TrademarkTrademark
Features
Documentation

Bridgecrew Terraform: Pricing, Use Cases, Best Practices & Alternatives

Bridgecrew scans Terraform code for security issues before deployment. Free tier includes 50 resources, paid plans start at $99/mo with Checkov.
Sebastian StadilMarch 4, 2026Updated March 31, 2026
Bridgecrew Terraform: Pricing, Use Cases, Best Practices & Alternatives
Key takeaways
  • Bridgecrew provides static analysis for Terraform, scanning for security vulnerabilities, compliance violations, and misconfigurations before deployment via the open-source Checkov scanner and a SaaS platform.
  • Bridgecrew pricing runs from a free Community tier (50 resources) to Standard at $99/month (150 resources) and Premium at $999+, while the Checkov CLI tool stays completely free.
  • Palo Alto Networks acquired Bridgecrew in 2021 and folded it into Prisma Cloud.
  • Best practice is to roll Checkov out gradually with soft-fail mode, then enforce by severity, using pre-commit hooks and CI/CD integration to catch issues early.
  • Alternatives include Terrascan, Snyk IaC, Sentinel, and Prisma Cloud; tfsec is deprecated in favor of Trivy.

Bridgecrew helps teams catch infrastructure misconfigurations early, before they ship. Palo Alto Networks bought it in 2021 and made it part of Prisma Cloud, but it kept its developer-friendly side through the open-source Checkov scanner.

What Bridgecrew Does for Terraform

Bridgecrew runs static analysis on your Terraform configurations, scanning for security vulnerabilities, compliance violations, and best practice deviations. It has two main parts:

  1. Checkov - The open-source CLI scanner that runs locally or in CI/CD pipelines
  2. Bridgecrew Platform - The SaaS dashboard for policy management, reporting, and team collaboration

Here's what it catches:

  • Publicly exposed resources (S3 buckets, databases)
  • Missing encryption configurations
  • Overly permissive IAM policies
  • Non-compliant resource configurations (CIS, NIST, HIPAA, PCI)
  • Network security group misconfigurations

Current Pricing Structure

Plan Monthly Cost Resources Key Features
Community Free 50 - All IaC frameworks
- CI/CD integrations
- Unlimited users
- Basic policies
Standard $99 150 - Custom policies
- Compliance reports
- Enhanced dashboards
- Direct support
Premium $999+ Custom - Roles & teams
- Priority support
- Private hosting
- Volume discounts

Additional resources on Standard plan cost $49/month per 10-resource block. The open-source Checkov tool remains completely free without limitations.

Installation and Basic Usage

Installing Checkov

# Install via pip
pip install checkov
 
# Or using Homebrew on macOS
brew install checkov
 
# Or run with Docker
docker run --rm -v $(pwd):/tf bridgecrew/checkov -d /tf

Basic Terraform Scan

# Scan current directory
checkov -d .
 
# Scan specific file
checkov -f main.tf
 
# Output results as JSON
checkov -d . -o json
 
# Run specific check
checkov -d . --check CKV_AWS_20

Example Vulnerable Terraform Code

# This S3 bucket has multiple security issues
resource "aws_s3_bucket" "vulnerable" {
  bucket = "my-public-bucket"
  acl    = "public-read"  # Issue: Public access
  
  # Issue: No encryption
  # Issue: No versioning
  # Issue: No logging
}
 
resource "aws_security_group" "wide_open" {
  name = "allow_all"
  
  ingress {
    from_port   = 0
    to_port     = 0
    protocol    = "-1"
    cidr_blocks = ["0.0.0.0/0"]  # Issue: Open to world
  }
}

Fixed Version with Checkov Suppressions

resource "aws_s3_bucket" "secure" {
  bucket = "my-private-bucket"
}
 
resource "aws_s3_bucket_acl" "secure" {
  bucket = aws_s3_bucket.secure.id
  acl    = "private"
}
 
resource "aws_s3_bucket_server_side_encryption_configuration" "secure" {
  bucket = aws_s3_bucket.secure.id
  
  rule {
    apply_server_side_encryption_by_default {
      sse_algorithm = "AES256"
    }
  }
}
 
# Suppression example when public access is intended
resource "aws_s3_bucket" "static_website" {
  #checkov:skip=CKV_AWS_20:Public website bucket
  bucket = "my-website-files"
  acl    = "public-read"
}

