Tool integration

Checkov Integration Guide

Policy-as-code IaC scanner for Terraform, CloudFormation, Kubernetes

Get a Free API Key

Integrate Checkov with Vulnetix. Scan IaC for security misconfigurations with SARIF, CycloneDX, and SPDX output.

CLI toolSARIFCycloneDXSPDX

Install & scan

$ uv run --with checkov checkov --version
$ uv run --with checkov checkov -d . -o sarif --output-file-path .

Run Checkov in CI

Scan on every push and upload the results to Vulnetix:

- name: Run Checkov
  run: |
    pip install checkov
    checkov -d . -o sarif --output-file-path .
- name: Upload to Vulnetix
  run: vulnetix upload --file results_sarif.sarif

How Vulnetix compares — better together

Vulnetix does not replace Checkov. Keep running it. Vulnetix sits on top of Checkov — and every other scanner you already own — turning disconnected tool outputs into one prioritised, fixable queue.

Checkov is strongest at its core category and also carries features in Container & Image Scanning, Secret Scanning, SCA, SBOM Generation, License Compliance — just like Vulnetix spans categories.

CapabilityVulnetixCheckov
Security coverage
SAST (static code analysis)Built-in rules + Semgrep augmentation
SCA / dependencies40+ ecosystems, transitive graph~ SCA of open-source packages and images for CVEs (checkov.io/7.Scan Examples/Sca)
DAST (dynamic testing)~ Ingests DAST results; no native dynamic engine
Container & imageImage CVEs, base image, Dockerfile~ Dockerfile misconfig checks plus SCA image scanning for CVEs
IaC / misconfigurationTerraform, k8s, CloudFormationCore: 750+ graph-based policies across Terraform, CFN, K8s, Helm, ARM, Bicep (checkov.io)
Secret scanning1,000+ rules, source + binary + git history~ Regex/keyword/entropy secrets detection with optional live API-key verification
Cloud / CSPMCloud-posture findings, compliance tab
Mobile (MAST)~ Ingests mobile scanner output; no native mobile engine
License complianceSPDX, copyleft/AGPL/SSPL policy~ Package license data surfaced via SCA scanning
SBOM generationCycloneDX 1.7 + SPDX 2.3, cosign-signable~ CycloneDX BOM output for scanned resources/packages (checkov.io/8.Outputs)
Malware / supply-chainDe-duplicated corpus + install-time firewall (25+ registries)
Network / infra vuln~ Ingests network scanner output; no native network scanner
FuzzingIngests fuzzing crashes; no native fuzzer
Pentest / bug bountyIngests pentest/bug-bounty findings; not a testing service
The Vulnetix orchestration layer
Cross-scanner dedup & one queue (ASPM)Correlates every scanner into one prioritised queue with ownership routing
Exploit-intel prioritisationEPSS, CISA KEV, Coalition ESS, CWSS, Vulnetix LEV
Reachability analysisTree-sitter + CVEAffected; direct/transitive/semantic
Versioned VEX + audit trailImmutable OpenVEX/CycloneDX, cosign-signable
Safe Harbour autofixResolves + applies the nearest safe version
End-of-life policyFlags/blocks past-EOL runtimes & packages
SSVC / risk-based policySSVC v2 + CISA/FedRAMP/Essential-8 presets

✓ full · ~ partial · ✗ not covered

What Checkov does well

Where Vulnetix adds to it: Checkov is the strongest multi-domain scanner of the four, so Vulnetix leans on it: it ingests Checkov IaC/SCA/secrets findings and deduplicates them with its own scanners into one prioritised queue. Vulnetix then adds what Checkov lacks — EPSS/KEV/LEV exploit-intel prioritisation, reachability for its SCA findings, immutable versioned VEX, EOL and SSVC policy, and Safe Harbour fix PRs. Better together, not a replacement.

No migration, no rip-and-replace. Checkov keeps doing what it does best; Vulnetix adds the orchestration, exploit-intelligence prioritisation and remediation layer built for the way AppSec works today.

Centralise Checkov results in Vulnetix

Upload Checkov SARIF, CycloneDX, SPDX output to the Vulnetix platform to deduplicate findings, prioritise them with EPSS, CISA KEV and Coalition ESS exploit intelligence, and track remediation across every scanner in a single queue.

Checkov documentation ↗  ·  Source repository ↗

Wire Checkov into your CI/CD pipeline →