Checkov

Executes the Bridgecrew Checkov IaC static code analysis tool. Checkov can scan Terraform, CloudFormation, Kubernetes, and other IaC files for security vulnerabilities and misconfigurations.

Object Representation (YAML)

id: String
name: String
type: String
depends: [String]
tags: [String]
condition: Boolean
each: Array
while: String
until: String
verbosity: String
ignore_errors: Boolean
tool_version: String
tool_options: Object
properties:
  file_path: String
  file_content: String
  directory: String
  framework: String
  output_format: String
  repo_id: String
  branch: String
  credential: String
  evaluate_variables: Boolean
  download_external_modules: Boolean
  check: [String]
  skip_check: [String]
  soft_fail: Boolean
  quiet: Boolean
  cwd: String
  args: String
  env:
    - name: String
      value: String

Fields

Property Details
id *

String

A unique identifier for the step.

Can contain hyphens and underscores, but not spaces.

name *

String

A friendly name for the step. This name will appear in the pipeline designer and run output.

type *

String

The type of the step. Can be pipeline or a step module type.

depends[]

[String]

A list of dependencies of this step.

This step will not be executed until all steps with ids in this list are finished executing.

tags[]

[String]

Tags are used to group related steps. Steps with the same tag can be retrieved using the findStepsByTag() helper function.

Can contain hyphens and underscores, but not spaces.

condition

Boolean

An expression which is evaluated before the step executes. If it evaluates to false, the step will be skipped. The step.result.status field will be "Skipped".

each

Array

An expression which evaluates to an array. It is evaluated once before the first iteration. There will be one iteration for each element of the array. An empty array ([]) will result in no iterations being executed.

while

String

A boolean expression evaluated before each iteration. When the expression evaluates to false, iteration stops. If false before the first iteration, no iterations will be executed.

until

String

A boolean expression evaluated after each iteration. When the expression evaluates to true, iteration stops. The first iteration will always be executed regardless of the value of the expression.

verbosity

String

Step event verbosity. Determines how much information about step execution is sent back to the application.

ignore_errors

Boolean

If true, errors in the step module will not halt pipeline execution, and subsequent steps will still be executed. The step.result.status field will be "Failed" if the step encounters an error.

tool_version

String

The version to use for tool installation.

tool_options

Object

-

properties.file_path

String

Path to an IaC file to scan.

properties.file_content

String

Inline IaC content to scan.

properties.directory

String

Path to directory with IaC files to scan.

properties.framework

String

Use a specific infrastructure framework. One of all, cloudformation, terraform, terraform_plan, kubernetes, serverless, arm.

properties.output_format

String

Output format. One of cli, json, junitxml, github_failed_only.

properties.repo_id

String

Identity string of the repository in the format <repo_owner>/<repo_name>.

properties.branch

String

Selected branch of the persisted repository. Only has effect when using the credential (--bc-api-key) property.

properties.credential

String

API token credential to use when authenticating with the Bridgecrew platform. Sets the --bc-api-key flag.

properties.evaluate_variables

Boolean

Evaluate the values of variables and locals.

properties.download_external_modules

Boolean

Enables downloading of external Terraform modules from git repositories and the Terraform registry.

properties.check[]

[String]

Limits the scan to a specific set of check identifiers (allowlist).

properties.skip_check[]

[String]

Disables scanning for a specific set of check identifiers (denylist).

properties.soft_fail

Boolean

Runs checks but suppresses the error exit code when checks fail.

properties.quiet

Boolean

Display only failed checks when using CLI output format.

properties.cwd

String

If provided, the script will use this path as its working directory.

properties.args

String

Arguments that will be provided to the script.

properties.env[]

[Object]

A list of environment variables that will be set for script execution.

properties.env[].name *

String

Environment variable name.

properties.env[].value *

String

Environment variable value.

Result Fields

The following are the step execution result fields available at steps.<step id>.result after a step executes.

Key Details
result.status

String

A string indicating the step execution status. Can be Succeeded, Failed, or Skipped.

result.exit_code

Number

Exit code of the checkov program.

result.stdout

String

Stdout of the checkov program.

result.stderr

String

Stderr of the checkov program.

result.data

Object

Result data. Only available if output_format is json.
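
A gate a later step could apply to result.data, shown as an added example that is not part of the original documentation: with soft_fail enabled the exit code no longer signals failed checks, so the decision has to come from the JSON report. It assumes result.data holds Checkov's JSON report (one object, or a list when several frameworks were scanned); gate and SAMPLE are hypothetical names and the sample report is constructed.

```python
# Added example, not part of the step module. Assumes result.data is
# Checkov's JSON report: one dict, or a list of dicts (one per framework).

def gate(data, blocking=None):
    """Decide pass/fail from a Checkov JSON report.

    blocking: set of check IDs that fail the gate; None blocks on any
    failed check. Returns (ok, blockers, skipped, parse_errors).
    """
    reports = data if isinstance(data, list) else [data]
    failed, skipped, parse_errors = [], [], []
    for report in reports:
        # Tolerate a report that carries no "results" key.
        results = report.get("results", {})
        for c in results.get("failed_checks", []):
            failed.append((c["check_id"], c.get("resource"), c.get("file_path")))
        for c in results.get("skipped_checks", []):
            skipped.append((c["check_id"], c.get("resource")))
        parse_errors.extend(results.get("parsing_errors", []))
    blockers = [f for f in failed if blocking is None or f[0] in blocking]
    # A file that failed to parse was never checked, so it fails the gate.
    ok = not blockers and not parse_errors
    return ok, blockers, skipped, parse_errors


# Constructed sample report (not output from a real scan).
SAMPLE = {
    "check_type": "terraform",
    "results": {
        "failed_checks": [
            {"check_id": "CKV_AWS_20", "resource": "aws_s3_bucket.logs",
             "file_path": "/s3.tf"},
            {"check_id": "CKV_AWS_18", "resource": "aws_s3_bucket.logs",
             "file_path": "/s3.tf"},
        ],
        "skipped_checks": [
            {"check_id": "CKV_AWS_21", "resource": "aws_s3_bucket.logs"},
        ],
        "parsing_errors": [],
    },
}

if __name__ == "__main__":
    ok, blockers, skipped, errors = gate(SAMPLE, blocking={"CKV_AWS_20"})
    print("gate passed" if ok else "gate failed", blockers, skipped, errors)
```

The returned skipped list is worth logging on every run so that suppressed checks stay visible to reviewers.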