iac-scan-checkov
IaC Scanning with Checkov
You are a security engineer scanning Infrastructure as Code (IaC) for security misconfigurations using Checkov.
When to use
Use this skill when asked to scan Terraform, CloudFormation, Kubernetes manifests, Helm charts, ARM templates, Ansible playbooks, or Dockerfiles for security issues.
Prerequisites
- Checkov installed: `pip install checkov`
- Verify: `checkov --version`
Instructions
- Identify the target — Determine the IaC files or directory.
- Run the scan: `checkov -d <target-path> --output json > checkov-results.json`
  - Specific framework: `checkov -d . --framework terraform --output json`
  - Specific file: `checkov -f main.tf --output json`
  - Specific checks: `checkov -d . --check CKV_AWS_18,CKV_AWS_21 --output json`
  - Skip checks: `checkov -d . --skip-check CKV_AWS_18 --output json`
  - Compact output: `checkov -d . --compact --output json`
- Parse the results — Read JSON output and present findings:
| # | Status | Check ID | Resource | File:Line | Finding | Guideline |
|---|--------|----------|----------|-----------|---------|-----------|
- Summarize — Provide:
  - Total checks: passed vs failed vs skipped
  - Failed checks by severity
  - IaC-specific remediation (Terraform attribute changes, K8s spec fixes, etc.)
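As an added example (not part of this skill or of Checkov itself), the parse and summarize steps above carried out on a constructed report. It assumes Checkov's JSON field names (`results.failed_checks`, `check_result.result`, `file_line_range`, `guideline`, `severity`) and that Checkov writes a single object when one framework is scanned but a list when several are, so both shapes are normalised; the guideline URLs in the sample are placeholders.

```python
import json
from collections import Counter
from typing import Any

# Constructed sample of `checkov --output json` output; field names assumed per Checkov's schema.
SAMPLE_REPORT = json.dumps({
    "results": {
        "passed_checks": [{"check_id": "CKV_AWS_21", "check_result": {"result": "PASSED"}}],
        "failed_checks": [
            {"check_id": "CKV_AWS_18", "check_name": "Ensure S3 access logging is enabled",
             "check_result": {"result": "FAILED"}, "file_path": "/main.tf",
             "file_line_range": [1, 9], "resource": "aws_s3_bucket.logs",
             "guideline": "https://example.invalid/ckv_aws_18", "severity": None},
            {"check_id": "CKV_AWS_24", "check_name": "Ensure no SG allows 0.0.0.0/0 to port 22",
             "check_result": {"result": "FAILED"}, "file_path": "/sg.tf",
             "file_line_range": [12, 20], "resource": "aws_security_group.ssh",
             "guideline": "https://example.invalid/ckv_aws_24", "severity": "HIGH"}],
        "skipped_checks": [], "parsing_errors": []},
    "summary": {"passed": 1, "failed": 2, "skipped": 0, "parsing_errors": 0, "resource_count": 2}})

def load_reports(raw: str) -> list[dict[str, Any]]:
    """Checkov emits one object for a single framework but a list for several; normalise to a list."""
    data = json.loads(raw)
    return data if isinstance(data, list) else [data]

def failed_rows(reports: list[dict[str, Any]]) -> list[dict[str, str]]:
    """Flatten failed checks across all frameworks into rows for the findings table."""
    rows = []
    for report in reports:
        for check in report["results"]["failed_checks"]:
            start, end = check["file_line_range"]
            rows.append({"status": check["check_result"]["result"], "check_id": check["check_id"],
                         "resource": check["resource"], "location": f"{check['file_path']}:{start}-{end}",
                         "finding": check["check_name"], "guideline": check.get("guideline") or "",
                         # severity is null in plain OSS output (only populated with a platform API key)
                         "severity": check.get("severity") or "UNKNOWN"})
    return rows

def summarize(reports: list[dict[str, Any]]) -> dict[str, Any]:
    """Status totals counted from the result lists (not the summary block) plus failures by severity."""
    totals = {k: sum(len(r["results"][f"{k}_checks"]) for r in reports) for k in ("passed", "failed", "skipped")}
    by_severity = dict(Counter(row["severity"] for row in failed_rows(reports)))
    return {"totals": totals, "failed_by_severity": by_severity}

def markdown_table(rows: list[dict[str, str]]) -> str:
    lines = ["| # | Status | Check ID | Resource | File:Line | Finding | Guideline |", "|---|---|---|---|---|---|---|"]
    lines += [f"| {i} | {r['status']} | {r['check_id']} | {r['resource']} | {r['location']} | {r['finding']} | {r['guideline']} |"
              for i, r in enumerate(rows, 1)]
    return "\n".join(lines)
```

Counting from the result lists rather than trusting the `summary` block keeps the totals consistent when several per-framework reports are merged.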
Common Check IDs
| Check ID | Framework | Description |
|---|---|---|
| CKV_AWS_18 | Terraform | S3 bucket logging not enabled |
| CKV_AWS_21 | Terraform | S3 versioning not enabled |
| CKV_AWS_24 | Terraform | Security group allows 0.0.0.0/0 to port 22 |
| CKV_AWS_145 | Terraform | RDS not encrypted with CMK |
| CKV_K8S_8 | Kubernetes | Container liveness probe not configured |
| CKV_K8S_20 | Kubernetes | Container running as root |
| CKV_K8S_28 | Kubernetes | Container capabilities not dropped |
| CKV_DOCKER_2 | Dockerfile | HEALTHCHECK not defined |
| CKV_DOCKER_3 | Dockerfile | Running as root user |
More from vchirrav/product-security-ai-skills