
terraform_plan: Handling of non-indented json

Open syphernl opened this issue 3 years ago • 4 comments

Describe the issue We're using terraform show --json plan.tfplan > tfplan.json to output a JSON file. This is a raw JSON file with no formatting/indenting. As a result the check output is not showing much information and is kind of useless.

Check: CKV2_AWS_12: "Ensure the default security group of every VPC restricts all traffic"
	FAILED for resource: aws_vpc.default
	File: /tfplan.json:0-0
	Guide: https://docs.bridgecrew.io/docs/networking_4

With a formatted JSON (e.g. generated using cat tfplan.json | jq > tfplan2.json) it does produce useful results:

Check: CKV2_AWS_12: "Ensure the default security group of every VPC restricts all traffic"
	FAILED for resource: aws_vpc.default
	File: /tfplan.json:1691-1722
	Guide: https://docs.bridgecrew.io/docs/networking_4

		1692 |                 "arn": "REDACTED",
		1693 |                 "assign_generated_ipv6_cidr_block": true,
		1694 |                 "cidr_block": "REDACTED",
		1695 |                 "default_network_acl_id": "REDACTED",
		1696 |                 "default_route_table_id": "REDACTED",
		1697 |                 "default_security_group_id": "REDACTED",
		1698 |                 "dhcp_options_id": "REDACTED",
		1699 |                 "enable_classiclink": false,
		1700 |                 "enable_classiclink_dns_support": false,
		1701 |                 "enable_dns_hostnames": true,
		1702 |                 "enable_dns_support": true,
		1703 |                 "id": "vpc-REDACTED",
		1704 |                 "instance_tenancy": "default",
		1705 |                 "ipv4_ipam_pool_id": null,
		1706 |                 "ipv4_netmask_length": null,
		1707 |                 "ipv6_association_id": "vpc-cidr-assoc-REDACTED",
		1708 |                 "ipv6_cidr_block": "REDACTED:/56",
		1709 |                 "ipv6_cidr_block_network_border_group": "REDACTED",
		1710 |                 "ipv6_ipam_pool_id": "",
		1711 |                 "ipv6_netmask_length": 0,
		1712 |                 "main_route_table_id": "rtb-REDACTED",
		1713 |                 "owner_id": "REDACTED",
		1714 |                 "tags": {
		1715 |                   "Name": "REDACTED",
		1716 |                   "Namespace": "REDACTED",
		1717 |                   "Stage": "REDACTED"
		1718 |                 },
		1719 |                 "tags_all": {
		1720 |                   "Name": "REDACTED",
		1721 |                   "Namespace": "REDACTED",
		1722 |                   "Stage": "REDACTED"

It would be nice if Checkov could format the JSON prior to processing it so it would produce actually useful results.


syphernl, Feb 02 '22 08:02
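The behaviour reported above, reproduced as an added example that is not checkov's own code: a constructed compact plan (the shape `terraform show -json` emits) gives no usable line span for a resource, while the same plan pretty-printed does. The sample plan, resource addresses and function names are invented for illustration.

```python
import json
import re

# Constructed, minimal plan JSON in compact form (no indentation), as `terraform show -json`
# writes it. This is a made-up sample, not a real plan file.
COMPACT_PLAN = json.dumps({
    "format_version": "1.0",
    "planned_values": {"root_module": {"resources": [
        {"address": "aws_s3_bucket.logs", "type": "aws_s3_bucket", "name": "logs",
         "values": {"bucket": "example-logs"}},
        {"address": "aws_vpc.default", "type": "aws_vpc", "name": "default",
         "values": {"cidr_block": "10.0.0.0/16", "enable_dns_support": True,
                    "tags": {"Name": "default"}}},
    ]}},
}, separators=(",", ":"))


def format_plan(raw: str, indent: int = 2) -> str:
    """Pretty-print compact plan JSON so every attribute lands on its own line
    (the step the maintainers recommend doing before running checkov)."""
    return json.dumps(json.loads(raw), indent=indent)


def resource_line_range(plan_text: str, address: str) -> tuple:
    """Return the 1-based (start, end) line span of the resource object whose
    "address" equals `address`, found by locating the address line and matching
    the braces of the enclosing object. Returns (0, 0) when the object cannot be
    isolated onto its own lines, mirroring the useless 0-0 range in the report."""
    lines = plan_text.splitlines()
    needle = re.compile(r'"address":\s*' + re.escape(json.dumps(address)))
    hit = next((i for i, ln in enumerate(lines) if needle.search(ln)), None)
    if hit is None or len(lines) == 1:
        return (0, 0)
    # Walk back to the line that opens this resource object.
    start = hit
    while start > 0 and not lines[start].rstrip().endswith("{"):
        start -= 1
    # Walk forward, tracking brace depth, until the object closes.
    depth = 0
    for j in range(start, len(lines)):
        depth += lines[j].count("{") - lines[j].count("}")
        if depth == 0:
            return (start + 1, j + 1)
    return (0, 0)


if __name__ == "__main__":
    print("compact :", resource_line_range(COMPACT_PLAN, "aws_vpc.default"))
    print("indented:", resource_line_range(format_plan(COMPACT_PLAN), "aws_vpc.default"))
```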

I'm not sure about it. On one hand I can understand the wish for this feature, but on the other hand I don't know if we want to add this to checkov. @schosterbarak @tsmithv11 any thoughts?

gruebel, Feb 02 '22 08:02

It's hard to track lines of code if checkov is doing the indents. I prefer to have the indents happen before running checkov.

schosterbarak, Feb 07 '22 16:02

I do think we should update the docs accordingly.

schosterbarak, Feb 07 '22 16:02

Thanks for contributing to Checkov! We've automatically marked this issue as stale to keep our issues list tidy, because it has not had any activity for 6 months. It will be closed in 14 days if no further activity occurs. Commenting on this issue will remove the stale tag. If you want to talk through the issue or help us understand the priority and context, feel free to add a comment or join us in the Checkov slack channel at https://slack.bridgecrew.io Thanks!

stale[bot], Aug 06 '22 16:08

Closing issue due to inactivity. If you feel this is in error, please re-open, or reach out to the community via slack: https://slack.bridgecrew.io Thanks!

stale[bot], Aug 31 '22 20:08