passing-brightgreen)](https://www.checkov.io/1.Welcome/What%20is%20Checkov.html?utm_source=github\u0026utm_medium=organic_oss\u0026utm_campaign=checkov)\n[![PyPI](https://img.shields.io/pypi/v/checkov)](https://pypi.org/project/checkov/)\n[![Python Version](https://img.shields.io/pypi/pyversions/checkov)](#)\n[![Terraform Version](https://img.shields.io/badge/tf-%3E%3D0.12.0-blue.svg)](#)\n[![Downloads](https://static.pepy.tech/badge/checkov)](https://pepy.tech/project/checkov)\n[![Docker Pulls](https://img.shields.io/docker/pulls/bridgecrew/checkov.svg)](https://hub.docker.com/r/bridgecrew/checkov)\n[![slack-community](https://img.shields.io/badge/Slack-4A154B?style=plastic\u0026logo=slack\u0026logoColor=white)](https://codifiedsecurity.slack.com/)\n\n\n**Checkov** is a static code analysis tool for infrastructure as code (IaC) and also a software composition analysis (SCA) tool for images and open source packages.\n\nIt scans cloud infrastructure provisioned using [Terraform](https://terraform.io/), [Terraform plan](https://github.com/bridgecrewio/checkov/blob/main/docs/7.Scan%20Examples/Terraform%20Plan%20Scanning.md), [Cloudformation](https://github.com/bridgecrewio/checkov/blob/main/docs/7.Scan%20Examples/Cloudformation.md), [AWS SAM](https://github.com/bridgecrewio/checkov/blob/main/docs/7.Scan%20Examples/AWS%20SAM.md), [Kubernetes](https://github.com/bridgecrewio/checkov/blob/main/docs/7.Scan%20Examples/Kubernetes.md), [Helm charts](https://github.com/bridgecrewio/checkov/blob/main/docs/7.Scan%20Examples/Helm.md), [Kustomize](https://github.com/bridgecrewio/checkov/blob/main/docs/7.Scan%20Examples/Kustomize.md), [Dockerfile](https://github.com/bridgecrewio/checkov/blob/main/docs/7.Scan%20Examples/Dockerfile.md),  [Serverless](https://github.com/bridgecrewio/checkov/blob/main/docs/7.Scan%20Examples/Serverless%20Framework.md), [Bicep](https://github.com/bridgecrewio/checkov/blob/main/docs/7.Scan%20Examples/Bicep.md), [OpenAPI](https://github.com/bridgecrewio/checkov/blob/main/docs/7.Scan%20Examples/OpenAPI.md), [ARM Templates](https://github.com/bridgecrewio/checkov/blob/main/docs/7.Scan%20Examples/Azure%20ARM%20templates.md), or [OpenTofu](https://opentofu.org/) and detects security and compliance misconfigurations using graph-based scanning.\n\nIt performs [Software Composition Analysis (SCA) scanning](docs/7.Scan%20Examples/Sca.md) which is a scan of open source packages and images for Common Vulnerabilities and Exposures (CVEs).\n \nCheckov also powers [**Prisma Cloud Application Security**](https://www.prismacloud.io/prisma/cloud/cloud-code-security/?utm_source=github\u0026utm_medium=organic_oss\u0026utm_campaign=checkov), the developer-first platform that codifies and streamlines cloud security throughout the development lifecycle. Prisma Cloud identifies, fixes, and prevents misconfigurations in cloud resources and infrastructure-as-code files. \n\n\u003ca href=\"https://www.prismacloud.io/prisma/request-a-prisma-cloud-trial/?utm_campaign=checkov-github-repo\u0026utm_source=github.com\u0026utm_medium=get-started-button\" title=\"Try_Prisma_Cloud\"\u003e\n    \u003cimg src=\"https://dabuttonfactory.com/button.png?t=Try+Prisma+Cloud\u0026f=Open+Sans-Bold\u0026ts=26\u0026tc=fff\u0026hp=45\u0026vp=20\u0026c=round\u0026bgt=unicolored\u0026bgc=00c0e8\" align=\"right\" width=\"120\"\u003e\n\u003c/a\u003e\n\n\n\u003ca href=\"https://docs.prismacloud.io/en/enterprise-edition/use-cases/secure-the-source/secure-the-source\" title=\"Docs\"\u003e\n    \u003cimg src=\"https://dabuttonfactory.com/button.png?t=Read+the+Docs\u0026f=Open+Sans-Bold\u0026ts=26\u0026tc=fff\u0026hp=45\u0026vp=20\u0026c=round\u0026bgt=unicolored\u0026bgc=00c0e8\" align=\"right\" width=\"120\"\u003e\n\u003c/a\u003e\n\n## **Table of contents**\n\n- [Features](#features)\n- [Screenshots](#screenshots)\n- [Getting Started](#getting-started)\n- [Disclaimer](#disclaimer)\n- [Support](#support)\n- [Migration - v2 to v3](https://github.com/bridgecrewio/checkov/blob/main/docs/1.Welcome/Migration.md)\n\n ## Features\n\n * [Over 1000 built-in policies](https://github.com/bridgecrewio/checkov/blob/main/docs/5.Policy%20Index/all.md) cover security and compliance best practices for AWS, Azure and Google Cloud.