Skip to content
Latchkey

Adding Checkov IaC Scanning to GitHub Actions

Catch insecure infrastructure-as-code with Checkov before it ships.

Checkov scans IaC (Terraform, CloudFormation, Kubernetes, Helm, Dockerfiles) for misconfigurations against hundreds of built-in policies. The bridgecrewio/checkov-action runs it in CI, outputs SARIF for code scanning, and can fail the build on any failed check.

What you need

  • IaC files in the repo (Terraform, CloudFormation, k8s, etc.).
  • The bridgecrewio/checkov-action.
  • security-events: write to upload SARIF.

The workflow

Scan the directory and emit SARIF.

.github/workflows/ci.yml
- uses: bridgecrewio/checkov-action@v12
  with:
    directory: .
    framework: terraform
    output_format: sarif
    output_file_path: checkov.sarif

- uses: github/codeql-action/upload-sarif@v3
  if: always()
  with:
    sarif_file: checkov.sarif

Common gotchas

  • Checkov is noisy out of the box - use a .checkov.yaml to skip checks that do not apply.
  • It fails the job on any failed check by default; set soft_fail while triaging.
  • Module-heavy Terraform needs download_external_modules: true to scan fully.

Key takeaways

  • Checkov scans Terraform, CloudFormation, k8s, and more.
  • Tune noise with a .checkov.yaml skip list.
  • Emit SARIF and use if: always() so findings upload.

Related guides

Run this faster and cheaper on Latchkey managed runners. Start free →