Checkov

Open source static analysis tool for Infrastructure as Code (IaC) security and compliance. Scans Terraform, CloudFormation, Kubernetes, Helm, ARM templates, Bicep, Dockerfile, and GitHub Actions for misconfigurations and compliance violations against 1,000+ built-in policies covering CIS benchmarks, NIST, SOC2, PCI-DSS, and custom checks. Runs as a CLI tool or Python library — no REST API or central server required for the OSS version.

Evaluated Mar 06, 2026 (version evaluated: current)
Agent Friendliness: 70 / 100 (Can an agent use this?)
Security: 80 / 100 (Is it safe for agents?)
Reliability: 80 / 100 (Does it work consistently?)

Score Breakdown

Agent Friendliness

  • MCP Quality: --
  • Documentation: 85
  • Error Messages: 75
  • Auth Simplicity: 85
  • Rate Limits: 78

Security

  • TLS Enforcement: 90
  • Auth Strength: 75
  • Scope Granularity: 68
  • Dep. Hygiene: 88
  • Secret Handling: 80

CLI tool with no authentication for local use; the Prisma Cloud integration requires an API token. As an IaC security scanner, its results contain vulnerability information. Open source under the Apache 2.0 license.

Reliability

  • Uptime/SLA: 80
  • Version Stability: 82
  • Breaking Changes: 80
  • Error Recovery: 78

Best When

An agent needs to scan IaC files for misconfigurations as part of a CI/CD or code review workflow, especially when the scan must run locally without sending code to external APIs.

Avoid When

You need runtime cloud posture management, or your team lacks a CI/CD pipeline to integrate scan results.

Use Cases

  • Running IaC security scans in CI/CD pipelines before infrastructure deployment
  • Generating SARIF or JSON scan reports for security dashboards and ticketing
  • Enforcing security policies on Terraform plan files before apply
  • Scanning container Dockerfiles for known security anti-patterns
  • Custom policy authoring in Python or YAML for organization-specific controls

Not For

  • Runtime security monitoring — Checkov is pre-deployment static analysis only
  • Scanning cloud environments directly (use CSPM tools like Wiz or Lacework for runtime posture)
  • Network or endpoint security — IaC-only scope
  • Organizations needing a managed SaaS scanning service without DevOps toolchain integration

Interface

  • REST API: No
  • GraphQL: No
  • gRPC: No
  • MCP Server: No
  • SDK: Yes
  • Webhooks: No

Authentication

Methods: none
OAuth: No
Scopes: No

No authentication required for OSS CLI/library usage. Prisma Cloud (BC_API_KEY) integration requires a Bridgecrew/Prisma Cloud token for uploading results and accessing cloud-managed policies.

Pricing

Model: open-source
Free tier: Yes
Requires CC: No

Core tool is Apache 2.0 open source with no usage limits. The Bridgecrew SaaS platform (now Prisma Cloud) adds centralized policy management and reporting for a fee.

Agent Metadata

Pagination: none
Idempotent: Full
Retry Guidance: Not documented

Known Gotchas

  • CLI invocation requires subprocess management — agents must handle stdout/stderr capture and exit code interpretation
  • Scan time scales with repository size — large monorepos can take minutes, blocking agent workflows
  • JSON output structure differs between framework types (Terraform vs Kubernetes vs Dockerfile) — agents need format-aware parsing
  • Custom checks require Python or YAML files on disk — not easily injected at runtime by agents
  • False positive rate can be high for certain checks — agents should implement suppression/skip logic via inline comments or .checkov.yaml
  • Terraform plan file scanning requires a separate terraform plan step first — two-phase workflow needed
  • BC_API_KEY integration silently changes behavior to upload results to Prisma Cloud — agents should be aware of data egress


Scores are editorial opinions as of 2026-03-06.
