# Install checkov with Homebrew, Nix

Prevent cloud misconfigurations during build-time for IaC tools. Version 3.3.0 via Homebrew; verified 2026-06-11.

## Install

```sh
sudo av install brew:checkov
```

## Agent safety answer

checkov scans infrastructure code and may read sensitive templates and policy context.

- **Credential access:** Reads IaC files, environment variables, and optional platform tokens.
- **Remote mutation:** Usually read-only, but integrations can report to remote services.
- **Publish/artifact risk:** Can produce security reports that may include resource names and paths.
- **Recommended control:** Gate token-backed uploads and scans over secret-bearing files.
- **Agent-use guidance:** Allow local scans; require approval before uploading findings or scanning sensitive directories.

Additional install commands:

### macOS

- Homebrew (100%):

```sh
brew install checkov
```

  Evidence: local Homebrew formula metadata

### Linux

- Nix (92%):

```sh
nix profile install nixpkgs#checkov
```

  Evidence: nixpkgs package indexes: pkgs/by-name/ch/checkov/package.nix from https://api.github.com/repos/NixOS/nixpkgs/git/trees/master?recursive=1

## Package facts

- **Package key:** brew:checkov
- **Package manager:** Homebrew
- **Package manager page:** <https://formulae.brew.sh/formula/checkov>
- **Version:** 3.3.0
- **Source summary:** Prevent cloud misconfigurations during build-time for IaC tools
- **Homepage:** <https://www.checkov.io/>
- **Repository:** <https://github.com/bridgecrewio/checkov>
- **Upstream docs:** <https://www.checkov.io/>
- **License:** Apache-2.0
- **Source archive:** <https://files.pythonhosted.org/packages/9c/0a/03002542731935763af6bb5eb7473cc1e99818c818608d5fd54240c590e2/checkov-3.3.0.tar.gz>
- **Last updated:** 2026-06-11T07:52:35Z
- **Generated:** 2026-07-08T07:18:31+00:00

## Executables

- checkov (cli)
- checkov.cmd (cli)
- checkov (alias)
- checkov.cmd (alias)

## Dependencies

- certifi
- cffi
- libyaml
- numpy
- pydantic
- python@3.14
- rpds-py

## Build dependencies

- cmake
- maturin
- rust

## Uses from macOS

- libffi

## Install behavior

- Post-install hook: not defined
- Bottle: available on arm64_linux, arm64_sequoia, arm64_sonoma, arm64_tahoe, sonoma, x86_64_linux

## Freshness

- Page generated: 2026-07-08
- Package-manager version: 3.3.0
- Package-manager updated: 2026-06-11
- Local data: ok
- Upstream repository: https://www.checkov.io/
- info: Release/tag comparison is only available for GitHub repositories.
## Project history and usage

Checkov is an infrastructure-as-code static analysis tool created by Bridgecrew and maintained under Prisma Cloud. It became a major security package because it brought policy-as-code checks for Terraform, Kubernetes, CloudFormation, Dockerfiles, CI workflows, and related formats into a single installable CLI.

### Project history

The bridgecrewio/checkov repository was created in November 2019. The official README describes Checkov as a static code analysis tool for IaC and software composition analysis, maintained by Prisma Cloud and able to detect cloud misconfigurations and vulnerabilities during build time.

Checkov expanded from Terraform-oriented misconfiguration scanning into a broader scanner for Terraform plans, CloudFormation, AWS SAM, Kubernetes, Helm, Kustomize, Dockerfiles, Serverless, Bicep, ARM templates, OpenAPI, OpenTofu, CI pipelines, container images, and open source packages.

### Adoption history

Checkov was first uploaded to PyPI in December 2019 and was still publishing frequent 3.x releases in June 2026. The official README documents installation through pip, Homebrew, Docker, and upgrades through pip or brew.

Docker Hub metadata for bridgecrew/checkov showed more than 22 million pulls by June 2026, and the GitHub repository metadata showed thousands of stars, indicating adoption well beyond niche use. In 2021, Palo Alto Networks announced completion of its Bridgecrew acquisition, after which the README and docs positioned Checkov as part of Prisma Cloud Application Security.

### How it is used

Typical CLI usage scans a directory, file, or Terraform plan JSON and emits findings with policy IDs, file paths, pass/fail status, and remediation links. Output formats include CLI, CycloneDX, JSON, JUnit XML, CSV, SARIF, and GitHub markdown.

Teams commonly run Checkov locally, in CI, or in pull request workflows to block insecure infrastructure definitions before deployment. With a Prisma Cloud API key, the CLI can also use severity thresholds and platform-backed policy metadata.

### Why package nerds care

Checkov is package-nerd significant because it is a high-churn Python security CLI with multiple distribution channels, a large policy corpus, Docker images, Homebrew packaging, PyPI releases, and enterprise integration pressure. It shows how cloud-security tooling moved from SaaS dashboards into developer workstation and CI packages.

Its packaging story also reflects IaC's growth: a single command-line package became a front door for scanning Terraform, Kubernetes, Docker, CI configuration, secrets, and SCA inputs.