\n * Scans Terraform, Terraform Plan, Terraform JSON, CloudFormation, AWS SAM, Kubernetes, Helm, Kustomize, Dockerfile, Serverless framework, Ansible, Bicep, ARM, and OpenTofu template files.\n * Scans Argo Workflows, Azure Pipelines, BitBucket Pipelines, Circle CI Pipelines, GitHub Actions and GitLab CI workflow files\n * Supports Context-awareness policies based on in-memory graph-based scanning.\n * Supports Python format for attribute policies and YAML format for both attribute and composite policies.\n * Detects [AWS credentials](https://github.com/bridgecrewio/checkov/blob/main/docs/2.Basics/Scanning%20Credentials%20and%20Secrets.md) in EC2 Userdata, Lambda environment variables and Terraform providers.\n * [Identifies secrets](https://www.prismacloud.io/prisma/cloud/secrets-security) using regular expressions, keywords, and entropy based detection.\n * Evaluates [Terraform Provider](https://registry.terraform.io/browse/providers) settings to regulate the creation, management, and updates of IaaS, PaaS or SaaS managed through Terraform.\n * Policies support evaluation of [variables](https://github.com/bridgecrewio/checkov/blob/main/docs/2.Basics/Handling%20Variables.md) to their optional default value.\n * Supports in-line [suppression](https://github.com/bridgecrewio/checkov/blob/main/docs/2.Basics/Suppressing%20and%20Skipping%20Policies.md) of accepted risks or false-positives to reduce recurring scan failures. Also supports global skip from using CLI.\n * [Output](https://github.com/bridgecrewio/checkov/blob/main/docs/2.Basics/Reviewing%20Scan%20Results.md) currently available as CLI, [CycloneDX](https://cyclonedx.org), JSON, JUnit XML, CSV, SARIF and github markdown and link to remediation [guides](https://docs.prismacloud.io/en/enterprise-edition/policy-reference/).\n \n## Screenshots\n\nScan results in CLI\n\n![scan-screenshot](https://raw.githubusercontent.com/bridgecrewio/checkov/main/docs/checkov-recording.gif)\n\nScheduled scan result in Jenkins\n\n![jenikins-screenshot](https://raw.githubusercontent.com/bridgecrewio/checkov/main/docs/checkov-jenkins.png)\n\n## Getting started\n\n### Requirements\n * Python \u003e= 3.9, \u003c=3.12\n * Terraform \u003e= 0.12\n\n### Installation\n\nTo install pip follow the official [docs](https://pip.pypa.io/en/stable/cli/pip_install/)\n\n```sh\npip3 install checkov\n```\n\nor with [Homebrew](https://formulae.brew.sh/formula/checkov) (macOS or Linux)\n\n```sh\nbrew install checkov\n```\n\n### Enabling bash autocomplete\n```sh\nsource \u003c(register-python-argcomplete checkov)\n```\n### Upgrade\n\nif you installed checkov with pip3\n```sh\npip3 install -U checkov\n```\n\nor with Homebrew\n\n```sh\nbrew upgrade checkov\n```\n\n### Configure an input folder or file\n\n```sh\ncheckov --directory /user/path/to/iac/code\n```\n\nOr a specific file or files\n\n```sh\ncheckov --file /user/tf/example.tf\n```\nOr\n```sh\ncheckov -f /user/cloudformation/example1.yml -f /user/cloudformation/example2.yml\n```\n\nOr a terraform plan file in json format\n```sh\nterraform init\nterraform plan -out tf.plan\nterraform show -json tf.plan  \u003e tf.json\ncheckov -f tf.json\n```\n\nNote: `terraform show` output file `tf.json` will be a single line. \nFor that reason all findings will be reported line number 0 by Checkov\n\n\n```sh\ncheck: CKV_AWS_21: \"Ensure all data stored in the S3 bucket have versioning enabled\"\n\tFAILED for resource: aws_s3_bucket.customer\n\tFile: /tf/tf.json:0-0\n\tGuide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/s3-policies/s3-16-enable-versioning\n  ```\n\nIf you have installed `jq` you can convert json file into multiple lines with the following command:\n```sh\nterraform show -json tf.plan | jq '.' \u003e tf.json\n```\nScan result would be much user friendly.