
Deterministic Multi-Engine Security Orchestration (Offline-First) #7433

@DataWizual-Labs

Description


The proposal is to introduce a Deterministic Multi-Engine Auditing workflow.

Currently, security teams have to jump between different tools (SAST, Secrets, IaC), which produce fragmented reports and inconsistent results. I propose a unified, deterministic engine that orchestrates multiple security layers while maintaining strict Zero Telemetry and Offline-first principles.

Key technical requirements:

  1. Deterministic Execution: Every scan must be 100% reproducible. Detection logic is based on explicit rules (Semgrep, Gitleaks, etc.), ensuring no hidden or probabilistic logic.
  2. Unified Security Snapshot: A single execution that evaluates Dockerfiles, CI/CD workflows, and IaC in one go, producing a consistent "Source of Truth" report.
  3. Advisory-only AI: Optional remediation advice (via local LLMs like Ollama) that is strictly separated from the detection engine to prevent AI hallucinations from affecting security scores.
  4. Professional Evidence: Generation of technical HTML/JSON reports specifically formatted for SOC2/ISO27001 compliance evidence.

Examples

Example Code (Terraform):

resource "aws_db_instance" "default" {
  allocated_storage    = 10
  engine               = "mysql"
  publicly_accessible  = true # Violation
  password             = "supersecret123" # Another violation (Secret)
}

Expected Inputs:

  • Project source code (Local).
  • (Optional) Local LLM endpoint for remediation advice.

Expected Outputs (Auditor Core Logic):

  • Unified Findings: The engine identifies BOTH the infrastructure misconfiguration (public DB) and the hardcoded secret in a single pass.
  • Decision: FAIL (1).
  • Report: An HTML report in the reports/ directory containing:
    • Detector: IaC (Checkov/Internal) -> "Publicly accessible DB"
    • Detector: Secrets (Gitleaks) -> "Hardcoded password found"
    • Remediation (AI Advisory): "Move password to secret manager and set publicly_accessible to false."
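Worked example, added here and not part of the issue, of Checkov, Gitleaks or Semgrep: a small Python orchestrator that applies the four requirements above to the Terraform snippet and produces the expected outputs (both findings in one pass, decision FAIL with exit code 1, an HTML evidence table, and advisory text kept out of the scoring path). The two detectors are toy regex rules written for this example, standing in for the real engines; the rule IDs TOY_IAC_001 and TOY_SECRET_001, the Finding dataclass, the snapshot_id hash and the canned offline_advice() function are all assumptions made for illustration, and a real deployment would call the actual engines and a local Ollama endpoint instead.

```python
import hashlib
import html
import json
import re
from dataclasses import dataclass, asdict
from typing import Callable, Dict, Iterator, List

# Constructed sample input: the Terraform snippet from the issue, as if read from main.tf.
SAMPLE_TF = '''resource "aws_db_instance" "default" {
  allocated_storage    = 10
  engine               = "mysql"
  publicly_accessible  = true # Violation
  password             = "supersecret123" # Another violation (Secret)
}
'''

@dataclass(frozen=True, order=True)
class Finding:
    path: str
    line: int
    detector: str   # which engine/layer produced it (explainability)
    rule_id: str    # explicit rule id, never a model score
    severity: str
    message: str

# Toy rule standing in for an IaC engine such as Checkov (hypothetical rule id).
def detect_public_db(path: str, text: str) -> Iterator[Finding]:
    for no, line in enumerate(text.splitlines(), 1):
        if re.match(r'^\s*publicly_accessible\s*=\s*true\b', line):
            yield Finding(path, no, "IaC (internal)", "TOY_IAC_001", "HIGH",
                          "Publicly accessible DB")

# Toy rule standing in for a secrets engine such as Gitleaks (hypothetical rule id).
SECRET_KEY = re.compile(r'^\s*(password|secret|api_key|token)\s*=\s*"[^"]+"')

def detect_hardcoded_secret(path: str, text: str) -> Iterator[Finding]:
    for no, line in enumerate(text.splitlines(), 1):
        m = SECRET_KEY.match(line)
        if m:
            # The secret value itself is deliberately not copied into the report.
            yield Finding(path, no, "Secrets (internal)", "TOY_SECRET_001", "CRITICAL",
                          f"Hardcoded {m.group(1)} found")

DETECTORS: List[Callable[[str, str], Iterator[Finding]]] = [detect_public_db, detect_hardcoded_secret]

def run_snapshot(files: Dict[str, str]) -> dict:
    """Requirements 1 and 2: one deterministic pass over every file with every detector."""
    findings = set()
    for path in sorted(files):
        for detector in DETECTORS:
            findings.update(detector(path, files[path]))
    ordered = [asdict(f) for f in sorted(findings)]  # stable order -> reproducible output
    snapshot = {"findings": ordered,
                "decision": "FAIL" if ordered else "PASS",
                "exit_code": 1 if ordered else 0}
    # Hash of the canonical JSON: two runs on the same input yield the same id.
    canonical = json.dumps(snapshot, sort_keys=True, separators=(",", ":")).encode()
    snapshot["snapshot_id"] = hashlib.sha256(canonical).hexdigest()
    return snapshot

def offline_advice(finding: dict) -> str:
    """Stand-in for a local LLM (e.g. Ollama): canned text keyed by rule id."""
    return {"TOY_IAC_001": "Set publicly_accessible to false.",
            "TOY_SECRET_001": "Move the password to a secret manager."}.get(
                finding["rule_id"], "No advice available.")

def attach_advice(snapshot: dict, advisor: Callable[[dict], str]) -> dict:
    """Requirement 3: advice is a separate layer; findings, decision and id are untouched."""
    advised = json.loads(json.dumps(snapshot))  # deep copy, never mutate the snapshot
    advised["advice"] = [{"rule_id": f["rule_id"], "line": f["line"], "advice": advisor(f)}
                         for f in snapshot["findings"]]
    return advised

def render_html(report: dict) -> str:
    """Requirement 4: evidence report in which every finding names its detector and rule."""
    cols = ("detector", "rule_id", "path", "line", "severity", "message")
    rows = "".join("<tr>" + "".join(f"<td>{html.escape(str(f[k]))}</td>" for k in cols) + "</tr>"
                   for f in report["findings"])
    return (f"<h1>Decision: {report['decision']}</h1><p>Snapshot {report['snapshot_id']}</p>"
            "<table><tr><th>Detector</th><th>Rule</th><th>File</th><th>Line</th>"
            f"<th>Severity</th><th>Finding</th></tr>{rows}</table>")

if __name__ == "__main__":
    snap = run_snapshot({"main.tf": SAMPLE_TF})
    print(json.dumps(attach_advice(snap, offline_advice), indent=2))
    print(render_html(snap))
```

The separation in attach_advice() is the point of requirement 3: the advisor only ever reads the finished snapshot and writes into a copy, so a hallucinated or missing piece of advice can change the wording under "Remediation" but never the findings list, the decision or the snapshot id that the evidence report carries.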

Additional context

This feature request is based on the Auditor Core Baseline architecture. The focus is on Explainability. Unlike modern black-box security tools, this approach ensures that every finding is mapped to a specific, transparent detector. By keeping the process Offline-first, we ensure that sensitive infrastructure code and identified vulnerabilities never leave the local environment.

Labels: contribution requested (This is a great feature idea, but we will need a contribution to get it added to Checkov.)
