checkov

How to run checkov scan on terraform plan


I would like to have checkov scan terraform plan output, but I am not getting any success with that. Below is my code in terragrunt.hcl, the GitHub Actions workflow, and the message I got when my workflow completed. I have tried a few methods to make it work, but I am still unable to configure it correctly so that checkov can analyse the JSON output of terraform plan. I would appreciate any help that I can get on this. Thank you for your assistance in advance.

terragrunt.hcl

terraform {
  after_hook "after_hook_plan" {
      commands     = ["plan"]
      execute      = ["sh", "-c", "terraform show -json tfplan.binary > ${get_parent_terragrunt_dir()}/plan.json"]
  }
}

GitHub Actions Workflow

name: 'Checkov Security Scan'
on:
  push:
    branches:
      - test

jobs:
  Terraform:
    name: 'Terraform'
    runs-on: ubuntu-latest

    defaults:
      run:
        working-directory: ${{ env.tf_working_dir }}

    steps:
      - name: 'checkout'
        uses: actions/checkout@v2

      - name: configure AWS credentials
        uses: aws-actions/configure-aws-credentials@master
        with:
          aws-region: us-east-1
          role-to-assume: ${{ env.dev_role_arn }}

      - name: Setup Terraform
        uses: hashicorp/[email protected]
        with:
          terraform_version: ${{ env.tf_version }}
          terraform_wrapper: true

      - name: Setup Terragrunt
        uses: autero1/[email protected]
        with:
          terragrunt_version: ${{ env.tg_version }}
         
      - name: Init
        id: init
        run: |
          terragrunt run-all init --terragrunt-non-interactive
      - name: Plan
        id: plan
        run: |
          terragrunt run-all plan -out=tfplan.binary -no-color --terragrunt-non-interactive
      - name: 'Test Plan (Checkov)'
        uses: bridgecrewio/checkov-action@master
        with:
          directory: ./applied/test/
          quiet: false # optional: display only failed checks
          framework: terraform # optional: run only on a specific infrastructure {cloudformation,terraform,kubernetes,all}
          output_format: json # optional: the output format, one of: cli, json, junitxml, github_failed_only

checkov output message
{
    "passed": 0,
    "failed": 0,
    "skipped": 0,
    "parsing_errors": 0,
    "resource_count": 0,
    "checkov_version": "2.0.706"
}

Solution

  • I guess it doesn't support that; however, you can try this:

      - name: Terraform Plan
        id: plan
        if: github.event_name == 'pull_request'
        run: terraform plan --out tfplan.binary -no-color
        continue-on-error: true

      - name: Terraform Show
        id: show
        # Convert the binary plan into the JSON document that checkov reads
        run: terraform show -json tfplan.binary | jq '.' > tfplan.json

      - name: Set up Python 3.8
        uses: actions/setup-python@v1
        with:
          python-version: 3.8
        id: setup_py

      - name: Install Checkov
        id: checkov
        run: |
          # the pip module is named "pip", not "pip3"
          python3 -m pip install --upgrade pip
          pip3 install checkov
        continue-on-error: true

      - name: Run Checkov
        id: run_checkov
        # -f scans the plan file, -o sarif writes results.sarif, -s soft-fails
        run: checkov -f tfplan.json -o sarif -s
        continue-on-error: true

      - name: Upload SARIF file
        id: upload_sarif
        uses: github/codeql-action/upload-sarif@v1
        with:
          sarif_file: results.sarif
          category: checkov
        continue-on-error: true
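The summary in the question (`resource_count: 0`) is what checkov reports when nothing in the scanned directory matches the framework it was told to use; a plan JSON is consumed by checkov's `terraform_plan` framework (`checkov -f plan.json --framework terraform_plan`), not by the `terraform` framework that looks for `.tf` files. The script below is an added example, not code from the question, the answer, or the checkov project: it walks a `terraform show -json` document the way a plan scanner does, recursing into `child_modules` so resources inside `module` blocks are counted, and runs two simplified stand-in checks (an open-SSH security group rule and IMDSv2 enforcement on an EC2 instance). The plan document is constructed by hand to mirror the real format, and the check names are hypothetical, not checkov IDs.

```python
"""Walk a `terraform show -json` plan the way a checkov plan scan does.

Added example; not from the question, the answer, or checkov itself.
The plan below is constructed to mirror the shape of plan JSON, and
the two checks are simplified stand-ins for checkov policies.
"""
import json

# Constructed sample: the subset of plan JSON that plan scanners read.
# Nested blocks (ingress, metadata_options) appear as lists of objects.
SAMPLE_PLAN = json.dumps({
    "format_version": "1.1",
    "terraform_version": "1.3.0",
    "planned_values": {
        "root_module": {
            "resources": [
                {"address": "aws_security_group.ssh",
                 "type": "aws_security_group", "name": "ssh",
                 "values": {"ingress": [
                     {"from_port": 22, "to_port": 22, "protocol": "tcp",
                      "cidr_blocks": ["0.0.0.0/0"]}]}},
            ],
            "child_modules": [
                {"address": "module.app",
                 "resources": [
                     {"address": "module.app.aws_instance.web",
                      "type": "aws_instance", "name": "web",
                      "values": {"metadata_options": [
                          {"http_tokens": "required"}]}},
                 ]},
            ],
        }
    },
})


def is_terraform_plan(doc):
    """True when `doc` looks like `terraform show -json` plan output,
    as opposed to state output or an unrelated JSON file."""
    return (isinstance(doc, dict)
            and "format_version" in doc
            and isinstance(doc.get("planned_values"), dict)
            and "root_module" in doc["planned_values"])


def iter_resources(module):
    """Yield every resource in a module and, recursively, in its
    child modules; reading only root_module.resources under-counts."""
    for res in module.get("resources", []):
        yield res
    for child in module.get("child_modules", []):
        yield from iter_resources(child)


def check_sg_open_ssh(res):
    """Fail security groups that allow 22/tcp from 0.0.0.0/0."""
    if res["type"] != "aws_security_group":
        return None  # check does not apply to this resource type
    for rule in res["values"].get("ingress", []):
        if (rule.get("from_port", 0) <= 22 <= rule.get("to_port", 0)
                and "0.0.0.0/0" in rule.get("cidr_blocks", [])):
            return False
    return True


def check_instance_imdsv2(res):
    """Fail EC2 instances that do not require IMDSv2 session tokens."""
    if res["type"] != "aws_instance":
        return None
    opts = res["values"].get("metadata_options") or [{}]
    return opts[0].get("http_tokens") == "required"


# Hypothetical check IDs; checkov's own are CKV_AWS_*.
CHECKS = {"SG_OPEN_SSH": check_sg_open_ssh,
          "INSTANCE_IMDSV2": check_instance_imdsv2}


def scan_plan(plan_text):
    """Return a checkov-style summary plus (check, address, passed) rows."""
    doc = json.loads(plan_text)
    if not is_terraform_plan(doc):
        return {"parsing_errors": 1, "passed": 0, "failed": 0,
                "resource_count": 0, "results": []}
    resources = list(iter_resources(doc["planned_values"]["root_module"]))
    results = [(cid, res["address"], verdict)
               for res in resources
               for cid, fn in CHECKS.items()
               if (verdict := fn(res)) is not None]
    return {"parsing_errors": 0,
            "passed": sum(1 for *_, ok in results if ok),
            "failed": sum(1 for *_, ok in results if not ok),
            "resource_count": len(resources),
            "results": results}


if __name__ == "__main__":
    print(json.dumps(scan_plan(SAMPLE_PLAN), indent=2))
```

Feeding a document that is not a plan (for example a directory of `terragrunt.hcl` files, or `terraform show -json` run against state) yields `resource_count: 0`, which is the same signature as the question's output; checking `is_terraform_plan` on the file before the scan step catches that earlier in the workflow.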