\n```sh\ncheckov -f tf.json\nCheck: CKV_AWS_21: \"Ensure all data stored in the S3 bucket have versioning enabled\"\n\tFAILED for resource: aws_s3_bucket.customer\n\tFile: /tf/tf1.json:224-268\n\tGuide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/s3-policies/s3-16-enable-versioning\n\n\t\t225 |               \"values\": {\n\t\t226 |                 \"acceleration_status\": \"\",\n\t\t227 |                 \"acl\": \"private\",\n\t\t228 |                 \"arn\": \"arn:aws:s3:::mybucket\",\n\n```\n\nAlternatively, specify the repo root of the hcl files used to generate the plan file, using the `--repo-root-for-plan-enrichment` flag, to enrich the output with the appropriate file path, line numbers, and codeblock of the resource(s). An added benefit is that check suppressions will be handled accordingly.\n```sh\ncheckov -f tf.json --repo-root-for-plan-enrichment /user/path/to/iac/code\n```\n\n\n### Scan result sample (CLI)\n\n```sh\nPassed Checks: 1, Failed Checks: 1, Suppressed Checks: 0\nCheck: \"Ensure all data stored in the S3 bucket is securely encrypted at rest\"\n/main.tf:\n\t Passed for resource: aws_s3_bucket.template_bucket\nCheck: \"Ensure all data stored in the S3 bucket is securely encrypted at rest\"\n/../regionStack/main.tf:\n\t Failed for resource: aws_s3_bucket.sls_deployment_bucket_name\n```\n\nStart using Checkov by reading the [Getting Started](https://github.com/bridgecrewio/checkov/blob/main/docs/1.Welcome/Quick%20Start.md) page.\n\n### Using Docker\n\n\n```sh\ndocker pull bridgecrew/checkov\ndocker run --tty --rm --volume /user/tf:/tf --workdir /tf bridgecrew/checkov --directory /tf\n```\nNote: if you are using Python 3.6(Default version in Ubuntu 18.04) checkov will not work, and it will fail with `ModuleNotFoundError: No module named 'dataclasses'`  error message. In this case, you can use the docker version instead.\n\nNote that there are certain cases where redirecting `docker run --tty` output to a file - for example, if you want to save the Checkov JUnit output to a file - will cause extra control characters to be printed. This can break file parsing. If you encounter this, remove the `--tty` flag.\n\nThe `--workdir /tf` flag is optional to change the working directory to the mounted volume. If you are using the SARIF output `-o sarif` this will output the results.sarif file to the mounted volume (`/user/tf` in the example above). If you do not include that flag, the working directory will be \"/\".\n\n### Running or skipping checks\n\nBy using command line flags, you can specify to run only named checks (allow list) or run all checks except\nthose listed (deny list). If you are using the platform integration via API key, you can also specify a severity threshold to skip and / or include.\nMoreover, as json files can't contain comments, one can pass regex pattern to skip json file secret scan.\n\nSee the docs for more detailed information about how these flags work together.\n\n\n## Examples\n\nAllow only the two specified checks to run:\n```sh\ncheckov --directory . --check CKV_AWS_20,CKV_AWS_57\n```\n\nRun all checks except the one specified:\n```sh\ncheckov -d . --skip-check CKV_AWS_20\n```\n\nRun all checks except checks with specified patterns:\n```sh\ncheckov -d . --skip-check CKV_AWS*\n```\n\nRun all checks that are MEDIUM severity or higher (requires API key):\n```sh\ncheckov -d . --check MEDIUM --bc-api-key ...\n```\n\nRun all checks that are MEDIUM severity or higher, as well as check CKV_123 (assume this is a LOW severity check):\n```sh\ncheckov -d . --check MEDIUM,CKV_123 --bc-api-key ...\n```\n\nSkip all checks that are MEDIUM severity or lower:\n```sh\ncheckov -d . --skip-check MEDIUM --bc-api-key ...\n```\n\nSkip all checks that are MEDIUM severity or lower, as well as check CKV_789 (assume this is a high severity check):\n```sh\ncheckov -d . --skip-check MEDIUM,CKV_789 --bc-api-key ...