Policy as Code: Blocking Non-Compliant Terraform PRs at the CI/CD Pipeline Gate
How embedding Checkov static security analysis in GitHub Actions PR pipelines prevented non-compliant cloud infrastructure from reaching production.
βDiscovering an unencrypted S3 bucket or open RDP port in production costs $50,000 in incident response. Catching it in a GitHub Actions Pull Request costs $0.β
While building the Azure Landing Zone DevSecOps Factory at Kyndryl, developers frequently submitted Terraform PRs containing public storage accounts or missing customer-managed encryption keys.
Architecture: Shift-Left Security with Checkov Policy as Code
We integrated Checkov static policy analysis directly into our GitHub Actions CI/CD pipeline as a mandatory status check.
- Static IaC Scanning: Every
git pushor Pull Request automatically runs Checkov against the proposed.tfplan files. - Hard Automated Blocks: If Checkov detects critical violations (e.g.
CKV_AZURE_3- Storage Account public access enabled), the PR build fails automatically and comments the exact line number on the GitHub PR.
[!NOTE] Define custom Checkov policies in YAML to enforce enterprise-specific naming conventions and mandatory tag requirements (
Environment,CostCenter,Owner).
# # GitHub Actions Workflow Task: Checkov Static IaC Security Scan
- name: Run Checkov Static Security Scan
uses: bridgecrewio/checkov-action@master
with:
framework: terraform
output_format: cli
soft_fail: false # Hard fail PR on critical security violations
The Verdict
Key Takeaway
Embed Checkov Static Security Scanning as a Mandatory CI/CD Pipeline Gate.
Shifting security left with Checkov Policy as Code blocks 100% of non-compliant Terraform configurations before cloud resources are ever provisioned.
Sachin Kumar Sharma
Associate Director (Infrastructure & Cloud Architecture Strategy) | 20+ Yrs Exp
Architecting resilient multi-cloud enterprise landing zones, SDN overlay fabrics, DevSecFinOps automation pipelines, and autonomous Agentic AI platforms.