
How Our Self-Service AI Layer for Checkov Automates Infrastructure Security

As environments scale, keeping security policies consistent and manageable can be a real challenge.
One of our clients was using Checkov, an open-source policy-as-code tool, to scan their infrastructure code and enforce security policies. But as their environment grew, they needed a simpler way to create and manage custom policies.
What’s in this article:
- Why traditional Python-based Checkov policies limit security self-service.
- How the system we developed translates simple requirements like "Enable S3 versioning" into Checkov code.
- A look at the automated backend that handles intent detection, policy creation, auto-correction, and policy management.
The Challenge: Custom Policy Creation and Management in Checkov Requires Coding Expertise
Creating and updating custom policies requires knowledge of Python, limiting this work to a small group of experts.
Let me show you what a typical Checkov policy looks like:
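The policy image from the original post is not reproduced here, so as an added illustration (not the client's policy and not the original screenshot) here is a custom check for the same S3 versioning requirement, written the way Checkov's documentation describes custom Python checks: a `BaseResourceCheck` subclass with its metadata in `__init__`, the logic in `scan_resource_conf`, and a module-level instance that registers it. The two `checkov` imports are replaced by minimal stand-ins so the block runs without Checkov installed; the check id `CKV_CUSTOM_1` and the sample resource dictionaries are constructed.

```python
# Added illustration of a custom Checkov check in the standard BaseResourceCheck style.
# The two checkov imports it would normally use are replaced by constructed stand-ins
# (CheckResult, CheckCategories, BaseResourceCheck) so the block runs without checkov
# installed. With checkov present you would write instead:
#   from checkov.common.models.enums import CheckResult, CheckCategories
#   from checkov.terraform.checks.resource.base_resource_check import BaseResourceCheck
from enum import Enum


class CheckResult(Enum):          # stand-in for checkov.common.models.enums.CheckResult
    PASSED = "PASSED"
    FAILED = "FAILED"


class CheckCategories(Enum):      # stand-in for checkov.common.models.enums.CheckCategories
    BACKUP_AND_RECOVERY = "BACKUP_AND_RECOVERY"


class BaseResourceCheck:          # stand-in for checkov's BaseResourceCheck
    def __init__(self, name, id, categories, supported_resources):
        self.name, self.id = name, id
        self.categories, self.supported_resources = categories, supported_resources

    def scan_resource_conf(self, conf):
        raise NotImplementedError


class S3BucketVersioningEnabled(BaseResourceCheck):
    def __init__(self):
        name = "Ensure S3 buckets have versioning enabled"
        id = "CKV_CUSTOM_1"                       # constructed check id
        supported_resources = ["aws_s3_bucket"]
        categories = [CheckCategories.BACKUP_AND_RECOVERY]
        super().__init__(name=name, id=id, categories=categories,
                         supported_resources=supported_resources)

    def scan_resource_conf(self, conf):
        # Checkov hands the Terraform resource block to this method as a dict in which
        # every attribute value is wrapped in a single-element list, so a block like
        #   versioning { enabled = true }
        # arrives as {"versioning": [{"enabled": [True]}]}. Forgetting the [0] index
        # is the "list-wrapped values" mistake the article's auto-correction step fixes.
        # (Newer AWS provider versions move versioning to a separate
        # aws_s3_bucket_versioning resource; the inline block matches the article's example.)
        versioning = conf.get("versioning")
        if not versioning or not isinstance(versioning, list):
            return CheckResult.FAILED
        enabled = versioning[0].get("enabled")
        if isinstance(enabled, list):
            enabled = enabled[0] if enabled else None
        return CheckResult.PASSED if enabled is True else CheckResult.FAILED


check = S3BucketVersioningEnabled()   # module-level instance: this is how Checkov registers a check


# Constructed Terraform resource configurations in the shape Checkov's parser produces.
COMPLIANT_BUCKET = {"bucket": ["logs"], "versioning": [{"enabled": [True]}]}
DISABLED_BUCKET = {"bucket": ["tmp"], "versioning": [{"enabled": [False]}]}
NO_VERSIONING_BLOCK = {"bucket": ["scratch"]}
```

Even with the boilerplate stand-ins removed, the check itself is still a class, a constructor full of metadata, a scan method that has to know about Checkov's list-wrapping convention, and a registration line; that is the part a non-Python-speaking platform user has to get right every time.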

Even a simple check requires 20+ lines of Python code. And writing the rules is only the first step. Teams also need to:
- Define and maintain policy metadata
- Register the check in scan configurations
- Organize policies by cloud provider and IaC framework
- Update, override, or disable policies as requirements evolve
When you have dozens or even hundreds of custom policies across different cloud providers and IaC frameworks, keeping them organized and up to date requires continuous effort. Handling versioning, consistency, naming standards, and policy updates adds ongoing maintenance work.
All of this increases both development effort and operational overhead, making custom policy management difficult to scale and less self-service oriented.
The AI Solution: Just Describe What You Want in Checkov
To simplify the creation and management of custom Checkov policies, we built an AI-assisted layer on top of Checkov. This interface allows users to bypass complex Python configurations and manual file management.
Here's how simple it is:
- Select the Scope: Users simply select their infrastructure type—be it Terraform, CloudFormation, or Kubernetes—and the cloud provider.
- Natural Language Input: Users can type in their requirement, for example, “Ensure S3 buckets have versioning enabled.”
- Automated Generation: The AI handles the heavy lifting, generating and saving a complete, production-ready Checkov policy instantly.

Policy management is just as simple. The tool provides specific controls depending on the policy type:
- Default Policies: These can be enabled or disabled.
- Custom Policies: These offer broader flexibility, with options to enable, disable, or delete. They support direct updates, such as adding exceptions for specific resources as requirements change.
How It Works

Backend Processing
When a user submits a requirement via the user interface, the backend handles several steps automatically:
- Intent Detection: Identifies whether the user wants to create, modify, delete, or view a policy.
- Policy Generation: Builds the correct Checkov policy structure based on the user’s infrastructure type and requirements.
- Auto-Correction: Fixes common issues (such as Terraform’s list-wrapped values) before saving.
- Duplicate & Conflict Check: Detects similar or conflicting policies to avoid redundancy.
- Policy Storage: Saves the validated policy in the appropriate Checkov directory.
The process runs automatically in the background, so users don’t need to manage files or write any Python code.
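To make the backend steps listed above and the enable/disable/delete rules for default versus custom policies concrete, here is an added example written from scratch as a hypothetical stand-in; it is not the tool's own code. Intent detection uses a keyword table where the real system consults an LLM, the "generated" policy arrives as an already-built `PolicyRecord` rather than being produced from text, the directory layout is modelled on the one Checkov's own repository uses, and every check id and sample requirement is constructed.

```python
# Added illustration of the backend pipeline described in the article (intent detection,
# duplicate/conflict check, policy storage, policy management). Hypothetical stand-in
# code, not the tool's own implementation.
import re
from dataclasses import dataclass
from pathlib import PurePosixPath


@dataclass(frozen=True)
class PolicyRecord:
    check_id: str
    name: str
    framework: str        # terraform | cloudformation | kubernetes
    provider: str         # aws | azure | gcp
    resources: tuple      # resource types the check applies to
    attribute: str        # dotted attribute path the check inspects
    expected: object      # value the attribute must have to pass
    custom: bool = True   # False for Checkov's built-in (default) policies
    enabled: bool = True


# Order matters: a request to delete or update a policy usually also contains words
# like "ensure" from the policy's name, so those intents are tested first.
INTENT_KEYWORDS = (
    ("delete", ("delete", "remove")),
    ("modify", ("update", "modify", "change", "exception", "exempt")),
    ("view", ("show", "list", "view", "which")),
    ("create", ("create", "ensure", "require", "enforce", "must")),
)


def detect_intent(text):
    # Keyword stand-in for the LLM-based intent detection.
    lowered = text.lower()
    for intent, words in INTENT_KEYWORDS:
        if any(word in lowered for word in words):
            return intent
    return "create"   # a bare requirement with no verb is treated as a new policy


def find_overlaps(candidate, existing):
    # A policy overlaps when it targets the same framework, at least one shared
    # resource type and the same attribute. Same expected value -> duplicate;
    # different expected value -> conflict (no resource could satisfy both checks).
    findings = []
    for policy in existing:
        if policy.framework != candidate.framework:
            continue
        if not set(policy.resources) & set(candidate.resources):
            continue
        if policy.attribute != candidate.attribute:
            continue
        kind = "duplicate" if policy.expected == candidate.expected else "conflict"
        findings.append((kind, policy.check_id))
    return findings


def storage_path(policy, root="custom_checks"):
    # Layout modelled on Checkov's repository (<framework>/checks/resource/<provider>/);
    # the root directory is what you would hand to checkov's --external-checks-dir.
    filename = re.sub(r"[^A-Za-z0-9]+", "", policy.name.title()) + ".py"
    return str(PurePosixPath(root) / policy.framework / "checks" / "resource"
               / policy.provider / filename)


def create_policy(candidate, existing):
    # Refuse to store anything that duplicates or contradicts an existing policy.
    findings = find_overlaps(candidate, existing)
    if findings:
        return {"status": "rejected", "findings": findings, "path": None}
    return {"status": "stored", "findings": [], "path": storage_path(candidate)}


ALLOWED_ACTIONS = {True: {"enable", "disable", "update", "delete"},   # custom policies
                   False: {"enable", "disable"}}                      # default policies


def manage_policy(policy, action):
    # Default policies may only be switched on or off; custom ones may also be
    # updated (for example to add an exception) or deleted.
    if action not in ALLOWED_ACTIONS[policy.custom]:
        kind = "custom" if policy.custom else "default"
        raise PermissionError(f"{action} is not allowed for a {kind} policy")
    return action


# Constructed sample policy store: one built-in policy plus three candidate policies.
EXISTING = [
    PolicyRecord("CKV_DEFAULT_EXAMPLE", "Ensure S3 bucket versioning is enabled",
                 "terraform", "aws", ("aws_s3_bucket",), "versioning.enabled", True,
                 custom=False),
]
NEW_DUPLICATE = PolicyRecord("CKV_CUSTOM_1", "Ensure S3 buckets have versioning enabled",
                             "terraform", "aws", ("aws_s3_bucket",), "versioning.enabled", True)
NEW_CONFLICT = PolicyRecord("CKV_CUSTOM_2", "Ensure S3 buckets have versioning disabled",
                            "terraform", "aws", ("aws_s3_bucket",), "versioning.enabled", False)
NEW_DISTINCT = PolicyRecord("CKV_CUSTOM_3", "Ensure S3 buckets block public ACLs",
                            "terraform", "aws", ("aws_s3_bucket",), "acl", "private")
```

The overlap check is deliberately structural (framework, resource type, attribute) rather than a text comparison of the two requirements, because "Ensure S3 bucket versioning is enabled" and "Ensure S3 buckets have versioning enabled" are the same policy to Checkov even though the strings differ. Whatever the LLM returns, it is this post-generation gate, not the model, that decides whether a file lands in the checks directory.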
LLM Integration
To translate natural language into policy code, the system connects to a configurable LLM provider. Users can choose from:
- Local Providers: Ollama, AnythingLLM (ideal for private or air-gapped environments)
- Cloud Providers: OpenAI, Azure OpenAI, Anthropic
- Custom Integrations: Any OpenAI-compatible API
The provider is configured through the config.yaml file, allowing flexibility without changing the core application.
The system can be set up using the provided setup and launch scripts. Users just run the scripts to install the required dependencies and start the application. The Checkov version can be specified in the setup script, helping maintain consistent deployments across environments.
Value Delivered
With the Checkov AI Policy Manager, teams can now create and manage policies without any coding effort. Checkov policy changes that once required requests, code edits, and PR reviews and took days can now be completed in a few hours or minutes through a simple, streamlined, self-service process. Even as the number of policies grows, management remains consistent and easy to handle.