Connect to Bridgecrew CLI


In addition to the automatic scans run periodically by Bridgecrew, you can run scans from a command line. This allows you to:

  • Skip particular checks on Terraform Definition Blocks you choose
  • Skip particular checks on all resources
  • Run only specific checks


## Standard installation
pip install bridgecrew

## Installation on Linux / Mac distros where `python` references python2
## (this is usually the case - run `python --version` to verify)
pip3 install bridgecrew

## Installation on Alpine
pip3 install --upgrade pip && pip3 install --upgrade setuptools
pip3 install bridgecrew

## Installation using homebrew (MacOS only)
brew tap bridgecrewio/bridgecrew
brew update
brew install bridgecrew

## Installation on Windows (ensure you add the cmd file to your path)
pip install bridgecrew
echo %PATH%
cd C:\Users\<my_username>\AppData\Local\Microsoft\WindowsApps
curl -o bridgecrew.cmd

Running Scans by CLI

After you get a Bridgecrew API Token, run Bridgecrew as follows:

bridgecrew -d <directory> --bc-api-key <key> --repo-id <repo_id> --branch <branch>

Or by using the -f file flag:

bridgecrew -f <file_1> <file_2> ... <file_n> --bc-api-key <key> --repo-id <repo_id> --branch <branch>


  • <key> - Bridgecrew issued API key (for more details, see Get API Token)
  • <repo_id> - Identifying string of the scanned repository, following the standard Git repository naming scheme: <owner>/<name>
  • <branch> - Branch name to be persisted on platform, defaults to the master branch.



The scanned directory (supplied with -d flag) must be checked-out from the given branch name.
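The following is an added example, not code from the Bridgecrew project, of how a CI job can assemble the scan command shown above from a Git checkout. It uses only the flags this page documents (-d, --bc-api-key, --repo-id, --branch). Assumptions: the API key is exported by the CI system in an environment variable (BRIDGECREW_API_KEY here, a hypothetical name), and <repo_id> is derived from the `origin` remote URL in the <owner>/<name> form the page requires. Before running, it verifies that the working tree is actually on the branch passed to --branch.

```python
"""Build a Bridgecrew CLI invocation from a Git checkout.

Added example, not code from the Bridgecrew project. Only the flags shown on
this page are used (-d, --bc-api-key, --repo-id, --branch). Assumptions: the
API key arrives in the environment variable BRIDGECREW_API_KEY (hypothetical
name), and the repository identifier is derived from the 'origin' remote URL.
"""
from __future__ import annotations

import os
import re
import subprocess

# Matches the trailing <owner>/<name> of common remote URL forms:
#   git@github.com:owner/name.git   https://github.com/owner/name.git
#   ssh://git@github.com/owner/name
_REMOTE_RE = re.compile(r"[:/](?P<owner>[^/:]+)/(?P<name>[^/]+?)(?:\.git)?/?$")


def repo_id_from_remote(url: str) -> str:
    """Return '<owner>/<name>', the naming scheme --repo-id expects."""
    m = _REMOTE_RE.search(url.strip())
    if not m:
        raise ValueError(f"cannot derive <owner>/<name> from remote URL: {url!r}")
    return f'{m["owner"]}/{m["name"]}'


def build_scan_command(directory: str, api_key: str, repo_id: str, branch: str) -> list[str]:
    """Assemble argv for a directory scan. Returned as a list so it can be
    handed to subprocess without any shell quoting of the key or paths."""
    if not api_key:
        raise ValueError("API key is empty; refusing to start an unauthenticated scan")
    return ["bridgecrew", "-d", directory, "--bc-api-key", api_key,
            "--repo-id", repo_id, "--branch", branch]


def git(directory: str, *args: str) -> str:
    """Run a git command inside the checkout and return its trimmed stdout."""
    return subprocess.check_output(["git", "-C", directory, *args], text=True).strip()


def scan_checkout(directory: str, branch: str | None = None) -> list[str]:
    """Derive --repo-id and --branch from the checkout, confirm the working
    tree is on that branch (the page requires this), then run the scan."""
    current = git(directory, "rev-parse", "--abbrev-ref", "HEAD")
    branch = branch or current
    if current != branch:
        raise RuntimeError(f"checkout is on {current!r}, but --branch would be {branch!r}")
    repo_id = repo_id_from_remote(git(directory, "remote", "get-url", "origin"))
    cmd = build_scan_command(directory, os.environ.get("BRIDGECREW_API_KEY", ""), repo_id, branch)
    subprocess.run(cmd, check=True)
    return cmd


if __name__ == "__main__":
    import sys
    scan_checkout(sys.argv[1] if len(sys.argv) > 1 else ".")
```

Because the key is passed as a command-line argument, it is visible to anyone who can list processes on the runner and will appear in any shell history or verbose CI log that records the command; keep such logs off and the key out of interactive shells.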

Skip Check per Terraform Definition Block

To skip a check on a given Terraform definition block, add a comment of the following form inside that block:

#bridgecrew:skip=<check_id>:<suppression_comment>

  • <check_id> is one of the available check scanners (see AWS Policy Index).
  • <suppression_comment> is an optional suppression reason to be included in the output.


The comment in the example below will cause the scan to skip the check CKV_AWS_20 on foo-bucket only; the same check still runs on every other resource.

resource "aws_s3_bucket" "foo-bucket" {
  region        = var.region
  #bridgecrew:skip=CKV_AWS_20:The bucket is a public static content host
  bucket        = local.bucket_name
  force_destroy = true
  acl           = "public-read"
}

Advanced parameters

Type                Description
Secret parameter    Environment variable name of the Bridgecrew API key from the Bridgecrew app
Input parameter     IaC root directory to scan
Input parameter     Runs checks without failing the build
Input parameter     Filter the scan to run only on specific check identifiers; separate multiple checks with commas
Input parameter     Filter the scan to run all checks except specific check identifiers (blacklist); separate multiple checks with commas
Input parameter     Display only failed checks

Skip Check Globally

To globally skip a certain check or checks during a scan, pass the --skip-check flag on the command line. Use a comma delimiter to list multiple checks.

--skip-check SKIP_CHECK

Run Only Specific Checks

If you do not want to run the full set of Bridgecrew checks, you can indicate specific checks to run in the command line. Use a comma delimiter to list multiple checks.

-c CHECK, --check CHECK



For a list of all check IDs, run:
bridgecrew --list
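The skip comment, --skip-check and --check all decide which findings a scan will never show, so they deserve the same review as the findings themselves. The following is an added example, not code from the Bridgecrew project, serving both the per-block skip section and the global skip / run-only sections above. It lists every `#bridgecrew:skip=<check_id>:<suppression_comment>` comment in a Terraform file, attributes each to the resource block that contains it, flags the ones with no justification, and models --check as a whitelist and --skip-check as a blacklist. The attribution by brace depth and the filter model are this script's own approximations of the documented behaviour, not the scanner's parser; the Terraform text is constructed for the example.

```python
"""Audit inline bridgecrew:skip suppressions and model the check filters.

Added example, not code from the Bridgecrew project. It reads the comment
pattern documented on this page, #bridgecrew:skip=<check_id>:<suppression_comment>,
and attributes each comment to the enclosing resource block by tracking brace
depth; that attribution is this script's own approximation, not how the
scanner parses HCL. effective_checks() models --check and --skip-check as a
whitelist and a blacklist. SAMPLE_TF is constructed for the example.
"""
from __future__ import annotations

import re
from dataclasses import dataclass

SKIP_RE = re.compile(r"bridgecrew:skip=(?P<check>[A-Z0-9_]+)(?::(?P<reason>.*))?\s*$")
BLOCK_RE = re.compile(r'^\s*resource\s+"(?P<type>[^"]+)"\s+"(?P<name>[^"]+)"\s*\{')


@dataclass
class Suppression:
    check_id: str
    reason: str      # empty when no justification was given
    resource: str    # "<type>.<name>" of the enclosing block
    line: int


def find_suppressions(hcl: str) -> list[Suppression]:
    """Return every skip comment in the text, attributed to its enclosing resource.
    Limitation: a '#' inside a quoted string is treated as a comment start."""
    found: list[Suppression] = []
    current = "<no enclosing resource>"
    depth = 0
    for lineno, raw in enumerate(hcl.splitlines(), start=1):
        code, _, comment = raw.partition("#")
        block = BLOCK_RE.match(code)
        if depth == 0 and block:
            current = f'{block["type"]}.{block["name"]}'
        m = SKIP_RE.match(comment.strip())
        if m:
            found.append(Suppression(m["check"], (m["reason"] or "").strip(), current, lineno))
        depth += code.count("{") - code.count("}")
        if depth == 0:
            current = "<no enclosing resource>"
    return found


def unjustified(suppressions: list[Suppression]) -> list[Suppression]:
    """Suppressions with no reason: a bare skip silences a finding without
    recording why, so these are the ones a reviewer should question first."""
    return [s for s in suppressions if not s.reason]


def effective_checks(all_checks, only=None, skip=None) -> list[str]:
    """Model of --check (run only these) and --skip-check (run all but these).
    Assumption: a check runs when it is in the --check list, if one was given,
    and is not in the --skip-check list."""
    only_set, skip_set = set(only or []), set(skip or [])
    return [c for c in all_checks if (not only_set or c in only_set) and c not in skip_set]


SAMPLE_TF = """\
# constructed sample for the example, not a real repository
#bridgecrew:skip=CKV_AWS_18
resource "aws_s3_bucket" "foo-bucket" {
  region        = var.region
  #bridgecrew:skip=CKV_AWS_20:The bucket is a public static content host
  bucket        = local.bucket_name
  force_destroy = true
  acl           = "public-read"
}

resource "aws_s3_bucket" "logs" {
  bucket = "logs" # bridgecrew:skip=CKV_AWS_52
  versioning {
    enabled = false #bridgecrew:skip=CKV_AWS_21:versioning not needed for logs
  }
}
"""

if __name__ == "__main__":
    for s in find_suppressions(SAMPLE_TF):
        flag = "" if s.reason else "  <-- no justification"
        print(f"line {s.line:>3}  {s.resource:<28} {s.check_id:<12} {s.reason}{flag}")
```

Run it against real files by reading them into `find_suppressions`; comments that sit outside any resource block are reported with no resource so a reviewer can decide whether they belong there. In a pipeline, failing the job when `unjustified()` is non-empty is a cheap way to make sure every suppression carries a reason that ends up in the scan output.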

