bridgecrewio / checkov

Prevent cloud misconfigurations and find vulnerabilities during build-time in infrastructure as code, container images and open source packages with Checkov by Bridgecrew.
https://www.checkov.io/
Apache License 2.0

Checkov ignores terraform tfvars file specified in `--var-file` flag #4321

Open ppawlowski opened 1 year ago

ppawlowski commented 1 year ago

Describe the issue

Checkov ignores the path to the tfvars file specified in --var-file when the file is in a different directory than the terraform root module. Deep analysis has been made in another PR discussion: https://github.com/bridgecrewio/checkov/issues/3580#issuecomment-1346950236

Examples

main.tf:

provider "azurerm" {
    features {}
}

variable "storage" {
    type = object({
        name = string
        tls = string
    })
}

resource "azurerm_storage_account" "this" {
  name = var.storage.name
  min_tls_version = var.storage.tls
}

terraform.tfvars:

storage = {
    name = "checkovTest"
    tls = "TLS1_2"
}

Directory structure:

.
└── checkov_debug
    ├── main.tf
    └── vars
        └── terraform.tfvars

checkov execution (irrelevant output omitted):

 $ checkov -d checkov_debug/ -c CKV_AZURE_44 --var-file=./checkov_debug/vars/terraform.tfvars

terraform scan results:

Passed checks: 0, Failed checks: 1, Skipped checks: 0

Check: CKV_AZURE_44: "Ensure Storage Account is using the latest version of TLS encryption"
    FAILED for resource: azurerm_storage_account.this
    File: /main.tf:12-15
    Guide: https://docs.bridgecrew.io/docs/bc_azr_storage_2

        12 | resource "azurerm_storage_account" "this" {
        13 |   name = var.storage.name
        14 |   min_tls_version = var.storage.tls
        15 | }

Expected checkov output (irrelevant output omitted):

terraform scan results:

Passed checks: 1, Failed checks: 0, Skipped checks: 0

Check: CKV_AZURE_44: "Ensure Storage Account is using the latest version of TLS encryption"
    PASSED for resource: azurerm_storage_account.this
    File: /main.tf:12-15
    Guide: https://docs.bridgecrew.io/docs/bc_azr_storage_2

Version:

nicholas-marchini commented 1 year ago

@bridgecrew-bot Can you assign someone to this?

StevePerezUK commented 1 year ago

@gruebel - Hi, I would like to pick this issue up. @JamesWoolfenden as discussed.

gruebel commented 1 year ago

@StevePerezUK sure go ahead 🙂

cbcoutinho commented 1 year ago

Does the var-file option need to be relative to the current working directory, or whichever directory is passed to --directory?

Based on OP's example I would assume the following, similar to how terraform includes tfvars files relative to whatever directory is passed to the --directory (checkov) or -src (terraform) argument.

$ checkov -d checkov_debug/ -c CKV_AZURE_44 --var-file=vars/terraform.tfvars

StevePerezUK commented 1 year ago

@cbcoutinho - This is the requirement to fix --var-file so it works in the same way as terraform. https://developer.hashicorp.com/terraform/language/values/variables#variable-definition-precedence
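To make the precedence rules linked above concrete, here is an added Python sketch (not checkov's code and not a proposed patch) that applies Terraform's variable-definition order and resolves a relative --var-file against the scanned directory first, then the current working directory, as cbcoutinho suggested. The tfvars parser is a constructed stand-in that only handles the flat string and one-level object syntax used in this issue, and `demo()` rebuilds the reporter's directory layout in a temp dir.

```python
import tempfile
from pathlib import Path

TFVARS = 'storage = {\n    name = "checkovTest"\n    tls = "TLS1_2"\n}\n'  # copied from the issue

def parse_tfvars(text: str) -> dict:
    """Constructed mini-parser: `key = "value"` lines and one-level `{ }` objects only."""
    root, stack = {}, []
    cur = root
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        if line == "}":
            cur = stack.pop()
            continue
        key, _, val = (part.strip() for part in line.partition("="))
        if val == "{":
            stack.append(cur)
            cur = cur.setdefault(key, {})
        else:
            cur[key] = val.strip('"')
    return root

def resolve_variables(root: Path, var_files: list, cwd: Path, env: dict) -> dict:
    """Terraform variable-definition precedence, lowest first: TF_VAR_* env vars,
    terraform.tfvars, *.auto.tfvars (lexical), then -var-file in CLI order.
    A later source replaces a variable outright; objects are not deep-merged."""
    merged = {k[len("TF_VAR_"):]: v for k, v in env.items() if k.startswith("TF_VAR_")}
    sources = [root / "terraform.tfvars"] + sorted(root.glob("*.auto.tfvars"))
    for vf in var_files:
        p = Path(vf)
        if not p.is_absolute():  # relative to the scanned directory first, then to cwd
            p = root / p if (root / p).is_file() else cwd / p
        if not p.is_file():  # fail loudly instead of silently ignoring the file
            raise FileNotFoundError(f"var-file not found: {vf}")
        sources.append(p)
    for path in sources:
        if path.is_file():
            merged.update(parse_tfvars(path.read_text()))
    return merged

def demo(var_files=("vars/terraform.tfvars",), env=None) -> dict:
    """Recreate the issue's layout (cwd/checkov_debug/vars/terraform.tfvars) in a temp dir."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp) / "checkov_debug"
        (root / "vars").mkdir(parents=True)
        (root / "vars" / "terraform.tfvars").write_text(TFVARS)
        return resolve_variables(root, list(var_files), Path(tmp), env or {})
```

With this resolution order both the reporter's original `--var-file=./checkov_debug/vars/terraform.tfvars` (cwd-relative) and the proposed `--var-file=vars/terraform.tfvars` (directory-relative) find the same file, and a path that matches neither raises instead of being ignored.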

stale[bot] commented 10 months ago

Thanks for contributing to Checkov! We've automatically marked this issue as stale to keep our issues list tidy, because it has not had any activity for 6 months. It will be closed in 14 days if no further activity occurs. Commenting on this issue will remove the stale tag. If you want to talk through the issue or help us understand the priority and context, feel free to add a comment or join us in the Checkov slack channel at codifiedsecurity.slack.com Thanks!

ppawlowski commented 10 months ago

Not stale.

Januznl commented 5 months ago

I'm still seeing this issue; even when adding a file which does not exist, no error or warning is thrown.

krukowskid commented 1 month ago

@StevePerezUK any updates on this?