Frameworks: Terraform, k8s, more

One tool, many IaC types.

Intermediate10 min · lesson 4 of 12

A major strength of Checkov is breadth: one tool scans Terraform (and Terraform plan), CloudFormation, Kubernetes manifests, Helm, Kustomize, Dockerfiles, Serverless, ARM/Bicep, and more, plus secrets detection. Each framework has its own check namespace (CKV_AWS_*, CKV_K8S_*, CKV_DOCKER_*), and Checkov auto-detects what is present. This means consistent security coverage across your whole IaC stack from a single tool and a single CI step.

terminal
$ checkov -d . --framework terraform,kubernetes,dockerfile
$ checkov -f Dockerfile
Check: CKV_DOCKER_2: "Ensure that HEALTHCHECK instructions have been added"
Check: CKV_DOCKER_3: "Ensure that a user for the container has been created"
FAILED — the image runs as root

One policy vocabulary across the stack

Because the same tool covers Terraform and Kubernetes and Dockerfiles, a rule like “encryption must be on” or “no root containers” is enforced consistently wherever it applies, and your team learns one findings format. You can scan selectively with --framework when a repo mixes types, or let auto-detection handle it. For Kubernetes and Helm specifically, Checkov can render and scan the effective manifests, catching issues in the deployed result.

Auto-detection can miss rendered output
Checkov scans source files, so for templated systems (Helm, Kustomize) the risky setting may only exist in the rendered output, not the templates. Point Checkov at rendered manifests (helm template / kustomize build piped or via its Helm/Kustomize support) as well as source, or a misconfiguration introduced by a values file or overlay slips past. Scan the thing that actually deploys.