如何在地形图上进行checkov扫描

Question

我想让checkov扫描terraform计划输出，但是我在that.Below中的代码、GitHub操作工作流和我的工作流完成时得到的消息没有任何成功。我尝试过几种方法来使它工作，但我仍然无法正确地配置它，以便checkov能够分析terraform平面的Json输出。我非常感谢您的任何帮助，因为您提前提供了帮助。

terragrunt.hcl

terraform {
  after_hook "after_hook_plan" {
      commands     = ["plan"]
      execute      = ["sh", "-c", "terraform show -json tfplan.binary > ${get_parent_terragrunt_dir()}/plan.json"]
  }
}

GitHubActions Workflow

name: 'Checkov Security Scan'
on:
  push:
    branches:
      - test

jobs:
  Terraform:
    name: 'Terraform'
    runs-on: ubuntu-latest

    defaults:
      run:
        working-directory: ${{ env.tf_working_dir }}

    steps:
      - name: 'checkout'
        uses: actions/checkout@v2

      - name: configure AWS credentials
        uses: aws-actions/configure-aws-credentials@master
        with:
          aws-region: us-east-1
          role-to-assume: ${{ env.dev_role_arn }}

      - name: Setup Terraform
        uses: hashicorp/setup-terraform@v1.3.2
        with:
          terraform_version: ${{ env.tf_version }}
          terraform_wrapper: true

      - name: Setup Terragrunt
        uses: autero1/action-terragrunt@v1.1.0
        with:
          terragrunt_version: ${{ env.tg_version }}
         
      - name: Init
        id: init
        run: |
          terragrunt run-all init --terragrunt-non-interactive
      - name: Plan
        id: plan
        run: |
          terragrunt run-all plan -out=tfplan.binary -no-color --terragrunt-non-interactive
      - name: 'Test Plan (Checkov)'
        uses: bridgecrewio/checkov-action@master
        with:
          directory: ./applied/test/
          quiet: false # optional: display only failed checks
          framework: terraform # optional: run only on a specific infrastructure {cloudformation,terraform,kubernetes,all}
          output_format: json # optional: the output format, one of: cli, json, junitxml, github_failed_only

checkov output message
{
    "passed": 0,
    "failed": 0,
    "skipped": 0,
    "parsing_errors": 0,
    "resource_count": 0,
    "checkov_version": "2.0.706"

Answer 1

我想它不支持，不过你可以试试这个

      - name: Terraform Plan
        id: plan
        if: github.event_name == 'pull_request'
        run: terraform plan --out tfplan.binary -no-color
        continue-on-error: true

      - name: Terraform Show
        id: show
        run: terraform show -json tfplan.binary | jq '.' > tfplan.json

      - name: Set up Python 3.8
        uses: actions/setup-python@v1
        with:
          python-version: 3.8
        id: setup_py

      - name: Install Checkov
        id: checkov
        run: |
          python3 -m pip3 install --upgrade pip3
          pip3 install checkov
        continue-on-error: true

      - name: Run Checkov
        id: run_checkov
        run: checkov -f tfplan.json -o sarif -s
        continue-on-error: true

      - name: Upload SARIF file
        id: upload_sarif
        uses: github/codeql-action/upload-sarif@v1
        with:
          sarif_file: results.sarif
          category: checkov
        continue-on-error: true