{"id":14958001,"url":"https://github.com/bridgecrewio/checkov-action","last_synced_at":"2025-05-14T20:07:49.726Z","repository":{"id":37481224,"uuid":"256738016","full_name":"bridgecrewio/checkov-action","owner":"bridgecrewio","description":"This GitHub Action runs Checkov against infrastructure-as-code, open source packages, container images, and CI/CD configurations to identify misconfigurations, vulnerabilities, and license compliance issues.","archived":false,"fork":false,"pushed_at":"2025-03-27T10:15:40.000Z","size":906,"stargazers_count":263,"open_issues_count":34,"forks_count":106,"subscribers_count":25,"default_branch":"master","last_synced_at":"2025-03-30T11:02:07.564Z","etag":null,"topics":["bridgecrew","compliance","devsecops","hacktoberfest","marketplace","scanning","security","static-analysis","terraform"],"latest_commit_sha":null,"homepage":"","language":"HCL","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"apache-2.0","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/bridgecrewio.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null}},"created_at":"2020-04-18T11:38:03.000Z","updated_at":"2025-03-27T10:15:41.000Z","dependencies_parsed_at":"2023-12-28T10:48:15.161Z","dependency_job_id":"d8a60031-821b-434a-ac86-e9520ab13a26","html_url":"https://github.com/bridgecrewio/checkov-action","commit_stats":{"total_commits":2997,"total_committers":41,"mean_commits":73.09756097560975,"dds":0.5739072405739072,"last_synced_commit":"d0e41abbcc8c1103c6ae7e451681d071f05e1c20"},"previous_names":[],"tags_count":3000,"template":false,"template_full_name":null,"repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/bridgecrewio%2Fcheckov-action","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/bridgecrewio%2Fcheckov-action/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/bridgecrewio%2Fcheckov-action/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/bridgecrewio%2Fcheckov-action/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/bridgecrewio","download_url":"https://codeload.github.com/bridgecrewio/checkov-action/tar.gz/refs/heads/master","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":248751881,"owners_count":21155973,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["bridgecrew","compliance","devsecops","hacktoberfest","marketplace","scanning","security","static-analysis","terraform"],"created_at":"2024-09-24T13:15:57.743Z","updated_at":"2025-04-13T17:27:53.655Z","avatar_url":"https://github.com/bridgecrewio.png","language":"HCL","funding_links":[],"categories":[],"sub_categories":[],"readme":"[![Maintained by Bridgecrew.io](https://img.shields.io/badge/maintained%20by-bridgecrew.io-blueviolet)](https://bridge.dev/2WBms5Q)\n[![slack-community](https://img.shields.io/badge/Slack-4A154B?style=plastic\u0026logo=slack\u0026logoColor=white)](https://slack.bridgecrew.io/)\n\n# Checkov GitHub action\n\nThis GitHub Action runs [Checkov](https://github.com/bridgecrewio/checkov) against infrastructure-as-code,\nopen source packages, container images, and CI/CD configurations to identify misconfigurations, vulnerabilities, and license compliance issues.\n\n## Example usage for IaC and SCA\n\n```yaml\nname: checkov\n\n# Controls when the workflow will run\non:\n  # Triggers the workflow on push or pull request events but only for the \"main\" branch\n  push:\n    branches: [ \"main\", \"master\" ]\n  pull_request:\n    branches: [ \"main\", \"master\" ]\n\n  # Allows you to run this workflow manually from the Actions tab\n  workflow_dispatch:\n\n# A workflow run is made up of one or more jobs that can run sequentially or in parallel\njobs:\n  # This workflow contains a single job called \"scan\"\n  scan:\n    permissions:\n      contents: read # for actions/checkout to fetch code\n      security-events: write # for github/codeql-action/upload-sarif to upload SARIF results\n      actions: read # only required for a private repository by github/codeql-action/upload-sarif to get the Action run status\n      \n    # The type of runner that the job will run on\n    runs-on: ubuntu-latest\n\n    # Steps represent a sequence of tasks that will be executed as part of the job\n    steps:\n      # Checks-out your repository under $GITHUB_WORKSPACE, so follow-up steps can access it\n      - uses: actions/checkout@v3\n\n      - name: Checkov GitHub Action\n        uses: bridgecrewio/checkov-action@v12\n        with:\n          # This will add both a CLI output to the console and create a results.sarif file\n          output_format: cli,sarif\n          output_file_path: console,results.sarif\n        \n      - name: Upload SARIF file\n        uses: github/codeql-action/upload-sarif@v2\n        \n        # Results are generated only on a success or failure\n        # this is required since GitHub by default won't run the next step\n        # when the previous one has failed. Security checks that do not pass will 'fail'.\n        # An alternative is to add `continue-on-error: true` to the previous step\n        # Or 'soft_fail: true' to checkov.