bridgecrewio / checkov

Prevent cloud misconfigurations and find vulnerabilities during build-time in infrastructure as code, container images and open source packages with Checkov by Bridgecrew.
https://www.checkov.io/
Apache License 2.0

Bicep join() function causes checkov to fail to parse entire file #6640

Open briantkatch opened 1 month ago

briantkatch commented 1 month ago

Describe the issue

Using join() in a value anywhere in a Bicep file causes checkov to fail to parse the entire file.

Also, there does not seem to be any way to get more detail on why checkov failed to parse a file, making debugging/issue identification difficult.

Example Value

Please share an example check / use case that this issue will allow checkov to support.

Minimal example: this is valid Bicep and will deploy if you change the tenant ID to your own, and the keyVault name to one that is not already taken:

param keyVaultName array = ['m','y','v','a','u','l','t']

resource connectionStringVault 'Microsoft.KeyVault/vaults@2023-07-01' = {
  name: join(keyVaultName, '') 
  location: 'canadacentral'
  properties: {
    enableRbacAuthorization: true
    sku: {
      family: 'A'
      name: 'standard'
    }
    tenantId: '12345678-9012-4567-8900-abcdefabcdef'
    enablePurgeProtection: true
    enableSoftDelete: true
  }
}

Checkov fails to parse this file.

Of course, we are not using join() for a resource name but rather the value of an environment variable of a Function App, join()ing an array of parameters into a comma-separated list.

If join() cannot be fully supported, it would be better if it were just treated as an unresolvable parameter so checkov can validate what it understands; checkov does not seem to support Bicep parameter files at the moment anyway (unlike Terraform variable files).
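To make the "validate what it understands" fallback concrete, here is an added toy illustration (not Checkov's or pycep's parser, and not code from this issue's author): a minimal evaluator that reads the resource body from the snippet above, turns the unsupported join() call and any bare parameter reference into an Unresolved placeholder instead of aborting, and then runs three Key Vault hardening checks on the properties that did resolve. The sample Bicep text, the check identifiers and the result labels are all constructed for this example.

```python
"""Toy 'evaluate what you can' parser for a Bicep resource body.

Constructed example: unsupported expressions (function calls such as join(),
bare parameter references) become an Unresolved placeholder so the remaining
properties can still be checked, instead of the whole file being dropped.
"""
import re
from dataclasses import dataclass

# Constructed sample, mirroring the resource from the issue above.
SAMPLE_BICEP = """
resource connectionStringVault 'Microsoft.KeyVault/vaults@2023-07-01' = {
  name: join(keyVaultName, '')
  location: 'canadacentral'
  properties: {
    enableRbacAuthorization: true
    sku: {
      family: 'A'
      name: 'standard'
    }
    tenantId: '12345678-9012-4567-8900-abcdefabcdef'
    enablePurgeProtection: true
    enableSoftDelete: true
  }
}
"""


@dataclass(frozen=True)
class Unresolved:
    """Placeholder for an expression this toy evaluator does not support."""
    expr: str


_RESOURCE = re.compile(r"^resource\s+(\w+)\s+'([^']+)'\s*=\s*\{$")


def parse_value(text):
    """Resolve literals; anything else (join(...), identifiers) stays Unresolved."""
    text = text.strip()
    if text == "true":
        return True
    if text == "false":
        return False
    if len(text) >= 2 and text.startswith("'") and text.endswith("'"):
        return text[1:-1]
    if re.fullmatch(r"-?\d+", text):
        return int(text)
    return Unresolved(text)


def parse_object(lines, i):
    """Parse 'key: value' lines from lines[i] until the closing '}'.

    Returns (dict, index of the line after the closing brace)."""
    obj = {}
    while i < len(lines):
        line = lines[i].strip()
        if line == "}":
            return obj, i + 1
        key, _, rest = line.partition(":")
        rest = rest.strip()
        if rest == "{":
            obj[key.strip()], i = parse_object(lines, i + 1)
        else:
            obj[key.strip()] = parse_value(rest)
            i += 1
    raise ValueError("unterminated object")


def parse_resources(source):
    """Return [{'name', 'type', 'body'}] for every resource block in source."""
    lines = [ln for ln in source.splitlines() if ln.strip()]
    resources, i = [], 0
    while i < len(lines):
        m = _RESOURCE.match(lines[i].strip())
        if not m:
            i += 1
            continue
        body, i = parse_object(lines, i + 1)
        resources.append({"name": m.group(1), "type": m.group(2), "body": body})
    return resources


def check_key_vault(resource):
    """Map constructed check ids to PASSED / FAILED / UNKNOWN for one vault."""
    props = resource["body"].get("properties", {})
    results = {}
    for check_id, prop in (("purge_protection", "enablePurgeProtection"),
                           ("soft_delete", "enableSoftDelete"),
                           ("rbac_authorization", "enableRbacAuthorization")):
        value = props.get(prop)
        if isinstance(value, Unresolved):
            results[check_id] = "UNKNOWN"   # visible gap, not a silent skip
        else:
            results[check_id] = "PASSED" if value is True else "FAILED"
    return results


def scan(source):
    """Run the Key Vault checks over every vault resource in the file."""
    return {res["name"]: check_key_vault(res)
            for res in parse_resources(source)
            if res["type"].startswith("Microsoft.KeyVault/vaults@")}


if __name__ == "__main__":
    for name, result in scan(SAMPLE_BICEP).items():
        print(name, result)
```

The point of the UNKNOWN label is that a reviewer can see exactly which property could not be evaluated, rather than the whole file vanishing from the report with no failed checks and no passed checks to hint that coverage was lost.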

gruebel commented 1 month ago

Hey @briantkatch, I fixed it in the parser library a while ago, but I can see checkov is pinned to the version before the fix. In general, I added support for quite a lot more new Bicep syntax, but haven't released it yet.

briantkatch commented 1 month ago

Hey @gruebel, that's awesome. Is there a separate repo for parser issues?

Is there a way to get a more verbose error/line position when checkov fails to parse a file?

gruebel commented 1 month ago

Yeah, here it is: https://github.com/gruebel/pycep

I'm not 100% sure, but if you enable debug logs it should be visible, though it is typically very cryptic.