Integrate Checkov with Vulnetix. Scan IaC for security misconfigurations with SARIF, CycloneDX, and SPDX output.
Install & scan
$ uv run --with checkov checkov --version $ uv run --with checkov checkov -d . -o sarif --output-file-path .
Run Checkov in CI
Scan on every push and upload the results to Vulnetix:
- name: Run Checkov
run: |
pip install checkov
checkov -d . -o sarif --output-file-path .
- name: Upload to Vulnetix
run: vulnetix upload --file results_sarif.sarif
How Vulnetix compares — better together
Vulnetix does not replace Checkov. Keep running it. Vulnetix sits on top of Checkov — and every other scanner you already own — turning disconnected tool outputs into one prioritised, fixable queue.
Checkov is strongest at its core category and also carries features in Container & Image Scanning, Secret Scanning, SCA, SBOM Generation, License Compliance — just like Vulnetix spans categories.
| Capability | Vulnetix | Checkov |
|---|---|---|
| Security coverage | ||
| SAST (static code analysis) | ✓ Built-in rules + Semgrep augmentation | ✗ |
| SCA / dependencies | ✓ 40+ ecosystems, transitive graph | ~ SCA of open-source packages and images for CVEs (checkov.io/7.Scan Examples/Sca) |
| DAST (dynamic testing) | ~ Ingests DAST results; no native dynamic engine | ✗ |
| Container & image | ✓ Image CVEs, base image, Dockerfile | ~ Dockerfile misconfig checks plus SCA image scanning for CVEs |
| IaC / misconfiguration | ✓ Terraform, k8s, CloudFormation | ✓ Core: 750+ graph-based policies across Terraform, CFN, K8s, Helm, ARM, Bicep (checkov.io) |
| Secret scanning | ✓ 1,000+ rules, source + binary + git history | ~ Regex/keyword/entropy secrets detection with optional live API-key verification |
| Cloud / CSPM | ✓ Cloud-posture findings, compliance tab | ✗ |
| Mobile (MAST) | ~ Ingests mobile scanner output; no native mobile engine | ✗ |
| License compliance | ✓ SPDX, copyleft/AGPL/SSPL policy | ~ Package license data surfaced via SCA scanning |
| SBOM generation | ✓ CycloneDX 1.7 + SPDX 2.3, cosign-signable | ~ CycloneDX BOM output for scanned resources/packages (checkov.io/8.Outputs) |
| Malware / supply-chain | ✓ De-duplicated corpus + install-time firewall (25+ registries) | ✗ |
| Network / infra vuln | ~ Ingests network scanner output; no native network scanner | ✗ |
| Fuzzing | ✗ Ingests fuzzing crashes; no native fuzzer | ✗ |
| Pentest / bug bounty | ✗ Ingests pentest/bug-bounty findings; not a testing service | ✗ |
| The Vulnetix orchestration layer | ||
| Cross-scanner dedup & one queue (ASPM) | ✓ Correlates every scanner into one prioritised queue with ownership routing | ✗ |
| Exploit-intel prioritisation | ✓ EPSS, CISA KEV, Coalition ESS, CWSS, Vulnetix LEV | ✗ |
| Reachability analysis | ✓ Tree-sitter + CVEAffected; direct/transitive/semantic | ✗ |
| Versioned VEX + audit trail | ✓ Immutable OpenVEX/CycloneDX, cosign-signable | ✗ |
| Safe Harbour autofix | ✓ Resolves + applies the nearest safe version | ✗ |
| End-of-life policy | ✓ Flags/blocks past-EOL runtimes & packages | ✗ |
| SSVC / risk-based policy | ✓ SSVC v2 + CISA/FedRAMP/Essential-8 presets | ✗ |
✓ full · ~ partial · ✗ not covered
What Checkov does well
- Graph-based scanning builds a resource connection graph so policies can reason across related IaC resources (e.g. a security group referenced by an instance), catching misconfigs single-file scanners miss
- Broad framework support (Terraform/plan, CloudFormation, SAM, Kubernetes, Helm, Kustomize, ARM, Bicep, Serverless, OpenTofu, Dockerfile) with 750+ built-in policies
- Genuinely multi-domain for an OSS tool: adds SCA for open-source packages and images, plus entropy-based secrets detection with optional live key verification
- Deep Prisma Cloud/Palo Alto integration and custom policies in Python or YAML, with SARIF and CycloneDX outputs
Where Vulnetix adds to it: Checkov is the strongest multi-domain scanner of the four, so Vulnetix leans on it: it ingests Checkov IaC/SCA/secrets findings and deduplicates them with its own scanners into one prioritised queue. Vulnetix then adds what Checkov lacks — EPSS/KEV/LEV exploit-intel prioritisation, reachability for its SCA findings, immutable versioned VEX, EOL and SSVC policy, and Safe Harbour fix PRs. Better together, not a replacement.
No migration, no rip-and-replace. Checkov keeps doing what it does best; Vulnetix adds the orchestration, exploit-intelligence prioritisation and remediation layer built for the way AppSec works today.
Centralise Checkov results in Vulnetix
Upload Checkov SARIF, CycloneDX, SPDX output to the Vulnetix platform to deduplicate findings, prioritise them with EPSS, CISA KEV and Coalition ESS exploit intelligence, and track remediation across every scanner in a single queue.