Install & first scan
checkov -d and reading results.
Checkov installs as a Python package (or runs as a container/pre-commit hook). The core usage is checkov -d <dir> to scan a directory, or -f <file> for one file; it auto-detects the IaC frameworks present and runs the matching policies. The output lists each check by ID, whether it passed or failed, the resource and file/line, and a link to a remediation guide.
$ pip install checkov$ checkov -d .Passed checks: 41, Failed checks: 3, Skipped checks: 0Check: CKV_AWS_18: "Ensure the S3 bucket has access logging enabled"FAILED for resource: aws_s3_bucket.logsFile: /main.tf:12-18Guide: https://docs.../CKV_AWS_18
Output formats and exit codes
Checkov exits non-zero when a check fails, which is what makes it a CI gate. It emits multiple formats — CLI (human), JSON (machine), SARIF (for GitHub code scanning), JUnit (for test dashboards) — so you can render results wherever your team looks. --compact trims output; --quiet shows only failures. Choosing SARIF, for example, surfaces findings directly in a pull request’s Security tab.
$ checkov -d . -o sarif --output-file-path results # for GitHub code scanning$ checkov -d . --compact --quiet # only failures, terse$ echo $?1 # non-zero because checks failed -> CI job fails