\n        if: success() || failure()\n        with:\n          sarif_file: results.sarif\n```\n\n## Example usage for options/environment variables in 'with' block\n\n```yaml\non: [push]\njobs:\n  checkov-job:\n    runs-on: ubuntu-latest\n    name: checkov-action\n    steps:\n      - name: Checkout repo\n        uses: actions/checkout@master\n\n      - name: Run Checkov action\n        id: checkov\n        uses: bridgecrewio/checkov-action@master\n        with:\n          directory: example/\n          file: example/tfplan.json # optional: provide the path for resource to be scanned. This will override the directory if both are provided.\n          check: CKV_AWS_1 # optional: run only a specific check_id. can be comma separated list\n          skip_check: CKV_AWS_2 # optional: skip a specific check_id. can be comma separated list\n          quiet: true # optional: display only failed checks\n          soft_fail: true # optional: do not return an error code if there are failed checks\n          framework: terraform # optional: run only on a specific infrastructure {cloudformation,terraform,kubernetes,all}\n          skip_framework: terraform # optional: skip a specific infrastructure {cloudformation,terraform,kubernetes,all}\n          skip_cve_package: CVE_2019_8331 # optional: skip a specific CVE package in SCA scans, can be comma separated list\n          output_format: sarif # optional: the output format, one of: cli, json, junitxml, github_failed_only, or sarif. Default: sarif\n          output_file_path: reports/results.sarif # folder and name of results file\n          output_bc_ids: true # optional: output Bridgecrew platform IDs instead of checkov IDs\n          download_external_modules: true # optional: download external terraform modules from public git repositories and terraform registry\n          repo_root_for_plan_enrichment: example/ #optional: Directory containing the hcl code used to generate a given terraform plan file. Use together with `file`\n          var_file: ./testdir/gocd.yaml # optional: variable files to load in addition to the default files. Currently only supported for source Terraform and Helm chart scans.\n          log_level: DEBUG # optional: set log level. Default WARNING\n          config_file: path/this_file\n          baseline: cloudformation/.checkov.baseline # optional: Path to a generated baseline file. Will only report results not in the baseline.\n          container_user: 1000 # optional: Define what UID and / or what GID to run the container under to prevent permission issues\n          use_enforcement_rules: true # optional - use enforcement rule configs from the platform\n\n```\n\n## Example usage for container images\n\n```yaml\non: [push]\n\nenv:\n  IMAGE_NAME: ${{ github.repository }}:${{ github.sha }}\n  IMAGE_PATH: /path/\n\njobs:\n  checkov-image-scan:\n    runs-on: ubuntu-latest\n    name: checkov-image-scan\n    steps:\n      - name: Checkout repo\n        uses: actions/checkout@master\n\n      - name: Build the image\n        run: docker build -t ${{ env.IMAGE_NAME }} ${{ env.IMAGE_PATH }}\n\n      - name: Run Checkov action\n        id: checkov\n        uses: bridgecrewio/checkov-action@master\n        with:\n          quiet: true # optional: display only failed checks\n          soft_fail: true # optional: do not return an error code if there are failed checks\n          log_level: DEBUG # optional: set log level. Default WARNING\n          docker_image: ${{ env.IMAGE_NAME }} # define the name of the image to scan\n          dockerfile_path: ${{ format('{0}/Dockerfile', env.IMAGE_PATH) }} # path to the Dockerfile\n          container_user: 1000 # optional: Define what UID and / or what GID to run the container under to prevent permission issues\n          api-key: ${{ secrets.BC_API_KEY }} # Bridgecrew API key stored as a GitHub secret\n```\n\nNote that this example uses the latest version (`master`) but you could also use a static version (e.g. `v3`).\nAlso, the check ids specified for '--check' and '--skip-check' must be mutually exclusive.\n\n## Example usage for private Terraform modules\n\nTo give `checkov` the possibility to download private GitHub modules you need to pass a valid GitHub PAT with the needed permissions.\n\n```yaml\non: [push]\njobs:\n  checkov-job:\n    runs-on: ubuntu-latest\n    name: checkov-action\n    steps:\n      - name: Checkout repo\n        uses: actions/checkout@master\n\n      - name: Run Checkov action\n        id: checkov\n        uses: bridgecrewio/checkov-action@master\n        with:\n          directory: .\n          soft_fail: true\n          download_external_modules: true\n          github_pat: ${{ secrets.GH_PAT }}\n        env:\n          GITHUB_OVERRIDE_URL: true  # optional: this can be used to instruct the action to override the global GIT config to inject the PAT to the URL\n```\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fbridgecrewio%2Fcheckov-action","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fbridgecrewio%2Fcheckov-action","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fbridgecrewio%2Fcheckov-action/lists"}