Q: How to suppress false positives in Checkov?

Use inline comments like `checkov:skip= : ` in IaC files or annotations in Kubernetes manifests. This allows specific checks to be ignored while keeping the suppression documented in the codebase.

Question 1

How does Checkov compare to Terrascan for Terraform security?

Accepted Answer

Checkov offers graph-based analysis for better context detection and supports more frameworks beyond Terraform, but Terrascan is lighter and Go-based, which may suit simpler setups. Checkov's larger policy library is a key advantage for comprehensive scans.

Question 2

How to suppress false positives in Checkov?

Accepted Answer

Use inline comments like `checkov:skip=:` in IaC files or annotations in Kubernetes manifests. This allows specific checks to be ignored while keeping the suppression documented in the codebase.

Question 3

Does Checkov work with Azure Pipelines?

Accepted Answer

Yes, Checkov can scan Azure Pipelines workflow files for misconfigurations, as listed in its supported CI/CD frameworks. Integration typically involves adding a step to run Checkov and output results in formats like JUnit XML.

Question 4

Can Checkov scan Docker images for vulnerabilities?

Accepted Answer

Yes, Checkov performs software composition analysis (SCA) on container images using the `--framework sca_image` flag, detecting known CVEs in dependencies and base images, though it requires Docker or image hashes for scanning.

Question 5

How to integrate Checkov with GitHub Actions?

Accepted Answer

Checkov integrates seamlessly by adding a step in your workflow YAML that runs `checkov --directory .` and outputs results in GitHub Markdown format. The README shows examples of scheduled scans and output formats.

Question 6

What's the difference between Checkov and Prisma Cloud?

Accepted Answer

Checkov is the open-source static analysis tool, while Prisma Cloud is a commercial platform that builds on Checkov for enhanced features like real-time monitoring and centralized policy management. Checkov can be used standalone, but some integrations benefit from Prisma Cloud.

Checkov

What is Checkov?

Overview

Use Cases

Best For

Related Projects

Found a gem we're missing?

Not Ideal For

Pros & Cons

Pros

Cons

Frequently Asked Questions