Adding Checkov IaC Scanning to GitHub Actions
Catch insecure infrastructure-as-code with Checkov before it ships.
Checkov scans IaC (Terraform, CloudFormation, Kubernetes, Helm, Dockerfiles) for misconfigurations against hundreds of built-in policies. The bridgecrewio/checkov-action runs it in CI, outputs SARIF for code scanning, and can fail the build on any failed check.
What you need
- IaC files in the repo (Terraform, CloudFormation, k8s, etc.).
- The bridgecrewio/checkov-action.
- security-events: write to upload SARIF.
The workflow
Scan the directory and emit SARIF.
.github/workflows/ci.yml
- uses: bridgecrewio/checkov-action@v12
with:
directory: .
framework: terraform
output_format: sarif
output_file_path: checkov.sarif
- uses: github/codeql-action/upload-sarif@v3
if: always()
with:
sarif_file: checkov.sarifCommon gotchas
- Checkov is noisy out of the box - use a .checkov.yaml to skip checks that do not apply.
- It fails the job on any failed check by default; set soft_fail while triaging.
- Module-heavy Terraform needs download_external_modules: true to scan fully.
Key takeaways
- Checkov scans Terraform, CloudFormation, k8s, and more.
- Tune noise with a .checkov.yaml skip list.
- Emit SARIF and use if: always() so findings upload.
Related guides
Adding tfsec to GitHub ActionsScan Terraform for security issues with tfsec in GitHub Actions, post inline PR comments, and emit SARIF for…
Adding Trivy Container Scanning to GitHub ActionsScan container images for vulnerabilities with Trivy in GitHub Actions, fail on critical CVEs, and upload SAR…
Adding OSV-Scanner to GitHub ActionsScan lockfiles against the OSV database with Google OSV-Scanner in GitHub Actions using the reusable workflow…