You can configure Digger to run Checkov policy-as-code as an additional step:

Using Checkov

Digger

Digger is an open-source CI/CD orchestrator for Terraform

About Digger

How it works

Pricing

Feedback

Github Actions + AWS

Github Actions + GCP

Setting up Digger EE

Drift Detection

RBAC

OPA Policies

Multi Tenant Github Connections

Gitlab Pipelines

Buildkite CI backend

FIPS 140 standard

AI Summaries

Plan preview

CommentOps

Policies (OPA)

Concurrency

PR-level locks

Plan Persistence

Private Runners

Managing state

Specify terraform version

Apply on Merge

Apply Requirements

Auto-merge

Backendless mode

Commenting strategies

Custom commands

Destroy via manual workflow

Draft PRs

By default Digger checks out latest code from the branch prior to every run. So you don't need to configure checkout in your workflow file.

Disable auto-checkout

Disable telemetry

Generate projects

Group plans by source module

Include / exclude patterns

Masking sensitive values

Multiple AWS accounts

Policy overrides

Project Level Roles for AWS

Segregate cloud accounts

Store plans in a Bucket

Trigger workflow directly

Using Infracost

Inline policies (conftest)

Using Terragrunt

For serious usecases always use a pinned version which is of the form @vX.Y.Z since this will download a compiled binary. In addition to being faster to run, it is also more secure than using a commit from a branch

Specifying version

Auth methods

Deploy as docker image

Deploy using docker-compose

Deploy as a binary

Digger Helm Chart

Self Host on Azure

digger.yml

Action inputs

Orchestrator API

handling terraform.lock file

Securing digger

Digger runs without a backend but uses a DynamoDB table to keep track of all the locks that are necessary for locking PR projects. On the first run in your AWS account digger checks for the presence of `DiggerDynamoDBLockTable` and it requires the following policy for the DynamoDB access:

Setting up DynamoDB Access for locks

Setting up separate mgmt account

Authenticating with OIDC on AWS

Setting up GCP + GH Actions

You can configure Digger to use OIDC instead of key-value pairs.

Federated OIDC access

Using GCP bucket for locks

Setting up Azure + GH Actions

Azure devops locking connection methods

Importing existing resources

Action Errors

PR Comment Issues

Slack

Blog

Introduction

Getting Started

Digger Enterprise

Features

How To

Self-host Digger

Reference

AWS-specific

GCP-specific

Azure-specific

Troubleshooting

Using Checkov