# ChatGPT and Checkov: Fix IaC Security Issues Fast

By [Steve Giguere](https://www.paloaltonetworks.com/blog/author/steve-giguere/?ts=markdown "Posts by Steve Giguere"), Jun 27, 2023, 5 minutes. [DevSecOps](https://www.paloaltonetworks.com/blog/cloud-security/category/devsecops/?ts=markdown) [Secure the Cloud](https://www.paloaltonetworks.com/blog/category/secure-the-cloud/?ts=markdown) [AI](https://www.paloaltonetworks.com/blog/tag/ai/?ts=markdown) [Checkov](https://www.paloaltonetworks.com/blog/tag/checkov/?ts=markdown) [IaC security](https://www.paloaltonetworks.com/blog/tag/iac-security/?ts=markdown)

Infrastructure as code (IaC) offers a robust method for managing cloud resources. Developers use IaC to describe their infrastructure in code, which can then be versioned, tested and deployed like any other software.
While IaC provides [significant automation advantages](https://www.paloaltonetworks.com/blog/prisma-cloud/scaling-in-the-cloud/), it's still code. Like any other software, IaC can harbor security vulnerabilities or misconfigurations that lead to downtime or data breaches, which makes an IaC scanner that can identify security issues in that code essential. One such open-source scanner, [Checkov](https://www.checkov.io/), has gained popularity because it scans IaC written in Terraform, Kubernetes, CloudFormation and other popular IaC languages. To take its scanning a step further, Checkov can now call ChatGPT to suggest code fixes for the issues it finds.

## Efficient IaC Security with ChatGPT and Checkov

ChatGPT is a natural language interface to OpenAI's large language models: it takes a prompt and returns a response generated by the model. In the Checkov context, Checkov sends the details of a failed check to ChatGPT, which analyzes the flagged code and returns a suggestion on how to fix it.

For example, if Checkov detects an insecure configuration in your IaC code, such as a security group that allows traffic from any IP address, it can ask ChatGPT for a suggested fix. The suggested fix might be a more restrictive security group rule that limits traffic to a specific IP range.

Developers can save significant time with ChatGPT's suggested fixes, because they reduce the manual effort of researching and resolving each finding. As a bonus, the explanations that accompany the suggestions reinforce good coding practices and help developers avoid similar mistakes in the future. The suggestions are still model output, though: review them and re-run Checkov on the changed code before merging, rather than applying them blind.

## Getting Started with Checkov and ChatGPT

To start, you need an API key from the [OpenAI platform](https://platform.openai.com/). Create an OpenAI account and retrieve your API key from your account settings. Note that only a limited free tier is available for testing this feature.
After you exceed that limit, OpenAI's standard pay-for-what-you-use [pricing model](https://openai.com/pricing) applies, which we found inexpensive at the time of writing. Once you have your API key, [update or install Checkov](https://www.checkov.io/1.Welcome/Quick%20Start.html) and run `checkov -h` to see the new command line option.

![](https://www.paloaltonetworks.com/blog/wp-content/uploads/2023/06/word-image-297216-2.png)

Figure 1: Checkov's new command line option enables you to enter an API key from OpenAI.

To keep costs down, Checkov retrieves AI-generated guidance for at most five findings by default. You can change this by setting the environment variable `CKV_OPENAI_MAX_FINDINGS` to a specific number, or to 0 to request guidance for every finding. Keep in mind that raising the limit extends the run, since each finding takes roughly 5 to 10 seconds to retrieve, and that every additional finding means more of your code is sent to OpenAI.

Now let's look at a few examples to see how suggested code fixes work in practice.

## Using ChatGPT and Checkov for Kubernetes Security

In this example, we check a default Kubernetes deployment manifest that uses NGINX. Start by running the following command in the terminal, with your key exported as `OPENAI_KEY`:

```shell
checkov --openai-api-key $OPENAI_KEY -d . --frameworks kubernetes
```

![](https://www.paloaltonetworks.com/blog/wp-content/uploads/2023/06/word-image-297216-3.png)

Figure 2: After running the command above, the CLI's output reports how many suggested code fixes powered by ChatGPT were requested.

Of the five enhanced findings, one was for CKV_K8S_43:

![](https://www.paloaltonetworks.com/blog/wp-content/uploads/2023/06/word-image-297216-4.png)

Figure 3: Checkov surfaces a potential issue in the manifest.

Here Checkov surfaces the security issue by printing the relevant code block and linking to the [Checkov documentation](https://www.checkov.io/1.Welcome/Quick%20Start.html) to help you remediate it.
With the new connection to ChatGPT, Checkov adds guidance beyond that, as seen in figure 4.

![](https://www.paloaltonetworks.com/blog/wp-content/uploads/2023/06/word-image-297216-5.png)

Figure 4: ChatGPT provides a suggested fix to remediate the security issue identified by Checkov.

The AI-generated output stands out because it explains why referencing images by sha256 digest is more secure than by tag (a tag is mutable and can be repointed, a digest is not), how to determine the digest, and where and how to apply it in the manifest.

## Checking an S3 Bucket Generated by ChatGPT

Instead of only using ChatGPT to review code we had already written, we wanted to test how well ChatGPT writes secure code. In this example, we use Checkov to identify issues in Terraform code that ChatGPT wrote. When we ran this experiment, ChatGPT did a decent job of generating Terraform for the requested "secure S3 bucket." The generated code passed seven checks but still failed five. Let's review one of the failed checks, CKV_AWS_145:

![](https://www.paloaltonetworks.com/blog/wp-content/uploads/2023/06/word-image-297216-6.png)

Figure 5: Checkov fails a check on the S3 bucket.

In addition to Checkov's usual guidance, ChatGPT's suggestions included a code fix for the failed check, as seen in figure 6.

![](https://www.paloaltonetworks.com/blog/wp-content/uploads/2023/06/word-image-297216-7.png)

Figure 6: ChatGPT provides a suggested code fix to remediate a failed check on an S3 bucket.

ChatGPT correctly pointed out that, beyond server-side encryption itself, encrypting with a KMS key adds security features such as key rotation and access control through the key policy. ChatGPT then followed its own advice and produced a version of the code that included the suggested fix.

These examples show that ChatGPT can help produce a more secure version of your code, but remember that the failing code blocks must be sent to OpenAI for ChatGPT to suggest fixes: those snippets leave your environment and are handled under OpenAI's data-usage terms.
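The two practical concerns above, deciding which findings are allowed to leave your environment and not trusting a model-written digest, can both be handled with a small post-processor over Checkov's JSON report (`checkov -o json`). The following is an added example, not Checkov's own code and not part of the original post. The sample report, the `/internal/` path convention and the digest value are constructed; in practice you resolve the digest from the registry yourself (for example with `crane digest nginx:1.25`) and compare the model's suggestion against that, because a language model can produce a plausible-looking sha256 that matches no real image.

```python
"""Post-process a Checkov JSON report before its findings go to an LLM, and
re-verify the LLM's digest-pinning suggestion against a digest you resolved.
Added example: not Checkov's code and not part of the original post."""
import json
import re

# Constructed sample of `checkov -o json` output, trimmed to the fields used
# here (check_id, file_path, code_block as [line_number, text] pairs).
SAMPLE_CHECKOV_JSON = json.dumps({
    "check_type": "kubernetes",
    "results": {
        "failed_checks": [
            {
                "check_id": "CKV_K8S_43",
                "check_name": "Image should use digest",
                "file_path": "/deployment.yaml",
                "resource": "Deployment.default.nginx",
                "code_block": [[19, "        image: nginx:1.25\n"]],
            },
            {
                "check_id": "CKV_K8S_20",
                "check_name": "Containers should not run with allowPrivilegeEscalation",
                "file_path": "/internal/billing/deployment.yaml",
                "resource": "Deployment.billing.api",
                "code_block": [[1, "apiVersion: apps/v1\n"]],
            },
        ]
    },
})

# Digest resolved out of band from the registry (for example with
# `crane digest nginx:1.25`). The value below is a constructed placeholder.
TRUSTED_DIGESTS = {"nginx:1.25": "sha256:" + "ab" * 32}


def select_findings_for_llm(checkov_json, max_findings=5, private_prefixes=()):
    """Pick which failed checks may be sent to an external model.

    max_findings mirrors CKV_OPENAI_MAX_FINDINGS (0 means no cap);
    private_prefixes lists paths whose code must never leave the repo.
    """
    report = json.loads(checkov_json)
    chosen = []
    for finding in report["results"].get("failed_checks", []):
        if any(finding["file_path"].startswith(p) for p in private_prefixes):
            continue  # proprietary code stays local
        chosen.append(finding)
        if max_findings and len(chosen) >= max_findings:
            break
    return chosen


IMAGE_LINE = re.compile(r"^(?P<indent>\s*)image:\s*(?P<ref>\S+)\s*$")
DIGEST_REF = re.compile(r"^[^@\s]+@sha256:[0-9a-f]{64}$")


def image_ref(line):
    """Return the image reference on an `image:` manifest line, else None."""
    m = IMAGE_LINE.match(line)
    return m.group("ref") if m else None


def strip_tag(ref):
    """`registry:5000/team/nginx:1.25` -> `registry:5000/team/nginx`."""
    if "@" in ref:
        return ref.split("@", 1)[0]
    head, _, last = ref.rpartition("/")
    last = last.split(":", 1)[0]
    return f"{head}/{last}" if head else last


def pin_image_line(line, trusted):
    """Build the digest-pinned form of an `image:` line from OUR resolved
    digest, the fix CKV_K8S_43 asks for, without trusting model output."""
    m = IMAGE_LINE.match(line)
    if m is None:
        raise ValueError(f"not an image line: {line!r}")
    ref = m.group("ref")
    if ref not in trusted:
        raise KeyError(f"no resolved digest for {ref}")
    return f"{m.group('indent')}image: {strip_tag(ref)}@{trusted[ref]}"


def verify_suggested_fix(suggested_line, original_line, trusted):
    """Accept an LLM-suggested line only if it is digest-pinned and the digest
    matches the one we resolved; a model can invent a plausible sha256."""
    ref = image_ref(suggested_line)
    if ref is None or not DIGEST_REF.match(ref):
        return False
    return ref == image_ref(pin_image_line(original_line, trusted))


if __name__ == "__main__":
    to_send = select_findings_for_llm(
        SAMPLE_CHECKOV_JSON, max_findings=5, private_prefixes=("/internal/",))
    print("findings eligible for ChatGPT:", [f["check_id"] for f in to_send])
    original = to_send[0]["code_block"][0][1]
    print("pinned locally:", pin_image_line(original, TRUSTED_DIGESTS).strip())
    # A suggestion carrying a digest we did not resolve ourselves is rejected.
    bogus = "        image: nginx@sha256:" + "cd" * 32
    print("bogus digest accepted?", verify_suggested_fix(bogus, original, TRUSTED_DIGESTS))
```

Run this against a real report by replacing `SAMPLE_CHECKOV_JSON` with the file Checkov writes, and feed only the selected findings to whatever LLM integration you use. The verification step is deliberately stricter than the check itself: CKV_K8S_43 is satisfied by any digest reference, whereas here the digest must also equal the one you resolved, which is the part a model cannot do for you.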
To protect your intellectual property, take precautions before using this feature on proprietary code: confirm that sending IaC snippets to a third-party API is acceptable under your organization's data-handling policy, and keep the default findings cap (or lower it) if you only want a sample of findings enriched.

## The Future of ChatGPT and IaC Security

Checkov's integration with ChatGPT is a promising step toward making IaC development more efficient and secure. As [IaC scanning](https://www.paloaltonetworks.com/prisma/cloud/infrastructure-as-code-security) tools begin to incorporate NLP and other AI technologies, we can expect further improvements in the speed and accuracy of identifying and fixing issues in IaC code.

## Level up Your IaC Security

Interested in learning more about efficient, simplified IaC security? Download the [DevSecGuide to IaC Security](https://start.paloaltonetworks.com/devsecguide-to-infrastructure-as-code) and discover how you can shift your cloud security left.