Deep Analysis Ignores Terraform Inline Skips/Missing checks
Describe the issue
I am trying to scan a Terraform project using its plan file and the .tf files for enrichment. My end goal is to be able to scan a plan file but have the ability to add resource-specific skips in the code rather than ignoring a check across all resources.
With deep analysis enabled, any inline skips are ignored. When flipped to disabled, the inline skips are respected. I also noticed that with DA enabled, the number of checks changes; for my specific project there are 293 total checks with DA set to false and 298 with it set to true.
Examples
Here is my .checkov.yaml:
download-external-modules: true
evaluate-variables: true
external-modules-download-path: .external_modules
framework:
- terraform
- terraform_plan
output: cli
quiet: true
compact: true
skip-check:
- CKV_TF_1 # Ensure Terraform module sources use a commit hash
repo-root-for-plan-enrichment: ./
deep-analysis: false # setting this to true removes inline skip functionality
soft-fail: false
summary-position: bottom
module "alb" {
source = "terraform-aws-modules/alb/aws"
version = "9.16.0"
#checkov:skip=CKV_AWS_150:Ensure that Load Balancer has deletion protection enabled
enable_deletion_protection = false
...
}
I run:
terraform plan --out tfplan.binary && terraform show -json tfplan.binary | jq > tfplan.json && checkov -f tfplan.json
Flipping between DA true and false in the .checkov.yaml shows 1 skip when set to false, and 0 when set to true, and it fails CKV_AWS_150.
Version (please complete the following information):
- Checkov Version 3.2.447 (installed via pip) and 3.2.440 (installed via homebrew)
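To make the distinction in the report concrete (a global skip-check entry versus an inline #checkov:skip that should only affect the annotated block), here is an added, self-contained illustration of how inline skips in .tf source can be mapped onto resource addresses from a `terraform show -json` plan. It is not checkov's own code and does not reproduce its parser: the HCL block detection is a deliberately simplified brace counter (an assumption: braces inside string literals are not handled), and the plan JSON and .tf text are constructed samples modelled on the module block in the report.

```python
import json
import re
from collections import defaultdict

# Constructed sample plan fragment in `terraform show -json` shape (not from the issue).
SAMPLE_PLAN_JSON = json.dumps({
    "format_version": "1.2",
    "planned_values": {
        "root_module": {
            "resources": [
                {"address": "aws_s3_bucket.logs", "type": "aws_s3_bucket", "name": "logs",
                 "values": {"bucket": "example-logs"}},
            ],
            "child_modules": [
                {
                    "address": "module.alb",
                    "resources": [
                        {"address": "module.alb.aws_lb.this[0]", "type": "aws_lb", "name": "this",
                         "values": {"enable_deletion_protection": False}},
                    ],
                }
            ],
        }
    },
})

# Constructed sample .tf content mirroring the reported module block plus one root resource.
SAMPLE_TF = '''
module "alb" {
  source  = "terraform-aws-modules/alb/aws"
  version = "9.16.0"
  #checkov:skip=CKV_AWS_150:Ensure that Load Balancer has deletion protection enabled
  enable_deletion_protection = false
}

resource "aws_s3_bucket" "logs" {
  # checkov:skip=CKV_AWS_18: access logging handled elsewhere
  bucket = "example-logs"
}
'''

# Top-level `module "name" {` or `resource "type" "name" {` headers.
BLOCK_RE = re.compile(r'^\s*(module|resource)\s+"([^"]+)"(?:\s+"([^"]+)")?\s*\{')
# Inline skip annotation: check id, optional ":reason".
SKIP_RE = re.compile(r'#\s*checkov:skip=([A-Z0-9_]+)(?::(.*))?')


def inline_skips(tf_text):
    """Map each top-level block address to the (check_id, reason) skips found inside it.
    Simplified brace tracking; nested blocks inherit the enclosing top-level address."""
    skips = defaultdict(list)
    current, depth = None, 0
    for line in tf_text.splitlines():
        if depth == 0:
            m = BLOCK_RE.match(line)
            if m:
                kind, first, second = m.groups()
                current = f"module.{first}" if kind == "module" else f"{first}.{second}"
        if current is not None:
            s = SKIP_RE.search(line)
            if s:
                skips[current].append((s.group(1), (s.group(2) or "").strip()))
        depth += line.count("{") - line.count("}")
        if depth <= 0:
            depth, current = 0, None
    return dict(skips)


def plan_resource_addresses(plan):
    """Return every planned resource address, recursing through child modules."""
    out = []

    def walk(mod):
        out.extend(r["address"] for r in mod.get("resources", []))
        for child in mod.get("child_modules", []):
            walk(child)

    walk(plan["planned_values"]["root_module"])
    return out


def block_covers(block_addr, resource_addr):
    """A skip in block X applies to X itself (indexed or not) and, for modules, to everything below X."""
    return (resource_addr == block_addr
            or resource_addr.startswith(block_addr + ".")
            or resource_addr.startswith(block_addr + "["))


def map_skips_to_plan(plan, skips):
    """Resource address -> list of check ids skipped inline for that resource only."""
    result = {}
    for addr in plan_resource_addresses(plan):
        checks = [cid for block, entries in skips.items() if block_covers(block, addr) for cid, _ in entries]
        if checks:
            result[addr] = checks
    return result


def is_skipped(check_id, addr, global_skips, skip_map):
    """Global skip-check entries apply everywhere; inline skips only to the annotated block's resources."""
    return check_id in global_skips or check_id in skip_map.get(addr, [])


if __name__ == "__main__":
    plan = json.loads(SAMPLE_PLAN_JSON)
    skip_map = map_skips_to_plan(plan, inline_skips(SAMPLE_TF))
    for addr in plan_resource_addresses(plan):
        print(addr, "CKV_AWS_150 skipped:", is_skipped("CKV_AWS_150", addr, ["CKV_TF_1"], skip_map))
```

Running it shows CKV_AWS_150 skipped only for the resource under module.alb, while CKV_TF_1 from the global skip-check list is skipped for every address; that per-resource scoping is the behaviour the report expects to survive plan enrichment.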
@savagete2860 is this still an issue? Does your use-case require the deep-analysis flag on? Usually it is needed in only specific cases when there's incomplete data in the plan file.