### Timeline

- 2019: bridgecrewio/checkov repository created and first PyPI release uploaded.
- 2021: Palo Alto Networks completed its acquisition of Bridgecrew.
- 2026: Checkov 3.3.x releases published and Docker image updated.

### Related projects

- Prisma Cloud Application Security is the commercial platform integration documented by Checkov.
- Terraform, OpenTofu, Kubernetes, CloudFormation, Helm, Docker, CycloneDX, and SARIF are major adjacent ecosystems and formats supported by Checkov.

### Sources

- <https://github.com/bridgecrewio/checkov>
- <https://www.checkov.io/>
- <https://github.com/bridgecrewio/checkov/releases>
- <https://pypi.org/project/checkov/>
- <https://hub.docker.com/r/bridgecrew/checkov>
- <https://www.paloaltonetworks.com/company/press/2021/palo-alto-networks-completes-acquisition-of-bridgecrew>


## Security Notes

infrastructure mutation or orchestration signal.

- **Geiger risk:** orange / medium
- infrastructure mutation or orchestration signal


## Configuration and credential file locations

These source-backed paths show where this package keeps local settings or durable credentials. Automic Vault can use them as review targets for secret scanning, migration, and command approval.


## Credential files

- Unix: ~/.bridgecrew/credentials
## Source Database Details

- **Source Database:** Homebrew formula API
- **Tap:** homebrew/core
- **Full Name:** checkov
- **Version Scheme:** 0
- **Revision:** 0
- **Bottle Stable Root URL:** <https://ghcr.io/v2/homebrew/core>
- **Deprecated:** no
- **Disabled:** no
- **Keg Only:** no
- **URL Keys:** stable

## Other Package-Manager Records

- Nix - checkov: normalized package name match | nixpkgs package indexes: pkgs/by-name/ch/checkov/package.nix from https://api.github.com/repos/NixOS/nixpkgs/git/trees/master?recursive=1


## Related links

- [Cloud CLI packages](https://www.automicvault.com/pkg/cloud-clis/) - Belongs to a cloud or infrastructure command family.
- [Secret-risk packages](https://www.automicvault.com/pkg/secret-risk-packages/) - Has protected-tool coverage, approval-gate, or non-low Geiger security signals.
- [Terminal utility packages](https://www.automicvault.com/pkg/terminal-utilities/) - Matched terminal and command-line workflow metadata.
- [Developer build packages](https://www.automicvault.com/pkg/developer-build-tools/) - Matched build, compiler, generator, or developer workflow metadata.
- [cffi](https://www.automicvault.com/pkg/brew/cffi/) - Runtime dependency declared by Homebrew.
- [numpy](https://www.automicvault.com/pkg/brew/numpy/) - Runtime dependency declared by Homebrew.
- [python@3.14](https://www.automicvault.com/pkg/brew/python-3-14/) - Runtime dependency declared by Homebrew.
- [cmake](https://www.automicvault.com/pkg/brew/cmake/) - Build dependency declared by Homebrew.
- [maturin](https://www.automicvault.com/pkg/brew/maturin/) - Build dependency declared by Homebrew.
- [rust](https://www.automicvault.com/pkg/brew/rust/) - Build dependency declared by Homebrew.
- [terrascan](https://www.automicvault.com/pkg/brew/terrascan/) - Shares av.db curated category or tags: cli, compliance, infrastructure-as-code, kubernetes, security.
- [intercept](https://www.automicvault.com/pkg/brew/intercept/) - Shares av.db curated category or tags: cli, compliance, security, static-analysis.
- [kics](https://www.automicvault.com/pkg/brew/kics/) - Shares av.db curated category or tags: cli, compliance, infrastructure-as-code, security.
- [kube-bench](https://www.automicvault.com/pkg/brew/kube-bench/) - Shares av.db curated category or tags: cli, compliance, kubernetes, security.
- [kubescape](https://www.automicvault.com/pkg/brew/kubescape/) - Shares av.db curated category or tags: cli, compliance, kubernetes, security.
- [terraform-iam-policy-validator](https://www.automicvault.com/pkg/brew/terraform-iam-policy-validator/) - Shares av.db curated category or tags: cli, compliance, security, terraform.
- [tfsec](https://www.automicvault.com/pkg/brew/tfsec/) - Shares av.db curated category or tags: cli, security, static-analysis, terraform.
- [bandit](https://www.automicvault.com/pkg/brew/bandit/) - Shares av.db curated category or tags: cli, security, static-analysis.
- [cfripper](https://www.automicvault.com/pkg/brew/cfripper/) - Both packages touch the same language runtime or ecosystem. Shared terms: analysis, cli, cloud, libyaml, pydantic.
- [prowler](https://www.automicvault.com/pkg/brew/prowler/) - Both packages touch the same language runtime or ecosystem. Shared terms: certifi, cli, cloud, compliance, libyaml.

## Combined YAML source

View the package source record on GitHub. [combined/checkov.yml](https://github.com/automic-vault/db/blob/main/combined/checkov.yml)


## Sources

- Nucleus package database
- Geiger risk classifier
- package-page enrichment
- curated configuration and credential file locations
- curated package history
- package version freshness
- av.db category and tag curation
- package relationship graph
- external package-manager database matches
- cross-ecosystem install command graph
- curated agent safety answer
