checkov
tf variables are not evaluated when main.tf is a symlink file
Describe the issue
Checkov is not evaluating Terraform variables from the tfvars file for a symlinked main.tf file and hence is not finding vulnerabilities.
We have a main.tf file which is symlinked into the respective directories (dev, stg, prod, ...) and each directory has a terraform.tfvars file with variable values.
When I run checkov inside each directory, it's not evaluating the variable values, hence not finding vulnerabilities.
Below is an example. When main.tf is a symlink file, Check: CKV_AWS_24 passes, but when it's not a symlink the check fails correctly.
Expectation: Even when main.tf is a symlink file, Check: CKV_AWS_24 should fail since the variable holds the cidr value 0.0.0.0/0.
Examples
❯ tree
.
├── dev
│   ├── main.tf -> ../main.tf
│   └── terraform.tfvars
├── main.tf
├── prod
│   ├── main.tf # not symlinked for this demo purpose
│   └── terraform.tfvars
└── staging
    ├── main.tf -> ../main.tf
    └── terraform.tfvars
❯ cat main.tf
terraform {
  required_providers {
    aws = {
      source  = "hashicorp/aws"
      version = "~> 4"
    }
  }
}

provider "aws" {
  region = "us-west-2"
}

variable "cidr_test" {
  type = string
}

resource "aws_security_group_rule" "test" {
  type              = "ingress"
  from_port         = 22
  to_port           = 22
  protocol          = "tcp"
  cidr_blocks       = [var.cidr_test]
  security_group_id = aws_security_group.aravind.id
}
❯ cat dev/terraform.tfvars
cidr_test = "0.0.0.0/0"
❯ cd dev
❯ checkov -d .
[ terraform framework ]: 100%|████████████████████|[1/1], Current File Scanned=../main.tf
[ secrets framework ]: 100%|████████████████████|[1/1], Current File Scanned=./main.tf
       _               _
   ___| |__   ___  ___| | _______   __
  / __| '_ \ / _ \/ __| |/ / _ \ \ / /
 | (__| | | |  __/ (__|   < (_) \ V /
  \___|_| |_|\___|\___|_|\_\___/ \_/
By bridgecrew.io | version: 2.1.149
Update available 2.1.149 -> 2.1.156
Run pip3 install -U checkov to update
terraform scan results:
Passed checks: 4, Failed checks: 1, Skipped checks: 0
Check: CKV_AWS_260: "Ensure no security groups allow ingress from 0.0.0.0:0 to port 80"
PASSED for resource: aws_security_group_rule.test
File: /../main.tf:18-25
Check: CKV_AWS_24: "Ensure no security groups allow ingress from 0.0.0.0:0 to port 22"
PASSED for resource: aws_security_group_rule.test
File: /../main.tf:18-25
Guide: https://docs.bridgecrew.io/docs/networking_1-port-security
Check: CKV_AWS_25: "Ensure no security groups allow ingress from 0.0.0.0:0 to port 3389"
PASSED for resource: aws_security_group_rule.test
File: /../main.tf:18-25
Guide: https://docs.bridgecrew.io/docs/networking_2
Check: CKV_AWS_41: "Ensure no hard coded AWS access key and secret key exists in provider"
PASSED for resource: aws.default
File: /../main.tf:10-12
Guide: https://docs.bridgecrew.io/docs/bc_aws_secrets_5
Check: CKV_AWS_23: "Ensure every security groups rule has a description"
FAILED for resource: aws_security_group_rule.test
File: /../main.tf:18-25
Guide: https://docs.bridgecrew.io/docs/networking_31
18 | resource "aws_security_group_rule" "test" {
19 |   type              = "ingress"
20 |   from_port         = 22
21 |   to_port           = 22
22 |   protocol          = "tcp"
23 |   cidr_blocks       = [var.cidr_test]
24 |   security_group_id = aws_security_group.aravind.id
25 | }
❯ cd ../prod
❯ checkov -d .
[ terraform framework ]: 100%|████████████████████|[1/1], Current File Scanned=main.tf
[ secrets framework ]: 100%|████████████████████|[1/1], Current File Scanned=./main.tf
       _               _
   ___| |__   ___  ___| | _______   __
  / __| '_ \ / _ \/ __| |/ / _ \ \ / /
 | (__| | | |  __/ (__|   < (_) \ V /
  \___|_| |_|\___|\___|_|\_\___/ \_/
By bridgecrew.io | version: 2.1.149
Update available 2.1.149 -> 2.1.156
Run pip3 install -U checkov to update
terraform scan results:
Passed checks: 3, Failed checks: 2, Skipped checks: 0
Check: CKV_AWS_260: "Ensure no security groups allow ingress from 0.0.0.0:0 to port 80"
PASSED for resource: aws_security_group_rule.test
File: /main.tf:18-25
Check: CKV_AWS_25: "Ensure no security groups allow ingress from 0.0.0.0:0 to port 3389"
PASSED for resource: aws_security_group_rule.test
File: /main.tf:18-25
Guide: https://docs.bridgecrew.io/docs/networking_2
Check: CKV_AWS_41: "Ensure no hard coded AWS access key and secret key exists in provider"
PASSED for resource: aws.default
File: /main.tf:10-12
Guide: https://docs.bridgecrew.io/docs/bc_aws_secrets_5
Check: CKV_AWS_24: "Ensure no security groups allow ingress from 0.0.0.0:0 to port 22"
FAILED for resource: aws_security_group_rule.test
File: /main.tf:18-25
Guide: https://docs.bridgecrew.io/docs/networking_1-port-security
18 | resource "aws_security_group_rule" "test" {
19 |   type              = "ingress"
20 |   from_port         = 22
21 |   to_port           = 22
22 |   protocol          = "tcp"
23 |   cidr_blocks       = [var.cidr_test]
24 |   security_group_id = aws_security_group.aravind.id
25 | }
Check: CKV_AWS_23: "Ensure every security groups rule has a description"
FAILED for resource: aws_security_group_rule.test
File: /main.tf:18-25
Guide: https://docs.bridgecrew.io/docs/networking_31
18 | resource "aws_security_group_rule" "test" {
19 |   type              = "ingress"
20 |   from_port         = 22
21 |   to_port           = 22
22 |   protocol          = "tcp"
23 |   cidr_blocks       = [var.cidr_test]
24 |   security_group_id = aws_security_group.aravind.id
25 | }
❯ cd ..
❯ diff prod/main.tf dev/main.tf
❯
Version (please complete the following information):
❯ checkov --version
2.1.149
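What follows is an added example, not checkov's code and not from the reporter. It rebuilds the directory layout from the report in a temporary directory (with real symlinks) and runs a toy port-22 check, fed by a toy terraform.tfvars reader, under two lookup rules: one that looks for terraform.tfvars next to the path that was scanned (dev/main.tf), and one that first resolves the symlink and looks next to its target (../main.tf). The second rule reproduces the PASSED-in-dev / FAILED-in-prod split shown above. That rule is a hypothesis consistent with the `Current File Scanned=../main.tf` progress line, not a confirmed root cause, and the HCL and tfvars parsing is deliberately minimal (only the shapes used in this layout).

```python
"""Added example: how tfvars discovery next to a resolved symlink target
produces the false negative described in the report. Not checkov's code."""
import os
import re
import tempfile
from pathlib import Path
from typing import Dict, List, Tuple

# Constructed inputs: the variable and rule from the report's main.tf, and dev/terraform.tfvars.
MAIN_TF = '''variable "cidr_test" {
  type = string
}

resource "aws_security_group_rule" "test" {
  type              = "ingress"
  from_port         = 22
  to_port           = 22
  protocol          = "tcp"
  cidr_blocks       = [var.cidr_test]
  security_group_id = aws_security_group.aravind.id
}
'''
TFVARS = 'cidr_test = "0.0.0.0/0"\n'

# Toy readers: `name = "string"` tfvars lines and the attributes of one security group rule.
TFVARS_RE = re.compile(r'^\s*(\w+)\s*=\s*"([^"]*)"\s*$', re.M)
ATTR_RE = re.compile(r'^\s*(\w+)\s*=\s*(.+?)\s*$', re.M)
RULE_RE = re.compile(r'resource "aws_security_group_rule" "\w+" \{(.*?)\n\}', re.S)


def build_layout(root: Path) -> None:
    """dev/ and staging/ symlink ../main.tf; prod/ holds a real copy, as in the report."""
    (root / "main.tf").write_text(MAIN_TF)
    for env in ("dev", "staging"):
        d = root / env
        d.mkdir()
        os.symlink("../main.tf", d / "main.tf")
        (d / "terraform.tfvars").write_text(TFVARS)
    prod = root / "prod"
    prod.mkdir()
    (prod / "main.tf").write_text(MAIN_TF)  # not a symlink
    (prod / "terraform.tfvars").write_text(TFVARS)


def load_tfvars(directory: Path) -> Dict[str, str]:
    f = directory / "terraform.tfvars"
    return dict(TFVARS_RE.findall(f.read_text())) if f.is_file() else {}


def tfvars_dir(tf_file: Path, resolve_symlinks: bool) -> Path:
    """Directory searched for terraform.tfvars.
    resolve_symlinks=True follows dev/main.tf to ../main.tf and looks beside the
    target (the parent, which has no tfvars); False looks beside the scanned path."""
    return (tf_file.resolve() if resolve_symlinks else tf_file).parent


def parse_rule(tf_text: str) -> Dict[str, str]:
    body = RULE_RE.search(tf_text).group(1)
    return {k: v.strip('"') for k, v in ATTR_RE.findall(body)}


def ckv_aws_24(rule_type: str, from_port: int, to_port: int, cidr_blocks: List[str]) -> str:
    """Simplified 'no ingress from 0.0.0.0/0 to port 22'. An unresolved `var.x`
    reference is not 0.0.0.0/0, so the check passes: the false negative in the report."""
    world_open = any(c in ("0.0.0.0/0", "::/0") for c in cidr_blocks)
    if rule_type == "ingress" and from_port <= 22 <= to_port and world_open:
        return "FAILED"
    return "PASSED"


def scan_env(root: Path, env: str, resolve_symlinks: bool) -> str:
    tf_file = root / env / "main.tf"
    rule = parse_rule(tf_file.read_text())  # reading through the symlink works either way
    tfvars = load_tfvars(tfvars_dir(tf_file, resolve_symlinks))
    raw = rule["cidr_blocks"].strip("[]")  # e.g. var.cidr_test
    cidr = tfvars.get(raw[len("var."):], raw) if raw.startswith("var.") else raw.strip('"')
    return ckv_aws_24(rule["type"], int(rule["from_port"]), int(rule["to_port"]), [cidr])


def run_demo() -> Dict[Tuple[str, bool], str]:
    """Scan every environment under both lookup rules; keys are (env, resolve_symlinks)."""
    results: Dict[Tuple[str, bool], str] = {}
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        build_layout(root)
        for env in ("dev", "staging", "prod"):
            for resolve in (True, False):
                results[(env, resolve)] = scan_env(root, env, resolve)
    return results


if __name__ == "__main__":
    for (env, resolve), verdict in sorted(run_demo().items()):
        print(f"{env:8} {'resolve symlink' if resolve else 'scan dir':16} CKV_AWS_24 {verdict}")
```

With the resolve-first rule, dev and staging come back PASSED while prod comes back FAILED, which is the report's table; with the scan-directory rule all three fail. The same harness can be pointed at a real checkout to confirm that every environment directory, symlinked or not, actually ships a terraform.tfvars beside the scanned path.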