# checkov - Doramagic AI Context Pack

> Purpose: pre-work context for the user's host AI. This pack does not prove that the project has been installed, run, or validated.

## Project

- canonical_name: `bridgecrewio/checkov`
- capability: Prevent cloud misconfigurations and find vulnerabilities during build-time in infrastructure as code, container images and open source packages with Checkov by Bridgecrew.
- expected_user_outcome: Prevent cloud misconfigurations and find vulnerabilities during build-time in infrastructure as code, container images and open source packages with Checkov by Bridgecrew.

## Operating Boundaries

- Do not claim that the project has been installed, run, called through an API, or used on local files unless separate evidence proves it.
- Project facts must come from repo evidence, Claim Graph, or explicit source references.
- When a capability is not verified, mark it as unverified instead of completing it as fact.
- publish_status: `publishable`
- blocking_gaps: none

---

## Doramagic Context Augmentation

The following sections strengthen the repository context for a host AI. Human Manual data is a reading route, and pitfall notes become operating constraints.

## Human Manual Outline

Usage rule: this is only a reading route and salience signal, not factual authority. Concrete claims must still return to repo evidence or Claim Graph.

Host AI hard rules:
- Do not treat page titles, section order, summaries, or importance values as factual project evidence.
- When explaining the Human Manual outline, state that it is only a reading route or salience signal.
- Capability, installation, compatibility, runtime state, and risk claims must cite repo evidence, source paths, or Claim Graph.

- **Overview and Core Architecture**: importance `high`
  - source_paths: checkov/main.py
- **Supported IaC, Pipeline, and SCA Frameworks**: importance `high`
  - source_paths: checkov/terraform/runner.py
- **Configuration, Custom Policies, and Output Formats**: importance `high`
  - source_paths: checkov/runner_filter.py
- **Known Issues, False Positives, and Community Workarounds**: importance `high`
  - source_paths: checkov/bicep/parser.py

## Repo Inspection Evidence

- repo_clone_verified: true
- repo_inspection_verified: true
- repo_commit: `efe84c2a9a05c121dd9bb42865865086ea813fa4`
- inspected_files: `Dockerfile`, `README.md`, `pyproject.toml`, `docs/1.Welcome/Feature Descriptions.md`, `docs/1.Welcome/Migration.md`, `docs/1.Welcome/Quick Start.md`, `docs/1.Welcome/Terms and Concepts.md`, `docs/1.Welcome/What is Checkov.md`, `docs/2.Basics/CLI Command Reference.md`, `docs/2.Basics/Handling Variables.md`, `docs/2.Basics/Hard and soft fail.md`, `docs/2.Basics/Installing Checkov.md`, `docs/2.Basics/Reviewing Scan Results.md`, `docs/2.Basics/Scanning Credentials and Secrets.md`, `docs/2.Basics/Suppressing and Skipping Policies.md`, `docs/2.Basics/Visualizing Checkov Output.md`, `docs/3.Custom Policies/Custom Policies Overview.md`, `docs/3.Custom Policies/Examples.md`, `docs/3.Custom Policies/Python Custom Policies.md`, `docs/3.Custom Policies/Sharing Custom Policies.md`

Host AI hard rules:
- Without repo_clone_verified=true, do not claim that the source code has been read.
- Without repo_inspection_verified=true, do not write README, docs, or package-file conclusions as facts.
- Without quick_start_verified=true, do not claim that the Quick Start path has run successfully.

## Doramagic Pitfall Constraints

These rules come from Doramagic discovery, validation, or compilation findings. The host AI must treat them as operating constraints, not background notes.

### Constraint 1: Installation risk requires verification

- Trigger: Project evidence flags a installation risk. Review the linked source before relying on this workflow.
- Host AI rule: Reproduce the official install and quickstart path in an isolated environment.
- Why it matters: May increase setup, validation, or first-run risk for the user.
- Evidence: community_evidence:github | https://github.com/bridgecrewio/checkov/issues/7394
- Hard boundary: Do not present this pitfall as solved, verified, or ignorable unless later evidence explicitly closes it.

### Constraint 2: Installation risk requires verification

- Trigger: Project evidence flags a installation risk. Review the linked source before relying on this workflow.
- Host AI rule: Reproduce the official install and quickstart path in an isolated environment.
- Why it matters: May increase setup, validation, or first-run risk for the user.
- Evidence: community_evidence:github | https://github.com/bridgecrewio/checkov/issues/6645
- Hard boundary: Do not present this pitfall as solved, verified, or ignorable unless later evidence explicitly closes it.

