Skip to content
Latchkey

checkov -d: Scan IaC for Misconfigurations

checkov -d scans a directory of infrastructure as code and reports policy violations like public S3 buckets or unencrypted volumes.

Checkov is a static analysis tool for IaC. It ships thousands of built-in policies (the CKV_* checks) for Terraform, CloudFormation, Kubernetes, Helm, and more, and runs without touching any cloud account.

What it does

checkov parses IaC files, evaluates each resource against its built-in and custom policies, and prints passed and failed checks with the check ID (for example CKV_AWS_18) and file location. It exits 1 when any check fails and 0 when all pass, unless you change that with soft-fail.

Common usage

Terminal
# scan a directory
checkov -d .
# scan a single file
checkov -f main.tf
# limit to one framework and compact output
checkov -d . --framework terraform --compact

Options

FlagWhat it does
-d <dir>Scan a directory tree
-f <file>Scan a single file
--framework <name>terraform, cloudformation, kubernetes, helm, etc.
-o <fmt>Output: cli, json, junitxml, sarif, github_failed_only
--compactHide the code block, show one line per finding
--quietShow only failed checks

In CI

checkov -d . exits 1 on any failed check, which fails the job by default. It is fully offline and needs no cloud credentials, so it runs early and fast. For Terraform, scanning the plan JSON (checkov -f tfplan.json) catches issues in resolved values that a raw HCL scan cannot see.

Common errors in CI

"Passed checks: 0, Failed checks: 0" usually means checkov found no parseable IaC; check -d points at the right path and --framework is not over-filtering. "ERROR ... while scanning" with a traceback often means malformed HCL or an unsupported syntax; fix the file or exclude it. A job failing with exit 1 is the intended result of a failed check, not a tool crash.

Related guides

Run this faster and cheaper on Latchkey managed runners. Start free →