# Checkov 3.0: Upgraded Open-Source Infrastructure-as-Code Security

By [Matt Johnson](https://www.paloaltonetworks.com/blog/author/matt-johnson/?ts=markdown "Posts by Matt Johnson"), Oct 25, 2023, 5 minutes

[Code Security](https://www.paloaltonetworks.com/blog/cloud-security/category/code-security/?ts=markdown) · [DevSecOps](https://www.paloaltonetworks.com/blog/category/devsecops/?ts=markdown) · [Checkov](https://www.paloaltonetworks.com/blog/tag/checkov/?ts=markdown) · [Infrastructure as Code Security](https://www.paloaltonetworks.com/blog/tag/infrastructure-as-code-security/?ts=markdown)

Version 3.0 of Checkov, Prisma Cloud's open-source infrastructure-as-code (IaC) security scanner, is now available.
Checkov 3.0 is the result of over 11,000 new commits since we released [Checkov 2.0](https://www.paloaltonetworks.com/blog/prisma-cloud/checkov-2-deepening-open-source-iac-security/) and includes upgrades such as improved graph policies, deeper Terraform scanning and support for new frameworks. Checkov enables developers to identify and remediate misconfigurations in [infrastructure-as-code](https://www.paloaltonetworks.com/blog/prisma-cloud/what-is-infrastructure-as-code-the-best-way-to-fully-control-your-cloud-configuration/) files across platforms such as Terraform, Kubernetes, CloudFormation and Ansible. Since its launch in late 2019, Checkov has been downloaded over 80 million times, making it one of the most popular open-source IaC security scanners. Let's dive into the latest upgrades to [Checkov](https://www.checkov.io/).

## Expanded Graph Policies

Checkov was the first infrastructure-as-code security tool to introduce graph policies, emphasizing the importance of context between objects when considering security posture. Checkov 3.0 builds on that initial investment in a graph-based approach and includes over 800 new graph policies on top of the 1,000 policies we added two years ago. Checkov now has over 3,000 policies in total, customizable with [inline suppressions](https://www.checkov.io/2.Basics/Suppressing%20and%20Skipping%20Policies.html).

You can also create [custom policies](https://www.checkov.io/3.Custom%20Policies/Custom%20Policies%20Overview.html) and use Checkov's new baseline feature, which sets a baseline for a directory (not an individual file) so that future runs skip all existing misconfigurations. To use it, first run `checkov -d path/to/directory --create-baseline`, which writes the baseline file `.checkov.baseline` into the scanned directory. For later runs, use `checkov -d path/to/directory --baseline path/to/directory/.checkov.baseline` so that only newly introduced misconfigurations are reported.
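The two commands above create and then consume the baseline. As an added example (not code from this post or from the Checkov project), the following Python script shows what applying a baseline amounts to: findings are matched by file, resource address and check ID, and anything the baseline already records is dropped, so a CI gate run with `--baseline` fails only on what is new. The JSON shape of `BASELINE` and the matching key are my assumptions about what `--create-baseline` writes; compare them with the file Checkov generates in your own repository before relying on this.

```python
"""Added example: how a directory baseline filters a later Checkov scan.
Not Checkov's code. The baseline JSON shape and the (file, resource,
check_id) matching key below are assumptions; verify them against a real
.checkov.baseline before building tooling on them."""
import json

# Constructed baseline, in the shape assumed for .checkov.baseline.
BASELINE = json.loads("""
{
  "failed_checks": [
    {
      "file": "/storage.tf",
      "findings": [
        {"resource": "aws_s3_bucket.logs", "check_ids": ["CKV_AWS_18", "CKV_AWS_144"]}
      ]
    }
  ]
}
""")

# Constructed results of a later scan: one finding already in the baseline,
# one new check on the same resource, and one on a resource the baseline never saw.
LATER_SCAN = [
    {"file": "/storage.tf", "resource": "aws_s3_bucket.logs", "check_id": "CKV_AWS_18"},
    {"file": "/storage.tf", "resource": "aws_s3_bucket.logs", "check_id": "CKV_AWS_21"},
    {"file": "/network.tf", "resource": "aws_security_group.web", "check_id": "CKV_AWS_24"},
]


def baseline_index(baseline):
    """Flatten the baseline into a set of (file, resource, check_id) triples."""
    known = set()
    for entry in baseline["failed_checks"]:
        for finding in entry["findings"]:
            for check_id in finding["check_ids"]:
                known.add((entry["file"], finding["resource"], check_id))
    return known


def new_findings(scan, baseline):
    """Return only the findings that are not recorded in the baseline."""
    known = baseline_index(baseline)
    return [f for f in scan if (f["file"], f["resource"], f["check_id"]) not in known]


def check_ids(findings):
    """Sorted check IDs of a list of findings, handy for reporting and tests."""
    return sorted(f["check_id"] for f in findings)


if __name__ == "__main__":
    for f in new_findings(LATER_SCAN, BASELINE):
        print(f"NEW  {f['file']}  {f['resource']}  {f['check_id']}")
```

Two consequences of keying on the resource address, in this model at least: renaming `aws_s3_bucket.logs` makes its baselined findings reappear as new, and the baseline is a ledger of accepted debt that should be reviewed periodically, not a fix.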
## Power to the Policy Definitions

Along with the new out-of-the-box policies, we've improved the power and usability of Checkov's policy language with new operators (36, in fact) to make policies simpler to write. Let's look at a few of these operators in more detail.

`subset` collapses what used to be a nest of `and`/`or` blocks of `equals` conditions into a single condition: the attribute, whether a scalar or a list, passes when every value it holds is in the policy's list. Additionally, all operators now support JSON paths: prefix the operator with `jsonpath_` (for example `jsonpath_equals`) and the `attribute` field is interpreted as a JSONPath expression, so one condition can reach into nested blocks and build more complex patterns.

Here's an example of a YAML-based [policy](https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/DMSEndpointHaveSSLConfigured.yaml) in Checkov:

```yaml
metadata:
  id: "CKV2_AWS_49"
  name: "Ensure AWS Database Migration Service endpoints have SSL configured"
  category: "NETWORKING"
definition:
  or:
    - and:
        - cond_type: "attribute"
          resource_types:
            - "aws_dms_endpoint"
          attribute: "endpoint_type"
          operator: "equals"
          value: "source"
        - or:
            - cond_type: "attribute"
              resource_types:
                - "aws_dms_endpoint"
              attribute: "engine_name"
              operator: "subset"
              value:
                - "s3"
                - "azuredb"
            - cond_type: "attribute"
              resource_types:
                - "aws_dms_endpoint"
              attribute: "ssl_mode"
              operator: "not_equals"
              value: "none"
```

The `jsonpath_` operators are powerful because the attribute can itself be an expression, which allows a single policy to cover the complexity of cloud environment objects. Let's look at an example [policy](https://github.com/bridgecrewio/checkov/blob/5a0231bef3bc686253cbea9be812da284dc23a6a/tests/terraform/graph/checks_infra/attribute_solvers/jsonpath_equals_solver/CkSshPortOpenForAll.yaml#L13) that uses `jsonpath_`. It comes from Checkov's test suite, so the CIDR is a fixture value (`/92` is not a valid IPv4 prefix length), not something to copy into a real policy:

```yaml
- cond_type: "attribute"
  resource_types:
    - "aws_security_group"
  attribute: "ingress[?(@.to_port == 443 & @.from_port == 443)].cidr_blocks[?(@ == '8.0.4.19/92')]"
  operator: "jsonpath_equals"
  value: 8.0.4.19/92
```

Read [Checkov's documentation](https://www.checkov.io/3.Custom%20Policies/YAML%20Custom%20Policies.html#policy-definition) to learn more about the new operators.

## Deep Terraform Scanning

Checkov started out as a Terraform security scanner, and while it now supports a wide range of infrastructure-as-code frameworks, we've continued to improve its Terraform security capabilities based on community feedback.
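Before going deeper into Terraform, here is an added worked example for the policy-definition section above. It is not code from this post or from the Checkov project: it is a small stand-in evaluator for the `and`/`or` condition tree that Checkov's YAML graph policies use, applied to constructed `aws_dms_endpoint` resources so you can see which configurations CKV2_AWS_49 accepts and why `subset` replaces a chain of `equals` conditions. The operator semantics (`equals`, `not_equals`, `subset`) are my reading of the documented operators, not Checkov's solver code, and the `jsonpath_*` operators are not modelled. Check anything you build on this against a real Checkov run with `--external-checks-dir`.

```python
"""Added example: a minimal evaluator for Checkov-style YAML policy trees.
Not Checkov's code; operator semantics are assumptions documented inline."""


def cond(attribute, operator, value):
    """Leaf condition on an aws_dms_endpoint attribute (the YAML's cond_type: attribute)."""
    return {"cond_type": "attribute", "resource_types": ["aws_dms_endpoint"],
            "attribute": attribute, "operator": operator, "value": value}


# CKV2_AWS_49 from the post, as the data structure its YAML parses to.
CKV2_AWS_49 = {"or": [{"and": [
    cond("endpoint_type", "equals", "source"),
    {"or": [
        # One `subset` condition exempts both engines; without it this would be
        # an `or` of two `equals` conditions.
        cond("engine_name", "subset", ["s3", "azuredb"]),
        cond("ssl_mode", "not_equals", "none"),
    ]},
]}]}

# Constructed resources in a parsed-Terraform-like shape (address, type, attributes).
RESOURCES = [
    {"address": "aws_dms_endpoint.mysql_plain", "type": "aws_dms_endpoint",
     "attributes": {"endpoint_type": "source", "engine_name": "mysql", "ssl_mode": "none"}},
    {"address": "aws_dms_endpoint.mysql_tls", "type": "aws_dms_endpoint",
     "attributes": {"endpoint_type": "source", "engine_name": "mysql", "ssl_mode": "require"}},
    {"address": "aws_dms_endpoint.s3_source", "type": "aws_dms_endpoint",
     "attributes": {"endpoint_type": "source", "engine_name": "s3"}},
    {"address": "aws_s3_bucket.unrelated", "type": "aws_s3_bucket",
     "attributes": {"bucket": "logs"}},
]


def _as_list(value):
    return value if isinstance(value, list) else [value]


def op_equals(actual, expected):
    return actual == expected


def op_not_equals(actual, expected):
    return actual != expected


def op_subset(actual, expected):
    """Assumed semantics: every value the attribute holds (a scalar counts as a
    one-element list) is in the policy's list; an absent attribute fails."""
    return actual is not None and set(_as_list(actual)) <= set(expected)


OPERATORS = {"equals": op_equals, "not_equals": op_not_equals, "subset": op_subset}


def evaluate(node, resource):
    """True if `resource` satisfies the condition tree rooted at `node` (check passes)."""
    if "and" in node:
        return all(evaluate(child, resource) for child in node["and"])
    if "or" in node:
        return any(evaluate(child, resource) for child in node["or"])
    if node.get("cond_type") != "attribute":
        raise ValueError(f"unsupported cond_type: {node.get('cond_type')!r}")
    actual = resource["attributes"].get(node["attribute"])
    return OPERATORS[node["operator"]](actual, node["value"])


def resource_types(node):
    """Collect every resource type named by the policy's leaf conditions."""
    if "and" in node or "or" in node:
        children = node.get("and", node.get("or"))
        return set().union(*(resource_types(child) for child in children))
    return set(node["resource_types"])


def scan(resources, policy):
    """Map each in-scope resource address to PASSED/FAILED; other types are skipped."""
    in_scope = resource_types(policy)
    return {r["address"]: ("PASSED" if evaluate(policy, r) else "FAILED")
            for r in resources if r["type"] in in_scope}


if __name__ == "__main__":
    for address, result in scan(RESOURCES, CKV2_AWS_49).items():
        print(f"{result:7} CKV2_AWS_49  {address}")
```

Running it shows the MySQL endpoint with `ssl_mode = "none"` failing, the same endpoint with `ssl_mode = "require"` passing, and the S3 endpoint passing through the `subset` exemption without any `ssl_mode` at all; the S3 bucket is never evaluated because no leaf condition names its type.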
Checkov now provides the deepest level of Terraform security scanning available. With Checkov 3.0, you get:

* Terraform JSON scanning across all Terraform policies
* Deep analysis and resolution of Terraform `for_each` and `dynamic` code blocks
* Fetching and scanning of dependent Terraform modules
* Terraform plan scanning

Checkov also has a new deep analysis mode (`--deep-analysis`) that works with all of the above. With deep analysis, you pass both a plan file and the original Terraform so that Checkov fully resolves variables, blocks and other complex configurations that neither input shows on its own.

## Upgraded Secrets Scanning

Checkov helps you identify and remove exposed credentials, such as API keys and access tokens, early in the software development lifecycle. With our upgrades to its secrets security capabilities, Checkov now supports a wider range of [known-format secrets](https://www.paloaltonetworks.com/blog/prisma-cloud/secrets-security-across-files-repositories-pipelines/). Checkov also features improved detection of "random" (high-entropy) secrets and, when you supply an API key, can verify the credentials it finds so that it alerts only on ones that are actually valid.

## Expanded Support for IaC Frameworks

In this latest upgrade to Checkov, we also sought to extend support for a variety of infrastructure-as-code frameworks. This includes some you probably wouldn't even call infrastructure as code (we're looking at you, Ansible). Checkov 3.0 now supports:

* [Continuous integration (CI) pipeline tools](https://www.checkov.io/1.Welcome/Feature%20Descriptions.html#integrating-with-cicd), such as Bitbucket Cloud Pipelines and Jenkins
* Bicep in Azure
* Kustomize
* Ansible
* [Kubernetes graph checks](https://www.paloaltonetworks.com/blog/prisma-cloud/kubernetes-security-with-checkov-graph-connections/)

## AI and Checkov

It's 2023, so we obviously had to upgrade Checkov with AI.
When you use [Checkov and ChatGPT](https://www.paloaltonetworks.com/blog/prisma-cloud/chatgpt-checkov-iac-security/) via an API token, Checkov provides detailed CLI output with suggested code fixes to help streamline your workflow. Because the findings and the surrounding code are sent to an external API for this, confirm that is acceptable for the repositories you scan before enabling it.

![Checkov's AI-generated CLI output](https://www.paloaltonetworks.com/blog/wp-content/uploads/2023/10/image4.png)

Figure 1: Checkov's AI-generated CLI output

## Getting Involved in the Community

We're excited to see how far Checkov has come since 2019, and we can't wait to see what the future of [infrastructure-as-code security](https://www.paloaltonetworks.com/prisma/cloud/infrastructure-as-code-security) will bring. As you explore Checkov, please join our [#CodifiedSecurity Slack channel](https://join.slack.com/t/codifiedsecurity/shared_invite/zt-25hk5bbg7-gq6cX0bP2GhHIp680dQ8GA) to ask questions, share ideas and connect with our dev team.

And if you're looking for more information on how to adopt infrastructure-as-code security in your organization, download the step-by-step guide: [Operationalize Your Infrastructure-as-Code Security Program](https://start.paloaltonetworks.com/iac-security-operationalization-guide.html). In it, you'll learn how to get started with IaC security, roll out your program and iterate for success.