diff --git a/pkgs/development/tools/analysis/checkov/default.nix b/pkgs/development/tools/analysis/checkov/default.nix
index 8750b61c48fa..da72bbbf6ed8 100644
--- a/pkgs/development/tools/analysis/checkov/default.nix
+++ b/pkgs/development/tools/analysis/checkov/default.nix
@@ -1,75 +1,124 @@
-{ pkgs, lib, python3, fetchFromGitHub }:
-
+{ lib
+, fetchFromGitHub
+, python3
+}:
 let
+ py = python3.override {
+ packageOverrides = self: super: {
+
+ boto3 = super.boto3.overridePythonAttrs (oldAttrs: rec {
+ version = "1.17.112";
+ src = oldAttrs.src.override {
+ inherit version;
+ sha256 = "1byqrffbgpp1mq62gnn3w3hnm54dfar0cwgvmkl7mrgbwz5xmdh8";
+ };
+ });
+
+ botocore = super.botocore.overridePythonAttrs (oldAttrs: rec {
+ version = "1.20.112";
+ src = oldAttrs.src.override {
+ inherit version;
+ sha256 = "1ksdjh3mwbzgqgfj58vyrhann23b9gqam8id2svmpdmmdq5vgffh";
+ };
+ });
+
+ s3transfer = super.s3transfer.overridePythonAttrs (oldAttrs: rec {
+ version = "0.4.2";
+ src = oldAttrs.src.override {
+ inherit version;
+ sha256 = "1cp169vz9rvng7dwbn33fgdbl3b014zpsdqsnfxxw7jm2r5jy0nb";
+ };
+ });
+
+ dpath = super.dpath.overridePythonAttrs (oldAttrs: rec {
+ version = "1.5.0";
+ src = oldAttrs.src.override {
+ inherit version;
+ sha256 = "06rn91n2izw7czncgql71w7acsa8wwni51njw0c6s8w4xas1arj9";
+ };
+ doCheck = false;
+ });
+
+ };
+ };
+in
+with py.pkgs;
+
+buildPythonApplication rec {
 pname = "checkov";
- version = "1.0.674";
+ version = "2.0.496";
+
+ disabled = python3.pythonOlder "3.7";
+
 src = fetchFromGitHub {
 owner = "bridgecrewio";
 repo = pname;
 rev = version;
- sha256 = "/S8ic5ZVxA2vd/rjRPX5gslbmnULL7BSx34vgWIsheQ=";
+ sha256 = "sha256-JDKM706z8e+e+LhZ/3bMcVkYGW+gOF2iOUYLQASlXbc=";
 };
- disabled = pkgs.python3Packages.pythonOlder "3.7";
-
- # CheckOV only work with `dpath 1.5.0`
- dpath = pkgs.python3Packages.buildPythonPackage rec {
- pname = "dpath";
- version = "1.5.0";
-
- src = pkgs.python3Packages.fetchPypi {
- inherit pname version;
- sha256 = "SWYVtOqEI20Y4NKGEi3nSGmmDg+H4sfsZ4f/KGxINhs=";
- };
-
- doCheck = false;
- };
-in
-python3.pkgs.buildPythonPackage rec {
- inherit pname version disabled src;
-
- nativeBuildInputs = with python3.pkgs; [ setuptools-scm ];
-
- propagatedBuildInputs = with python3.pkgs; [
- pytest
- coverage
- bandit
- bc-python-hcl2
- deep_merge
- tabulate
- colorama
- termcolor
- junit-xml
- dpath
- pyyaml
- boto3
- GitPython
- six
- jmespath
- tqdm
- update_checker
- semantic-version
- packaging
+ nativeBuildInputs = with py.pkgs; [
+ setuptools-scm
 ];
- # Both of these tests are pulling from external srouces (https://github.com/bridgecrewio/checkov/blob/f03a4204d291cf47e3753a02a9b8c8d805bbd1be/.github/workflows/build.yml)
- preCheck = ''
- rm -rf integration_tests/*
- rm -rf tests/terraform/*
- '';
+ propagatedBuildInputs = with py.pkgs; [
+ bc-python-hcl2
+ boto3
+ cachetools
+ cloudsplaining
+ colorama
+ configargparse
+ cyclonedx-python-lib
+ deep_merge
+ detect-secrets
+ docker
+ dockerfile-parse
+ dpath
+ GitPython
+ jmespath
+ junit-xml
+ networkx
+ packaging
+ policyuniverse
+ pyyaml
+ semantic-version
+ tabulate
+ termcolor
+ tqdm
+ typing-extensions
+ update_checker
+ ];
- # Wrap the executable so that the python packages are available
- # it's just a shebang script which calls `python -m checkov "$@"`
- postFixup = ''
- wrapProgram $out/bin/checkov \
- --set PYTHONPATH $PYTHONPATH
- '';
+ checkInputs = with py.pkgs; [
+ jsonschema
+ pytest-xdist
+ pytestCheckHook
+ ];
+
+ disabledTests = [
+ # No API key available
+ "api_key"
+ # Requires network access
+ "TestSarifReport"
+ ];
+
+ disabledTestPaths = [
+ # Tests are pulling from external sources
+ # https://github.com/bridgecrewio/checkov/blob/f03a4204d291cf47e3753a02a9b8c8d805bbd1be/.github/workflows/build.yml
+ "integration_tests/"
+ "tests/terraform/"
+ ];
+
+ pythonImportsCheck = [
+ "checkov"
+ ];
 meta = with lib; {
- homepage = "https://github.com/bridgecrewio/checkov";
 description = "Static code analysis tool for infrastructure-as-code";
+ homepage = "https://github.com/bridgecrewio/checkov";
 longDescription = ''
- Prevent cloud misconfigurations during build-time for Terraform, Cloudformation, Kubernetes, Serverless framework and other infrastructure-as-code-languages with Checkov by Bridgecrew.
+ Prevent cloud misconfigurations during build-time for Terraform, Cloudformation,
+ Kubernetes, Serverless framework and other infrastructure-as-code-languages.
 '';
 license = licenses.asl20;
 maintainers = with maintainers; [ anhdle14 ];
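Review bot: The four `packageOverrides` entries at the top of the hunk pin boto3 1.17.112, botocore 1.20.112, s3transfer 0.4.2 and dpath 1.5.0 for this one application's closure without any comment saying why, whereas the removed code at least carried `# CheckOV only work with dpath 1.5.0`. Pinning the AWS SDK trio to fixed versions presumably means they sit behind whatever python3Packages ships and will not follow its security updates, so the rationale and the condition for dropping the overrides should be recorded next to them, e.g. `# Pinned to satisfy checkov's declared dependency bounds (TODO confirm against upstream setup.py); drop once upstream accepts current boto3/botocore/s3transfer and dpath`. The dpath override's `doCheck = false;` also lost its justification in the move and deserves a one-line reason of its own. The overrides are otherwise consistent with each other (same `src.override { inherit version; sha256 = ...; }` shape), so this is a documentation point only.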