Test yourself
Checkov & IaC scanning
Final exam · 12 questions · answers explained as you pick
Beginner
4 questions
01IaC scanning (Checkov et al.) primarily finds…
Incorrect — that is detection/EDR, not static IaC scanning.
Correct — static analysis over Terraform/k8s/Docker etc.
Incorrect — no.
Incorrect — that is runtime, not IaC scanning.
02A clean Checkov scan means…
Incorrect — no — only that the rules that ran found nothing.
Incorrect — scanning does not see runtime.
Correct — defense in depth still needs policy, runtime, review.
Incorrect — it is useful, just not proof of security.
03Checkov exits non-zero when checks fail so that…
Correct — the non-zero exit blocks the pipeline on violations.
Incorrect — unrelated.
Incorrect — no.
Incorrect — no.
04Checkov covers…
Incorrect — it covers many frameworks.
Correct — consistent coverage across the IaC stack.
Incorrect — no.
Incorrect — that is image/runtime scanning.
4 questions · explanations appear as you answer
Intermediate
4 questions
01The best way to handle a false-positive or accepted-risk finding is…
Incorrect — that removes all protection.
Incorrect — too blunt — hides the check for genuinely-violating resources too.
Correct — visible in review, travels with the resource, answers “why is this safe here?”
Incorrect — undocumented risk.
02Custom Checkov policies…
Correct — a buggy custom check passes what it should fail — test against fixtures.
Incorrect — that is Terrascan/OPA; Checkov uses YAML/Python.
Incorrect — they can, via --external-checks-dir.
Incorrect — they very much do.
03Scanning a Terraform PLAN instead of only the source catches…
Incorrect — that is not the added value.
Correct — the plan JSON has fully-resolved values.
Incorrect — still static; no runtime.
Incorrect — it catches resolved-value risk.
04A baseline in Checkov lets you…
Incorrect — no.
Incorrect — no.
Correct — adopt scanning on a legacy repo without blocking day one — then burn it down.
Incorrect — unrelated.
4 questions · explanations appear as you answer
Advanced
4 questions
01Regarding the scanner family (Checkov, Trivy/tfsec, Terrascan, KICS), you should…
Incorrect — heavy overlap → noise, quadrupled suppressions, disabled gates.
Correct — consistency beats coverage-by-accumulation; Trivy also does images/secrets.
Incorrect — no.
Incorrect — that misses IaC misconfig.
02Secrets scanning should ideally run…
Correct — CI-only catches the secret after it is in Git history and must be rotated.
Incorrect — far too late.
Incorrect — no.
Incorrect — no.
03The biggest threat to an IaC scanning program is…
Incorrect — not a problem.
Incorrect — baselines help adoption when managed.
Correct — tune severity, baseline, make findings actionable; a respected gate beats a strict muted one.
Incorrect — not the core risk.
04Running scanning “as a program” means, beyond the tool…
Incorrect — more checks without governance = more noise.
Correct — governance is what turns caught misconfigs into fixed ones.
Incorrect — suppressions are needed — just documented.
Incorrect — no.
4 questions · explanations appear as you answer