sourcegraph · DaedalusG · Jun 20, 2025 · Jun 20, 2025
diff --git a/.buildkite/ci-checkov.sh b/.buildkite/ci-checkov.sh
@@ -1,7 +1,13 @@
 #!/usr/bin/env bash
-# Set this to fail on the install
+# Set this to fail on the install 
 set -euxo pipefail
 
+# Install and run the plugin for checkov
+# Create virtual environment to avoid externally-managed-environment error
+python3 -m venv checkov-venv
+source checkov-venv/bin/activate
+pip install checkov
+
 # List of checks we do not want to run here
 # This is a living list and will see additions and mostly removals over time.
 SKIP_CHECKS="CKV_GCP_22,CKV_GCP_66,CKV_GCP_13,CKV_GCP_71,CKV_GCP_61,CKV_GCP_21,CKV_GCP_65,CKV_GCP_67,CKV_GCP_20,CKV_GCP_69,CKV_GCP_12,CKV_GCP_24,CKV_GCP_25,CKV_GCP_64,CKV_GCP_68,CKV2_AWS_5,CKV2_GCP_3,CKV2_GCP_5,CKV_AWS_23,CKV_GCP_70,CKV_GCP_62,CKV_GCP_62,CKV_GCP_62,CKV_GCP_62,CKV_GCP_29,CKV_GCP_39"
@@ -15,7 +21,7 @@ echo "==========================================================================
 # Set not to fail on non-zero exit code
 set +e
 # Run checkov
-checkov --skip-check $SKIP_CHECKS --quiet --framework terraform --compact -d .
+python3 -m checkov.main --skip-check $SKIP_CHECKS --quiet --framework terraform --compact -d .
 
 # Options
 # --quiet: Only show failing tests