checkov command

Documentation

Copy a command, then replace the file names, directories, or arguments as needed.

Common examples

Scan a directory for IaC misconfigurations

checkov -d [path/to/directory]

Scan a specific file

checkov -f [path/to/file.tf]

Scan with a specific framework

checkov -d [path/to/directory] --framework [terraform|kubernetes|cloudformation]

Run only specific checks

checkov -d [path/to/directory] --check [CKV_AWS_1,CKV_AWS_2]

Skip specific checks

checkov -d [path/to/directory] --skip-check [CKV_AWS_1]

Output results in JSON format

checkov -d [path/to/directory] --output json

Scan a Terraform plan file

checkov -f [tfplan.json] --framework terraform_plan
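The examples above are the building blocks of a typical CI policy gate: scan a directory for one framework, emit JSON, and fail the pipeline on anything that is not an accepted finding. The script below is an added example, not code from the checkov project or its documentation. It assumes the checkov CLI is installed and on PATH when run_checkov() is called (the --framework, --skip-check and --output flags are those shown above); SAMPLE_REPORT is constructed sample data in the shape of checkov's JSON report, and its check IDs, names and resources are placeholders rather than real findings.

```python
"""CI gate around checkov's JSON output.

Added example, not part of checkov or its documentation. Assumes the checkov CLI
is installed and on PATH when run_checkov() is called; the parsing and gating
functions work on any report string and are exercised here on constructed data.
"""
import json
import subprocess
import sys

# Constructed sample report in the shape checkov prints with --output json.
# The check IDs, names and resources below are placeholders, not real findings.
SAMPLE_REPORT = json.dumps({
    "check_type": "terraform",
    "results": {
        "passed_checks": [
            {"check_id": "CKV_AWS_2", "check_name": "Placeholder passing check",
             "resource": "aws_s3_bucket.logs", "file_path": "/main.tf"},
        ],
        "failed_checks": [
            {"check_id": "CKV_AWS_1", "check_name": "Placeholder failing check A",
             "resource": "aws_s3_bucket.data", "file_path": "/main.tf",
             "file_line_range": [1, 9]},
            {"check_id": "CKV_AWS_3", "check_name": "Placeholder failing check B",
             "resource": "aws_security_group.web", "file_path": "/network.tf",
             "file_line_range": [12, 30]},
        ],
        "skipped_checks": [],
    },
    "summary": {"passed": 1, "failed": 2, "skipped": 0,
                "parsing_errors": 0, "resource_count": 3},
})


def run_checkov(directory, framework=None, skip_checks=()):
    """Run `checkov -d <dir> --output json` and return the raw JSON text.

    checkov exits non-zero whenever a check fails, so check=True is deliberately
    not used; gate() decides pass/fail from the report contents instead.
    """
    cmd = ["checkov", "-d", directory, "--output", "json"]
    if framework:
        cmd += ["--framework", framework]
    if skip_checks:
        cmd += ["--skip-check", ",".join(skip_checks)]
    proc = subprocess.run(cmd, capture_output=True, text=True)
    return proc.stdout


def load_reports(report_text):
    """checkov emits a single JSON object for one framework and a JSON list
    when several frameworks matched; normalise both shapes to a list."""
    data = json.loads(report_text)
    return data if isinstance(data, list) else [data]


def failed_checks(report_text):
    """Return one dict per failed check: id, resource, file and line range."""
    findings = []
    for report in load_reports(report_text):
        for check in report.get("results", {}).get("failed_checks", []):
            findings.append({
                "check_id": check["check_id"],
                "resource": check.get("resource", "?"),
                "file_path": check.get("file_path", "?"),
                "lines": check.get("file_line_range", []),
            })
    return findings


def gate(report_text, allow=frozenset()):
    """Decide whether the scan passes the policy gate.

    `allow` holds check IDs that are accepted (for example a documented
    baseline); any other failed check blocks the pipeline.
    Returns (ok, blocking_findings).
    """
    blocking = [f"{f['check_id']}:{f['resource']}"
                for f in failed_checks(report_text)
                if f["check_id"] not in allow]
    return (not blocking, blocking)


def main(argv):
    directory = argv[1] if len(argv) > 1 else "."
    report = run_checkov(directory, framework="terraform")
    ok, blocking = gate(report)
    for item in blocking:
        print(f"BLOCKING {item}")
    return 0 if ok else 1


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Run it as `python gate.py path/to/terraform` from a CI job; a non-zero exit blocks the merge. Passing accepted IDs to gate() rather than to --skip-check keeps the accepted findings visible in the JSON report while still letting the pipeline proceed.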

Description

Checkov is a static code analysis tool for infrastructure as code (IaC) that detects security and compliance misconfigurations. It supports Terraform, CloudFormation, Kubernetes, Helm, Dockerfile, ARM templates, and other frameworks. The tool includes over 750 built-in policies covering industry standards like CIS Benchmarks, PCI, and HIPAA. It uses graph-based scanning to analyze resource dependencies and detect complex configuration issues. Checkov also performs software composition analysis (SCA) and secrets detection using regex, keywords, and entropy-based detection.

Options

-d, --directory _path_
Directory to scan
-f, --file _path_
Specific file to scan
--framework _framework_
IaC framework: terraform, cloudformation, kubernetes, helm, dockerfile, etc.
--check _ids_
Run only specific checks by ID
--skip-check _ids_
Skip specific checks by ID
--output _format_
Output format: cli, json, junitxml, sarif
--compact
Show only failed checks
--list
List all available checks

FAQ

What is the checkov command used for?

Checkov statically analyses infrastructure-as-code (Terraform, CloudFormation, Kubernetes, Helm, Dockerfile, ARM templates and other frameworks) for security and compliance misconfigurations, and also performs SCA and secrets detection; see the Description above for details.

How do I run a basic checkov example?

Run `checkov -d [path/to/directory]` in a terminal, then adjust file names, paths, flags, or remote targets for your system.

What does -d, --directory _path_ do in checkov?

It sets the directory that checkov scans.