# Announcing Checkov 2.0: Deepening Open Source IaC Security

By [Matt Johnson](https://www.paloaltonetworks.com/blog/author/matt-johnson/?ts=markdown "Posts by Matt Johnson"), Apr 08, 2021. 5 minute read.

The Bridgecrew team is excited to announce the [release of Checkov 2.0](https://bridgecrew.io/blog/checkov-2-0-release), further enhancing
one of the most popular open source IaC security scanners available. We've completely rebuilt the back end as a graph-based infrastructure as code (IaC) scanner to help identify cloud misconfigurations in environments with complex dependencies across resources and modules. This release also includes nearly 250 additional policies, ready to use out of the box, that improve compliance benchmark coverage, as well as new Dockerfile misconfiguration scanning capabilities.

[Checkov](https://github.com/bridgecrewio/checkov) is used by developers to scan IaC templates, such as Terraform files, to prevent misconfigurations that lead to security violations in cloud infrastructure. Since its launch in late 2019, Checkov has been downloaded over **1.2 million** times! This is a testament to the importance of securing cloud infrastructure prior to runtime, and the crucial part developers play in doing so.

[![Link to the YouTube announcement](https://www.paloaltonetworks.com/blog/wp-content/uploads/2021/04/Screen-Shot-2021-04-08-at-11.02.27-AM.png)](https://youtu.be/LKSUIPyytBQ)

Click to view the announcement video on YouTube.

## Why Is IaC Security Important?

IaC is the practice of using code to define the architecture of the cloud infrastructure that applications run on. Instead of clicking through a cloud provider's UI or running a series of ad hoc CLI commands, IaC provides a code-based way to declare what the infrastructure should look like. Tools like Terraform and CloudFormation then take that code and provision the infrastructure automatically. IaC can also be checked into repositories, making it easier to audit who made changes, roll back any breaking changes, and generally move faster on tasks like updating and duplicating environments.

The problem is that many of the misconfigurations we see in cloud environments, like [open buckets in AWS Simple Storage Service (Amazon S3)](https://www.paloaltonetworks.com/blog/prisma-cloud/guide-protect-aws-s3/), also show up in IaC templates.
This is where open source [IaC security](https://bridgecrew.io/blog/infrastructure-as-code-security-101/?utm_source=panw-blog&utm_campaign=checkov2-launch) steps in. Developers use scanners like Checkov to find and fix bugs during the development process, catching those misconfigurations before they ever reach production.

## Understanding Complex Dependencies in Cloud Computing

By design, IaC templates are not as straightforward as reading a book line by line. Because they are declarative, resources can be defined out of order, and relationships are not always 1:1. For example, in an IaC template a virtual private cloud (VPC) can be defined after the Amazon Elastic Compute Cloud (EC2) instance that lives in it, but at build time that VPC must be provisioned first. Additionally, knowing that the VPC is only a dev or test environment changes the security requirements of the EC2 instance attached to it. Standard static analysis can't understand that relationship, so you'd typically have to wait for runtime to know the full extent of your exposure.

![Graphic representation illustrating the complexity of declarative infrastructure as code mappings](https://www.paloaltonetworks.com/blog/wp-content/uploads/2021/04/word-image-16.png)

Depiction of the complexity of declarative infrastructure as code mappings

Now, with Checkov 2.0's graph-based mapping, those complex dependencies can be fully mapped out and understood *prior* to the development process. This drastically improves the accuracy of scans and helps provide better risk prioritization while reducing false positives. In addition to all of these benefits, the new architecture comes with a significant performance boost: developers receive feedback faster and with more accuracy, improving their productivity.
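To make the VPC-after-EC2 example above concrete, here is an added illustration (written for this page; it is not Checkov's code and does not use Checkov's internal graph or policy format) of why a relationship-aware check differs from a line-by-line one. It parses a constructed Terraform snippet in a deliberately tiny HCL subset, builds a resource graph from `type.name.attribute` references, and evaluates two policies: an attribute-only rule that flags every instance with a public IP, and a graph rule that walks instance → subnet → VPC and flags only instances whose VPC is tagged `Environment = "prod"`. The resource names, tag convention and the parser itself are assumptions for the example; the VPCs are declared after the instances that depend on them, as in the text.

```python
import re

# Constructed Terraform sample (not from the article); placeholder CIDRs.
# The VPCs are declared *after* the instances that depend on them.
SAMPLE_TF = """
resource "aws_instance" "web" {
  subnet_id                   = aws_subnet.public.id
  associate_public_ip_address = true
}

resource "aws_instance" "scratch" {
  subnet_id                   = aws_subnet.lab.id
  associate_public_ip_address = true
}

resource "aws_subnet" "public" {
  vpc_id = aws_vpc.main.id
}

resource "aws_subnet" "lab" {
  vpc_id = aws_vpc.sandbox.id
}

resource "aws_vpc" "main" {
  cidr_block = "10.0.0.0/16"
  tags       = { Environment = "prod" }
}

resource "aws_vpc" "sandbox" {
  cidr_block = "10.1.0.0/16"
  tags       = { Environment = "dev" }
}
"""

# Deliberately small HCL subset (an assumption of this example): top-level
# resource blocks, scalar attributes, single-line maps, bare type.name.attr refs.
BLOCK_RE = re.compile(r'resource\s+"([^"]+)"\s+"([^"]+)"\s*\{(.*?)\n\}', re.S)
MAP_RE = re.compile(r'^\{\s*(.*?)\s*\}$')
PAIR_RE = re.compile(r'(\w+)\s*=\s*("[^"]*"|[\w.]+)')
REF_RE = re.compile(r'^([a-z_]+)\.(\w+)\.(\w+)$')


def parse_value(raw):
    """Convert an HCL-ish scalar; a reference becomes a ('ref', type, name) edge."""
    if raw in ("true", "false"):
        return raw == "true"
    if raw.startswith('"') and raw.endswith('"'):
        return raw[1:-1]
    m = MAP_RE.match(raw)
    if m:
        return {k: parse_value(v) for k, v in PAIR_RE.findall(m.group(1))}
    m = REF_RE.match(raw)
    if m:
        return ("ref", m.group(1), m.group(2))
    return raw


def parse_resources(text):
    """Build the graph in one pass: node (type, name) -> attribute dict."""
    graph = {}
    for rtype, name, body in BLOCK_RE.findall(text):
        attrs = {}
        for line in body.splitlines():
            if "=" in line:
                key, raw = line.split("=", 1)
                attrs[key.strip()] = parse_value(raw.strip())
        graph[(rtype, name)] = attrs
    return graph


def find_connected(graph, start, target_type):
    """Breadth-first walk along reference edges; first node of target_type, or None."""
    seen, queue = {start}, [start]
    while queue:
        node = queue.pop(0)
        if node[0] == target_type:
            return node
        for value in graph.get(node, {}).values():
            if isinstance(value, tuple) and value[0] == "ref":
                nxt = (value[1], value[2])
                if nxt not in seen:
                    seen.add(nxt)
                    queue.append(nxt)
    return None


def flat_policy(graph):
    """Attribute-only check: flags every instance that assigns a public IP."""
    return sorted(name for (rtype, name), a in graph.items()
                  if rtype == "aws_instance" and a.get("associate_public_ip_address") is True)


def graph_policy(graph):
    """Relationship-aware check: public-IP instances whose VPC is tagged Environment=prod."""
    findings = []
    for node, attrs in graph.items():
        if node[0] != "aws_instance" or attrs.get("associate_public_ip_address") is not True:
            continue
        vpc = find_connected(graph, node, "aws_vpc")
        env = graph.get(vpc, {}).get("tags", {}).get("Environment") if vpc else None
        if env == "prod":
            findings.append(node[1])
    return sorted(findings)


if __name__ == "__main__":
    g = parse_resources(SAMPLE_TF)
    print("attribute-only findings:", flat_policy(g))   # ['scratch', 'web']
    print("graph-aware findings:   ", graph_policy(g))  # ['web']
```

The attribute-only rule reports both instances, so the sandbox one is a false positive that a developer would learn to ignore; the graph rule resolves the two-hop path to the VPC first and reports only the production exposure. Because the whole file is parsed into a graph before any rule runs, the order in which the blocks appear does not matter, which is the property the text describes.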
![A YAML file for a graph-based policy for Checkov](https://www.paloaltonetworks.com/blog/wp-content/uploads/2021/04/word-image-17.png)

A YAML file for a graph-based policy for Checkov

## Expanded Out-of-the-Box Policy Library

With the graph-based rewrite, there are nearly 250 new policies available out of the box, including some that weren't possible before this new approach. These added policies mean that Checkov now covers more than 50% of the configurations in most CIS Benchmarks, including more than 60% of the CIS Kubernetes Benchmark version 1.6.0. Security teams and developers can be more confident that they can meet compliance requirements before a single cloud asset is provisioned in production.

[![A gif showing examples of new policies available out-of-the-box.](https://www.paloaltonetworks.com/blog/wp-content/uploads/2021/04/checkov_2.0_policies.gif)](https://www.paloaltonetworks.com/blog/wp-content/uploads/2021/04/checkov_2.0_policies.gif)

Some of the new policies that are available out of the box.

We'll continue to source new policies from the community and from the Prisma Cloud threat research teams.
## New Dockerfile Misconfiguration Scanning Capabilities

Checkov scans for misconfigurations in [Terraform](https://bridgecrew.io/blog/terraform-plan-security-scanning-checkov/?utm_source=panw-blog&utm_campaign=checkov2-launch), [CloudFormation](https://bridgecrew.io/blog/announcing-cloudformation-support-in-checkov/?utm_source=panw-blog&utm_campaign=checkov2-launch), [Azure Resource Manager (ARM)](https://docs.bridgecrew.io/docs/azure-policy-index/?utm_source=panw-blog&utm_campaign=checkov2-launch), [Kubernetes](https://bridgecrew.io/blog/kubernetes-static-code-analysis-with-checkov/?utm_source=panw-blog&utm_campaign=checkov2-launch), [Helm](https://bridgecrew.io/blog/built-in-helm-chart-scanning-with-checkov/?utm_source=panw-blog&utm_campaign=checkov2-launch), and [Serverless Framework](https://docs.bridgecrew.io/docs/serverless-policies/?utm_source=panw-blog&utm_campaign=checkov2-launch) templates, and Checkov 2.0 now supports Dockerfiles as well. Docker containers are susceptible to misconfigurations such as exposed ports, running as root, and secrets baked into the image. Checkov automatically discovers Dockerfiles and scans them to identify those misconfigurations early, along with many other CIS benchmark requirements, helping developers fix their code before the container is built.

![Checkov Kubernetes manifest and Dockerfile scan results](https://www.paloaltonetworks.com/blog/wp-content/uploads/2021/04/word-image-18.png)

Checkov Kubernetes manifest and Dockerfile scan results

## Get Started with Checkov

We're excited to shift further left and secure more of the cloud native security stack. All of these features are free and open source today. [Checkov](https://github.com/bridgecrewio/checkov) is available in many popular package managers, so you can try it for yourself. Everything included in this release is also available in the Bridgecrew product for both paid and free tier customers.
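As an added illustration of the three Dockerfile misconfiguration classes the section above names (an exposed SSH port, running as root, and a secret baked into the image), here is a small checker written for this page. It is not Checkov's code, and the rule identifiers, the Dockerfile instruction parser and the two constructed Dockerfiles are this example's own assumptions. The "final stage" logic is there because in a multi-stage build only the instructions after the last `FROM` end up in the shipped image, so a `USER` in an earlier stage does not help.

```python
import re

# Constructed Dockerfiles (not from the article). The first carries the three
# misconfiguration classes the post names; the second is the corrected form.
RISKY_DOCKERFILE = """\
FROM python:3.11-slim
ENV API_TOKEN=PLACEHOLDER_NOT_A_REAL_TOKEN
RUN pip install --no-cache-dir -r requirements.txt
EXPOSE 22
EXPOSE 8080
CMD ["python", "app.py"]
"""

HARDENED_DOCKERFILE = """\
FROM python:3.11-slim
RUN pip install --no-cache-dir -r requirements.txt \\
    && useradd --create-home app
USER app
EXPOSE 8080
CMD ["python", "app.py"]
"""

# Variable names that usually hold credentials; a heuristic, not a secret scanner.
SECRET_NAME_RE = re.compile(r"(TOKEN|SECRET|PASSW|API_KEY|PRIVATE_KEY)", re.I)


def parse_instructions(text):
    """Return (INSTRUCTION, argument) pairs; joins line continuations, drops comments/blanks."""
    pairs = []
    for line in text.replace("\\\n", " ").splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        head, _, rest = line.partition(" ")
        pairs.append((head.upper(), rest.strip()))
    return pairs


def env_keys(arg):
    """Variable names from 'ENV K=v K2=v2' or the legacy 'ENV K v' form."""
    if "=" in arg:
        return [tok.split("=", 1)[0] for tok in arg.split() if "=" in tok]
    return arg.split()[:1]


def check_dockerfile(text):
    """Return (rule_id, message) findings; rule ids are this example's own, not Checkov's."""
    instr = parse_instructions(text)
    findings = []
    # Only the final stage is shipped, so judge USER on the instructions after the last FROM.
    last_from = max((i for i, (ins, _) in enumerate(instr) if ins == "FROM"), default=-1)
    users = [arg for ins, arg in instr[last_from + 1:] if ins == "USER"]
    if not users or users[-1].split(":")[0] in ("root", "0"):
        findings.append(("ROOT_USER", "final stage runs as root: add a non-root USER"))
    for ins, arg in instr:
        if ins == "EXPOSE" and any(p.split("/")[0] == "22" for p in arg.split()):
            findings.append(("SSH_PORT", "EXPOSE 22: SSH should not be served from the container"))
        if ins in ("ENV", "ARG"):
            for key in env_keys(arg):
                if SECRET_NAME_RE.search(key):
                    findings.append((
                        "SECRET_ENV",
                        f"{ins} {key}: secret-like value persists in image layers and history",
                    ))
    return findings


if __name__ == "__main__":
    for label, dockerfile in (("risky", RISKY_DOCKERFILE), ("hardened", HARDENED_DOCKERFILE)):
        print(label, check_dockerfile(dockerfile) or "clean")
```

Run as a script, the risky file produces one finding per class and the hardened file is clean. A check like this belongs in the same pre-build pipeline stage as the IaC scan: a secret placed in `ENV` or `ARG` is recorded in the image's layer metadata even if a later instruction unsets it, so the only effective fix is to keep it out of the Dockerfile and pass it at runtime instead.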
You can [sign up for a free 14-day trial](https://www.bridgecrew.cloud/login/signUp/?utm_source=panw-blog&utm_campaign=checkov2-launch) to get started. To learn more about this release and our vision for this space, tune in to our community [office hours](https://www.twitch.tv/bridgecrewio), hosted by the builders and maintainers behind Checkov, live on Thursday, April 8 at 10am PT/1pm ET, or view the recording anytime afterward on Twitch.