Crash when a custom check on a Terraform module returns CheckResult.SKIPPED
Describe the bug
When a custom check on a Terraform module returns CheckResult.SKIPPED, checkov crashes during the reporting stage.
To Reproduce
Steps to reproduce the behavior:
- Implement a custom check returning CheckResult.SKIPPED
```python
from checkov.common.models.enums import CheckResult, CheckCategories
from checkov.terraform.checks.module.base_module_check import BaseModuleCheck


class Foo(BaseModuleCheck):
    def __init__(self):
        name = "Foo"
        id = "FOO_REP_1"
        supported_resources = ["module"]
        categories = [CheckCategories.GENERAL_SECURITY]
        super().__init__(
            name=name,
            id=id,
            categories=categories,
            supported_resources=supported_resources,
        )

    def scan_module_conf(self, conf):
        # Unconditionally skip: this is what triggers the crash in the reporting stage
        return CheckResult.SKIPPED


# checkov discovers custom checks through a module-level instance
scanner = Foo()
```
- Write a Terraform module call which could trigger that check
- Run checkov

Expected behavior
No error.
Screenshots
You’ll notice checks have been correctly skipped but the reporting isn’t very happy.

```
By bridgecrew.io | version: 1.0.590
terraform scan results:
Passed checks: 1, Failed checks: 0, Skipped checks: 10
Check: CKV_GIT_1: "Ensure Repository is Private"
	PASSED for resource: github_repository.doc
	File: /repo_doc.tf:1-9
Traceback (most recent call last):
  File "/Users/jeromepin/.asdf/installs/python/3.7.5/bin/checkov", line 4, in <module>
    __import__('pkg_resources').run_script('checkov==1.0.590', 'checkov')
  File "/Users/jeromepin/.asdf/installs/python/3.7.5/lib/python3.7/site-packages/pkg_resources/__init__.py", line 666, in run_script
    self.require(requires)[0].run_script(script_name, ns)
  File "/Users/jeromepin/.asdf/installs/python/3.7.5/lib/python3.7/site-packages/pkg_resources/__init__.py", line 1462, in run_script
    exec(code, namespace, namespace)
  File "/Users/jeromepin/.asdf/installs/python/3.7.5/lib/python3.7/site-packages/checkov-1.0.590-py3.7.egg/EGG-INFO/scripts/checkov", line 5, in <module>
    run()
  File "/Users/jeromepin/.asdf/installs/python/3.7.5/lib/python3.7/site-packages/checkov-1.0.590-py3.7.egg/checkov/main.py", line 71, in run
    runner_registry.print_reports(scan_reports, args)
  File "/Users/jeromepin/.asdf/installs/python/3.7.5/lib/python3.7/site-packages/checkov-1.0.590-py3.7.egg/checkov/common/runners/runner_registry.py", line 50, in print_reports
    report.print_console(is_quiet=args.quiet)
  File "/Users/jeromepin/.asdf/installs/python/3.7.5/lib/python3.7/site-packages/checkov-1.0.590-py3.7.egg/checkov/common/output/report.py", line 91, in print_console
    print(record)
  File "/Users/jeromepin/.asdf/installs/python/3.7.5/lib/python3.7/site-packages/checkov-1.0.590-py3.7.egg/checkov/common/output/record.py", line 73, in __str__
    suppress_comment = "\tSuppress comment: {}\n".format(self.check_result['suppress_comment'])
KeyError: 'suppress_comment'
```
Desktop (please complete the following information):
- OS: MacOS 10.14.6
- Checkov Version: 1.0.590
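To make the failure mode concrete, here is a constructed stand-in for the reporting logic (an added example, not checkov's own code): `render_record_fragile` mirrors the pre-fix SKIPPED branch from the traceback, `render_record` treats the suppression comment as optional, and the `CheckResult` enum, function names and sample records are assumptions modelled on the page.

```python
from enum import Enum


class CheckResult(Enum):  # constructed stand-in for checkov.common.models.enums.CheckResult
    PASSED = "PASSED"
    FAILED = "FAILED"
    SKIPPED = "SKIPPED"
    UNKNOWN = "UNKNOWN"


def render_record_fragile(check_id, check_name, check_result):
    """Pre-fix behaviour from the traceback: the SKIPPED branch reads
    check_result['suppress_comment'] unconditionally. That key only exists
    when the skip came from an inline suppression comment, not when a check
    itself returns CheckResult.SKIPPED, hence the KeyError."""
    result = check_result["result"]
    suppress_comment = ""
    if result == CheckResult.SKIPPED:
        suppress_comment = "\tSuppress comment: {}\n".format(check_result["suppress_comment"])
    return 'Check: {}: "{}"\n\t{}\n{}'.format(check_id, check_name, result.name, suppress_comment)


def render_record(check_id, check_name, check_result):
    """Hardened rendering: the suppression comment is optional, so a skip
    without one is reported as a plain SKIPPED line instead of crashing."""
    result = check_result["result"]
    comment = check_result.get("suppress_comment")
    suppress_comment = "\tSuppress comment: {}\n".format(comment) if comment else ""
    return 'Check: {}: "{}"\n\t{}\n{}'.format(check_id, check_name, result.name, suppress_comment)


def print_reports(records, renderer=render_record):
    """Return every rendered record, mirroring the loop in report.print_console."""
    return [renderer(*record) for record in records]


def fragile_crashes(records):
    """True if the pre-fix renderer raises KeyError on the given records."""
    try:
        print_reports(records, renderer=render_record_fragile)
    except KeyError:
        return True
    return False


# Constructed sample records: a pass, a skip from a suppression comment
# (key present) and a skip returned directly by the Foo module check (no key).
SAMPLE_RESULTS = [
    ("CKV_GIT_1", "Ensure Repository is Private", {"result": CheckResult.PASSED}),
    ("EXAMPLE_1", "Example check", {"result": CheckResult.SKIPPED, "suppress_comment": "legacy bucket"}),
    ("FOO_REP_1", "Foo", {"result": CheckResult.SKIPPED}),
]

if __name__ == "__main__":
    print("\n".join(print_reports(SAMPLE_RESULTS)))
    print("pre-fix renderer crashes on these records:", fragile_crashes(SAMPLE_RESULTS))
```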
Quick fix
Here is a quick fix if you need it.
diff --git i/checkov/common/output/record.py w/checkov/common/output/record.py
index c2bc87cf..593f6aaf 100644
--- i/checkov/common/output/record.py
+++ w/checkov/common/output/record.py
@@ -59,6 +59,7 @@ class Record:
status = ''
evaluation_message = f''
status_color = "white"
+ suppress_comment = ''
if self.check_result['result'] == CheckResult.PASSED:
status = CheckResult.PASSED.name
status_color = "green"
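Review bot: The new `suppress_comment = ''` default is what keeps the later string assembly from raising NameError once the SKIPPED branch stops assigning it unconditionally, so placing it beside the other defaults is right; one style nit is that it uses single quotes while the neighbouring `status_color = "white"` uses double quotes, and `evaluation_message = f''` two lines above is an f-string with no placeholders that could become a plain `''` while this block is being touched.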
@@ -68,7 +69,8 @@ class Record:
elif self.check_result['result'] == CheckResult.SKIPPED:
status = CheckResult.SKIPPED.name
status_color = 'blue'
- suppress_comment = "\tSuppress comment: {}\n".format(self.check_result['suppress_comment'])
+ if "suppress_comment" in self.check_result:
+ suppress_comment = "\tSuppress comment: {}\n".format(self.check_result['suppress_comment'])
check_message = colored("Check: {}: \"{}\"\n".format(self.check_id, self.check_name), "white")
guideline_message = ''
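Review bot: The membership test `if "suppress_comment" in self.check_result:` fixes the KeyError but would still print `Suppress comment: None` if a runner ever stores the key with a None value; `comment = self.check_result.get('suppress_comment')` followed by `if comment:` covers both cases in one line. This hunk also deserves a unit test that builds a Record with `{'result': CheckResult.SKIPPED}` and calls `str()` on it, since the crash only surfaces at reporting time.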
Top GitHub Comments

Don’t worry, it wasn’t a big deal, I used a workaround for the meantime. Ok, I’ll go with UNKNOWN then. Thank you very much!

Hi @jeromepin, sorry for not getting back to you! We’ve dramatically improved our scanning of modules over the past month, but now I realize that doesn’t directly relate to your issue. I do think returning UNKNOWN is the way to go in this case, instead of SKIPPED