\n```\n\nRun all checks that are MEDIUM severity or higher, but skip check CKV_123 (assume this is a medium or higher severity check):\n```sh\ncheckov -d . --check MEDIUM --skip-check CKV_123 --bc-api-key ...\n```\n\nRun check CKV_789, but skip it if it is a medium severity (the --check logic is always applied before --skip-check)\n```sh\ncheckov -d . --skip-check MEDIUM --check CKV_789 --bc-api-key ...\n```\n\nFor Kubernetes workloads, you can also use allow/deny namespaces.  For example, do not report any results for the\nkube-system namespace:\n```sh\ncheckov -d . --skip-check kube-system\n```\n\nRun a scan of a container image. First pull or build the image then refer to it by the hash, ID, or name:tag:\n```sh\ncheckov --framework sca_image --docker-image sha256:1234example --dockerfile-path /Users/path/to/Dockerfile --repo-id ... --bc-api-key ...\n\ncheckov --docker-image \u003cimage-name\u003e:tag --dockerfile-path /User/path/to/Dockerfile --repo-id ... --bc-api-key ...\n```\n\nYou can use --image flag also to scan container image instead of --docker-image for shortener:\n```sh\ncheckov --image \u003cimage-name\u003e:tag --dockerfile-path /User/path/to/Dockerfile --repo-id ... --bc-api-key ...\n```\n\nRun an SCA scan of packages in a repo:\n```sh\ncheckov -d . --framework sca_package --bc-api-key ... --repo-id \u003crepo_id(arbitrary)\u003e\n```\n\nRun a scan of a directory with environment variables removing buffering, adding debug level logs:\n```sh\nPYTHONUNBUFFERED=1 LOG_LEVEL=DEBUG checkov -d .\n```\nOR enable the environment variables for multiple runs\n```sh\nexport PYTHONUNBUFFERED=1 LOG_LEVEL=DEBUG\ncheckov -d .\n```\n\nRun secrets scanning on all files in MyDirectory. Skip CKV_SECRET_6 check on json files that their suffix is DontScan\n```sh\ncheckov -d /MyDirectory --framework secrets --repo-id ... --bc-api-key ... --skip-check CKV_SECRET_6:.*DontScan.json$\n```\n\nRun secrets scanning on all files in MyDirectory. Skip CKV_SECRET_6 check on json files that contains \"skip_test\" in path\n```sh\ncheckov -d /MyDirectory --framework secrets --repo-id ... --bc-api-key ... --skip-check CKV_SECRET_6:.*skip_test.*json$\n```\n\nOne can mask values from scanning results by supplying a configuration file (using --config-file flag) with mask entry.\nThe masking can apply on resource \u0026 value (or multiple values, separated with a comma).\nExamples:\n```sh\nmask:\n- aws_instance:user_data\n- azurerm_key_vault_secret:admin_password,user_passwords\n```\nIn the example above, the following values will be masked:\n- user_data for aws_instance resource\n- both admin_password \u0026user_passwords for azurerm_key_vault_secret\n\n\n### Suppressing/Ignoring a check\n\nLike any static-analysis tool it is limited by its analysis scope.\nFor example, if a resource is managed manually, or using subsequent configuration management tooling,\nsuppression can be inserted as a simple code annotation.\n\n#### Suppression comment format\n\nTo skip a check on a given Terraform definition block or CloudFormation resource, apply the following comment pattern inside it's scope:\n\n`checkov:skip=\u003ccheck_id\u003e:\u003csuppression_comment\u003e`\n\n* `\u003ccheck_id\u003e` is one of the [available check scanners](docs/5.Policy Index/all.md)\n* `\u003csuppression_comment\u003e` is an optional suppression reason to be included in the output\n\n#### Example\n\nThe following comment skips the `CKV_AWS_20` check on the resource identified by `foo-bucket`, where the scan checks if an AWS S3 bucket is private.\nIn the example, the bucket is configured with public read access; Adding the suppress comment would skip the appropriate check instead of the check to fail.\n\n```hcl-terraform\nresource \"aws_s3_bucket\" \"foo-bucket\" {\n  region        = var.region\n    #checkov:skip=CKV_AWS_20:The bucket is a public static content host\n  bucket        = local.bucket_name\n  force_destroy = true\n  acl           = \"public-read\"\n}\n```\n\nThe output would now contain a ``SKIPPED`` check result entry:\n\n```bash\n...