Automic VaultAutomic Vault

brew

使用 Homebrew, Nix 安装 checkov

查看 checkov 的安装路径、可执行文件、元数据以及面向 AI 代理工作流的安全说明。

代理安全

代理安全回答

checkov scans infrastructure code and may read sensitive templates and policy context.

凭据访问

Reads IaC files, environment variables, and optional platform tokens.

远程变更

Usually read-only, but integrations can report to remote services.

发布/制品风险

Can produce security reports that may include resource names and paths.

推荐控制

Gate token-backed uploads and scans over secret-bearing files.

代理使用指南

Allow local scans; require approval before uploading findings or scanning sensitive directories.

安装

其他安装命令

macOS

Homebrew已验证 · 100%
brew install checkov

local Homebrew formula metadata

Linux

Nix已验证 · 92%
nix profile install nixpkgs#checkov

nixpkgs package indexes · pkgs/by-name/ch/checkov/package.nix · 来源: api.github.com

概览

软件包摘要

Prevent cloud misconfigurations during build-time for IaC tools

命令和别名

  • checkov
  • checkov.cmd

历史

项目历史与用法

Checkov is an infrastructure-as-code static analysis tool created by Bridgecrew and maintained under Prisma Cloud. It became a major security package because it brought policy-as-code checks for Terraform, Kubernetes, CloudFormation, Dockerfiles, CI workflows, and related formats into a single installable CLI.

项目历史

The bridgecrewio/checkov repository was created in November 2019. The official README describes Checkov as a static code analysis tool for IaC and software composition analysis, maintained by Prisma Cloud and able to detect cloud misconfigurations and vulnerabilities during build time.

Checkov expanded from Terraform-oriented misconfiguration scanning into a broader scanner for Terraform plans, CloudFormation, AWS SAM, Kubernetes, Helm, Kustomize, Dockerfiles, Serverless, Bicep, ARM templates, OpenAPI, OpenTofu, CI pipelines, container images, and open source packages.

采用历史

Checkov was first uploaded to PyPI in December 2019 and was still publishing frequent 3.x releases in June 2026. The official README documents installation through pip, Homebrew, Docker, and upgrades through pip or brew.

Docker Hub metadata for bridgecrew/checkov showed more than 22 million pulls by June 2026, and the GitHub repository metadata showed thousands of stars, indicating adoption well beyond niche use. In 2021, Palo Alto Networks announced completion of its Bridgecrew acquisition, after which the README and docs positioned Checkov as part of Prisma Cloud Application Security.

使用方式

Typical CLI usage scans a directory, file, or Terraform plan JSON and emits findings with policy IDs, file paths, pass/fail status, and remediation links. Output formats include CLI, CycloneDX, JSON, JUnit XML, CSV, SARIF, and GitHub markdown.

Teams commonly run Checkov locally, in CI, or in pull request workflows to block insecure infrastructure definitions before deployment. With a Prisma Cloud API key, the CLI can also use severity thresholds and platform-backed policy metadata.

为什么软件包爱好者会关心

Checkov is package-nerd significant because it is a high-churn Python security CLI with multiple distribution channels, a large policy corpus, Docker images, Homebrew packaging, PyPI releases, and enterprise integration pressure. It shows how cloud-security tooling moved from SaaS dashboards into developer workstation and CI packages.

Its packaging story also reflects IaC's growth: a single command-line package became a front door for scanning Terraform, Kubernetes, Docker, CI configuration, secrets, and SCA inputs.

时间线

  • 2019: bridgecrewio/checkov repository created and first PyPI release uploaded.
  • 2021: Palo Alto Networks completed its acquisition of Bridgecrew.
  • 2026: Checkov 3.3.x releases published and Docker image updated.

Related projects

  • Prisma Cloud Application Security is the commercial platform integration documented by Checkov.
  • Terraform, OpenTofu, Kubernetes, CloudFormation, Helm, Docker, CycloneDX, and SARIF are major adjacent ecosystems and formats supported by Checkov.

安全态势

风险级别:orange

infrastructure mutation or orchestration signal.

风险分类器

orange 风险 · 中 置信度 · infrastructure

原因

  • infrastructure mutation or orchestration signal

信号

  • text:cloud

安装行为

  • formula 元数据中未记录 Homebrew post-install 钩子。
  • Homebrew bottle 元数据适用于 6 个平台目标。
  • 安装时包含 7 个运行时依赖。
  • 构建元数据列出 3 个构建依赖。

建议审查

在无人值守的代理使用前,请检查该工具是否读取明文凭据、写入远程状态、发布制品或调用插件。

local files

Configuration and credential file locations

These source-backed paths show where this package keeps local settings or durable credentials. Automic Vault can use them as review targets for secret scanning, migration, and command approval.

Credential files

Credential-bearing paths to review before unattended agent runs.

Unix
~/.bridgecrew/credentials

可执行文件

已安装的可执行文件

命令类型暴露范围备注
checkovcli全局可执行文件
checkov.cmdcli全局可执行文件

新鲜度

版本和新鲜度

这些信号区分页生成时间、软件包管理器活动和上游发布比较。只有存在证据 URL 和可比较版本时,才会提示版本落后。

页面生成时间2026-07-10
管理器版本3.3.0
管理器更新时间2026-06-11
本地数据OK
上游not checked
检测到的最新版本未检测到

https://www.checkov.io/

安装元数据

软件包元数据

软件包键brew:checkov
版本3.3.0
软件包管理器Homebrew
软件包管理器页面https://formulae.brew.sh/formula/checkov
主页https://www.checkov.io/
仓库https://github.com/bridgecrewio/checkov
上游文档https://www.checkov.io/
许可证Apache-2.0
源码归档https://files.pythonhosted.org/packages/9c/0a/03002542731935763af6bb5eb7473cc1e99818c818608d5fd54240c590e2/checkov-3.3.0.tar.gz
最后更新2026-06-11T07:52:35Z
Pulseupdated
依赖certifi, cffi, libyaml, numpy, pydantic, python@3.14, rpds-py
构建依赖cmake, maturin, rust
macOS 提供的库libffi
Bottle可用 (于 arm64_linux, arm64_sequoia, arm64_sonoma, arm64_tahoe, sonoma, x86_64_linux)
Homebrew post-install未定义
服务未声明

注册表事实

源数据库详情

Source DatabaseHomebrew formula API
Taphomebrew/core
Full Namecheckov
Version Scheme0
Revision0
Bottle Stable Root URLhttps://ghcr.io/v2/homebrew/core
Deprecatedno
Disabledno
Keg Onlyno
URL Keys
  • stable

源数据库匹配

其他软件包管理器记录

匹配项来自外部软件包管理器索引,并与本地 Automic Vault 软件包链接分开显示。

Nix95%

checkov

nix profile install nixpkgs#checkov
  • normalized package name match
  • 匹配方式:Checkov
nixpkgs package indexes · api.github.com · nixpkgs package indexes: pkgs/by-name/ch/checkov/package.nix from https://api.github.com/repos/NixOS/nixpkgs/git/trees/master?recursive=1

来源线索

由仓库数据生成

此页面由 av-webscripts/generate-pkg-sqlite.py 生成的私有软件包 SQLite 工件提供。

使用的来源

  • Geiger risk classifier
  • Nucleus package database
  • av.db category and tag curation
  • cross-ecosystem install command graph
  • curated agent safety answer
  • curated configuration and credential file locations
  • curated package history
  • external package-manager database matches
  • package relationship graph
  • package version freshness
  • package-page enrichment