Checkov

Executes the Bridgecrew Checkov IaC static code analysis tool. Checkov can scan Terraform, CloudFormation, Kubernetes, and other IaC files for security vulnerabilities and misconfigurations.

Object Representation (YAML)

id: String
name: String
depends: [String]
tags: [String]
condition: String
ignore_errors: Boolean
properties:
  file_path: String
  file_content: String
  directory: String
  framework: String
  output_format: String
  repo_id: String
  branch: String
  credential: String
  evaluate_variables: String
  download_external_modules: String
  check: String
  skip_check: String
  soft_fail: Boolean
  quiet: Boolean
  args: String
  cwd: String
  env:
    - name: String
      value: String

Fields

Property | Details
id *

String

A unique identifier for the step.

Can contain hyphens and underscores, but not spaces.

name *

String

A friendly name for the step. This name will appear in the pipeline designer and run output.

depends[]

[String]

A list of dependencies of this step.

This step will not be executed until all steps with ids in this list are finished executing.

tags[]

[String]

Tags are used to group related steps. Steps with the same tag can be retrieved using the findStepsByTag() helper function.

Can contain hyphens and underscores, but not spaces.

condition

String

An expression which is evaluated before the step executes. If it evaluates to false, the step will be skipped. The step.result.status field will be "Skipped".

ignore_errors

Boolean

If true, errors in the step module will not halt pipeline execution, and subsequent steps will still be executed. The step.result.status field will be "Failed" if the step encounters an error.

properties.file_path

String

Path to an IaC file to scan.

properties.file_content

String

Inline IaC content to scan.

properties.directory

String

Path to directory with IaC files to scan.

properties.framework

String

Restricts the scan to a specific infrastructure framework. One of cloudformation, terraform, terraform_plan, kubernetes, serverless, arm, all.

properties.output_format

String

Output format. One of cli, json, junitxml, github_failed_only.

properties.repo_id

String

Identity string of the repository in the format <repo_owner>/<repo_name>.

properties.branch

String

Selected branch of the persisted repository. Only has effect when using the credential (--bc-api-key) property.

properties.credential

String

API token credential to use when authenticating with the Bridgecrew platform. Sets the --bc-api-key flag.

properties.evaluate_variables

String

Evaluate the values of variables and locals.

properties.download_external_modules

String

Enables downloading of external Terraform modules from git repositories and the Terraform registry.

properties.check[]

String

Limits the scan to a specific set of check identifiers (allowlist).

properties.skip_check[]

String

Disables scanning for a specific set of check identifiers (denylist).

properties.soft_fail

Boolean

Runs checks but suppresses the non-zero exit code that checkov would otherwise return when a check fails.

properties.quiet

Boolean

Display only failed checks when using CLI output format.

properties.args

String

Additional command-line arguments that will be passed to the checkov program.

properties.cwd

String

If provided, the checkov program will use this path as its working directory.

properties.env[]

[Object]

A list of environment variables that will be set when the checkov program executes.

properties.env[].name *

String

Environment variable name.

properties.env[].value *

String

Environment variable value.

Result Fields

The following are the step execution result fields available at step.result after a step executes.

Key | Details
result.status

String

A string indicating the step execution status. Can be Succeeded, Failed, or Skipped.

result.exit_code

Number

Exit code of the checkov program.

result.stdout

String

Stdout of the checkov program.

result.stderr

String

Stderr of the checkov program.

result.data

Object

Parsed result data (the checkov JSON report). Only available when output_format is json.
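A complete step definition using the fields documented above, added here as an example and not taken from the original page. The step ids, directory path and check identifier are assumed placeholders; the example selects the json output format so that result.data is populated for later steps, and leaves soft_fail off so that failing checks fail the step instead of being hidden.

```yaml
# Added example (not from the original page): Checkov step scanning a
# Terraform directory. Ids, paths and the check id below are assumed values.
id: checkov-terraform-scan
name: Checkov scan of Terraform modules
depends:
  - checkout-source            # assumed id of an earlier step that fetches the code
tags:
  - security
  - iac
ignore_errors: false           # an error in the step module halts the pipeline
properties:
  directory: ./infrastructure  # assumed path; every IaC file beneath it is scanned
  framework: terraform         # restrict the scan to Terraform files only
  output_format: json          # required so that step.result.data is available
  evaluate_variables: "true"   # resolve variables and locals before running checks
  download_external_modules: "true"  # also scan modules fetched from git / the registry
  # Denylist: CKV_PLACEHOLDER_1 is a placeholder, not a real Checkov check id.
  # Each skipped check is a finding the pipeline will never see, so keep this list short.
  skip_check: CKV_PLACEHOLDER_1
  soft_fail: false             # a failing check yields a non-zero exit code and fails the step
  quiet: true                  # only affects the cli format; harmless with json output
```

After the step runs, step.result.exit_code is non-zero when any check failed, and step.result.data holds the parsed JSON report; setting soft_fail to true would keep the report but make the step succeed regardless of findings.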