CNAPP/CSPMOpen source · Apache-2.0
Checkov
An open-source static analysis tool for infrastructure-as-code, scanning Terraform, CloudFormation, Kubernetes manifests, Helm charts, and Dockerfiles for misconfigurations before anything is deployed. Created by Bridgecrew, acquired by Palo Alto Networks in 2021, and still actively maintained under the Bridgecrew GitHub organization.
Verified Source: 1
- Product type
- Software
- Deployment
- CLI
- Organization size
- IndividualSMBMid-marketEnterprise
- Pricing tier
- Free
How Checkov measures up against the full Cloud-Native Application Protection / Posture Management taxonomy.
- Misconfiguration detection (CSPM) — supported
- Flags cloud configuration drift against benchmarks like CIS and provider best practices.
- Agentless workload scanning — not supported
- Scans workloads via cloud provider APIs or snapshots without deploying agents.
- Cloud entitlement management (CIEM) — not supported
- Identifies excessive or unused permissions across cloud identities.
- Attack path analysis — not supported
- Correlates findings across identity, network, and data exposure to surface exploitable attack paths.
- Infrastructure-as-code scanning — supported
- Catches misconfigurations in Terraform and CloudFormation before they're deployed.
- Vulnerability prioritization — not supported
- Finds and ranks OS and package CVEs across cloud workloads by real-world exploitability.
- Compliance benchmark mapping — not supported
- Continuously maps posture to frameworks like CIS, SOC 2, and PCI.
Alternatives
Other Cloud-Native Application Protection / Posture Management tools with overlapping capabilities, sized for similar teams.
Appears in stacks
Real-world stacks that include Checkov.