
How to Use Checkov with Terraform for Infrastructure Security

To use Checkov with Terraform, first install Checkov with pip install checkov. Then run checkov -d path/to/terraform/code to scan your Terraform files for security and compliance issues.

Syntax

The basic command to scan Terraform code with Checkov is:

checkov -d <directory_path>

Here:

  • checkov is the tool command.
  • -d specifies the directory containing Terraform files.
  • <directory_path> is the path to your Terraform code folder.

You can add options like --quiet to reduce output or --output json to get results in JSON format.

checkov -d ./terraform

Example

This example shows scanning a Terraform folder named terraform with Checkov installed via pip.

It demonstrates how Checkov reports security issues found in the Terraform code.

pip install checkov
checkov -d ./terraform
Output:

Checkov scanning directory: ./terraform
Passed checks: 5, Failed checks: 2, Skipped checks: 0

Check: CKV_AWS_20: Ensure S3 bucket has versioning enabled
  File: ./terraform/s3.tf:3
  Result: FAIL

Check: CKV_AWS_52: Ensure security groups do not allow ingress from 0.0.0.0/0
  File: ./terraform/security_group.tf:10
  Result: FAIL

Common Pitfalls

Common mistakes when using Checkov with Terraform include:

  • Running Checkov in the wrong directory without Terraform files.
  • Not installing Checkov before running the command.
  • Ignoring the output and missing critical security warnings.
  • Using an outdated Checkov version that lacks the latest checks.

Always ensure your Terraform code is in the specified directory and Checkov is up to date.

Wrong:
checkov -d ./wrong_folder

Right:
checkov -d ./terraform

Quick Reference

Command                               Description
pip install checkov                   Install the Checkov tool
checkov -d ./terraform                Scan Terraform code in the ./terraform folder
checkov -d ./terraform --quiet        Scan with minimal output
checkov -d ./terraform --output json  Get scan results in JSON format
checkov --version                     Show the Checkov version
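
The --output json option from the Syntax section is what makes Checkov usable as a CI gate rather than something whose output gets ignored (the third pitfall above). The script below is an added example, not part of this article or of the Checkov project: it parses a Checkov JSON report, lists the failed checks with their file and line, and returns a non-zero exit status when anything failed or any file could not be parsed. The report layout it reads (check_type / results / summary, with check_id, check_name, file_path, file_line_range and resource on each check) is an assumption based on Checkov's JSON format; confirm it against checkov --output json on your version. The embedded report is constructed to mirror the two findings shown in the Example section, and the function names (failed_checks, summarize, should_block, run_checkov) are my own.

```python
"""Gate a CI job on Checkov's JSON report (added example, not from the article).

Assumed report layout (verify against your Checkov version): an object, or a list
of objects when several frameworks ran, each with "check_type", "results"
(passed_checks / failed_checks / skipped_checks / parsing_errors) and "summary".
"""
import json
import subprocess
import sys

# Constructed sample report mirroring the article's two failed checks.
# The CKV_SAMPLE_* ids on the passing side are placeholders, not real Checkov ids.
SAMPLE_REPORT = {
    "check_type": "terraform",
    "results": {
        "passed_checks": [
            {"check_id": f"CKV_SAMPLE_{n}", "check_name": "constructed passing check",
             "file_path": "/main.tf", "file_line_range": [1, 5],
             "resource": "aws_instance.web"}
            for n in range(1, 6)
        ],
        "failed_checks": [
            {"check_id": "CKV_AWS_20",
             "check_name": "Ensure S3 bucket has versioning enabled",
             "file_path": "/s3.tf", "file_line_range": [3, 11],
             "resource": "aws_s3_bucket.logs"},
            {"check_id": "CKV_AWS_52",
             "check_name": "Ensure security groups do not allow ingress from 0.0.0.0/0",
             "file_path": "/security_group.tf", "file_line_range": [10, 24],
             "resource": "aws_security_group.web"},
        ],
        "skipped_checks": [],
        "parsing_errors": [],
    },
    "summary": {"passed": 5, "failed": 2, "skipped": 0,
                "parsing_errors": 0, "resource_count": 4},
}


def _frameworks(report):
    """Checkov writes one object for a single framework and a list when several ran."""
    return report if isinstance(report, list) else [report]


def failed_checks(report, ignore_ids=()):
    """Failed check entries across all frameworks, minus ids deliberately ignored."""
    ignored = set(ignore_ids)
    return [check
            for framework in _frameworks(report)
            for check in framework.get("results", {}).get("failed_checks", [])
            if check.get("check_id") not in ignored]


def summarize(report):
    """Count results from the result lists rather than trusting the summary block."""
    totals = {"passed": 0, "failed": 0, "skipped": 0, "parsing_errors": 0}
    for framework in _frameworks(report):
        results = framework.get("results", {})
        totals["passed"] += len(results.get("passed_checks", []))
        totals["failed"] += len(results.get("failed_checks", []))
        totals["skipped"] += len(results.get("skipped_checks", []))
        totals["parsing_errors"] += len(results.get("parsing_errors", []))
    return totals


def format_finding(check):
    """One line per finding: id, name, file:line and the Terraform resource address."""
    start = check.get("file_line_range", [0])[0]
    return (f"{check['check_id']}: {check['check_name']} "
            f"[{check.get('file_path')}:{start}] resource={check.get('resource')}")


def should_block(report, ignore_ids=()):
    """Block on any remaining failed check, and on files Checkov could not parse:
    a file that did not parse was not scanned, so 'no failures' proves nothing."""
    return bool(failed_checks(report, ignore_ids)) or summarize(report)["parsing_errors"] > 0


def run_checkov(directory):
    """Run Checkov for real. It exits non-zero when checks fail, so check=True is wrong here."""
    proc = subprocess.run(["checkov", "-d", directory, "--output", "json"],
                          capture_output=True, text=True)
    if not proc.stdout.strip():
        raise RuntimeError(f"checkov produced no JSON output: {proc.stderr.strip()}")
    return json.loads(proc.stdout)


def main(argv):
    # With a directory argument, scan it; without one, evaluate the constructed sample.
    report = run_checkov(argv[1]) if len(argv) > 1 else SAMPLE_REPORT
    for finding in failed_checks(report):
        print(format_finding(finding))
    print(summarize(report))
    return 1 if should_block(report) else 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Run it as python checkov_gate.py ./terraform in the pipeline step after pip install checkov (it assumes checkov is on PATH). The ignore_ids parameter is for a reviewed, documented exception list; Checkov's own --skip-check flag does the same thing at scan time, but keeping the list in the gate script leaves it in version control next to the code it excuses.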

Key Takeaways

  • Install Checkov with pip before scanning Terraform code.
  • Use checkov -d <directory_path> to scan the Terraform files in that folder.
  • Review Checkov output carefully and fix the security issues it reports.
  • Keep Checkov updated to get the latest security checks.
  • Run Checkov in the correct directory, the one containing the Terraform files.