CI/CD Integration Best Practices

GitHub Actions Example

name: Terraform Security Scan
 
on: [pull_request]
 
jobs:
  checkov:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v3
      
      - name: Run Checkov
        id: checkov
        uses: bridgecrewio/checkov-action@master
        with:
          directory: .
          framework: terraform
          output_format: sarif
          output_file_path: results.sarif
          
      - name: Upload SARIF results
        if: always()
        uses: github/codeql-action/upload-sarif@v2
        with:
          sarif_file: results.sarif

GitLab CI Example

checkov:
  stage: test
  image:
    name: bridgecrew/checkov:latest
    entrypoint: [""]
  script:
    - checkov -d . -o junitxml --output-file-path checkov.test.xml
  artifacts:
    reports:
      junit: checkov.test.xml
    paths:
      - checkov.test.xml

Pre-commit Hook Configuration

# .pre-commit-config.yaml
repos:
  - repo: https://github.com/bridgecrewio/checkov.git
    rev: 2.5.0
    hooks:
      - id: checkov
        args: ['--framework', 'terraform', '--compact']

Implementation Best Practices

1. Phased Rollout

Start with soft-fail mode to establish baseline:

# Don't fail builds initially
checkov -d . --soft-fail

Then gradually enforce by severity:

# Fail only on critical issues
checkov -d . --check CKV_AWS_20,CKV_AWS_21 --hard-fail-on HIGH

2. Custom Policies

Create organization-specific policies in Python:

# my_custom_check.py
from checkov.terraform.checks.resource.base_resource_check import BaseResourceCheck
from checkov.common.models.enums import CheckResult, CheckCategories
 
class S3BucketNaming(BaseResourceCheck):
    def __init__(self):
        name = "Ensure S3 buckets follow naming convention"
        id = "CKV_CUSTOM_1"
        supported_resources = ['aws_s3_bucket']
        categories = [CheckCategories.CONVENTION]
        super().__init__(name=name, id=id, categories=categories, 
                        supported_resources=supported_resources)
 
    def scan_resource_conf(self, conf, entity_type):
        bucket_name = conf.get("bucket", [""])[0]
        if bucket_name.startswith("company-"):
            return CheckResult.PASSED
        return CheckResult.FAILED
 
check = S3BucketNaming()

3. Handle False Positives

Use inline suppressions with justification:

resource "aws_db_instance" "main" {
  #checkov:skip=CKV_AWS_17:Dev environment doesn't need encryption
  #checkov:skip=CKV_AWS_16:Using default master username is acceptable
  
  identifier     = "dev-database"
  engine         = "postgres"
  instance_class = "db.t3.micro"
}

Alternative Tools Comparison

Tool Type Pricing Strengths Limitations
Checkov Open Source Free - 1000+ policies
- Multi-framework
- Graph analysis
- No central dashboard
- Limited reporting
Terrascan Open Source Free - 500+ policies
- API server mode
- Drift detection
- Complex Rego language
- Less coverage
tfsec Deprecated N/A - Was fastest
- Simple setup
- No longer maintained
- Migrate to Trivy
Sentinel Commercial Enterprise - Native HCP integration
- External data access
- HashiCorp only
- Proprietary language
Snyk IaC Commercial $25/dev/mo - Unified platform
- Developer friendly
- Limited reporting
- UI constraints
Prisma Cloud Commercial Custom - Full CNAPP
- 3000+ policies
- Complex for small

How to Adopt Checkov and Bridgecrew

Start with Checkov, since it's free and covers most use cases. Roll it out gradually: run it in soft-fail mode at first so it doesn't block builds. Put it in pre-commit hooks, which catch issues fastest, and run it early and often. Write custom policies when you need to enforce your organization's internal standards. Move to a paid Bridgecrew tier once you need centralized reporting and team management.

If you're just getting started, Checkov on its own does most of the job. The Bridgecrew platform earns its cost later, once you have enough people and audits that centralized reporting and team management start to matter.

For more reading, a comprehensive guide can be found here: IaC Security: Securing Your Terraform and OpenTofu Infrastructure.

Key Sources Used

About the author
Sebastian StadilCEO at Scalr
Sebastian Stadil is the CEO of Scalr with 15+ years of DevOps experience. He started with AWS in 2004 and advised early Microsoft Azure and Google Cloud.