
checkov
Prevent cloud misconfigurations and find vulnerabilities during build-time in infrastructure as code, container images and open source packages with Checkov by Bridgecrew.
The Lens
Checkov scans your infrastructure-as-code for security and compliance problems before you deploy it. Terraform, CloudFormation, Kubernetes manifests, Helm, ARM, and more get checked against thousands of built-in policies: open ports, missing encryption, over-broad IAM. It's open source and free, and it runs in seconds.
It's a Python tool you run locally or in CI, and it fails the build when a check trips. The policy library is huge out of the box, and you can write custom policies in Python or YAML. Because it catches misconfigurations at the code stage, you fix them in a pull request instead of discovering them live in production.
Checkov is free. Bridgecrew, now part of Palo Alto's Prisma Cloud, is the commercial platform built around it, adding a dashboard, drift detection, and org-wide policy management. For solo and small teams, the CLI in CI is the whole value. Larger orgs already on Prisma Cloud get Checkov folded into the paid platform.
The catch: thousands of policies means a real signal-to-noise problem on day one. A mature Terraform repo can light up with hundreds of findings, many of them things you've consciously accepted. Budget time to tune the ruleset and suppress what doesn't apply, or your team learns to ignore the whole thing.
Free vs Self-Hosted vs Paid
Self-hosted (free): Checkov under Apache-2.0, a Python tool scanning Terraform, CloudFormation, Kubernetes, Helm, ARM, and more against thousands of built-in policies. Custom policies in Python or YAML. Runs locally or in CI.
Prisma Cloud (paid): Bridgecrew, now part of Palo Alto's Prisma Cloud, adds a dashboard, drift detection, and org-wide policy management.
The call: The CLI in CI is the whole value for most teams. The platform matters for orgs already standardized on Prisma Cloud.
Free and open source. Prisma Cloud (Palo Alto, formerly Bridgecrew) is the paid platform built around it.
Similar Tools

Find secrets with Gitleaks 🔑

Open source secret management platform

Find vulnerabilities, misconfigurations, secrets, SBOM in containers, Kubernetes, code repositories, clouds and more

Deepsec is a security harness for finding vulnerabilities in your codebase powered by coding agents

Find, verify, and analyze leaked credentials

About
- Owner: PANW AppSec (Organization)
- Stars: 8,840
- Forks: 1,359