Jetbrains

Checkov Plugin for Jetbrains IDEA

The Checkov Plugin for Intellij enables developers to get real-time scan results, as well as inline fix suggestions as they develop cloud infrastructure.

The plugin is currently available for download directly from the IntelliJ Plugin Marketplace and its source code is available in an Apache 2.0 licensed repository.

Activating the plugin requires a one-time submission of a Bridgecrew API token, which can be obtained by creating a Bridgecrew platform account. The plugin uses the open Bridgecrew Developer APIs to evaluate code and offer automated inline fixes. For details on the data shared with Bridgecrew, see the Disclaimer section below.

Plugin features include:

  • 1000+ built-in policies covering security and compliance best practices for AWS, Azure and Google Cloud.
  • Terraform, Terraform Plan, CloudFormation, Kubernetes, Helm, Serverless and ARM template scanning.
  • Detects AWS credentials in EC2 Userdata, Lambda environment variables and Terraform providers.
  • For Terraform and CloudFormation, checks resolve arguments expressed as variables or defined in remote modules to their actual values before evaluation.
  • Supports inline suppression via comments.
  • Links to policy descriptions, rationales as well as step by step instructions for fixing known misconfigurations.
  • Fix suggestions for commonly misconfigured Terraform and CloudFormation attributes.

Getting started

Install

  • Using IDE built-in plugin system:

    Settings/Preferences > Plugins > Marketplace > Search for "checkov" >
    Install Plugin

  • Manually:

    Download the latest release and install it manually using
    Settings/Preferences > Plugins > ⚙️ > Install plugin from disk...

Dependencies

The Checkov plugin will invoke the latest version of Checkov.

Configuration

  • Sign up to a Bridgecrew Community account here. If you already have an account, sign in and go to the next step.

  • From Integrations, select API Token and copy the API key.

  • In the JetBrains IDE, enter your API token on the Checkov plugin settings page under Tools.

  • Using a custom CA certificate is possible. If needed, set the path to the certificate file in the Checkov plugin settings page.

Usage

  • Open a file you wish to scan with Checkov in IntelliJ.
  • Checkov runs automatically every time an IaC file is opened or saved.
  • Scan results appear in the Checkov tool window at the bottom of the IDE.
  • On the left, results are shown as a tree of File Names -> Resources -> Violated checks.
  • Click a check to see its details, including the violated policy and a link to step-by-step fix guidelines.
  • In most cases, the details include a Fix option. Based on the Checkov fix dictionaries, it adds, removes or replaces the unwanted configuration.
  • You can skip checks by adding an inline skip annotation of the form checkov:skip=<check_id>:<suppression_comment>. For more details see the docs.
  • To get Checkov results updated as you code, configure the IDE to autosave modified files at regular intervals.
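The following Terraform snippet is an added illustration (not code from the plugin, the Checkov project, or this page) of what the plugin flags and how an inline skip annotation is written. It assumes two well-known Checkov check IDs, CKV_AWS_20 (public READ ACL on an S3 bucket) and CKV_AWS_41 (hard-coded access key and secret key in the AWS provider); the bucket names and credential strings are made-up placeholders.

```hcl
# Added example; not part of the plugin or Checkov sources.
# Check IDs below are assumed well-known Checkov policy IDs, used for
# illustration only. Bucket names and key values are placeholders.

# 1. Hard-coded provider credentials: the plugin reports these as
#    detected AWS credentials in a Terraform provider.
provider "aws" {
  region     = "us-east-1"
  access_key = "AKIAEXAMPLEPLACEHOLDER"   # placeholder, never commit real keys
  secret_key = "EXAMPLEPLACEHOLDERSECRETKEYDONOTUSE"
}

# 1a. Corrected form: no keys in code. Credentials come from the
#     environment, a shared profile or an assumed role instead.
provider "aws" {
  alias   = "clean"
  region  = "us-east-1"
  profile = "ci-readonly"   # assumed profile name
}

# 2. A misconfigured resource that triggers a check on open/save.
resource "aws_s3_bucket" "public_assets" {
  bucket = "example-public-assets"
  acl    = "public-read"
}

# 3. The same misconfiguration with an inline suppression. The comment sits
#    inside the resource block; the text after the second colon is the
#    justification that will appear in the scan results.
resource "aws_s3_bucket" "public_website" {
  # checkov:skip=CKV_AWS_20: Static website bucket, public READ is intentional
  bucket = "example-public-website"
  acl    = "public-read"
}

# 4. The fixed form the plugin's Fix option would produce for (2):
#    the unwanted attribute value is replaced rather than suppressed.
resource "aws_s3_bucket" "private_assets" {
  bucket = "example-private-assets"
  acl    = "private"
}
```

Prefer the fix over the suppression wherever the finding is real; reserve checkov:skip for cases like the static-website bucket where the flagged setting is deliberate, and always record the reason so reviewers can audit it later.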

Troubleshooting logs

To access checkov-intellij logs directory, go to Help and select Show Log in Finder (for macOS) or Show Log in Explorer (for Windows).

Contributing

Contribution is welcomed!

Start by reviewing the contribution guidelines. After that, take a look at a good first issue.

Looking to contribute new checks? Learn how to write a new check (AKA policy) here.

Disclaimer

To use this checkov-jetbrains plugin, you will need to create a free account at bridgecrew.cloud using your e-mail. The plugin uses Bridgecrew.cloud's fixes API to analyse and produce code fixes and to enrich the results shown in the JetBrains IDE. Please see the Bridgecrew privacy policy for details on the data collected when using the Bridgecrew application.
To generate fixes, files found to have triggered Checkov violations are made available to the fixes API for the sole purpose of generating inline fix code recommendations.


The plugin is based on the Jetbrains Platform Plugin Template.