🧠 Summary

This article walks you through how to apply Static Application Security Testing (SAST) to your Infrastructure as Code (IaC) using Checkov, a powerful open-source tool by Bridgecrew. We’ll explore how to install Checkov, how it scans your .tf files for misconfigurations, and how to automate this process using GitHub Actions.

By the end, you’ll understand how to detect security issues in your Terraform configurations before deploying to the cloud — ensuring your infrastructure is secure from the start.


🚀 Introduction

Infrastructure as Code (IaC) enables fast and repeatable cloud deployments — but it also introduces new security risks. A single misconfigured Terraform file can expose sensitive resources, leave storage buckets publicly accessible, or open critical ports to the internet.

To address this, we need tools that help us shift security left, catching issues early in the development process. That's where Checkov comes in.

In this article, we'll explore:

  • What SAST is and how it applies to IaC
  • What Checkov does and how to use it
  • How to integrate Checkov into GitHub Actions for CI/CD
  • Tips to make security testing part of your development workflow

🔍 What is SAST and Why Apply It to IaC?

SAST (Static Application Security Testing) analyzes source code without executing it, helping you catch vulnerabilities early.

In the context of Terraform and other IaC tools, SAST can:

  • 🚫 Detect insecure default configurations
  • 🔐 Prevent exposed credentials or open ports
  • ⚠️ Identify non-compliant resources (e.g., unencrypted storage)

Because IaC code defines infrastructure, applying SAST here is essential. It’s like doing a security review of your cloud before it even exists.


🧰 What is Checkov?

Checkov is an open-source IaC static analysis tool created by Bridgecrew (now part of Prisma Cloud). It supports a wide variety of formats:

🛠️ Supported file types:

  • .tf (Terraform)
  • .yaml, .yml (Kubernetes, Helm, etc.)
  • .json, .template (CloudFormation)

🔐 What Checkov can detect:

  • Publicly accessible S3 buckets
  • Missing encryption on databases
  • Open security groups (firewall rules)
  • Missing logging or monitoring setups
  • IAM policies that are too permissive

Why it's great:

  • CLI-based and easy to integrate
  • Continuously updated with community-backed policies
  • Works locally and in CI/CD

🧪 Installing Checkov + Terraform Example

Here’s how to get started with Checkov on a sample Terraform project.

Step 1: Install Checkov

You’ll need Python installed. Then run:

pip install checkov

💡 Tip: You can also use it via Docker or download binaries from the Checkov GitHub repo.


Step 2: Create a Simple Terraform File

Create a file named main.tf:

resource "aws_s3_bucket" "example" {
  bucket = "my-test-bucket"
  acl    = "public-read"
}

This intentionally insecure configuration allows public access to an S3 bucket — perfect for testing. (Note that AWS provider v4 and later deprecate the inline acl argument in favour of a separate aws_s3_bucket_acl resource; the deprecated form still applies and is enough for a scan test.)


Step 3: Run Checkov Locally

From the root of your project:

checkov -d .

You’ll get a report of any misconfigurations. In this case, Checkov should flag the S3 bucket’s ACL as insecure. Checkov also returns a non-zero exit code whenever at least one check fails, which is what lets a CI job fail on findings later on.


🤖 Automating with GitHub Actions

You can integrate Checkov into your CI/CD pipeline using GitHub Actions. This way, every time you push code, your infrastructure is automatically checked for security issues.

🧬 Why use GitHub Actions?

  • Fully integrated with GitHub repos
  • Allows automated security checks on pull requests
  • Keeps your IaC secure without relying on manual testing

Step 4: Add GitHub Actions Workflow

Create a file at .github/workflows/checkov.yml:

name: Checkov Terraform Scan

on:
  push:
    paths:
      - '**/*.tf'
  pull_request:
    paths:
      - '**/*.tf'

jobs:
  checkov_scan:
    runs-on: ubuntu-latest
    name: Run Checkov
    steps:
      - name: Checkout Code
        uses: actions/checkout@v3

      - name: Set up Python
        uses: actions/setup-python@v4
        with:
          python-version: '3.x'

      - name: Install Checkov
        run: pip install checkov

      - name: Run Checkov
        run: checkov -d .

Once added, every commit or pull request that modifies .tf files will trigger a scan.

🔁 Bonus: Because Checkov exits non-zero whenever a check fails, the workflow above already fails the build on the first finding. Adding --soft-fail makes the scan report-only (the job stays green), while --check and --skip-check restrict the scan to specific policy IDs, so you can decide which findings are allowed to block a merge.
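As an added example (not code from the article or from Checkov itself), here is a small Python gate that reads a JSON report produced with the real `checkov -d . -o json` flag and reproduces the three decisions a CI job can make: fail on every finding (Checkov's default), never fail (like --soft-fail), or fail only on selected check IDs or severity floors (like --hard-fail-on). The embedded report is a constructed sample for the article's main.tf; the field names are my assumption about Checkov's JSON schema, and the severity value on the second finding is filled in by hand, because Checkov only populates severity when scanning with a platform API key, so the gate falls back to check IDs when it is absent.

```python
"""Added example: a CI gate over a Checkov JSON report (not Checkov's own code)."""
from __future__ import annotations

import json
import sys

# Severity names Checkov uses; the rank lets a selector like "HIGH" mean "HIGH or worse".
SEVERITY_RANK = {"LOW": 1, "MEDIUM": 2, "HIGH": 3, "CRITICAL": 4}

# Constructed sample of what `checkov -d . -o json` reports for the article's main.tf.
# Field names are an assumption about Checkov's schema. CKV_AWS_20 is Checkov's
# public-READ ACL check; "severity" is null unless the scan ran with a platform API
# key, so the "LOW" on the second entry is set here only to exercise that path.
SAMPLE_REPORT_JSON = json.dumps({
    "check_type": "terraform",
    "results": {
        "passed_checks": [],
        "failed_checks": [
            {
                "check_id": "CKV_AWS_20",
                "check_name": "S3 Bucket has an ACL defined which allows public READ access.",
                "check_result": {"result": "FAILED"},
                "file_path": "/main.tf",
                "file_line_range": [1, 4],
                "resource": "aws_s3_bucket.example",
                "severity": None,
            },
            {
                "check_id": "CKV_AWS_21",
                "check_name": "Ensure all data stored in the S3 bucket have versioning enabled",
                "check_result": {"result": "FAILED"},
                "file_path": "/main.tf",
                "file_line_range": [1, 4],
                "resource": "aws_s3_bucket.example",
                "severity": "LOW",
            },
        ],
        "skipped_checks": [],
        "parsing_errors": [],
    },
    "summary": {"passed": 0, "failed": 2, "skipped": 0, "parsing_errors": 0, "resource_count": 1},
})


def load_reports(text: str) -> list[dict]:
    """Checkov emits one object per framework, or a list when several frameworks ran."""
    data = json.loads(text)
    return data if isinstance(data, list) else [data]


def failed_checks(reports: list[dict]) -> list[dict]:
    """Flatten the failed findings across all framework reports."""
    found: list[dict] = []
    for report in reports:
        found.extend(report.get("results", {}).get("failed_checks", []))
    return found


def matches(check: dict, selectors: list[str]) -> bool:
    """A selector is a check ID (e.g. CKV_AWS_20) or a severity floor (e.g. HIGH)."""
    check_id = check.get("check_id", "").upper()
    severity = (check.get("severity") or "").upper()
    for sel in selectors:
        sel = sel.upper()
        if sel == check_id:
            return True
        if sel in SEVERITY_RANK and severity in SEVERITY_RANK:
            if SEVERITY_RANK[severity] >= SEVERITY_RANK[sel]:
                return True
    return False


def gate(report_text: str, hard_fail_on: list[str] | None = None,
         soft_fail: bool = False) -> tuple[int, list[str]]:
    """Return (exit_code, blocking_findings) for the CI job to act on."""
    failed = failed_checks(load_reports(report_text))
    if soft_fail:                      # like --soft-fail: report only, never block
        blocking = []
    elif hard_fail_on:                 # like --hard-fail-on: only selected IDs/severities block
        blocking = [c for c in failed if matches(c, hard_fail_on)]
    else:                              # Checkov's default: any failed check breaks the build
        blocking = failed
    lines = [
        f"{c['check_id']} {c['resource']} {c['file_path']}:"
        f"{c['file_line_range'][0]}-{c['file_line_range'][1]} {c['check_name']}"
        for c in blocking
    ]
    return (1 if blocking else 0), lines


if __name__ == "__main__":
    # Usage: checkov -d . -o json > checkov.json && python gate.py checkov.json [CKV_ID|SEVERITY ...]
    path, selectors = sys.argv[1], sys.argv[2:]
    with open(path, encoding="utf-8") as fh:
        exit_code, findings = gate(fh.read(), hard_fail_on=selectors)
    print("\n".join(findings) or "no blocking findings")
    sys.exit(exit_code)
```

In the workflow from Step 4 this would replace the last step with a scan that writes the JSON report and then runs the gate with whichever selectors your team agrees on; the gate prints the blocking findings with their file and line range so reviewers can jump straight to the offending resource. Severity thresholds are treated as "this severity or worse", which is my choice for this example, and any finding without a severity can only be selected by its check ID.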


✅ Pros and Cons of Using Checkov

✅ Pros

  • Easy to install and use
  • Supports multiple IaC formats
  • Produces detailed and clear output
  • Prevents critical cloud misconfigurations early
  • Integrates with GitHub, GitLab, Bitbucket, CircleCI, etc.

❌ Cons

  • Doesn’t catch logic/semantic bugs (it’s not a linter or validator)
  • Some default policies may be too strict (but can be customized)

🧾 Conclusion

Using Checkov with Terraform is a powerful way to add automated security checks to your infrastructure workflows. Whether you’re just starting out or managing complex cloud environments, it’s a must-have in your DevSecOps toolkit.

By integrating it into your GitHub Actions pipeline, you’ll ensure that every infrastructure change is reviewed for security — before reaching production.