Overview

Checkov is a code analysis tool that scans Terraform deployments for vulnerabilities and compliance violations. If Checkov is enabled, Scalr will insert the Checkov step before the Terraform init phase runs. Checkov will evaluate the code that is being pulled in, and if any errors are found, the run in Scalr will stop. Runs that are stopped during the Checkov step are not billed for.

To enable Checkov, go to the integrations page at the administrative scope. Users need the integrations:read and integrations:manage permissions to set up and manage this integration:

Click on Checkov and then "Add connection", where you will be prompted to name the integration and provide the Checkov version (e.g. 3.2.288) that you want to run. Do not use the "sha..." tag that is also provided in the Docker Hub list of versions:
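The stop-on-findings rule described above can be reproduced locally before a run ever reaches Scalr, using the same pinned Checkov version and its JSON output. The following gate is an added example, not Scalr's or Checkov's own code: it assumes a report produced by `checkov -o json` (a single object for one framework, a JSON array when several frameworks were scanned) and treats any failed check or unparseable file as a reason to block; the report and check IDs below are constructed sample data.

```python
"""Local pre-flight gate mirroring Checkov's stop-on-findings behaviour (added example)."""
import json
from typing import Any

# Constructed sample of `checkov -o json` output, not a real scan. Check IDs are placeholders.
SAMPLE_REPORT = json.dumps([
    {
        "check_type": "terraform",
        "results": {
            "passed_checks": [{"check_id": "CKV_EXAMPLE_0", "resource": "aws_s3_bucket.logs"}],
            "failed_checks": [
                {"check_id": "CKV_EXAMPLE_1", "check": {"name": "constructed sample check"},
                 "file_path": "/main.tf", "file_line_range": [3, 9],
                 "resource": "aws_s3_bucket.data"}
            ],
            "skipped_checks": [],
            "parsing_errors": ["/broken.tf"],  # a file Checkov could not parse
        },
        "summary": {"passed": 1, "failed": 1, "skipped": 0, "parsing_errors": 1},
    },
    {   # second framework in the same scan: clean
        "check_type": "secrets",
        "results": {"passed_checks": [], "failed_checks": [], "skipped_checks": [], "parsing_errors": []},
        "summary": {"passed": 0, "failed": 0, "skipped": 0, "parsing_errors": 0},
    },
])


def load_reports(raw: str) -> list[dict[str, Any]]:
    """Normalise Checkov JSON output to a list of per-framework reports."""
    data = json.loads(raw)
    return data if isinstance(data, list) else [data]


def findings(raw: str) -> list[str]:
    """One human-readable line per failed check or parsing error, across all frameworks."""
    lines: list[str] = []
    for report in load_reports(raw):
        framework = report.get("check_type", "unknown")
        results = report.get("results", {})
        for check in results.get("failed_checks", []):
            start, end = check.get("file_line_range", [0, 0])
            lines.append(f"{framework}: {check['check_id']} {check.get('resource', '?')} "
                         f"({check.get('file_path', '?')}:{start}-{end})")
        for path in results.get("parsing_errors", []):
            lines.append(f"{framework}: parsing error in {path}")
    return lines


def should_block(raw: str) -> bool:
    """Gate decision: any failed check or unparseable file stops the run."""
    return bool(findings(raw))


if __name__ == "__main__":
    for line in findings(SAMPLE_REPORT):
        print(line)
    raise SystemExit(1 if should_block(SAMPLE_REPORT) else 0)
```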

Environment enforcement

Environment enforcement of the Checkov integration in Scalr gives administrators control over the security and compliance posture of OpenTofu/Terraform runs within an environment. Scalr supports two types of enforcement in environments:

  • Enforce in all current and future environments—This option automates the enforcement of Checkov in all environments and does not require manual intervention when new ones are created.
  • Manual mode—This option limits Checkov enforcement to the environments you select. However, manual intervention is required whenever a new environment is created that needs the Checkov integration.

Once enforced, Checkov will execute on ALL workspaces within the selected environments: