BlogIaC

Scanning Terraform with Checkov before you apply

Catch public buckets and open security groups in the plan — in CI, with suppressions that expire and a clean baseline.

Feb 12, 2026·8 min readIntermediate

Checkov reads your Terraform (and CloudFormation, Kubernetes, Dockerfiles) and flags misconfigurations against hundreds of built-in policies — public S3 buckets, unencrypted volumes, wide-open security groups. The value is running it in CI so the finding lands in the plan, not in prod.

bash — a first scanlive
checkov -d .
FAILED CKV_AWS_20 S3 Bucket has an ACL defined which allows public access
FAILED CKV_AWS_23 Security group rule has no description
Passed checks: 48, Failed checks: 2, Skipped: 0

Wire it into the pipeline

.gitlab-ci.yml
iac_scan:
stage: test
image: bridgecrew/checkov:latest
script:
- checkov -d . --compact --quiet
allow_failure: false

Suppress with an expiry, not forever

Real code needs exceptions. Skip a check inline with a reason — and put a date in it so review picks it up again.

main.tf
resource "aws_s3_bucket" "logs" {
#checkov:skip=CKV_AWS_18:access logging N/A for this log sink (review 2026-09)
bucket = "acme-app-logs"
}
Blanket skips rot
A --skip-check list in CI config is invisible to reviewers. Prefer inline skips with a justification so every exception is in the diff.

Adopt on a legacy repo with a baseline

bash — grandfather existing findingslive
checkov -d . --create-baseline
Created .checkov.baseline
checkov -d . --baseline .checkov.baseline
now only NEW misconfigurations fail the build
Go deeper in a courseCheckov & IaC scanningStatic analysis for IaC — catch misconfig before it ships.View course

Related posts