Checkov

What is Checkov?

Checkov is a static code analysis tool designed for scanning infrastructure as code (IaC). It was developed by Bridgecrew and identifies misconfigurations in IaC files that could lead to security breaches or compliance issues. Checkov supports various IaC providers like Terraform, CloudFormation, Kubernetes, and more. Its strength lies in its ability to detect issues early in the development lifecycle. Checkov can manage multiple file types across different IaC frameworks including:

  • Terraform: .tf and .tfvars files.

  • CloudFormation: AWS CloudFormation in YAML and JSON formats.

  • Kubernetes: YAML configuration files.

  • Docker: Dockerfiles for container configuration.

Installing Checkov

With Trunk Check, you can automatically install and configure Checkov along with any relevant linters in a few straightforward steps. Here's how:

First, if you haven't already installed Trunk CLI, you can do so with the command below:

1curl https://get.trunk.io -fsSL | bash

Next, you can initialize Trunk from the root of your git repository:

1trunk init

This command will scan your repository and create a .trunk/trunk.yaml file that enables all linters, formatters, and security analyzers, recommended by Trunk Check. This includes Checkov if applicable to your project.

To see all available linters Trunk Check installed, simply run:

1trunk check list

If you find Checkov is not automatically enabled, you can do so by running:

1trunk check enable checkov

Alternatively, to disable Checkov run the command below. To disable other tooling applied by Trunk Check, simply replace checkov with the respective tool you're looking to disable.

1trunk check disable checkov

For more details on Trunk Check setup, see here.

Configuring Checkov

Most linters provide some mechanism to tweak their configuration, e.g. .eslintrc or Cargo.toml. Trunk is aware of all the ways individual tools are configured and supports them. This means linters you've already configured will continue to work exactly the same, just now supercharged by Trunk Check.

Like many linters with Trunk, Checkov works out of the box so there's no need to set up a custom configuration. For more advanced configuration like setting up customer policies, we recommend Checkov's official docs.

If you're interested in other tooling outside of Checkov, check out our open-source repository to see how we define and support 90+ linters.

Running Checkov

To check your code with Checkov, run the command below. This command executes Checkov, along with any other linters Trunk Check has enabled on files you've modified. Since Trunk is git-aware, it knows what you've changed, and by adding batched execution and caching, you end up with a much faster and smoother way to run Checkov and other tools.

1trunk check

If you prefer to check files you've modified with Checkov only, run the following:

1trunk check --filter=checkov

Although we'd recommend against it depending on the size of your repository, you can check all files with Checkov by running the command below.

1trunk check --all --filter=checkov

In most scenarios, you'll want to execute against modified files. Since Trunk is git-aware, it knows what you've changed, and by adding batched execution and caching, you end up with a much faster and smoother way to run Checkov and other tools.

Updating Trunk Check & Checkov

To upgrade the Trunk CLI along with all plugins and linters in your trunk.yaml simply run:

1trunk upgrade

We highly recommend running on the latest validated versions of tools as updates will frequently include important security fixes and additional valuable checks. Trunk only auto-suggests linter upgrades to versions that we have tested and support, so you may see a slight lag time when a new linter version is released.

Upgrade will also recommend new tools that have become applicable since the last time your repository was scanned. This can be a result of using new technologies in your repository or Trunk itself adding support for more tools. If you don't like a particular recommendation, you can always run trunk check disable <linter> to teach trunk not to recommend it.

Recommended Linters to Pair with Checkov

Pairing Checkov with linters enhances both code security and quality. Some recommended security linters to integrate alongside Checkov are:

  • osv-scanner: Scans vulnerabilities listed in the Open Source Vulnerabilities (OSV) database.

  • Trivy: A vulnerability scanner for container images, file systems, and configuration files.

  • Nancy: Checks against the Sonatype OSS Index, ensuring your Go projects remain secure against known vulnerabilities.

  • TruffleHog: Searches through git repositories for high-entropy strings and secrets, digging deep into commit history.

  • Gitleaks: Focuses on detecting hard-coded secrets like passwords, API keys, and tokens in your Git repositories.

We recommend pairing Checkov with either Gitleaks or Trufflehog as they serve similar purposes as security linters.