Install Checkov with `pip install checkov` or use the Docker image `bridgecrew/checkov`; verify version with `checkov --version`.
Run `checkov -d . --output sarif --output-file-path results.sarif` to scan the current directory recursively for Terraform, Kubernetes, Dockerfile, and other IaC files.
In a GitHub Actions workflow, add an upload step using `github/codeql-action/upload-sarif` with `sarif_file: results.sarif` to populate the GitHub Security tab; `actions/upload-artifact` only retains the report as a downloadable workflow artifact and does not create code-scanning alerts.
Use `--check CKV_AWS_*` or `--skip-check CKV_AWS_123` flags to scope the scan to relevant check IDs; in CLI output, `--quiet` shows only failed checks and `--compact` omits the offending code blocks.
For Prisma Cloud integration, set `BC_API_KEY` to your Prisma Cloud API key (in the `<access-key>::<secret-key>` form) and add `--bc-api-key $BC_API_KEY --repo-id <owner>/<repo> --prisma-api-url <your Prisma Cloud API URL>` to the Checkov command to ship findings centrally; `--repo-id` is required whenever an API key is supplied.
Add a `.checkov.yaml` file at the repo root to store default flags (skip-check, check, compact, output) so CLI invocations stay concise.
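A `.checkov.yaml` that stores the defaults listed above, as an added example rather than a file from the original notes. Keys mirror the long CLI flags; the skipped check ID is the placeholder from the notes and the framework list is an assumption about the repository's contents.

```yaml
# Added example: .checkov.yaml at the repo root (not from the original notes).
# Each key is the long-form CLI flag without the leading dashes.
directory:
  - .
framework:            # assumed: only these IaC types live in this repo
  - terraform
  - kubernetes
  - dockerfile
output:
  - cli
  - sarif
output-file-path: console,results.sarif   # CLI to stdout, SARIF to results.sarif
quiet: true           # CLI output shows only failed checks
compact: true         # CLI output omits the offending code blocks
skip-check:
  - CKV_AWS_123       # placeholder ID from the notes; document why each skip is accepted
soft-fail: false      # failed checks return a non-zero exit code so CI can gate on them
```

With this file in place, `checkov` with no arguments scans the repo with these defaults; CLI flags still override individual keys when needed.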
Known gotchas
tfsec is deprecated; Aqua Security migrated all tfsec checks into Trivy — do not add new tfsec rules and migrate existing pipelines to Trivy or Checkov.
Checkov's graph-based cross-resource checks (e.g., security group to EC2 relationships) require scanning an entire module directory with `-d`, not individual files with `-f`, because the graph is built from all resources in the directory.
SARIF upload to GitHub requires the workflow to have `security-events: write` permission; missing this permission causes a silent upload failure.
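A complete GitHub Actions workflow that ties the scan step, the SARIF upload step and the `security-events: write` permission gotcha together, as an added example rather than a workflow from the original notes. The branch name, job name and Python version are assumptions.

```yaml
# Added example workflow (not from the original notes): Checkov scan + SARIF upload.
name: checkov-iac-scan

on:
  push:
    branches: [main]        # assumed default branch
  pull_request:

permissions:
  contents: read
  security-events: write    # required for upload-sarif; without it the upload is rejected

jobs:
  checkov:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4

      - uses: actions/setup-python@v5
        with:
          python-version: "3.12"   # assumed; any version Checkov supports works

      - name: Install Checkov
        run: pip install checkov

      # Scan the whole directory so graph-based cross-resource checks can resolve
      # relationships; a non-zero exit here still fails the job and gates the merge.
      - name: Scan IaC
        run: checkov -d . --output sarif --output-file-path results.sarif

      # if: always() publishes findings even when the scan step exits non-zero.
      # sarif_file accepts either a .sarif file or a directory containing .sarif files.
      - name: Upload SARIF to GitHub code scanning
        uses: github/codeql-action/upload-sarif@v3
        if: always()
        with:
          sarif_file: results.sarif
```

Keep the `permissions` block at workflow or job level; repositories whose default token permissions are read-only will otherwise hit the upload failure described above.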