
Multipart kubernetes files

Open kiberonlabsdev opened this issue 5 months ago • 2 comments

Describe the issue

Checkov seems incapable of handling a multipart YAML file. These frequently show up in autogenerated code for flux and other systems.

Examples

# This manifest was generated by flux. DO NOT EDIT.
# Flux Version: v2.6.1
# Components: source-controller,kustomize-controller,helm-controller,notification-controller
apiVersion: v1
kind: Namespace
metadata:
  labels:
    app.kubernetes.io/instance: flux-system
    app.kubernetes.io/part-of: flux
    app.kubernetes.io/version: v2.6.1
    pod-security.kubernetes.io/warn: restricted
    pod-security.kubernetes.io/warn-version: latest
  name: flux-system
---
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  labels:
    app.kubernetes.io/instance: flux-system
    app.kubernetes.io/part-of: flux
    app.kubernetes.io/version: v2.6.1
  name: allow-egress
  namespace: flux-system
spec:
  egress:
  - {}
  ingress:
  - from:
    - podSelector: {}
  podSelector: {}
  policyTypes:
  - Ingress
  - Egress

Exception Trace

Please share the trace for the exception and all relevant output by checkov. To maximize the understanding, please run checkov with LOG_LEVEL set to debug as follows:

Running through pre-commit gives the following error

Checkov..................................................................Failed
- hook id: checkov
- exit code: 2

2025-07-21 19:34:46,830 [ThreadPoolEx] [ERROR]  YAML error parsing .\clusters\redacted\flux-system\flux\flux.yaml: expected a single document in the stream
  in "<unicode string>", line 5, column 1
but found another document
  in "<unicode string>", line 15, column 1
2025-07-21 19:34:50,109 [MainThread  ] [ERROR]  Exception traceback:
Traceback (most recent call last):
  File "C:\Users\Redacted\.cache\pre-commit\repo7mhpdmw9\py_env-python3.13\Lib\site-packages\checkov\main.py", line 532, in run
    self.scan_reports = runner_registry.run(
                        ~~~~~~~~~~~~~~~~~~~^
        root_folder=root_folder,
        ^^^^^^^^^^^^^^^^^^^^^^^^
        external_checks_dir=external_checks_dir,
        ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
        files=file,
        ^^^^^^^^^^^
    )
    ^

Desktop (please complete the following information):

  • OS: Windows 10
  • Checkov Version 3.2.451

Additional context

This is related to a prior issue https://github.com/bridgecrewio/checkov/issues/1108

kiberonlabsdev, Jul 21 '25 17:07
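The message in the log above is the one PyYAML raises when a stream holding more than one document goes through its single-document load. As an added example (not part of the issue or of Checkov's code; it assumes PyYAML is installed, and the manifest is a constructed, shortened copy of the one posted), this reproduces the error and then enumerates every document with its start line, so each resource in the file can be accounted for:

```python
import yaml  # PyYAML, third-party (assumed installed)

# Constructed sample: shortened two-document manifest shaped like the one in the issue.
MANIFEST = """\
# This manifest was generated by flux. DO NOT EDIT.
apiVersion: v1
kind: Namespace
metadata:
  name: flux-system
---
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: allow-egress
  namespace: flux-system
spec:
  podSelector: {}
  policyTypes:
  - Ingress
  - Egress
"""


def single_load_error(text):
    """Return the error a single-document load raises, or None if it succeeds."""
    try:
        yaml.safe_load(text)
    except yaml.MarkedYAMLError as exc:
        # problem_mark is 0-based and points at the start of the second document.
        mark = exc.problem_mark
        line = mark.line + 1 if mark else "?"
        return f"{exc.context}; {exc.problem} (line {line})"
    return None


def inventory(text):
    """List (start_line, kind, name) for every mapping document in the stream."""
    found = []
    loader = yaml.SafeLoader(text)
    try:
        while loader.check_node():          # is another document available?
            node = loader.get_node()
            doc = loader.construct_document(node)
            if isinstance(doc, dict):       # skip empty or scalar documents
                meta = doc.get("metadata") or {}
                found.append((node.start_mark.line + 1, doc.get("kind"), meta.get("name")))
    finally:
        loader.dispose()
    return found
```

Comparing the length of `inventory()` output with the number of resources a scanner reports for the same file shows whether any document in a multi-document manifest was skipped.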

Probably try to add the frameworks to the command: checkov -d . --framework kubernetes,terraform

adamlahbib, Aug 01 '25 14:08

I cannot reproduce this with the latest version. I am passing the "kubernetes" framework as a parameter. If it's still happening, please share the full command and all available logs.

maxamel, Oct 11 '25 13:10