Checkov Does not Output Results for Files with Specific Symbols #5643
Comments
Hey @SachithKasthuriarachchi thanks for reaching out. Not sure what the rendered file looks like, but we identified it as not being a valid Kubernetes manifest
Oh thanks @gruebel for pointing that out. Would it be easier to debug if we change the above log from DEBUG to WARN? Also, is there any clue on identifying where the erroneous resource is?

Also please note that the same file works perfectly on Checkov 2.0.740

Checked with 2.2.150 and was able to reproduce the error. Were there any breaking changes introduced after
Not really a breaking change, but we check generic files like JSON/YAML for specific keywords, and if they are not included that specific framework is skipped. I'm still curious how your Kubernetes manifest can be valid without an

A higher log level doesn't make any sense here, because it will spam the output. Let's take a JSON file: it could be a template for ARM, CloudFormation, Kubernetes, OpenAPI, Terraform or just some generic file. We would then log a warning for each of them for each file.
@gruebel does checkov skip running checks if the

```yaml
apiVersion: v1
data:
  pod-utilization.json: |-
    {
      "annotations": {
        "list": [
          {
            "builtIn": 1,
            "datasource": {
              "type": "datasource",
              "uid": "grafana"
            },
            "enable": true,
            "hide": true,
            "iconColor": "rgba(0, 211, 255, 1)",
            "name": "Annotations & Alerts",
            "legendFormat": "{{cluster_id}} {{pod}}/{{container}} (usage max)",
            "target": {
              "limit": 100,
              "matchAny": false,
              "tags": [],
              "type": "dashboard"
            },
            "type": "dashboard"
          }
        ]
      }
    }
kind: ConfigMap
metadata:
  annotations:
    kapp.k14s.io/disable-default-label-scoping-rules: ""
  labels:
    app: cost-analyzer
    app.kubernetes.io/instance: kubecost
    app.kubernetes.io/managed-by: Helm
    app.kubernetes.io/name: cost-analyzer
    grafana_dashboard: "1"
    helm.sh/chart: cost-analyzer-1.106.0
  name: prom-benchmark-dashboard
  namespace: kubecost
```

```shell
checkov -f invalid.yaml --framework kubernetes
```
@gruebel I checked the generated yaml and

Interesting, we don't skip it on purpose; probably there is an issue with parsing the file.

OK, I checked the code and we filter out content which has

Yes, just because a file contains

@gruebel any plans on assigning someone from the Checkov team to fix this?

Any update on this?

Hi Team, could you provide some alternative way or suggest some ideas?
Thanks for contributing to Checkov! We've automatically marked this issue as stale to keep our issues list tidy, because it has not had any activity for 6 months. It will be closed in 14 days if no further activity occurs. Commenting on this issue will remove the stale tag. If you want to talk through the issue or help us understand the priority and context, feel free to add a comment or join us in the Checkov slack channel at codifiedsecurity.slack.com
Is there any workaround for this?

Any updates on this issue? I have had to revert to

Any update on this? Why does the Checkov team keep ignoring this?

I found my issue being that if you create the YAML file using Helm on Windows it will create a CRLF file, and Checkov doesn't work with this; you will need to force it to an LF file
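To make the two mechanisms discussed in this thread concrete, the keyword gate gruebel describes (generic YAML is only treated as a Kubernetes manifest when certain keys are present) and the CRLF problem in the comment above, here is an added pre-flight script. It is not Checkov's code: the key list, the `{{ ... }}` marker regex and the `---` document splitting are assumptions modelled on the thread, not on Checkov's source. Run against a rendered chart it reports, per YAML document, whether the assumed keyword gate would pass and on which file line each template-style marker sits, which is the "where is the erroneous resource" information asked for earlier in the thread.

```python
"""Pre-flight check for a rendered Kubernetes manifest before it reaches a
keyword-gated scanner such as Checkov.

Added example, not Checkov's code. Assumptions: the keyword gate is modelled
as "apiVersion and kind must both be present", the content filter as "any
{{ ... }} marker", and documents are split on '---' lines.
"""
import json
import re
from typing import Dict, List

# Assumed keyword gate for the kubernetes framework (not Checkov's real list).
K8S_REQUIRED_KEYS = ("apiVersion", "kind")

# Go/Helm template delimiters; Grafana uses the same syntax for {{pod}} labels,
# which is how a perfectly valid ConfigMap can carry them after rendering.
TEMPLATE_RE = re.compile(r"\{\{[^}]*\}\}")
DOC_SEPARATOR_RE = re.compile(r"^---\s*$")


def normalize_line_endings(text: str) -> str:
    """Rewrite CRLF (what helm produces on Windows) to LF."""
    return text.replace("\r\n", "\n").replace("\r", "\n")


def split_documents(text: str) -> List[Dict]:
    """Split a multi-document stream on '---', recording each document's
    first file line so hits can be reported with absolute line numbers."""
    docs, current, start = [], [], 1
    for lineno, line in enumerate(text.split("\n"), start=1):
        if DOC_SEPARATOR_RE.match(line):
            if any(ln.strip() for ln in current):
                docs.append({"start_line": start, "text": "\n".join(current)})
            current, start = [], lineno + 1
        else:
            current.append(line)
    if any(ln.strip() for ln in current):
        docs.append({"start_line": start, "text": "\n".join(current)})
    return docs


def looks_like_k8s_manifest(doc: str) -> bool:
    """Keyword gate: every required top-level key must appear."""
    return all(re.search(rf"^{key}[ \t]*:", doc, re.MULTILINE)
               for key in K8S_REQUIRED_KEYS)


def doc_identity(doc: str) -> str:
    """Best-effort kind/name label so a hit can be traced to a resource."""
    kind = re.search(r"^kind:[ \t]*(\S+)", doc, re.MULTILINE)
    name = None
    meta = re.search(r"^metadata:[ \t]*$", doc, re.MULTILINE)
    if meta:
        name = re.search(r"^[ \t]+name:[ \t]*(\S+)", doc[meta.end():], re.MULTILINE)
    return f"{kind.group(1) if kind else '?'}/{name.group(1) if name else '?'}"


def find_template_markers(doc: str, offset: int) -> List[Dict]:
    """Every {{ ... }} occurrence with its absolute file line number."""
    return [{"line": offset + i, "marker": m.group(0)}
            for i, line in enumerate(doc.split("\n"))
            for m in TEMPLATE_RE.finditer(line)]


def preflight(raw: str) -> Dict:
    """Report CRLF usage, keyword-gate result and marker locations per document."""
    text = normalize_line_endings(raw)
    return {
        "had_crlf": "\r\n" in raw,
        "documents": [{
            "identity": doc_identity(d["text"]),
            "start_line": d["start_line"],
            "passes_keyword_gate": looks_like_k8s_manifest(d["text"]),
            "template_markers": find_template_markers(d["text"], d["start_line"]),
        } for d in split_documents(text)],
    }


# Constructed sample (CRLF-terminated, as helm on Windows would write it): a
# clean Deployment followed by a ConfigMap whose embedded Grafana dashboard
# JSON carries {{pod}}-style placeholders like the one posted in this thread.
SAMPLE_MANIFEST = "\r\n".join([
    "---",
    "apiVersion: apps/v1",
    "kind: Deployment",
    "metadata:",
    "  name: cost-analyzer",
    "  namespace: kubecost",
    "spec:",
    "  replicas: 1",
    "---",
    "apiVersion: v1",
    "kind: ConfigMap",
    "metadata:",
    "  name: prom-benchmark-dashboard",
    "  namespace: kubecost",
    "data:",
    "  pod-utilization.json: |-",
    '    {"legendFormat": "{{cluster_id}} {{pod}}/{{container}} (usage max)"}',
    "",
])

if __name__ == "__main__":
    print(json.dumps(preflight(SAMPLE_MANIFEST), indent=2))
```

On the sample the report flags the CRLF endings, shows both documents passing the keyword gate, and lists the three markers on line 17 under `ConfigMap/prom-benchmark-dashboard`; on a 50,000-line render that identity plus line number is what tells you which resource to look at.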
Hi @SachithKasthuriarachchi, thank you for reaching out.
Describe the issue
Checkov (latest) does not output the results for very large files (around 50000 lines)
Update to the Description
Checkov does not analyze files with some specific symbols like `{{`. Check #5643 (comment) for explanation.
Additional context
Command:

```shell
LOG_LEVEL=DEBUG checkov -f "my-rendered.yaml" \
  --framework kubernetes \
  --skip-check CKV_K8S_14,CKV_K8S_15,CKV_K8S_35,CKV_K8S_43 \
  --external-checks-dir ../../cloud-sre-common/security/tools/static-scanning/iac/checkov/kubernetes
```
Debug Logs: