Open PIfM1 opened 8 months ago
I have the same situation where the SARIF export is linking the plan instead of the respective .tf file, with --repo-root-for-plan-enrichment enabled.
Thanks for contributing to Checkov! We've automatically marked this issue as stale to keep our issues list tidy, because it has not had any activity for 6 months. It will be closed in 14 days if no further activity occurs. Commenting on this issue will remove the stale tag. If you want to talk through the issue or help us understand the priority and context, feel free to add a comment or join us in the Checkov slack channel at codifiedsecurity.slack.com Thanks!
Was this issue solved? Should I retest? The problem is that I never got any feedback on this (other than the other one having the same issue)...
Describe the issue regarding: SARIF output

current: When scanning a Terraform plan (with --repo-root-for-plan-enrichment enabled), the SARIF results (physicalLocation) point to the plan file.

expected: "physicalLocation" should point to the actual Terraform file (of course only if enrichment was successful).

use case: Use the SARIF results with GitHub annotations.

Additional context: I'm not sure, but I think that it has to do with checkov/common/output/sarif.py using "repo_file_path" to build "artifactLocation", and checkov/common/output/report.py only replacing the "file_path" record property (with the scanned file) but not "repo_file_path" (and "file_abs_path") as well.

Is there a workaround or advice on how to deal with this to get a SARIF file that can be used with GitHub annotations? Or is it a bug that will be fixed?
(Edited to use the formal issue template for "outputs")
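The kind of post-processing workaround the issue asks about, as an added example that is not Checkov's code and not from the issue author. It takes the SARIF log and the JSON output of the same scan, joins the two on the check id, the plan-file URI and the start line, and rewrites each artifactLocation.uri to the enriched .tf path so GitHub code-scanning annotations land on the Terraform source. The field names file_path, repo_file_path and file_abs_path are the ones quoted in the issue; the surrounding JSON shape (results.failed_checks, check_id, file_line_range), the join key, and both sample inputs are constructed assumptions for this example. Leading "/" is stripped because GitHub resolves SARIF URIs relative to the repository root.

```python
"""Rewrite plan-file artifactLocation URIs in a Checkov SARIF log to the
enriched .tf path taken from the JSON output of the same scan.
Added example for the issue above, not Checkov's own code."""
import copy
import json
from pathlib import PurePosixPath

# Constructed sample: a minimal SARIF 2.1.0 log shaped like a Checkov export
# (runs -> results -> locations -> physicalLocation). The artifactLocation
# still names the plan file, which is the symptom described in the issue.
SAMPLE_SARIF = {
    "version": "2.1.0",
    "runs": [{
        "tool": {"driver": {"name": "Checkov"}},
        "results": [{
            "ruleId": "CKV_AWS_18",
            "message": {"text": "Ensure the S3 bucket has access logging enabled"},
            "locations": [{
                "physicalLocation": {
                    "artifactLocation": {"uri": "tfplan.json"},
                    "region": {"startLine": 12, "endLine": 24},
                }
            }],
        }],
    }],
}

# Constructed sample of the matching Checkov JSON record. file_path,
# repo_file_path and file_abs_path are the names quoted in the issue; the rest
# of the shape (and that file_line_range matches the SARIF region) is assumed.
SAMPLE_JSON = {
    "results": {
        "failed_checks": [{
            "check_id": "CKV_AWS_18",
            "file_path": "/modules/s3/main.tf",  # replaced by enrichment
            "repo_file_path": "/tfplan.json",     # not replaced, per the issue
            "file_abs_path": "/work/tfplan.json",
            "file_line_range": [12, 24],
        }]
    }
}


def _norm(uri: str) -> str:
    """Normalise a path so both outputs compare the same: POSIX form,
    no leading "/" or "./" (GitHub wants repo-root-relative URIs)."""
    return PurePosixPath(uri).as_posix().lstrip("/")


def build_location_map(json_report: dict) -> dict:
    """Map (check_id, plan_uri, start_line) -> enriched .tf path.
    Records whose file_path still equals repo_file_path were not enriched
    and are skipped, so their SARIF entries are left untouched."""
    mapping = {}
    for bucket in ("failed_checks", "passed_checks"):
        for rec in json_report.get("results", {}).get(bucket, []):
            enriched, plan = rec.get("file_path"), rec.get("repo_file_path")
            if not enriched or not plan or _norm(enriched) == _norm(plan):
                continue
            start = (rec.get("file_line_range") or [None])[0]
            mapping[(rec["check_id"], _norm(plan), start)] = _norm(enriched)
    return mapping


def rewrite_sarif(sarif: dict, mapping: dict) -> tuple:
    """Return (rewritten copy of the SARIF log, number of URIs rewritten)."""
    out = copy.deepcopy(sarif)
    rewritten = 0
    for run in out.get("runs", []):
        for res in run.get("results", []):
            for loc in res.get("locations", []):
                phys = loc.get("physicalLocation", {})
                art = phys.get("artifactLocation", {})
                key = (res.get("ruleId"), _norm(art.get("uri", "")),
                       phys.get("region", {}).get("startLine"))
                if key in mapping:
                    art["uri"] = mapping[key]
                    rewritten += 1
    return out, rewritten


def locations_pointing_at(sarif: dict, suffix: str = ".json") -> list:
    """List (ruleId, uri) pairs whose artifact still looks like a plan file;
    useful as a check before uploading the SARIF to GitHub."""
    hits = []
    for run in sarif.get("runs", []):
        for res in run.get("results", []):
            for loc in res.get("locations", []):
                uri = loc.get("physicalLocation", {}).get("artifactLocation", {}).get("uri", "")
                if uri.endswith(suffix):
                    hits.append((res.get("ruleId"), uri))
    return hits


if __name__ == "__main__":
    fixed, count = rewrite_sarif(SAMPLE_SARIF, build_location_map(SAMPLE_JSON))
    print(f"rewrote {count} location(s); still on plan file: "
          f"{locations_pointing_at(fixed)}")
    print(json.dumps(fixed, indent=2))
```

Run Checkov once with both outputs (for example `-o sarif -o json`), load the two files with json.load, and feed them to build_location_map and rewrite_sarif in place of the constructed samples; locations_pointing_at on the result should come back empty before the SARIF is uploaded.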