\n...\nCheck: \"S3 Bucket has an ACL defined which allows public access.\"\n\tSKIPPED for resource: aws_s3_bucket.foo-bucket\n\tSuppress comment: The bucket is a public static content host\n\tFile: /example_skip_acl.tf:1-25\n\n...\n```\nTo skip multiple checks, add each as a new line.\n\n```\n  #checkov:skip=CKV2_AWS_6\n  #checkov:skip=CKV_AWS_20:The bucket is a public static content host\n```\n\nTo suppress checks in Kubernetes manifests, annotations are used with the following format:\n`checkov.io/skip#: \u003ccheck_id\u003e=\u003csuppression_comment\u003e`\n\nFor example:\n\n```bash\napiVersion: v1\nkind: Pod\nmetadata:\n  name: mypod\n  annotations:\n    checkov.io/skip1: CKV_K8S_20=I don't care about Privilege Escalation :-O\n    checkov.io/skip2: CKV_K8S_14\n    checkov.io/skip3: CKV_K8S_11=I have not set CPU limits as I want BestEffort QoS\nspec:\n  containers:\n...\n```\n\n#### Logging\n\nFor detailed logging to stdout set up the environment variable `LOG_LEVEL` to `DEBUG`.\n\nDefault is `LOG_LEVEL=WARNING`.\n\n#### Skipping directories\nTo skip files or directories, use the argument `--skip-path`, which can be specified multiple times. This argument accepts regular expressions for paths relative to the current working directory. You can use it to skip entire directories and / or specific files.\n\nBy default, all directories named `node_modules`, `.terraform`, and `.serverless` will be skipped, in addition to any files or directories beginning with `.`.\nTo cancel skipping directories beginning with `.` override `CKV_IGNORE_HIDDEN_DIRECTORIES` environment variable `export CKV_IGNORE_HIDDEN_DIRECTORIES=false`\n\nYou can override the default set of directories to skip by setting the environment variable `CKV_IGNORED_DIRECTORIES`.\n Note that if you want to preserve this list and add to it, you must include these values. For example, `CKV_IGNORED_DIRECTORIES=mynewdir` will skip only that directory, but not the others mentioned above. This variable is legacy functionality; we recommend using the `--skip-file` flag.\n\n#### Console Output\n\nThe console output is in colour by default, to switch to a monochrome output, set the environment variable:\n`ANSI_COLORS_DISABLED`\n\n#### VS Code Extension\n\nIf you want to use Checkov within VS Code, give the [Prisma Cloud extension](https://marketplace.visualstudio.com/items?itemName=PrismaCloud.prisma-cloud) a try.\n\n### Configuration using a config file\n\nCheckov can be configured using a YAML configuration file. By default, checkov looks for a `.checkov.yaml` or `.checkov.yml` file in the following places in order of precedence:\n* Directory against which checkov is run. (`--directory`)\n* Current working directory where checkov is called.\n* User's home directory.\n\n**Attention**: it is a best practice for checkov configuration file to be loaded from a trusted source composed by a verified identity, so that scanned files, check ids and loaded custom checks are as desired.\n\nUsers can also pass in the path to a config file via the command line. In this case, the other config files will be ignored. For example:\n```sh\ncheckov --config-file path/to/config.yaml\n```\nUsers can also create a config file using the `--create-config` command, which takes the current command line args and writes them out to a given path. For example:\n```sh\ncheckov --compact --directory test-dir --docker-image sample-image --dockerfile-path Dockerfile --download-external-modules True --external-checks-dir sample-dir --quiet --repo-id prisma-cloud/sample-repo --skip-check CKV_DOCKER_3,CKV_DOCKER_2 --skip-framework dockerfile secrets --soft-fail --branch develop --check CKV_DOCKER_1 --create-config /Users/sample/config.yml\n```\nWill create a `config.yaml` file which looks like this:\n```yaml\nbranch: develop\ncheck:\n  - CKV_DOCKER_1\ncompact: true\ndirectory:\n  - test-dir\ndocker-image: sample-image\ndockerfile-path: Dockerfile\ndownload-external-modules: true\nevaluate-variables: