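# =============================================================================
# Checkov Configuration — IaC Security Scanning
# =============================================================================
# checkov.yml
#
# NOTE(review): Checkov's documented config example spells multi-word keys
# with hyphens (skip-check, soft-fail, repo-id, skip-fixes). Run
# `checkov --show-config` to confirm the underscore spellings used below are
# picked up; if not, those settings may not be applied.
---
branch: main
compact: true

# Directories to scan.
directory:
  - terraform/
  - k8s/
  - docker/

# IaC frameworks whose checks are run.
framework:
  - terraform
  - kubernetes
  - dockerfile
  - arm
  - cloudformation

# Skip checks that have compensating controls.
# Entries here apply to every scanned resource. Where a control covers only
# some resources, an inline suppression with a reason on that resource keeps
# the check active everywhere else.
skip_check:
  # Original rationale: "EKS public endpoint (we use private)".
  # NOTE(review): in Checkov's policy index CKV_AWS_79 is the EC2 check
  # "Instance Metadata Service Version 1 is not enabled", not an EKS endpoint
  # check (those are CKV_AWS_38 / CKV_AWS_39) — verify with `checkov --list`.
  # As written, this entry turns off IMDSv2 enforcement with no compensating
  # control recorded. If the EKS endpoint really is private, the EKS checks
  # pass without a skip. Confirm the intended ID, then fix or drop this entry.
  - CKV_AWS_79
  - CKV_K8S_21  # Default namespace (we enforce via Kyverno)

output: cli
# false keeps findings blocking: a failed check makes the run exit non-zero.
soft_fail: false
quiet: false

# Integration with PR comments
repo_id: devsecops/platform
skip_fixes: false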