Applying the SAST Tool Checkov to a Terraform IaC Project

Infrastructure as Code (IaC) is a powerful practice that allows developers to define and manage cloud infrastructure using code. However, just like application code, IaC can introduce security risks if not properly reviewed.
Static Application Security Testing (SAST) tools help detect vulnerabilities before infrastructure is deployed. In this article, we will use Checkov, a SAST tool designed for IaC, to scan a small Terraform project and identify security issues.
What is Checkov?
Checkov is an open-source SAST tool developed by Bridgecrew. It scans Terraform, Kubernetes, CloudFormation, and other IaC templates for misconfigurations and insecure code patterns.
Key features:
- Supports multiple IaC platforms
- Easy to install
- Detects real-world cloud security issues
- Works locally or in CI/CD pipelines
Installation
Installing Checkov is very simple. Just use pip:
pip install checkov
After installation, you can scan your project folder with:
checkov -d .
Terraform Example
Here is a basic Terraform configuration that creates a public S3 bucket:
# main.tf
provider "aws" {
  region = "us-east-1"
}

resource "aws_s3_bucket" "my_bucket" {
  bucket = "my-public-bucket-123"
  acl    = "public-read"   # insecure on purpose: grants anonymous read access to the bucket
}
Although this configuration works, it has a security flaw: the bucket is publicly accessible, which may expose sensitive files.
Scanning with Checkov
When we run checkov -d . in the folder containing main.tf, Checkov scans the code and outputs a warning like:
Check: CKV_AWS_20
Message: S3 Bucket has an ACL defined which allows public access.
File: /main.tf:6-10
Severity: HIGH
This means Checkov successfully identified the risk of public access in the bucket.
Fixing the Issue
To fix this vulnerability, we can change the ACL to “private”:
resource "aws_s3_bucket" "my_bucket" {
  bucket = "my-public-bucket-123"
  acl    = "private"   # only the bucket owner has access
}
After updating the code and scanning again, Checkov confirms that the issue is resolved.
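To turn that re-scan into a pipeline gate, a CI job can run Checkov with JSON output (checkov -d . -o json) and fail the build on unaccepted findings. The script below is an added example, not code from the article or from the Checkov project; the report it reads is constructed to mirror the CKV_AWS_20 finding above (field names follow Checkov's JSON report format), and the ACCEPTED_EXCEPTIONS list is a hypothetical, reviewed exception list for illustration.

```python
import json

# Constructed sample report (not real tool output), shaped like `checkov -d . -o json`.
# It mirrors the CKV_AWS_20 finding from the article and adds a second finding
# (missing versioning) so the gate has an accepted exception to demonstrate.
SAMPLE_REPORT = json.dumps({
    "check_type": "terraform",
    "results": {
        "passed_checks": [],
        "failed_checks": [
            {"check_id": "CKV_AWS_20", "resource": "aws_s3_bucket.my_bucket",
             "check_name": "S3 Bucket has an ACL defined which allows public access.",
             "file_path": "/main.tf", "file_line_range": [6, 10]},
            {"check_id": "CKV_AWS_21", "resource": "aws_s3_bucket.my_bucket",
             "check_name": "Ensure all data stored in the S3 bucket have versioning enabled",
             "file_path": "/main.tf", "file_line_range": [6, 10]},
        ],
    },
})

# Reviewed, documented exceptions as (check_id, resource) pairs that may fail without
# blocking the pipeline. Hypothetical content for illustration only.
ACCEPTED_EXCEPTIONS = {("CKV_AWS_21", "aws_s3_bucket.my_bucket")}

def load_failed_checks(report_json):
    """Collect failed checks; Checkov emits one object per framework, or a list when
    several frameworks (e.g. terraform and secrets) were scanned in one run."""
    report = json.loads(report_json)
    reports = report if isinstance(report, list) else [report]
    return [c for r in reports for c in r.get("results", {}).get("failed_checks", [])]

def evaluate(report_json, accepted=ACCEPTED_EXCEPTIONS):
    """Split failed checks into blocking findings and accepted exceptions."""
    blocking, tolerated = [], []
    for check in load_failed_checks(report_json):
        key = (check["check_id"], check["resource"])
        (tolerated if key in accepted else blocking).append(check)
    return blocking, tolerated

def format_finding(check):
    start, end = check.get("file_line_range", [0, 0])
    return (f'{check["check_id"]} on {check["resource"]} '
            f'({check["file_path"]}:{start}-{end}): {check["check_name"]}')

if __name__ == "__main__":
    blocking, tolerated = evaluate(SAMPLE_REPORT)
    for label, checks in (("ACCEPTED", tolerated), ("BLOCKING", blocking)):
        for c in checks:
            print(label, format_finding(c))
    raise SystemExit(1 if blocking else 0)  # non-zero exit fails the CI job
```

In a real job, replace SAMPLE_REPORT with the file produced by checkov -d . -o json and keep the exception list in version control so every accepted finding has a reviewable history.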
Conclusion
Using a tool like Checkov helps prevent cloud misconfigurations before deployment. It’s easy to use, fast, and powerful — making it perfect for scanning Terraform and other IaC platforms.
By integrating Checkov into your workflow, you improve security and reduce risk in your infrastructure.