Checkov Collector - Lunar Collector

Checkov Collector

Tags: Collector, Beta, Security

Auto-runs Checkov on infrastructure code (Terraform, CloudFormation, Kubernetes, Dockerfiles) and detects Checkov CI executions. Results are normalized into .iac_scan for the iac-scan policy.

Add checkov to your lunar-config.yml:
uses: github://earthly/lunar-lib/collectors/checkov@v1.0.5

What This Integration Collects

This integration includes 2 collectors that gather metadata from your systems.

Collector: scan (hook: code)

Auto-runs Checkov against infrastructure code in the repository. Detects IaC files (Terraform, CloudFormation, Kubernetes, Dockerfiles, ARM, etc.), runs Checkov with JSON output, and normalizes findings by severity into .iac_scan. Also writes .iac.files to signal IaC presence for policy skip logic. Skips gracefully if no IaC files are detected.

Tags: checkov, iac, terraform, cloudformation, kubernetes, dockerfile, security scanning, auto-run
Collector: cicd (hook: ci-after-command)

Detects Checkov execution in CI pipelines. Records command metadata to .iac_scan.native.checkov.cicd.cmds and attempts to collect the JSON report file if --output-file-path can be parsed from the command.

Tags: checkov, ci, ci detection, iac scanning
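As an added illustration of the cicd collector's detection step (example code, not the collector's own), the following Python inspects a CI command line for a Checkov invocation and parses --output-file-path and the requested output formats. The report file name results_json.json is an assumption about where Checkov writes its JSON report inside that directory.

```python
import os
import shlex

REPORT_NAME = "results_json.json"  # assumption: Checkov's JSON report file name inside --output-file-path


def parse_checkov_command(cmd):
    """Inspect a CI command line; return None if it does not run Checkov, otherwise a dict
    with the parsed --output-file-path, whether JSON output was requested, and the
    report path to collect (None when it cannot be determined)."""
    try:
        argv = shlex.split(cmd)
    except ValueError:  # unbalanced quotes: do not guess
        return None
    if not any(tok == "checkov" or tok.endswith("/checkov") for tok in argv):
        return None
    out_dir, formats, i = None, [], 0
    while i < len(argv):
        tok = argv[i]
        if tok.startswith("--output-file-path="):
            out_dir = tok.split("=", 1)[1]
        elif tok == "--output-file-path" and i + 1 < len(argv):
            out_dir, i = argv[i + 1], i + 1
        elif tok.startswith("--output="):
            formats.append(tok.split("=", 1)[1])
        elif tok in ("-o", "--output") and i + 1 < len(argv):
            formats.append(argv[i + 1])  # -o may repeat, e.g. "-o cli -o json"
            i += 1
        i += 1
    # Without an explicit "-o json" Checkov prints its CLI report, so there is no JSON file to collect
    wants_json = "json" in formats
    report = os.path.join(out_dir, REPORT_NAME) if (out_dir and wants_json) else None
    return {"output_dir": out_dir, "json": wants_json, "report": report}


# Constructed CI command lines for illustration
SAMPLE_COMMANDS = [
    "checkov -d . -o cli -o json --output-file-path reports/",
    "docker run --rm -v $PWD:/tf bridgecrew/checkov -d /tf --output=json --output-file-path=/tf/out",
    "checkov -d infra -o json",
    "npm test",
]
```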

How Collectors Fit into Lunar

Lunar watches your code and CI/CD systems to collect SDLC data from config files, test results, IaC, deployment configurations, security scans, and more.

Collectors are the automatic data-gathering layer. They extract structured metadata from your repositories and pipelines, feeding it into Lunar's centralized database where guardrails evaluate it to enforce your engineering standards.

How Lunar Works

1. Collectors Gather Data (this integration): Triggered by code changes or CI pipelines, collectors extract metadata from config files, tool outputs, test results, and scans.
2. Centralized as JSON: All data is merged into each component's unified metadata document.
3. Guardrails Enforce Standards: Real-time feedback in PRs and AI workflows.

Example Collected Data

This collector writes structured metadata to the Component JSON. Here's an example of the data it produces:

Example component.json (Component JSON):
{
  "iac": {
    "files": [
      {"path": "infra/main.tf"},
      {"path": "Dockerfile"},
      {"path": "k8s/deployment.yaml"}
    ]
  },
  "iac_scan": {
    "source": {
      "tool": "checkov",
      "version": "3.2.1",
      "integration": "code"
    },
    "findings": {
      "critical": 0,
      "high": 2,
      "medium": 5,
      "low": 8,
      "total": 15
    },
    "summary": {
      "has_critical": false,
      "has_high": true,
      "has_medium": true,
      "has_low": true
    },
    "native": {
      "checkov": {
        "auto": {
          "passed": 42,
          "failed": 15,
          "skipped": 3,
          "findings": [
            {
              "check_id": "CKV_AWS_18",
              "check_name": "Ensure the S3 bucket has access logging enabled",
              "severity": "high",
              "resource": "aws_s3_bucket.data",
              "file": "infra/main.tf",
              "file_line_range": [10, 15]
            }
          ]
        }
      }
    }
  }
}

Documentation


Checkov Collector

Auto-runs Checkov IaC security scanning on infrastructure code and detects existing Checkov CI executions.

Overview

This collector runs Checkov against infrastructure code (Terraform, CloudFormation, Kubernetes manifests, Dockerfiles, ARM templates, etc.) and detects existing Checkov executions in CI pipelines. Scan results are normalized into the .iac_scan Component JSON category, feeding the iac-scan policy for IaC security enforcement. No configuration or secrets required.

Collected Data

This collector writes to the following Component JSON paths:

| Path | Type | Description |
| --- | --- | --- |
| .iac.files[] | array | IaC files detected in the repository (signals IaC presence) |
| .iac_scan.source | object | Source metadata (tool, version, integration) |
| .iac_scan.findings | object | Finding counts by severity (critical, high, medium, low, total) |
| .iac_scan.summary | object | Summary booleans (has_critical, has_high, has_medium, has_low) |
| .iac_scan.native.checkov.auto | object | Raw Checkov scan results (auto-run) |
| .iac_scan.native.checkov.cicd.cmds | array | CI command metadata |

Collectors

This plugin provides the following collectors (use include to select a subset):

| Collector | Hook Type | Description |
| --- | --- | --- |
| scan | code | Auto-runs Checkov against repository infrastructure code |
| cicd | ci-after-command | Detects Checkov CLI executions in CI and collects report files |

Installation

Add to your lunar-config.yml:

collectors:
  - uses: github://earthly/lunar-lib/collectors/checkov@main
    on: ["domain:your-domain"]  # Or use tags

No configuration or secrets required. The scan sub-collector auto-runs Checkov using the checkov-main container image. The cicd sub-collector detects existing Checkov invocations in CI pipelines.

The scan collector detects IaC files before running Checkov and skips gracefully if none are found. Findings are capped at 100 per scan to avoid oversized Component JSON payloads.
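To make the normalization step concrete, here is an added Python example (not the collector's own code) that turns a Checkov JSON report into the .iac_scan shape shown in the Example Collected Data section, applying the 100-finding cap to the detailed list while keeping the severity counts exact. The Checkov report key names, the constructed sample report, and the choice to count severity-less checks as low are assumptions.

```python
from collections import Counter

SEVERITIES = ("critical", "high", "medium", "low")
MAX_FINDINGS = 100  # per-scan cap stated in the collector docs

# Constructed sample shaped like Checkov's JSON report (key names assumed from Checkov's output)
SAMPLE_REPORT = {
    "results": {
        "passed_checks": [{"check_id": "CKV_AWS_20"}, {"check_id": "CKV_AWS_21"}],
        "failed_checks": [
            {"check_id": "CKV_AWS_18", "check_name": "Ensure the S3 bucket has access logging enabled",
             "severity": "HIGH", "resource": "aws_s3_bucket.data",
             "file_path": "/infra/main.tf", "file_line_range": [10, 15]},
            {"check_id": "CKV_AWS_19", "check_name": "Ensure S3 bucket has server-side encryption",
             "severity": None, "resource": "aws_s3_bucket.data",
             "file_path": "/infra/main.tf", "file_line_range": [10, 15]},
        ],
        "skipped_checks": [{"check_id": "CKV_AWS_144"}],
    },
    "summary": {"passed": 2, "failed": 2, "skipped": 1, "checkov_version": "3.2.1"},
}


def normalize(report, max_findings=MAX_FINDINGS):
    # Checkov emits a list of reports for multi-framework runs and a single dict otherwise
    reports = report if isinstance(report, list) else [report]
    counts, findings, version = Counter(), [], None
    passed = failed = skipped = 0
    for r in reports:
        res = r.get("results", {})
        version = version or r.get("summary", {}).get("checkov_version")
        passed += len(res.get("passed_checks", []))
        skipped += len(res.get("skipped_checks", []))
        for c in res.get("failed_checks", []):
            failed += 1
            # Assumption: checks without a severity (common outside the Prisma platform) count as low
            sev = (c.get("severity") or "low").lower()
            sev = sev if sev in SEVERITIES else "low"
            counts[sev] += 1
            if len(findings) < max_findings:  # cap the detailed list; the counts stay exact
                findings.append({
                    "check_id": c.get("check_id"), "check_name": c.get("check_name"),
                    "severity": sev, "resource": c.get("resource"),
                    "file": (c.get("file_path") or "").lstrip("/"),
                    "file_line_range": c.get("file_line_range")})
    return {"iac_scan": {
        "source": {"tool": "checkov", "version": version, "integration": "code"},
        "findings": {**{s: counts[s] for s in SEVERITIES}, "total": failed},
        "summary": {f"has_{s}": counts[s] > 0 for s in SEVERITIES},
        "native": {"checkov": {"auto": {"passed": passed, "failed": failed,
                                        "skipped": skipped, "findings": findings}}}}}
```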

Open Source

This collector is open source and available on GitHub. Contribute improvements, report issues, or fork it for your own use.
