
How to Fix Checkov Infrastructure as Code Scan Error

DodaTech Updated 2026-06-24 2 min read

This tutorial explains how to read a failed Checkov Infrastructure as Code scan and fix the violations it reports, with practical examples and the options that control how failures are handled.

A Checkov scan reports a failed check such as Check: CKV_AWS_52: "Ensure S3 bucket has public access block", or a summary such as Passed checks: 80, Failed checks: 5, meaning the infrastructure code violates one or more security best-practice policies.

The Problem

checkov -d .
...
Check: CKV_AWS_52: "Ensure S3 bucket has public access block"
    FAILED for resource: aws_s3_bucket.my_bucket
    File: /main.tf:1-10

Step-by-Step Fix

Step 1: Run Checkov on a specific directory

checkov -d /path/to/terraform

Step 2: Fix common Terraform violations

# Bad: Public S3 bucket
resource "aws_s3_bucket" "my_bucket" {
  bucket = "my-unsecured-bucket"
}

# Good: S3 bucket with public access block
resource "aws_s3_bucket" "my_bucket" {
  bucket = "my-secure-bucket"
}

resource "aws_s3_bucket_public_access_block" "my_bucket" {
  bucket = aws_s3_bucket.my_bucket.id

  block_public_acls       = true
  block_public_policy     = true
  ignore_public_acls      = true
  restrict_public_buckets = true
}

Step 3: Use --soft-fail so failed checks do not block the pipeline

checkov -d . --soft-fail

Step 4: Skip specific checks

checkov -d . --skip-check CKV_AWS_52

Step 5: Output results

checkov -d . --output json | jq '.results.failed_checks[].check_id'
checkov -d . --output junitxml > checkov-results.xml

Step 6: Use config file

# .checkov.yaml
quiet: true
skip-check:
  - CKV_AWS_52
  - CKV_AWS_53
output: cli
soft-fail: false

Prevention Tips

  • Run Checkov in CI/CD as a mandatory check
  • Use --compact for concise output
  • Keep .checkov.yaml in the repository root
  • Generate SARIF output for GitHub code scanning integration


FAQ

What is Checkov and what does it scan?

Checkov is a static analysis tool for Infrastructure as Code. It scans Terraform, CloudFormation, Kubernetes, ARM, Bicep, and Dockerfile templates against hundreds of built-in policies based on CIS benchmarks and best practices.

How do I create custom Checkov policies?

Create custom policies using Python or YAML in the .checkov directory. Python policies use the checkov.common.checks.base_check framework. YAML policies use a simplified format. Store them in the custom_policies directory.

What is the difference between --skip-check and --soft-fail?

--skip-check CKV_AWS_52 completely ignores that check. --soft-fail runs all checks but returns exit code 0 regardless of failures. Use skip for known false positives and soft-fail for non-blocking informational checks.
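As an added example (not part of this tutorial or the Checkov project), a small CI gate in Python that reads the --output json report from Step 5 and applies the distinction just described per check rather than globally: checks listed as informational may fail without blocking, every other failure blocks, and inline suppressions are collected so they can be audited. The report content, and every check ID in it other than CKV_AWS_52, is constructed sample data; the report shape (one object per framework, or a list of them) is what Checkov emits.

```python
import json

# Constructed sample of `checkov -d . --output json` output for this tutorial's
# bucket (not real scan output). Checkov emits one report object per framework,
# or a list of them when several frameworks are scanned; load_reports handles both.
SAMPLE_REPORT = json.dumps({
    "check_type": "terraform",
    "results": {
        "passed_checks": [{"check_id": "CKV_AWS_18", "resource": "aws_s3_bucket.my_bucket"}],
        "failed_checks": [
            {"check_id": "CKV_AWS_52", "resource": "aws_s3_bucket.my_bucket",
             "file_path": "/main.tf", "file_line_range": [1, 10]},
            {"check_id": "CKV_AWS_145", "resource": "aws_s3_bucket.my_bucket",
             "file_path": "/main.tf", "file_line_range": [1, 10]},
        ],
        "skipped_checks": [{"check_id": "CKV_AWS_21", "resource": "aws_s3_bucket.my_bucket",
                            "suppress_comment": "versioning handled by lifecycle policy"}],
        "parsing_errors": [],
    },
})

# Checks allowed to fail without blocking the pipeline: the scoped alternative to
# a global --soft-fail, which would also mask new, unrelated failures.
INFORMATIONAL = {"CKV_AWS_145"}


def load_reports(text):
    """Normalise Checkov JSON output to a list of per-framework report objects."""
    data = json.loads(text)
    return data if isinstance(data, list) else [data]


def evaluate(text, informational=INFORMATIONAL):
    """Split failed checks into blocking and informational, collect inline
    suppressions for audit, and return exit_code 1 if anything blocks."""
    blocking, info, suppressed, parse_errors = [], [], [], []
    for report in load_reports(text):
        results = report.get("results", {})
        for check in results.get("failed_checks", []):
            lines = "-".join(str(n) for n in check.get("file_line_range", []))
            entry = (check["check_id"], check.get("resource"), f'{check.get("file_path")}:{lines}')
            (info if check["check_id"] in informational else blocking).append(entry)
        for check in results.get("skipped_checks", []):
            suppressed.append((check["check_id"], check.get("resource"), check.get("suppress_comment", "")))
        parse_errors.extend(results.get("parsing_errors", []))
    # A file Checkov could not parse was never scanned, so it must block as well.
    return {"exit_code": 1 if blocking or parse_errors else 0, "blocking": blocking,
            "informational": info, "suppressed": suppressed, "parsing_errors": parse_errors}
```

In a pipeline, pipe the real scan into it (checkov -d . --output json | python gate.py with a few lines of stdin handling) and use the returned exit_code as the job status; the suppressed list is what to review when checking that every inline skip still carries a justification.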
