# checkov

Name: checkov
Version: 1.0.824
Home page: https://github.com/bridgecrewio/checkov
Summary: Infrastructure as code static analysis
Upload time: 2021-03-03 12:06:40
Author: bridgecrew
Requires Python: >=3.7
License: Apache License 2.0
[![checkov](https://raw.githubusercontent.com/bridgecrewio/checkov/master/docs/web/images/checkov_by_bridgecrew.png)](#)

[![Maintained by Bridgecrew.io](https://img.shields.io/badge/maintained%20by-bridgecrew.io-blueviolet)](https://bridgecrew.io/?utm_source=github&utm_medium=organic_oss&utm_campaign=checkov)
[![build status](https://github.com/bridgecrewio/checkov/workflows/build/badge.svg)](https://github.com/bridgecrewio/checkov/actions?query=workflow%3Abuild)
[![security status](https://github.com/bridgecrewio/checkov/workflows/security/badge.svg)](https://github.com/bridgecrewio/checkov/actions?query=event%3Apush+branch%3Amaster+workflow%3Asecurity) 
[![code_coverage](https://raw.githubusercontent.com/bridgecrewio/checkov/master/coverage.svg?sanitize=true)](https://github.com/bridgecrewio/checkov/actions?query=workflow%3Acoverage) 
[![docs](https://img.shields.io/badge/docs-passing-brightgreen)](https://www.checkov.io/documentation?utm_source=github&utm_medium=organic_oss&utm_campaign=checkov)
[![PyPI](https://img.shields.io/pypi/v/checkov)](https://pypi.org/project/checkov/)
[![Python Version](https://img.shields.io/github/pipenv/locked/python-version/bridgecrewio/checkov)](#)
[![Terraform Version](https://img.shields.io/badge/tf-%3E%3D0.12.0-blue.svg)](#)
[![Downloads](https://pepy.tech/badge/checkov)](https://pepy.tech/project/checkov)
[![slack-community](https://slack.bridgecrew.io/badge.svg)](https://slack.bridgecrew.io/?utm_source=github&utm_medium=organic_oss&utm_campaign=checkov)


**Checkov** is a static code analysis tool for infrastructure-as-code.

It scans cloud infrastructure provisioned using [Terraform](https://terraform.io/), Terraform plan, [Cloudformation](https://aws.amazon.com/cloudformation/), [Kubernetes](https://kubernetes.io/), [Serverless](https://www.serverless.com/) or [ARM Templates](https://docs.microsoft.com/en-us/azure/azure-resource-manager/templates/overview) and detects security and compliance misconfigurations.


Checkov also powers [**Bridgecrew**](https://bridgecrew.io/?utm_source=github&utm_medium=organic_oss&utm_campaign=checkov), the developer-first platform that codifies and streamlines cloud security throughout the development lifecycle. Bridgecrew identifies, fixes, and prevents misconfigurations in cloud resources and infrastructure-as-code files. 

<a href="https://www.bridgecrew.cloud/login/signUp/?utm_campaign=checkov-github-repo&utm_source=github.com&utm_medium=get-started-button" title="Try_Bridgecrew">
    <img src="https://dabuttonfactory.com/button.png?t=Try+Bridgecrew&f=Open+Sans-Bold&ts=26&tc=fff&hp=45&vp=20&c=round&bgt=unicolored&bgc=662eff" align="right" width="120">
</a>


<a href="https://docs.bridgecrew.io?utm_campaign=checkov-github-repo&utm_source=github.com&utm_medium=read-docs-button" title="Docs">
    <img src="https://dabuttonfactory.com/button.png?t=Read+the+Docs&f=Open+Sans-Bold&ts=26&tc=fff&hp=45&vp=20&c=round&bgt=unicolored&bgc=662eff" align="right" width="120">
</a>

## **Table of contents**

- [Features](#features)
- [Screenshots](#screenshots)
- [Getting Started](#getting-started)
- [Disclaimer](#disclaimer)
- [Support](#support)

## Features

* [Over 500 built-in policies](docs/3.Scans/resource-scans.md) cover security and compliance best practices for AWS, Azure and Google Cloud.
* Scans Terraform, Terraform Plan, CloudFormation, Kubernetes, Serverless framework and ARM template files.
* Detects [AWS credentials](docs/3.Scans/Credentials%20Scans.md) in EC2 Userdata, Lambda environment variables and Terraform providers.
* Evaluates [Terraform Provider](https://registry.terraform.io/browse/providers) settings to regulate the creation, management, and updates of IaaS, PaaS or SaaS managed through Terraform.
* Policies support evaluation of [variables](docs/2.Concepts/Evaluations.md) to their optional default value.
* Supports in-line [suppression](docs/2.Concepts/Suppressions.md) of accepted risks or false positives to reduce recurring scan failures. Checks can also be skipped globally from the CLI.
* [Output](docs/1.Introduction/Results.md) is currently available as CLI, JSON, JUnit XML and GitHub Markdown, with links to remediation [guides](https://docs.bridgecrew.io/docs/aws-policy-index).

## Screenshots

Scan results in CLI

![scan-screenshot](https://raw.githubusercontent.com/bridgecrewio/checkov/master/docs/checkov-recording.gif)

Scheduled scan result in Jenkins

![jenkins-screenshot](https://raw.githubusercontent.com/bridgecrewio/checkov/master/docs/checkov-jenkins.png)

## Getting started

### Requirements
* Python >= 3.7 (data classes are available from Python 3.7 onwards)
* Terraform >= 0.12

### Installation


```sh
pip3 install checkov
```

Installation on Alpine:
```sh
pip3 install --upgrade pip && pip3 install --upgrade setuptools
pip3 install checkov
```

Installation on Ubuntu 18.04 LTS:

Ubuntu 18.04 ships with Python 3.6. Install Python 3.7 from the deadsnakes PPA, then install Checkov with it:

```sh
sudo apt update
sudo apt install software-properties-common
sudo add-apt-repository ppa:deadsnakes/ppa
sudo apt install python3.7
sudo apt install python3-pip
sudo python3.7 -m pip install -U checkov  # installs or upgrades checkov
```

Or using Homebrew (macOS only):

```sh
brew install checkov
```

Or, to upgrade an existing Homebrew installation:

```sh
brew upgrade checkov
```

### Upgrade

If you installed Checkov with pip3:
```sh
pip3 install -U checkov
```

### Configure an input folder or file

```sh
checkov --directory /user/path/to/iac/code
```

Or a specific file or files:

```sh
checkov --file /user/tf/example.tf
```
Or
```sh
checkov -f /user/cloudformation/example1.yml -f /user/cloudformation/example2.yml
```

Or a Terraform plan file in JSON format:
```sh
terraform init
terraform plan -out tf.plan
terraform show -json tf.plan > tf.json
checkov -f tf.json
```
Note: the file `tf.json` written by `terraform show` is a single line. For that reason Checkov reports every finding at line number 0:
```sh
check: CKV_AWS_21: "Ensure all data stored in the S3 bucket have versioning enabled"
	FAILED for resource: aws_s3_bucket.customer
	File: /tf/tf.json:0-0
	Guide: https://docs.bridgecrew.io/docs/s3_16-enable-versioning
```

If you have `jq` installed, you can pretty-print the JSON across multiple lines with the following command:
```sh
terraform show -json tf.plan | jq '.' > tf.json
```
The scan result then carries usable line ranges:

```sh
checkov -f tf.json
Check: CKV_AWS_21: "Ensure all data stored in the S3 bucket have versioning enabled"
	FAILED for resource: aws_s3_bucket.customer
	File: /tf/tf1.json:224-268
	Guide: https://docs.bridgecrew.io/docs/s3_16-enable-versioning

		225 |               "values": {
		226 |                 "acceleration_status": "",
		227 |                 "acl": "private",
		228 |                 "arn": "arn:aws:s3:::mybucket",

```



### Scan result sample (CLI)

```sh
Passed Checks: 1, Failed Checks: 1, Suppressed Checks: 0
Check: "Ensure all data stored in the S3 bucket is securely encrypted at rest"
/main.tf:
	 Passed for resource: aws_s3_bucket.template_bucket 
Check: "Ensure all data stored in the S3 bucket is securely encrypted at rest"
/../regionStack/main.tf:
	 Failed for resource: aws_s3_bucket.sls_deployment_bucket_name       
```

Start using Checkov by reading the [Getting Started](docs/1.Introduction/Getting%20Started.md) page.

### Using Docker


```sh
docker pull bridgecrew/checkov
docker run --tty --volume /user/tf:/tf bridgecrew/checkov --directory /tf
```
Note: if you are using Python 3.6 (the default version in Ubuntu 18.04), Checkov will not work and will fail with the error message `ModuleNotFoundError: No module named 'dataclasses'`. In this case, use the Docker image instead.

Note that there are certain cases where redirecting `docker run --tty` output to a file - for example, if you want to save the Checkov JUnit output to a file - will cause extra control characters to be printed. This can break file parsing. If you encounter this, remove the `--tty` flag.

### Running or skipping checks 

Using command line flags you can run only the named checks (allow list) or run all checks except those listed (deny list).

List available checks:
```sh
checkov --list 
```

Allow only 2 checks to run: 
```sh
checkov --directory . --check CKV_AWS_20,CKV_AWS_57
```

Run all checks except 1 specified:
```sh
checkov -d . --skip-check CKV_AWS_52
```

Run all checks except checks with specified patterns:
```sh
checkov -d . --skip-check CKV_AWS*
```

For Kubernetes workloads, you can also use allow/deny namespaces.  For example, do not report any results for the 
kube-system namespace:
```sh
checkov -d . --skip-check kube-system
```
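To reason about what a CI invocation will actually run before running it, here is an added example (not Checkov's own code) that re-implements the observable allow-list/deny-list semantics of `--check` and `--skip-check`, including glob patterns such as `CKV_AWS*`. It covers check ids only, not Kubernetes namespaces, and the rule that a deny entry wins when a check matches both lists is an assumption of this example.

```python
"""Allow/deny selection of Checkov check ids, as an illustration of the CLI flags above."""
from fnmatch import fnmatchcase
from typing import Iterable, List, Optional


def parse_flag(value: Optional[str]) -> List[str]:
    """Split a comma-separated CLI value; None or '' means the flag was not given."""
    return [v.strip() for v in (value or "").split(",") if v.strip()]


def matches_any(check_id: str, patterns: Iterable[str]) -> bool:
    """Case-sensitive glob match: CKV_AWS* covers CKV_AWS_20 but not CKV_AZURE_1."""
    return any(fnmatchcase(check_id, p) for p in patterns)


def should_run(check_id: str, check: Optional[str] = None, skip: Optional[str] = None) -> bool:
    """Allow list (if given) must match; deny list (if given) must not. Deny wins: assumption."""
    allow, deny = parse_flag(check), parse_flag(skip)
    if allow and not matches_any(check_id, allow):
        return False
    if deny and matches_any(check_id, deny):
        return False
    return True


def select_checks(available: Iterable[str], check: Optional[str] = None,
                  skip: Optional[str] = None) -> List[str]:
    """The subset of `available` that a run with these flags would execute, in order."""
    return [c for c in available if should_run(c, check, skip)]


# Constructed inventory: a small subset of the ids that `checkov --list` prints.
AVAILABLE = ["CKV_AWS_20", "CKV_AWS_21", "CKV_AWS_52", "CKV_AWS_57", "CKV_AZURE_1", "CKV_K8S_11"]

if __name__ == "__main__":
    print(select_checks(AVAILABLE, check="CKV_AWS_20,CKV_AWS_57"))  # allow list
    print(select_checks(AVAILABLE, skip="CKV_AWS_52"))              # deny one id
    print(select_checks(AVAILABLE, skip="CKV_AWS*"))                # deny by pattern
```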

### Suppressing/Ignoring a check

Like any static-analysis tool, Checkov is limited by its analysis scope.
For example, if a resource is managed manually, or by subsequent configuration-management tooling,
a suppression can be inserted as a simple code annotation.

#### Suppression comment format

To skip a check on a given Terraform definition block or CloudFormation resource, apply the following comment pattern inside its scope:

`checkov:skip=<check_id>:<suppression_comment>`

* `<check_id>` is one of the [available check scanners](docs/3.Scans/resource-scans.md)
* `<suppression_comment>` is an optional suppression reason to be included in the output

#### Example

The following comment skips the `CKV_AWS_20` check on the resource identified by `foo-bucket`, where the check verifies that an AWS S3 bucket is private.
In the example, the bucket is configured with public read access; adding the suppression comment makes the check report as skipped instead of failed.

```hcl-terraform
resource "aws_s3_bucket" "foo-bucket" {
  region        = var.region
  #checkov:skip=CKV_AWS_20:The bucket is a public static content host
  bucket        = local.bucket_name
  force_destroy = true
  acl           = "public-read"
}
```

The output would now contain a `SKIPPED` check result entry:

```bash
...
...
Check: "S3 Bucket has an ACL defined which allows public access."
	SKIPPED for resource: aws_s3_bucket.foo-bucket
	Suppress comment: The bucket is a public static content host
	File: /example_skip_acl.tf:1-25

...
```

To suppress checks in Kubernetes manifests, metadata annotations are used with the following format, where `#` is a number that keeps each annotation key unique:
`checkov.io/skip#: <check_id>=<suppression_comment>`

For example:

```yaml
apiVersion: v1
kind: Pod
metadata:
  name: mypod
  annotations:
    checkov.io/skip1: CKV_K8S_20=I don't care about Privilege Escalation :-O
    checkov.io/skip2: CKV_K8S_14
    checkov.io/skip3: CKV_K8S_11=I have not set CPU limits as I want BestEffort QoS
spec:
  containers:
...
```
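Suppressions are accepted-risk decisions, so they deserve periodic review. The following added example (not Checkov's own code) recognises both annotation formats described above, attributes each suppression to its resource, and lists the ones that record no reason. Simplifying assumptions: a Terraform suppression is attributed to the nearest `resource` header above it (no brace tracking) and a YAML stream is split into documents on `---` lines.

```python
"""Audit Checkov suppressions in Terraform and Kubernetes sources (illustrative, not Checkov code)."""
import re
from dataclasses import dataclass
from typing import List, Optional

TF_RESOURCE = re.compile(r'^\s*resource\s+"([^"]+)"\s+"([^"]+)"\s*\{')
TF_SKIP = re.compile(r"#\s*checkov:skip=(CKV2?_[A-Z0-9]+_\d+)(?::(.*))?\s*$")
K8S_KIND = re.compile(r"^kind:\s*(\S+)\s*$")
K8S_NAME = re.compile(r"^\s+name:\s*(\S+)\s*$")
K8S_SKIP = re.compile(r"^\s*checkov\.io/skip\d+:\s*(CKV2?_[A-Z0-9]+_\d+)(?:=(.*))?\s*$")


@dataclass
class Suppression:
    source: str            # "terraform" or "kubernetes"
    resource: str          # e.g. aws_s3_bucket.foo-bucket or Pod/mypod
    check_id: str
    reason: Optional[str]  # None when the annotation carries no justification


def _clean(reason: Optional[str]) -> Optional[str]:
    reason = (reason or "").strip()
    return reason or None


def parse_terraform(text: str) -> List[Suppression]:
    """Collect `#checkov:skip=<id>:<reason>` comments; nearest resource header wins (assumption)."""
    found, current = [], "<outside any resource>"
    for line in text.splitlines():
        header = TF_RESOURCE.match(line)
        if header:
            current = f"{header.group(1)}.{header.group(2)}"
            continue
        skip = TF_SKIP.search(line)
        if skip:
            found.append(Suppression("terraform", current, skip.group(1), _clean(skip.group(2))))
    return found


def parse_kubernetes(text: str) -> List[Suppression]:
    """Collect `checkov.io/skipN: <id>=<reason>` annotations, one YAML document at a time."""
    found = []
    for doc in re.split(r"^---\s*$", text, flags=re.MULTILINE):
        kind, name, skips = "Unknown", "<unnamed>", []
        for line in doc.splitlines():
            kind_m, name_m, skip_m = K8S_KIND.match(line), K8S_NAME.match(line), K8S_SKIP.match(line)
            if kind_m:
                kind = kind_m.group(1)
            elif name_m and name == "<unnamed>":
                name = name_m.group(1)  # first `name:` is metadata.name in a well-formed manifest
            elif skip_m:
                skips.append((skip_m.group(1), _clean(skip_m.group(2))))
        found.extend(Suppression("kubernetes", f"{kind}/{name}", c, r) for c, r in skips)
    return found


def undocumented(suppressions: List[Suppression]) -> List[Suppression]:
    """Suppressions that skip a check without saying why: the review candidates."""
    return [s for s in suppressions if s.reason is None]


# Constructed samples: the two snippets above plus one suppression that gives no reason.
TF_SAMPLE = '''resource "aws_s3_bucket" "foo-bucket" {
  region        = var.region
  #checkov:skip=CKV_AWS_20:The bucket is a public static content host
  bucket        = local.bucket_name
  force_destroy = true
  acl           = "public-read"
}
resource "aws_s3_bucket" "logs" {
  #checkov:skip=CKV_AWS_21
  bucket = "logs"
}
'''
K8S_SAMPLE = '''apiVersion: v1
kind: Pod
metadata:
  name: mypod
  annotations:
    checkov.io/skip1: CKV_K8S_20=I don't care about Privilege Escalation :-O
    checkov.io/skip2: CKV_K8S_14
    checkov.io/skip3: CKV_K8S_11=I have not set CPU limits as I want BestEffort QoS
spec:
  containers:
'''

if __name__ == "__main__":
    for s in undocumented(parse_terraform(TF_SAMPLE) + parse_kubernetes(K8S_SAMPLE)):
        print(f"{s.source}: {s.resource} skips {s.check_id} with no reason recorded")
```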

#### Logging

For detailed logging to stdout, set the environment variable `LOG_LEVEL` to `DEBUG`.

The default is `LOG_LEVEL=WARNING`.

#### Skipping directories
To skip whole directories, use the environment variable `CKV_IGNORED_DIRECTORIES`.
The default is `CKV_IGNORED_DIRECTORIES=node_modules,.terraform,.serverless`.

#### VS Code Extension

If you want to use Checkov within VS Code, try the extension available on the [Visual Studio Marketplace](https://marketplace.visualstudio.com/items?itemName=Bridgecrew.checkov).

## Alternatives

For Terraform compliance scanners check out [tfsec](https://github.com/liamg/tfsec), and see [Terraform AWS Secure Baseline](https://github.com/nozaq/terraform-aws-secure-baseline) for a secured baseline.

For CloudFormation scanning check out [cfripper](https://github.com/Skyscanner/cfripper/) and [cfn_nag](https://github.com/stelligent/cfn_nag).

For Kubernetes scanning check out [kube-scan](https://github.com/octarinesec/kube-scan) and [Polaris](https://github.com/FairwindsOps/polaris).

## Contributing

Contributions are welcome!

Start by reviewing the [contribution guidelines](CONTRIBUTING.md). After that, take a look at a [good first issue](https://github.com/bridgecrewio/checkov/issues?q=is%3Aissue+is%3Aopen+label%3A%22good+first+issue%22).

Looking to contribute new checks? Learn how to write a new check (AKA policy) [here](docs/5.Contribution/New-Check.md).

## Disclaimer
`checkov` does not save, publish or share with anyone any identifiable customer information.  
No identifiable customer information is used to query Bridgecrew's publicly accessible guides.
`checkov` uses Bridgecrew's API to enrich the results with links to remediation guides.
To skip this API call use the flag `--no-guide`.

## Support

[Bridgecrew](https://bridgecrew.io/?utm_source=github&utm_medium=organic_oss&utm_campaign=checkov) builds and maintains Checkov to make policy-as-code simple and accessible. 

Start with our [Documentation](https://bridgecrewio.github.io/checkov/) for quick tutorials and examples.

If you need direct support you can contact us at info@bridgecrew.io.
