DEV Community

Raghvendra Pandey

Posted on • Originally published at infrasketch.cloud

Visualize Checkov Results on Your Architecture Diagram

Checkov finds hundreds of misconfigurations in your Terraform, Kubernetes, and CloudFormation code — but its output is a wall of terminal text. Resource names like aws_s3_bucket.data_lake and check IDs like CKV_AWS_18 don't tell you much when you're looking at 60 resources across 12 files.

InfraSketch's security overlay fixes this. Run checkov -o json, paste the output, and every failing resource gets a red border directly on your architecture diagram. Hover for the failing check IDs. See at a glance which part of your infrastructure is the riskiest.

TL;DR: Generate your diagram in InfraSketch → click 🛡 Security → paste checkov -d . -o json output → failing resources highlighted instantly. Free, no login, nothing leaves your browser.

Why "checkov diagram" matters

When Checkov reports that CKV_AWS_18 failed on aws_s3_bucket.access_logs, your next question is always: "Where does this bucket sit in my architecture? What connects to it? Is it public-facing or internal?" The terminal output can't answer that. You have to mentally map resource names to your architecture.

A visual overlay eliminates this mental overhead. You see the bucket in context — inside its VPC, connected to the CloudFront distribution, adjacent to the Lambda that writes to it. The security failure becomes spatially meaningful, not just a name on a list.

This matters even more when you're reviewing someone else's infrastructure. You can hand a reviewer a diagram link with security failures already highlighted, and they immediately understand scope without reading any code.

Step-by-step: generate and overlay

  1. Run Checkov and save JSON output
     checkov -d . -o json > checkov-results.json
     If you're scanning a specific file:
     checkov -f main.tf -o json > checkov-results.json
     For Kubernetes manifests:
     checkov -d ./k8s -o json > checkov-results.json
  2. Generate your architecture diagram Open infrasketch.cloud, paste your Terraform (or Kubernetes YAML, CloudFormation, etc.), and click Generate Diagram. Your resources appear as nodes with official cloud icons.
  3. Open the Security overlay In the export bar at the bottom, click the 🛡 Security button. A modal opens with a textarea.
  4. Paste the Checkov JSON output Open checkov-results.json, copy its contents, paste into the textarea, and click Apply.
  5. Review the highlighted diagram Resources with failing checks get a red border ring and a red badge in the top-right corner showing the number of failing checks. Hover over any red badge to see the specific check IDs in a tooltip (e.g., CKV_AWS_18, CKV_AWS_19, CKV_AWS_21).

The overlay is non-destructive — click Clear in the modal to remove all highlighting without regenerating the diagram. You can also close and re-apply with different Checkov output (e.g., after a targeted scan).

What Checkov checks does InfraSketch cover?

InfraSketch maps Checkov's resource IDs (e.g., aws_s3_bucket.my_bucket) to diagram nodes using the resource field from each failed check in the JSON output. Any check that Checkov reports a failure on will be highlighted — there's no fixed list on InfraSketch's side.

That said, here are the most common AWS checks you'll see highlighted:

| Check ID    | Resource Type   | Description                        |
|-------------|-----------------|------------------------------------|
| CKV_AWS_18  | S3 Bucket       | Access logging enabled             |
| CKV_AWS_19  | S3 Bucket       | Server-side encryption enabled     |
| CKV_AWS_20  | S3 Bucket       | Bucket not publicly accessible     |
| CKV_AWS_21  | S3 Bucket       | Versioning enabled                 |
| CKV_AWS_23  | CloudFront      | Minimum TLS 1.2 enforced           |
| CKV_AWS_57  | S3 Bucket       | Block public ACLs                  |
| CKV_AWS_91  | ALB             | Access logging enabled             |
| CKV_AWS_116 | Lambda          | Dead letter queue configured       |
| CKV_AWS_149 | Secrets Manager | KMS CMK used for encryption        |
| CKV_K8S_14  | Pod             | Container does not run as root     |

The same principle applies for Azure and GCP checks — as long as the resource name in the Checkov JSON matches the resource name in your IaC code, the overlay works.

Understanding the overlay: what the red badges mean

Each highlighted node shows a number badge in the top-right corner. That number is the count of failing checks for that specific resource. A badge showing 5 means Checkov found five distinct misconfigurations on that resource.

Hover over the badge to see a tooltip listing the check IDs. For example:

aws_s3_bucket.raw_data
CKV_AWS_18: Access logging not enabled
CKV_AWS_19: Server-side encryption not configured
CKV_AWS_20: Bucket is publicly readable
CKV_AWS_21: Versioning not enabled
CKV_AWS_57: Public ACLs not blocked

This tells you the full picture without leaving the diagram. A resource with a badge of 5 on a public-facing S3 bucket is an obvious priority. A badge of 1 on an internal Lambda with a missing dead-letter queue is much lower risk.

High-risk pattern to watch for: Any storage resource (S3, RDS, DynamoDB) with red borders that sits outside a VPC boundary in the diagram is likely exposed. Prioritize these above all else.

Combining security and cost overlays

InfraSketch supports two overlays simultaneously: Checkov security (🛡) and Infracost cost (💰). You can apply both at once — security badges appear top-right, cost pills appear bottom-centre, so they don't overlap.

This combination is especially useful for prioritization. A resource that's both expensive and misconfigured (red border + amber/red cost badge) is a double priority: it's costing you money and creating risk. A cheap misconfigured resource can be triaged differently.

To use both overlays:

  1. Generate the diagram
  2. Apply Checkov overlay via 🛡 Security
  3. Apply Infracost overlay via 💰 Cost (see the Infracost guide)
  4. Both overlays remain active — export as PNG or SVG to share

Using the overlay in pull request reviews

The most powerful workflow is combining the Checkov overlay with the InfraSketch GitHub Action. The action auto-posts diagram links on every IaC PR. Reviewers can then manually apply the Checkov overlay on their local scan, or you can run Checkov in CI and include results in the PR comment.

Here's a CI workflow that posts both the diagram link and the Checkov scan summary:

# .github/workflows/infrasketch-security.yml
name: IaC Diagram + Security Scan
on:
  pull_request:
    paths: ['**/*.tf', '**/*.yaml']

jobs:
  diagram:
    runs-on: ubuntu-latest
    permissions:
      pull-requests: write
    steps:
      - uses: actions/checkout@v4
      - uses: pandey-raghvendra/infrasketch@v4
        with:
          github-token: ${{ secrets.GITHUB_TOKEN }}

  checkov:
    runs-on: ubuntu-latest
    permissions:
      pull-requests: write
    steps:
      - uses: actions/checkout@v4
      - uses: bridgecrewio/checkov-action@master
        with:
          directory: .
          framework: terraform
          output_format: github_failed_only

The diagram job posts a table with diagram links. The Checkov job posts inline PR annotations on the failing lines. Together, reviewers get both spatial context (which resources, where in the architecture) and precise line-level failures.

Supported IaC formats for the security overlay

The security overlay works with any diagram InfraSketch can generate. Checkov supports the same formats — so you can overlay results from any Checkov-compatible scan:

  • Terraform HCL: checkov -d . --framework terraform -o json
  • Terraform plan JSON: checkov -f tfplan.json --framework terraform_plan -o json
  • CloudFormation: checkov -d . --framework cloudformation -o json
  • Kubernetes YAML: checkov -d ./k8s --framework kubernetes -o json
  • Docker Compose: checkov -f docker-compose.yml --framework dockerfile -o json
  • Bicep / ARM: checkov -f template.bicep --framework bicep -o json

Paste the resulting JSON into InfraSketch's Security overlay after generating the diagram for that format.

Exporting diagrams with security overlays

Once you've applied the Checkov overlay, you can export the diagram with the security highlighting preserved:

  • PNG (2× retina) — best for Confluence pages, Notion, Slack, or Jira tickets. Red borders and badges export cleanly.
  • SVG — scalable, icons inlined. Good for design tools or documentation systems that support SVG.
  • Share link — copies a URL that encodes your diagram state. The security overlay state is not included in the share link (the receiver needs to apply it themselves), but the diagram structure is preserved.

For PNG export: click Export PNG in the export bar. The overlay renders at full resolution. For documentation-heavy teams, this is the fastest way to attach a security-annotated architecture snapshot to a ticket or post-mortem.

Troubleshooting common issues

No resources highlighted after pasting Checkov output

The overlay matches on the resource name exactly as it appears in your IaC code (e.g., aws_s3_bucket.my_bucket). If your diagram was generated from a Terraform plan JSON, resource names include a module path prefix (module.storage.aws_s3_bucket.my_bucket). InfraSketch strips common module prefixes during matching, but if resources still don't match, try:

  • Regenerate the diagram from the same HCL files that Checkov scanned (not plan JSON)
  • Check the Checkov JSON for the exact resource field value and compare to node IDs in the diagram
  • Ensure you're pasting the full JSON (not just the summary section)

Checkov output is an array, not a single object

When scanning multiple frameworks together, Checkov sometimes wraps results in a JSON array ([{...}, {...}]). InfraSketch handles both formats — array-wrapped and single-object — automatically.
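To make the matching described above concrete, here is a small Python script (added here; it is not InfraSketch's code) that does what the overlay needs: it accepts a Checkov report as either a single object or an array, strips module path prefixes from the resource field, and counts distinct failing checks per resource, which is the number the red badge shows. The sample report is constructed, and the prefix-stripping rule is an assumed approach, since InfraSketch's exact matching rules are not published in this post.

```python
import json
import re
from collections import defaultdict

# Constructed sample (not real scan output): a terraform report and a kubernetes
# report, array-wrapped as Checkov emits when several frameworks are scanned together.
SAMPLE_CHECKOV_JSON = json.dumps([
    {"check_type": "terraform", "results": {"passed_checks": [], "failed_checks": [
        {"check_id": "CKV_AWS_18", "resource": "aws_s3_bucket.raw_data"},
        {"check_id": "CKV_AWS_20", "resource": "aws_s3_bucket.raw_data"},
        {"check_id": "CKV_AWS_116", "resource": "module.ingest.aws_lambda_function.writer"},
    ]}},
    {"check_type": "kubernetes", "results": {"passed_checks": [], "failed_checks": [
        {"check_id": "CKV_K8S_14", "resource": "Pod.default.api"},
    ]}},
])
# The same terraform report as a single object, which is what a one-framework scan emits.
SINGLE_REPORT_JSON = json.dumps(json.loads(SAMPLE_CHECKOV_JSON)[0])

# Assumed approach: drop leading "module.<name>." segments so plan-JSON resource
# addresses line up with the plain HCL names a diagram node carries.
MODULE_PREFIX = re.compile(r"^(module\.[^.]+\.)+")


def normalize_resource(resource: str) -> str:
    """Return the resource address without any module path prefix."""
    return MODULE_PREFIX.sub("", resource)


def failures_by_resource(raw_json: str) -> dict:
    """Map each resource to the sorted, de-duplicated list of failing check IDs.

    Accepts either a single Checkov report object or an array of reports.
    """
    data = json.loads(raw_json)
    reports = data if isinstance(data, list) else [data]
    failures = defaultdict(set)
    for report in reports:
        for check in report.get("results", {}).get("failed_checks", []):
            failures[normalize_resource(check["resource"])].add(check["check_id"])
    return {resource: sorted(ids) for resource, ids in failures.items()}


def badge_counts(raw_json: str) -> dict:
    """Number for each red badge: distinct failing checks on that resource."""
    return {resource: len(ids) for resource, ids in failures_by_resource(raw_json).items()}


if __name__ == "__main__":
    for resource, ids in failures_by_resource(SAMPLE_CHECKOV_JSON).items():
        print(f"{resource}: {len(ids)} failing -> {', '.join(ids)}")
```

Running the script against a real checkov-results.json and comparing the printed resource names with your diagram's node IDs is a quick way to find the mismatches the troubleshooting steps above refer to.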

Only some resources are highlighted, not all failing ones

This usually means some resources in the Checkov scan correspond to files that weren't included in the diagram. For example, if your diagram shows only the networking layer but Checkov scanned the whole codebase, compute-layer failures won't have matching nodes to highlight. Generate a diagram from the same scope as the Checkov scan.

Frequently asked questions

Does InfraSketch send my Checkov output to any server?

No. Everything runs in your browser. The Checkov JSON is parsed in JavaScript on your machine. Nothing is transmitted — no analytics, no logging, no server-side processing. Your security findings stay private.

Can I overlay Checkov results from a CI/CD pipeline?

Yes. Run checkov -d . -o json > checkov.json as a CI step, download the artifact, and paste it into the InfraSketch security overlay. The process is identical whether you ran Checkov locally or in GitHub Actions, GitLab CI, or Jenkins.

Does the overlay work with Checkov's SARIF output?

Not currently. InfraSketch parses Checkov's -o json format, which includes the results.failed_checks array with resource fields. SARIF is a different schema. Use -o json (not -o sarif) when generating output for InfraSketch.

Can I pass Checkov results while skipping certain checks?

Yes — filter before scanning. Use checkov --skip-check CKV_AWS_18,CKV_AWS_21 -d . -o json to exclude checks you've accepted as known risks. Only the remaining failures appear in the JSON, so only those get highlighted.

Does the overlay work with custom Checkov policies?

Yes. Custom policies that output the standard Checkov JSON format (with results.failed_checks[].resource) work identically to built-in checks. InfraSketch doesn't validate check IDs — it just reads the resource names and highlights them.

Can I use this with Bridgecrew / Prisma Cloud results?

Bridgecrew and Prisma Cloud use Checkov under the hood and can export in the same JSON format. As long as the output includes a results.failed_checks array with resource fields, InfraSketch can parse it.

Try the security overlay now

Generate your architecture diagram and overlay Checkov results — free, no login, nothing leaves your browser.