true\nexternal-checks-dir:\n  - sample-dir\nexternal-modules-download-path: .external_modules\nframework:\n  - all \noutput: cli \nquiet: true \nrepo-id: prisma-cloud/sample-repo \nskip-check: \n  - CKV_DOCKER_3 \n  - CKV_DOCKER_2 \nskip-framework:\n  - dockerfile\n  - secrets\nsoft-fail: true\n```\n\nUsers can also use the `--show-config` flag to view all the args and settings and where they came from i.e. commandline, config file, environment variable or default. For example:\n```sh\ncheckov --show-config\n```\nWill display:\n```sh\nCommand Line Args:   --show-config\nEnvironment Variables:\n  BC_API_KEY:        your-api-key\nConfig File (/Users/sample/.checkov.yml):\n  soft-fail:         False\n  branch:            master\n  skip-check:        ['CKV_DOCKER_3', 'CKV_DOCKER_2']\nDefaults:\n  --output:          cli\n  --framework:       ['all']\n  --download-external-modules:False\n  --external-modules-download-path:.external_modules\n  --evaluate-variables:True\n```\n\n## Contributing\n\nContribution is welcomed!\n\nStart by reviewing the [contribution guidelines](https://github.com/bridgecrewio/checkov/blob/main/CONTRIBUTING.md). After that, take a look at a [good first issue](https://github.com/bridgecrewio/checkov/issues?q=is%3Aissue+is%3Aopen+label%3A%22good+first+issue%22).\n\nYou can even start this with one-click dev in your browser through Gitpod at the following link:\n\n[![Open in Gitpod](https://gitpod.io/button/open-in-gitpod.svg)](https://gitpod.io/#https://github.com/bridgecrewio/checkov)\n\nLooking to contribute new checks? Learn how to write a new check (AKA policy) [here](https://github.com/bridgecrewio/checkov/blob/main/docs/6.Contribution/Contribution%20Overview.md).\n\n## Disclaimer\n`checkov` does not save, publish or share with anyone any identifiable customer information.  \nNo identifiable customer information is used to query Prisma Cloud's publicly accessible guides.\n`checkov` uses Prisma Cloud's API to enrich the results with links to remediation guides.\nTo skip this API call use the flag `--skip-download`.\n\n## Support\n\n[Prisma Cloud](https://www.prismacloud.io/?utm_source=github\u0026utm_medium=organic_oss\u0026utm_campaign=checkov) builds and maintains Checkov to make policy-as-code simple and accessible. \n\nStart with our [Documentation](https://www.checkov.io/1.Welcome/Quick%20Start.html) for quick tutorials and examples.\n\n## Python Version Support\nWe follow the official support cycle of Python, and we use automated tests for supported versions of Python. This means we currently support Python 3.9 - 3.13, inclusive. Note that Python 3.8 reached EOL on October 2024 and Python 3.9 will reach EOL in October 2025. If you run into any issues with any non-EOL Python version, please open an Issue.\n","funding_links":[],"categories":["Security Scanners","Container Operations","Security","Python","Tools","Infrastructure as code security","DevSecOps","Projects by main language","Uncategorized","Infrastructure","Infrastructure as Code","Other Awesome Lists","Infrastructure as Code Secure","📚 Learning Resources","蓝队工具","Инструменты","Testing Tools","azure","terraform","devops","Open Source Repos","Climbing","语音识别与合成_其他","🔍 Static Analysis \u0026 Linters","Mobile","Configuration Management","Platform Engineering 平台工程","Infrastructure as Code Security","Security Scanning"],"sub_categories":["Checkov","Security","Infrastructure as Code Analysis","python","Uncategorized","Terraform Tooling","Terraform","Infrastructure as Code Security","IAC(Infrastructure-as-Code)扫描","IAC Security","Chess :chess_pawn:","资源传输下载","Cloud","Professional Security","Infrastructure as Code(IaC)","Others","Kubernetes Audit","Infrastructure as Code","Language Specific"],"project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fbridgecrewio%2Fcheckov","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fbridgecrewio%2Fcheckov","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fbridgecrewio%2Fcheckov/lists"}