.claude/skills/ts-checkov/SKILL.md
Expert guidance for Checkov, the static analysis tool for infrastructure-as-code that scans Terraform, CloudFormation, Kubernetes, Helm, Dockerfile, and ARM templates for security misconfigurations and compliance violations. Helps developers integrate Checkov into CI/CD pipelines and write custom policies.
```bash
# Install
pip install checkov

# Scan Terraform files
checkov -d ./terraform/

# Scan Kubernetes manifests
checkov -d ./k8s/ --framework kubernetes

# Scan Dockerfiles
checkov -f Dockerfile --framework dockerfile

# Scan with specific checks
checkov -d . --check CKV_AWS_18,CKV_AWS_21   # Only specific checks

# Skip specific checks
checkov -d . --skip-check CKV_AWS_18         # Skip S3 logging check

# Output formats
checkov -d . -o json      # JSON for CI/CD
checkov -d . -o sarif     # SARIF for GitHub Security tab
checkov -d . -o junitxml  # JUnit for test reports
```
```hcl
# Terraform — Checkov flags these misconfigurations:

# ❌ CKV_AWS_18: S3 bucket without access logging
resource "aws_s3_bucket" "data" {
  bucket = "my-data-bucket"
  # Missing: logging { target_bucket = "..." }
}

# ❌ CKV_AWS_145: RDS without encryption
resource "aws_db_instance" "main" {
  engine         = "postgres"
  instance_class = "db.t3.medium"
  # Missing: storage_encrypted = true
}

# ❌ CKV_AWS_24: Security group with 0.0.0.0/0 on SSH
resource "aws_security_group_rule" "ssh" {
  type              = "ingress"
  from_port         = 22
  to_port           = 22
  protocol          = "tcp"
  cidr_blocks       = ["0.0.0.0/0"] # Open SSH to the world
  security_group_id = aws_security_group.web.id # assumed parent security group, declared elsewhere
}

# ❌ CKV_AWS_79: EC2 without metadata service v2
resource "aws_instance" "web" {
  ami           = "ami-12345"
  instance_type = "t3.micro"
  # Missing: metadata_options { http_tokens = "required" }
}
```
```yaml
# Kubernetes — Checkov flags these:
# ❌ CKV_K8S_1: Container running as root
# ❌ CKV_K8S_8: No liveness probe
# ❌ CKV_K8S_9: No readiness probe
# ❌ CKV_K8S_12: No memory limit
# ❌ CKV_K8S_13: No memory request
# ❌ CKV_K8S_20: Privileged container
# ❌ CKV_K8S_28: No CPU limit
# ❌ CKV_K8S_37: No capabilities drop
apiVersion: apps/v1
kind: Deployment
metadata:
  name: app
spec:
  selector:
    matchLabels:
      app: app
  template:
    metadata:
      labels:
        app: app
    spec:
      containers:
        - name: app
          image: myapp:latest # ❌ CKV_K8S_14: Using 'latest' tag
          # Missing: all security context, probes, and resource limits
```
```python
# custom_checks/s3_naming.py — Custom Checkov policy in Python
# Load it with: checkov -d . --external-checks-dir custom_checks
from checkov.terraform.checks.resource.base_resource_check import BaseResourceCheck
from checkov.common.models.enums import CheckResult, CheckCategories


class S3BucketNamingConvention(BaseResourceCheck):
    def __init__(self):
        name = "S3 bucket name must start with company prefix"
        id = "CKV_CUSTOM_1"
        supported_resources = ["aws_s3_bucket"]
        categories = [CheckCategories.CONVENTION]
        super().__init__(name=name, id=id, categories=categories,
                         supported_resources=supported_resources)

    def scan_resource_conf(self, conf):
        # Checkov hands attribute values to the check as lists
        bucket_name = conf.get("bucket", [""])[0]
        if bucket_name.startswith("mycompany-"):
            return CheckResult.PASSED
        return CheckResult.FAILED


# Module-level instance so Checkov registers the check when loading the directory
check = S3BucketNamingConvention()
```
```yaml
# custom_checks/require_tags.yaml — Custom policy in YAML (simpler)
# Both tags are required, so the definition combines two attribute conditions with `and`
metadata:
  id: "CKV_CUSTOM_2"
  name: "All resources must have 'team' and 'environment' tags"
  category: "CONVENTION"
definition:
  and:
    - cond_type: "attribute"
      resource_types:
        - "aws_instance"
        - "aws_s3_bucket"
        - "aws_rds_cluster"
      attribute: "tags.team"
      operator: "exists"
    - cond_type: "attribute"
      resource_types:
        - "aws_instance"
        - "aws_s3_bucket"
        - "aws_rds_cluster"
      attribute: "tags.environment"
      operator: "exists"
```
```yaml
# .github/workflows/security.yml
- name: Checkov IaC Scan
  uses: bridgecrewio/checkov-action@v12
  with:
    directory: terraform/
    framework: terraform
    output_format: sarif
    output_file_path: checkov.sarif
    soft_fail: false # Fail the pipeline on findings
    skip_check: CKV_AWS_18 # Skip known exceptions

- name: Upload SARIF
  uses: github/codeql-action/upload-sarif@v3
  with:
    sarif_file: checkov.sarif
```
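With `soft_fail: false` every failed check blocks the pipeline, including the backlog that existed before the scan was introduced. A common middle ground is to run Checkov with `-o json`, compare the failed checks against a list of accepted findings, and fail the job only on findings that are new. The script below is an added example, not part of the skill page or of the Checkov project; the JSON sample is constructed to match the shape of Checkov's JSON report (`results.failed_checks` with `check_id`, `resource`, `file_path`, `file_line_range`), and the `check_id|resource` baseline format is this script's own convention, not the file that Checkov's `--baseline` flag produces.

```python
"""Gate a CI step on new Checkov failures only (added example)."""
import json
from typing import Iterable

# Constructed sample of a Checkov `-o json` report (only the fields used
# here are included; the real report carries more per check).
SAMPLE_REPORT = json.dumps({
    "check_type": "terraform",
    "results": {
        "passed_checks": [
            {"check_id": "CKV_AWS_79", "resource": "aws_instance.web",
             "file_path": "/terraform/ec2.tf", "file_line_range": [1, 5]},
        ],
        "failed_checks": [
            {"check_id": "CKV_AWS_18", "resource": "aws_s3_bucket.data",
             "file_path": "/terraform/s3.tf", "file_line_range": [1, 4]},
            {"check_id": "CKV_AWS_24", "resource": "aws_security_group_rule.ssh",
             "file_path": "/terraform/sg.tf", "file_line_range": [1, 8]},
        ],
        "skipped_checks": [],
    },
    "summary": {"passed": 1, "failed": 2, "skipped": 0, "parsing_errors": 0},
})

# Constructed baseline: findings that were accepted when the gate was enabled.
# Format "<check_id>|<resource>" is this script's convention.
KNOWN_FINDINGS = {"CKV_AWS_18|aws_s3_bucket.data"}


def finding_key(check: dict) -> str:
    """Stable identity of a finding: the check and the resource it hit."""
    return f"{check['check_id']}|{check['resource']}"


def load_failed_checks(report_text: str) -> list[dict]:
    """Return failed checks from a Checkov JSON report.

    Checkov writes one object when a single framework was scanned and a
    list of objects when several were; both shapes are accepted.
    """
    data = json.loads(report_text)
    reports = data if isinstance(data, list) else [data]
    failed: list[dict] = []
    for report in reports:
        failed.extend(report.get("results", {}).get("failed_checks", []))
    return failed


def new_findings(failed: Iterable[dict], baseline: set[str]) -> list[dict]:
    """Keep only failures whose key is not in the accepted baseline."""
    return [c for c in failed if finding_key(c) not in baseline]


def gate(report_text: str, baseline: set[str]) -> int:
    """Exit code for the CI step: 0 when nothing new was found, 1 otherwise."""
    fresh = new_findings(load_failed_checks(report_text), baseline)
    for c in fresh:
        start, end = c.get("file_line_range", ["?", "?"])
        print(f"NEW {c['check_id']} on {c['resource']} "
              f"({c['file_path']}:{start}-{end})")
    print(f"{len(fresh)} new finding(s) not in baseline")
    return 1 if fresh else 0


if __name__ == "__main__":
    # In CI: checkov -d terraform/ -o json > checkov.json, then feed the file here.
    raise SystemExit(gate(SAMPLE_REPORT, KNOWN_FINDINGS))
```

Run against the constructed sample, the S3 logging finding is in the baseline and is ignored, while the open SSH rule is reported as new and the script exits 1. Keep the baseline in the repository and review changes to it like any other code change, so that accepting a finding is itself a visible decision.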
```bash
pip install checkov

# Or via Docker
docker run -v "$(pwd)":/tf bridgecrew/checkov -d /tf

# Or via Homebrew
brew install checkov
```
User request:

> I have a Node.js API and a React frontend running in Docker. Set up Checkov for monitoring/deployment.

The agent creates the necessary configuration files based on the install and scan patterns above, sets up the integration with the existing Docker setup, configures appropriate defaults for a Node.js + React stack, and provides verification commands to confirm everything is working.

User request:

> Checkov is showing errors in our scan. Here are the logs: [error output]

The agent analyzes the error output, identifies the root cause by cross-referencing with common Checkov issues, applies the fix (updating configuration, adjusting resource limits, or correcting syntax), and verifies the resolution with appropriate health checks.
- Use `--soft-fail` to see findings without blocking; gradually enable hard-fail as you fix issues.
- Suppress a single known exception inline, with a justification: `#checkov:skip=CKV_AWS_18:Logging handled by org-level trail`
- Use `--baseline` to establish a baseline of existing findings; only flag new issues in PRs.
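Inline `#checkov:skip=` comments are convenient, but they accumulate silently, and a skip without a justification is indistinguishable from one that was thought through. The script below is an added example, not part of the skill page or of the Checkov project: it walks a Terraform file, pairs every skip comment with the enclosing `resource` block, and flags suppressions that carry no justification or that waive a check the team has decided may not be suppressed inline. The sample Terraform and the `NON_WAIVABLE` set are constructed for the example; the comment syntax matched (`checkov:skip=<ID>:<reason>`, optional reason) is Checkov's own.

```python
"""Audit inline Checkov suppressions in Terraform (added example)."""
import re

# Checkov's inline suppression: "#checkov:skip=CKV_ID" with an optional ":reason".
SKIP_RE = re.compile(r"#\s*checkov:skip=\s*(?P<check>[A-Za-z_0-9]+)(?::(?P<reason>.*))?")
RESOURCE_RE = re.compile(r'^\s*resource\s+"(?P<type>[^"]+)"\s+"(?P<name>[^"]+)"')

# Constructed policy: checks that must go through a tracked exception, not a comment.
NON_WAIVABLE = {"CKV_AWS_24"}

# Constructed sample: one justified skip, one bare skip on a non-waivable check.
SAMPLE_TF = '''
resource "aws_s3_bucket" "data" {
  #checkov:skip=CKV_AWS_18:Logging handled by org-level trail
  bucket = "mycompany-data"
}

resource "aws_security_group_rule" "ssh" {
  #checkov:skip=CKV_AWS_24
  type        = "ingress"
  from_port   = 22
  to_port     = 22
  protocol    = "tcp"
  cidr_blocks = ["0.0.0.0/0"]
}
'''


def find_suppressions(tf_text: str) -> list[dict]:
    """Return one record per skip comment, attributed to the enclosing resource."""
    current = None  # "<type>.<name>" of the resource block being read
    found = []
    for lineno, line in enumerate(tf_text.splitlines(), 1):
        res = RESOURCE_RE.match(line)
        if res:
            current = f"{res['type']}.{res['name']}"
        skip = SKIP_RE.search(line)
        if skip:
            found.append({
                "line": lineno,
                "resource": current,
                "check_id": skip["check"],
                "reason": (skip["reason"] or "").strip(),
            })
    return found


def audit(tf_text: str, non_waivable: set[str] = NON_WAIVABLE) -> list[str]:
    """Return human-readable problems; an empty list means every skip is acceptable."""
    problems = []
    for s in find_suppressions(tf_text):
        where = f"line {s['line']} ({s['resource']})"
        if not s["reason"]:
            problems.append(f"{where}: {s['check_id']} skipped without a justification")
        if s["check_id"] in non_waivable:
            problems.append(f"{where}: {s['check_id']} may not be suppressed inline")
    return problems


if __name__ == "__main__":
    for problem in audit(SAMPLE_TF):
        print(problem)
```

On the sample, the S3 skip passes because it names its reason, and the SSH rule produces two findings: no justification, and a check that is on the non-waivable list. Running this as a pre-commit hook or a CI step next to the Checkov scan keeps suppressions reviewable rather than invisible.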