### Constraint 3: Installation risk requires verification

- Trigger: Project evidence flags a installation risk. Review the linked source before relying on this workflow.
- Host AI rule: Reproduce the official install and quickstart path in an isolated environment.
- Why it matters: May increase setup, validation, or first-run risk for the user.
- Evidence: community_evidence:github | https://github.com/bridgecrewio/checkov/issues/6950
- Hard boundary: Do not present this pitfall as solved, verified, or ignorable unless later evidence explicitly closes it.

### Constraint 4: Configuration risk requires verification

- Trigger: Project evidence flags a configuration risk. Review the linked source before relying on this workflow.
- Host AI rule: Reproduce the official install and quickstart path in an isolated environment.
- Why it matters: May increase setup, validation, or first-run risk for the user.
- Evidence: community_evidence:github | https://github.com/bridgecrewio/checkov/issues/7473
- Hard boundary: Do not present this pitfall as solved, verified, or ignorable unless later evidence explicitly closes it.

### Constraint 5: Security or permission risk requires verification

- Trigger: Developers should check this security_permissions risk before relying on the project: Security: Multiple CVEs in Dependencies (urllib3, asteval, ply) - Checkov 3.2.517
- Host AI rule: Before packaging this project, run the relevant install/config/quickstart check for: Security: Multiple CVEs in Dependencies (urllib3, asteval, ply) - Checkov 3.2.517. Context: Observed when using python
- Why it matters: Developers may expose sensitive permissions or credentials: Security: Multiple CVEs in Dependencies (urllib3, asteval, ply) - Checkov 3.2.517
- Evidence: failure_mode_cluster:github_issue | https://github.com/bridgecrewio/checkov/issues/7504
- Hard boundary: Do not present this pitfall as solved, verified, or ignorable unless later evidence explicitly closes it.

### Constraint 6: Security or permission risk requires verification

- Trigger: Project evidence flags a security or permission risk. Review the linked source before relying on this workflow.
- Host AI rule: Reproduce the official install and quickstart path in an isolated environment.
- Why it matters: May increase setup, validation, or first-run risk for the user.
- Evidence: community_evidence:github | https://github.com/bridgecrewio/checkov/issues/7402
- Hard boundary: Do not present this pitfall as solved, verified, or ignorable unless later evidence explicitly closes it.

### Constraint 7: Security or permission risk requires verification

- Trigger: Project evidence flags a security or permission risk. Review the linked source before relying on this workflow.
- Host AI rule: Reproduce the official install and quickstart path in an isolated environment.
- Why it matters: May increase setup, validation, or first-run risk for the user.
- Evidence: community_evidence:github | https://github.com/bridgecrewio/checkov/issues/7396
- Hard boundary: Do not present this pitfall as solved, verified, or ignorable unless later evidence explicitly closes it.

### Constraint 8: Security or permission risk requires verification

- Trigger: Project evidence flags a security or permission risk. Review the linked source before relying on this workflow.
- Host AI rule: Reproduce the official install and quickstart path in an isolated environment.
- Why it matters: May increase setup, validation, or first-run risk for the user.
- Evidence: community_evidence:github | https://github.com/bridgecrewio/checkov/issues/7210
- Hard boundary: Do not present this pitfall as solved, verified, or ignorable unless later evidence explicitly closes it.

### Constraint 9: Security or permission risk requires verification

- Trigger: Project evidence flags a security or permission risk. Review the linked source before relying on this workflow.
- Host AI rule: Reproduce the official install and quickstart path in an isolated environment.
- Why it matters: May increase setup, validation, or first-run risk for the user.
- Evidence: community_evidence:github | https://github.com/bridgecrewio/checkov/issues/7504
- Hard boundary: Do not present this pitfall as solved, verified, or ignorable unless later evidence explicitly closes it.

### Constraint 10: Installation risk requires verification

- Trigger: Developers should check this installation risk before relying on the project: Discrepancy Between Homebrew vs pip Installations: CKV2 Checks Not Running with Homebrew
- Host AI rule: Before packaging this project, run the relevant install/config/quickstart check for: Discrepancy Between Homebrew vs pip Installations: CKV2 Checks Not Running with Homebrew. Context: Observed when using python, docker, macos, linux
- Why it matters: Developers may fail before the first successful local run: Discrepancy Between Homebrew vs pip Installations: CKV2 Checks Not Running with Homebrew
- Evidence: failure_mode_cluster:github_issue | https://github.com/bridgecrewio/checkov/issues/6645
- Hard boundary: Do not present this pitfall as solved, verified, or ignorable unless later evidence explicitly closes it.