How to prevent Terraform misconfiguration with Checkov

Policy as Code

As more and more organizations adopt Terraform, it becomes increasingly important to make sure the configuration is correct. This is especially true for large organizations with hundreds of thousands of resources being deployed to the cloud. Checkov is a command-line tool that analyzes your Infrastructure as Code (IaC) configuration across platforms like Terraform, CloudFormation, Kubernetes, and serverless frameworks. Checkov ships with a set of policies against which your IaC configuration is checked. It can also be embedded into a continuous integration pipeline such as GitHub Actions, Jenkins, CircleCI, GitLab CI, etc.

Install Checkov

We can install Checkov from pip using the following command:

pip install checkov

Once installed, we can verify that it is working by running the following command:

checkov -v

Configure Checkov

There are many ways to configure Checkov. We can run it against a specific file or directory using the options --file and --directory respectively. We can also scan multiple files by passing the -f option more than once.

In the following section we will see how to use Checkov to scan a Terraform plan file.

When we write Terraform code, we first need to initialize the Terraform configuration. This is done by running the following command:

terraform init

Next, we need to generate the Terraform plan. This is done by running the following command:

terraform plan -out my-tf.plan

The Terraform plan is now stored in the file my-tf.plan.

For Checkov to scan it, we convert the binary plan file to JSON using the following command:

terraform show -json my-tf.plan | jq '.' > my-tf.json

We piped the output through jq to pretty-print the JSON, which makes it easier to read and to review the scan result against.

Once we have the JSON file, we can run the following command to scan it and verify our Terraform configuration:

checkov -f my-tf.json

Checkov Policy

Checkov has a set of predefined policies which are used to scan our Terraform configuration. Policies are provided for various providers such as AWS, GCP, Azure, etc. Which policies are evaluated depends on the provider we are using and the resources we define. For example, for AWS there is a policy CKV_AWS_41 which ensures that no hardcoded credentials such as an AWS access key ID and secret access key are used. If we use Checkov in the continuous integration pipeline, we can scan the Terraform plan file for such configurations and revert the changes made to the Terraform configuration if any of the policies are violated.

Checkov has many policies, and if we do not want it to check all of them, we can specify the policies to skip using the option --skip-check. For example, if we do not want Checkov to check the policy CKV_AWS_41, we can use the following command:

checkov -f my-tf.json --skip-check CKV_AWS_41
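To make concrete what Checkov does with the plan JSON from terraform show -json and how --skip-check filters the result, here is an added example that is not part of the original article and not Checkov's own code: a deliberately simplified evaluator that re-states the intent of two of the policies mentioned on this page (CKV_AWS_41, hardcoded provider credentials, and CKV_AWS_20, a public S3 bucket ACL) and runs them over a constructed plan document. The plan structure follows the real terraform show -json layout (resource_changes and configuration.provider_config); the resource names, bucket names, the placeholder access key and the set of ACL values treated as public are assumptions made for the example.

```python
"""Simplified, illustrative evaluation of two Checkov-style policies against a
Terraform plan JSON document. Added example; not Checkov's implementation."""
import json

# Constructed sample of what `terraform show -json my-tf.plan` emits, trimmed to
# the fields the two policies below need. All values are made up.
SAMPLE_PLAN_JSON = json.dumps({
    "format_version": "1.0",
    "resource_changes": [
        {"address": "aws_s3_bucket.my-bucket", "type": "aws_s3_bucket",
         "name": "my-bucket",
         "change": {"actions": ["create"],
                    "after": {"bucket": "example-static-site", "acl": "public-read"}}},
        {"address": "aws_s3_bucket.logs", "type": "aws_s3_bucket", "name": "logs",
         "change": {"actions": ["create"],
                    "after": {"bucket": "example-logs", "acl": "private"}}},
    ],
    "configuration": {
        "provider_config": {
            "aws": {"name": "aws",
                    "expressions": {
                        "region": {"constant_value": "us-east-1"},
                        # A literal credential in the provider block, placeholder value:
                        # this is the situation CKV_AWS_41 reports.
                        "access_key": {"constant_value": "AKIA-PLACEHOLDER-NOT-REAL"}}}
        }
    },
})


def check_ckv_aws_41(plan):
    """Flag provider blocks carrying a literal access_key or secret_key.

    Re-statement of the CKV_AWS_41 rule (no hardcoded AWS credentials in the
    provider configuration); a literal shows up as a constant_value expression.
    """
    findings = []
    providers = plan.get("configuration", {}).get("provider_config", {})
    for name, cfg in providers.items():
        exprs = cfg.get("expressions", {})
        for attr in ("access_key", "secret_key"):
            if "constant_value" in exprs.get(attr, {}):
                findings.append(("CKV_AWS_41", f"provider.{name}", attr))
    return findings


# ACL values this example treats as public (assumed list for the example).
PUBLIC_ACLS = {"public-read", "public-read-write"}


def check_ckv_aws_20(plan):
    """Flag S3 buckets whose planned ACL grants public access (CKV_AWS_20 rule)."""
    findings = []
    for rc in plan.get("resource_changes", []):
        if rc.get("type") != "aws_s3_bucket":
            continue
        after = rc.get("change", {}).get("after") or {}   # None for deletions
        if after.get("acl") in PUBLIC_ACLS:
            findings.append(("CKV_AWS_20", rc["address"], after["acl"]))
    return findings


POLICIES = [check_ckv_aws_41, check_ckv_aws_20]


def scan_plan(plan_json, skip_checks=()):
    """Run every policy over the plan JSON text and return the failures,
    minus any check IDs in skip_checks (the role --skip-check plays)."""
    plan = json.loads(plan_json)
    skipped = set(skip_checks)
    return [f for policy in POLICIES for f in policy(plan) if f[0] not in skipped]


if __name__ == "__main__":
    failures = scan_plan(SAMPLE_PLAN_JSON)
    for check_id, where, detail in failures:
        print(f"FAILED {check_id} at {where}: {detail}")
    # A CI job exits non-zero on failures so the pipeline blocks the change.
    raise SystemExit(1 if failures else 0)
```

Running the script reports both findings and exits with status 1, which is the property a CI pipeline relies on; passing skip_checks=["CKV_AWS_41"] mirrors the --skip-check command above and leaves only the public-bucket finding. Note that this is why scanning the plan rather than the .tf source is useful: the plan already has variables and locals resolved, so the evaluator sees the values Terraform would actually apply.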

If we want to skip a check for a particular Terraform resource block, we can add a comment inside the block in our Terraform file so that Checkov ignores that check for the block. For example, if we want to skip the check CKV_AWS_20 for the block resource "aws_s3_bucket" "my-bucket", we can add the following comment in the Terraform file:

resource "aws_s3_bucket" "my-bucket" {
  #checkov:skip=CKV_AWS_20:The bucket is a public static content host
  region = var.region
  bucket = local.bucket_name
}

Conclusion

As we saw in this article, we can use Checkov to scan various configuration files against its policies. We have also seen how to use Checkov to scan Terraform plan files, how to skip some policies, and how to skip checks for certain parts of the Terraform configuration. If you are interested in learning more about Checkov policies, check out the Checkov Policies and the Checkov website for more information.

Support Rahul Lokurte by becoming a sponsor. Any amount is appreciated!