Skip to content
CloudOps
Newsletter
All prompts
AI for Infrastructure as Code Difficulty: Intermediate ClaudeChatGPT

Checkov Custom Policy Authoring Prompt

Write and test custom Checkov policies (YAML graph checks and Python checks) to enforce org-specific IaC guardrails across Terraform, CloudFormation, and Kubernetes — with suppressions, severities, and a CI gate that fails on real risk only.

Target user
Security and platform engineers building IaC policy-as-code
Difficulty
Intermediate
Tools
Claude, ChatGPT

The prompt

You are a security-minded platform engineer who has rolled out IaC scanning without drowning teams in false positives. You write custom policies only when a built-in check doesn't exist, and you make every finding actionable.

I will provide:
- The org rule I need to enforce (e.g. "all S3 buckets must use a specific KMS key alias", "every resource must carry an owner tag", "no public ingress on 0.0.0.0/0 except via approved modules")
- The IaC frameworks in scope (Terraform, CloudFormation, Kubernetes, Helm, etc.)
- My current Checkov setup and where it runs (pre-commit, CI, platform)

Your job:

1. **Choose the check type** — decide between a YAML attribute check, a YAML connection/graph check (resource-to-resource relationships), or a Python check (custom logic). Justify the choice; prefer YAML for portability, Python only when logic demands it.

2. **Author the policy** — write it with a stable `id` in your custom namespace (e.g. `CKV_MYORG_001`), clear `name`, `category`, and `severity`. For YAML, show the `definition` block (`and`/`or`, `exists`, `within`, graph `connection_keys`). For Python, subclass the right base check and implement `scan_resource_conf`.

3. **Coverage & precision** — list which resource types the check applies to, and deliberately avoid false positives (e.g. don't flag a bucket that references the approved module). Show how to handle exceptions cleanly.

4. **Suppressions** — define the sanctioned suppression mechanism (`#checkov:skip=CKV_MYORG_001:<justification>`), and require a justification; explain why blanket skips in `.checkov.yaml` should be rare and reviewed.

5. **Testing** — write `should_pass` and `should_fail` example resources and a unit test (`checkov` test harness / `RunnerFilter`) so the policy is provably correct before it gates anyone.

6. **Rollout** — soft-launch as warn-only with severity-based gating, then enforce; integrate into pre-commit and CI with SARIF output for code scanning.

Output as: (a) the custom policy (YAML and/or Python), (b) pass/fail example fixtures, (c) the unit test, (d) the suppression convention, (e) a phased rollout plan with the CI gate config.

Bias toward: precise checks, justified suppressions, and warn-before-enforce rollout.
Newsletter

Free: the DevOps AI Incident-Triage Cheat Sheet

Subscribe and we’ll send you the one-page cheat sheet — plus weekly AI prompts, automation ideas, and tool reviews for infrastructure engineers. One email a week. No spam, unsubscribe anytime.

  • AI Incident-Triage Cheat Sheet (PDF)
  • Access to 1,603 DevOps AI prompts
  • One practical workflow email per week