Closed CaspervdKerk closed 7 months ago
You're right. That's a bug in checkov: it returns a wrong exit code. If you run `checkov -d "$(pwd)" --hard-fail-on MEDIUM` you'll get an error message and exit code 0.
@CaspervdKerk please open the issue in https://github.com/bridgecrewio/checkov/. It also breaks their checkov pre-commit hook, as far as I can see.
Thank you for confirming my findings! I'll raise this bug on the checkov repo as well.
There is definitely some strange behavior going on. During my testing I found my code also triggered CKV_AZURE_103, which is a LOW severity check.
Using the pre-commit hook with `--soft-fail` and `--hard-fail-on MEDIUM`, Checkov passes, as is expected. However, when I use the locally installed Checkov CLI it fails on this LOW severity check, even though the `--soft-fail` and `--hard-fail-on MEDIUM` flags are passed...
From https://github.com/bridgecrewio/checkov/issues/5560#issuecomment-1722313286 :
> Severities only work with an API key, that's why it doesn't work as expected.
Describe the bug
When running terraform_checkov without any fail flags, any matching rule will result in a failed result. However, when the `--soft-fail` and `--hard-fail-on MEDIUM` flags are enabled, everything passes, even when violating a HIGH severity rule on purpose.
How can we reproduce it?
Test by violating CKV_AZURE_104 on purpose, which is a HIGH severity rule.
main.tf
```hcl
terraform {
  required_providers {
    azurerm = {
      source  = "hashicorp/azurerm"
      version = ">=3.28.0"
    }
  }
}

resource "azurerm_data_factory" "azure_data_factory" {
  name                   = var.factory_name
  resource_group_name    = var.resource_group_name
  location               = var.location
  public_network_enabled = true

  identity {
    type = "SystemAssigned"
  }

  lifecycle {
    ignore_changes = [tags]
  }
}
```
.pre-commit-config.yaml
```yaml
repos:
  - repo: https://github.com/antonbabenko/pre-commit-terraform
    rev: v1.82.0
    hooks:
      - id: terraform_checkov
        args:
          - --args=--download-external-modules true
          - --args=--quiet
          - --args=--soft-fail
          - --args=--hard-fail-on MEDIUM
          - --args=--check CKV_AZURE_104
```
Test by using `pre-commit run terraform_checkov --all-files`. When the flags are enabled the pre-commit hook will pass. When the lines `- --args=--soft-fail` and `- --args=--hard-fail-on MEDIUM` are commented out, the hook will fail.
Environment information
OS: MacOS Ventura 13.5.1
`uname -a` and/or `systeminfo | Select-String "^OS"` output:
`.pre-commit-config.yaml`: (same as above)
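An added example, not from this issue nor from checkov or pre-commit-terraform: instead of trusting the hook's exit code, gate on checkov's JSON report (`-o json`) and apply the severity threshold in the pipeline itself, failing closed when a finding carries no severity because no API key was supplied. The report field layout is assumed from checkov's JSON output and the sample report is constructed.

```python
"""Gate a hook on checkov's JSON report (checkov -d . -o json > report.json)
instead of its exit code. With --soft-fail and --hard-fail-on MEDIUM checkov
can exit 0 despite HIGH findings, and severities are only filled in when an
API key is used, so the threshold is applied here and a check with no
severity is treated as blocking (fail closed)."""
import json
import sys

SEVERITY_RANK = {"LOW": 1, "MEDIUM": 2, "HIGH": 3, "CRITICAL": 4}


def failed_checks(report):
    """Yield failed checks from one report or a list of reports
    (checkov emits a list when several frameworks are scanned)."""
    for r in (report if isinstance(report, list) else [report]):
        yield from r.get("results", {}).get("failed_checks", [])


def blocking_failures(report, hard_fail_on="MEDIUM"):
    """Failed checks at or above the threshold. A missing or unknown
    severity (no API key) cannot be rated, so it counts as blocking."""
    threshold = SEVERITY_RANK[hard_fail_on.upper()]
    blocking = []
    for check in failed_checks(report):
        rank = SEVERITY_RANK.get(str(check.get("severity")).upper(), threshold)
        if rank >= threshold:
            blocking.append(check)
    return blocking


def exit_code_for(report, hard_fail_on="MEDIUM"):
    """1 if anything blocks, else 0: the exit code the hook should return."""
    return 1 if blocking_failures(report, hard_fail_on) else 0


# Constructed sample of checkov -o json for the issue's main.tf (field layout
# assumed); severity is None because no API key was supplied.
SAMPLE_REPORT = {
    "check_type": "terraform",
    "results": {"passed_checks": [], "skipped_checks": [], "parsing_errors": [],
                "failed_checks": [{"check_id": "CKV_AZURE_104",
                                   "resource": "azurerm_data_factory.azure_data_factory",
                                   "file_path": "/main.tf", "severity": None}]},
    "summary": {"passed": 0, "failed": 1, "skipped": 0, "parsing_errors": 0},
}

if __name__ == "__main__":
    data = SAMPLE_REPORT
    if len(sys.argv) > 1:
        with open(sys.argv[1]) as fh:
            data = json.load(fh)
    for check in blocking_failures(data):
        print(f"BLOCKING {check['check_id']} severity={check.get('severity')} {check['resource']}")
    sys.exit(exit_code_for(data))
```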