checkov
unable to skip checks in a module specifying a count number and using --repo-root-for-plan-enrichment flag
Describe the issue
Noticed that skips are not taken into account in a module when the module itself specifies a count number.
The specific use-case is that we have a conditional count based on a variable:
count = var.some_boolean_variable ? 1 : 0
Reproduced with different modules
Examples
Without any count number, skips are working as intended:
module "bucket" {
  #checkov:skip=CKV_GCP_62
  #checkov:skip=CKV_GCP_63
  #checkov:skip=CKV_GCP_78
  #checkov:skip=CKV_GCP_114
  source        = "terraform-google-modules/cloud-storage/google"
  version       = "3.4.0"
  project_id    = 123456
  storage_class = "STANDARD"
  prefix        = ""
  names         = ["test"]
}
For modules, scanning directories does not seem to work in general when trying to skip checks, so performing it on the plan JSON output:
terraform plan -out=./plan.tfplan;terraform show -no-color -json plan.tfplan > plan.json
checkov --file plan.json --repo-root-for-plan-enrichment . --download-external-modules "true"
Output:
Adding a count number to the module:
module "bucket" {
  #checkov:skip=CKV_GCP_62
  #checkov:skip=CKV_GCP_63
  #checkov:skip=CKV_GCP_78
  #checkov:skip=CKV_GCP_114
  count         = 1
  source        = "terraform-google-modules/cloud-storage/google"
  version       = "3.4.0"
  project_id    = 123456
  storage_class = "STANDARD"
  prefix        = ""
  names         = ["test"]
}
Output:
Version (please complete the following information):
- Checkov Version 2.3.287
hey @fleroux514 thanks for reaching out.
Normal Terraform scanning with module + count works as it should. This seems to be an issue especially related to Terraform plan + --repo-root-for-plan-enrichment flag.
Same issue when using for_each, using checkov v 2.4.5.
This example works:
locals {
  acr = {
    acr_1 = {
      name                = "mytestacr"
      resource_group_name = data.azurerm_resource_group.main.name
      location            = data.azurerm_resource_group.main.location
      sku                 = "Premium"
      admin_enabled       = false
    }
  }
}
module "acr" {
  #checkov:skip=CKV_AZURE_167:testing
  #checkov:skip=CKV_AZURE_164:testing
  #checkov:skip=CKV_AZURE_166:testing
  #checkov:skip=CKV_AZURE_139:testing
  source   = "../modules/container_registry"
  settings = local.acr.acr_1
}
Running checkov on plan:
terraform plan -out=./plan.tfplan;terraform show -no-color -json plan.tfplan > plan.json
checkov --file plan.json --framework terraform_plan --repo-root-for-plan-enrichment . --download-external-modules true --compact --summary-position bottom
Results:
...while using for_each when calling the module does not pick up my skip comments:
locals {
  acr = {
    acr_1 = {
      name                = "mytestacr"
      resource_group_name = data.azurerm_resource_group.main.name
      location            = data.azurerm_resource_group.main.location
      sku                 = "Premium"
      admin_enabled       = false
    }
  }
}
module "acr" {
  #checkov:skip=CKV_AZURE_167:testing
  #checkov:skip=CKV_AZURE_164:testing
  #checkov:skip=CKV_AZURE_166:testing
  #checkov:skip=CKV_AZURE_139:testing
  source   = "../modules/container_registry"
  for_each = local.acr
  settings = each.value
}
Results:
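Added example (not checkov's code and not from any commenter): a standalone Python sketch of the address mapping that plan enrichment has to get right for both reports above, the count case (module "bucket") and the for_each case (module "acr"). In Terraform's plan JSON, a module call with count appears as module.bucket[0] and one with for_each as module.acr["acr_1"], while the skip comments live in the root-module HCL under the plain call name. The plan fragment and HCL below are constructed; the naive_module_call function is a hypothetical illustration of how a lookup that does not strip instance keys misses the skips, and root_module_call shows the normalised lookup that finds them. Whether this is checkov's actual root cause is an assumption, not something the thread confirms.

```python
import json
import re

# Constructed plan JSON fragment (not real terraform/checkov output). Addresses
# follow Terraform's plan format: count -> module.bucket[0], for_each -> module.acr["acr_1"].
SAMPLE_PLAN = json.dumps({
    "format_version": "1.2",
    "resource_changes": [
        {"address": 'module.bucket[0].google_storage_bucket.buckets["test"]',
         "module_address": "module.bucket[0]",
         "type": "google_storage_bucket", "name": "buckets"},
        {"address": 'module.acr["acr_1"].azurerm_container_registry.this',
         "module_address": 'module.acr["acr_1"]',
         "type": "azurerm_container_registry", "name": "this"},
        {"address": "google_storage_bucket.root",
         "type": "google_storage_bucket", "name": "root"},
    ],
})

# Constructed root-module HCL carrying skip comments in the same style as the reports.
SAMPLE_HCL = '''
module "bucket" {
  #checkov:skip=CKV_GCP_62
  #checkov:skip=CKV_GCP_78:legacy bucket
  count  = 1
  source = "terraform-google-modules/cloud-storage/google"
}

module "acr" {
  #checkov:skip=CKV_AZURE_167:testing
  for_each = local.acr
  source   = "../modules/container_registry"
}
'''

MODULE_BLOCK = re.compile(r'module\s+"([^"]+)"\s*\{(.*?)\n\}', re.S)
SKIP_COMMENT = re.compile(r'#\s*checkov:skip=([A-Z0-9_]+)(?::(.*))?')
INSTANCE_KEY = re.compile(r'\[[^\]]*\]')  # [0] or ["acr_1"] after a module call / resource


def module_skips(hcl):
    """Map each root-module call name to the set of check ids skipped in its block."""
    skips = {}
    for name, body in MODULE_BLOCK.findall(hcl):
        skips[name] = {m.group(1) for m in SKIP_COMMENT.finditer(body)}
    return skips


def strip_instance_keys(address):
    """Drop count/for_each keys: module.acr["acr_1"].x.y -> module.acr.x.y"""
    return INSTANCE_KEY.sub("", address)


def naive_module_call(address):
    """Hypothetical failure mode: without normalisation the call name keeps its
    instance key ('bucket[0]'), so it never matches the HCL block name 'bucket'."""
    parts = address.split(".")
    return parts[1] if len(parts) >= 2 and parts[0] == "module" else None


def root_module_call(address):
    """Normalised lookup: first module call name in the address, None for root resources."""
    parts = strip_instance_keys(address).split(".")
    return parts[1] if len(parts) >= 2 and parts[0] == "module" else None


def skipped_checks_for(plan_json, hcl):
    """Return {resource address: set of check ids to skip} for every planned resource."""
    plan = json.loads(plan_json)
    skips = module_skips(hcl)
    result = {}
    for change in plan.get("resource_changes", []):
        call = root_module_call(change["address"])
        result[change["address"]] = set(skips.get(call, set()))
    return result


if __name__ == "__main__":
    for address, ids in skipped_checks_for(SAMPLE_PLAN, SAMPLE_HCL).items():
        print(address, "->", sorted(ids) or "no skips")
```

The contrast worth keeping in mind when triaging reports like the ones above: naive_module_call yields "bucket[0]" and 'acr["acr_1"]', which are not keys in the skip map, so both instances lose their skips, which is exactly the symptom when count or for_each is added and disappears when it is removed. Nested module calls would need the same stripping applied to every segment, which strip_instance_keys already does.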
Yes I can replicate in a Windows Git Bash Window. On Linux this works fine. This scenario happens on Windows.
checkov --version 2.4.41
This is fine on linux.
I have the same problem with for_each.
➜ checkov --version
3.1.42
Operating system: Mac OS ARM and Alpine Linux
Same issue here with count on a module. When count is removed, checkov skips the checks as expected.
checkov --version 3.2.159
OS: Ubuntu 22.04