
checkov -f plan.json does not download external terraform modules for enrichment

With a sample config, when file is used for tfplan.json, I can see it does not download the external terraform modules (my scenario is a git source). I can see when --directory is used it does download the external terraform module.

I thought the enrichment should download the external module so the enrichment can work, and suppression and so forth. I only use the #comment suppression.

download-external-modules: True
evaluate-variables: True
external-modules-download-path: '.external_modules'
file:
  - 'tfplan.json'
repo-root-for-plan-enrichment: '.'
framework: 'all'
no-guide: True
output: 'cli'
skip-fixes: True
skip-suppressions: True

Issue Analytics

  • State: closed
  • Created: 2 years ago
  • Reactions: 4
  • Comments: 7 (1 by maintainers)

Top GitHub Comments

1 reaction
jSherz commented, May 19, 2022

Thank you @melbit-michaelw for your investigation. This was a blocker for me so I ended up patching it after install:

--- runner_registry.py	2022-05-12 12:13:47.000000000 +0100
+++ runner_registry_fixed.py	2022-05-18 16:44:19.000000000 +0100
@@ -277,6 +277,7 @@
                 directory=repo_root,  # assume plan file is in the repo-root
                 out_definitions=tf_definitions,
                 out_parsing_errors=parsing_errors,
+                download_external_modules=True,
             )
             repo_definitions[repo_root] = {'tf_definitions': tf_definitions, 'parsing_errors': parsing_errors}
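Review bot: the added `download_external_modules=True` hard-codes the download instead of forwarding the user's `download-external-modules` setting, so with this patch the enrichment parse fetches external modules even for runs that left that option off, and the `external-modules-download-path` setting is still not forwarded, so a non-default path configured for the directory scan is ignored here. Suggest passing both values through from the same configuration the `--directory` scan already honours, alongside the existing `directory`, `out_definitions` and `out_parsing_errors` kwargs, rather than the literal `True`.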
patch runner_registry.py < /tmp/checkov-runner-registry.patch
1 reaction
melbit-michaelw commented, Mar 10, 2022

So this looks like it is because of the plan enrichment. Specifically, this call to parse_directory which doesn’t pass along the configuration for download-external-modules (or external-modules-download-path):

https://github.com/bridgecrewio/checkov/blob/d73fd4bd7096d48ab3434a92a177bcc55605460a/checkov/common/runners/runner_registry.py#L250

Parser().parse_directory(
    directory=repo_root,  # assume plan file is in the repo-root
    out_definitions=tf_definitions,
    out_parsing_errors=parsing_errors,
)

However, I’m not sure modifying that would help with suppression, since as best I can tell, this stage only happens after checkov has determined any failures already, and is only used for output formatting.

In my particular use case, I have a terraform module which creates an aws_acm_certificate with the create_before_destroy lifecycle rule; however, CKV_AWS_233 “Ensure Create before destroy for ACM certificates” still fires when checking against the plan, since that information isn’t contained within the plan file.

Enriching the plan (and forcing it to download modules by modifying the code I linked above) changes the output from a JSON map of the acm certificate resource to the full terraform code of the resource, but does nothing to correct the false positive.
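Why the plan scan still flags the resource after enrichment, as an added illustration that is not checkov's own code: a simplified stand-in for the CKV_AWS_233 check is run over a constructed plan JSON fragment and over the HCL-derived configuration of the same resource, and an enrichment step that only attaches the HCL for output leaves the verdict unchanged. The list-wrapped dict shape and the helper names are assumptions, not checkov's data model.

```python
import json

# Constructed fragment of a `terraform show -json` plan file. Terraform serialises the
# planned attribute values only; lifecycle meta-arguments such as create_before_destroy
# are not part of the plan JSON at all.
SAMPLE_PLAN_JSON = json.dumps({
    "resource_changes": [{
        "address": "module.cert.aws_acm_certificate.this",
        "type": "aws_acm_certificate",
        "change": {"actions": ["create"],
                   "after": {"domain_name": "example.com", "validation_method": "DNS"}},
    }],
})

# Constructed stand-in for what the HCL parser sees for the same resource inside the
# external module (list-wrapped values are an assumption about the dict shape, not
# checkov's own data model).
SAMPLE_HCL_CONFS = {
    "module.cert.aws_acm_certificate.this": {
        "domain_name": ["example.com"],
        "validation_method": ["DNS"],
        "lifecycle": [{"create_before_destroy": [True]}],
    }
}

def plan_resource_confs(plan_json: str) -> dict:
    """Map resource address -> attribute dict taken from resource_changes[].change.after."""
    confs = {}
    for change in json.loads(plan_json).get("resource_changes", []):
        after = change.get("change", {}).get("after") or {}
        confs[change["address"]] = {k: [v] for k, v in after.items()}
    return confs

def acm_create_before_destroy(conf: dict) -> str:
    """Simplified stand-in for CKV_AWS_233: PASSED only when lifecycle.create_before_destroy is true."""
    for lifecycle in conf.get("lifecycle", []):
        if lifecycle.get("create_before_destroy", [False])[0] is True:
            return "PASSED"
    return "FAILED"

def scan(confs: dict) -> dict:
    """Evaluate the check for every resource; this is where the verdict is fixed."""
    return {addr: acm_create_before_destroy(conf) for addr, conf in confs.items()}

def enrich_for_output(results: dict, hcl_confs: dict) -> dict:
    """Mimic plan enrichment: attach the HCL-derived conf for reporting, verdict unchanged."""
    return {addr: {"result": status, "code": hcl_confs.get(addr)} for addr, status in results.items()}
```

Scanning the plan-derived conf yields FAILED because no lifecycle block reaches the check, the HCL-derived conf yields PASSED, and enriching the plan result only changes what is reported, not the FAILED status.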
