Checkov ignores terraform tfvars file specified in --var-file flag #4321

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Open
ppawlowski opened this issue Jan 24, 2023 · 13 comments · May be fixed by #7107
Labels: checks (Check additions or changes), terraform

Comments

@ppawlowski
Contributor

Describe the issue
Checkov ignores the path to the tfvars file specified in --var-file when the file is in a different directory than the Terraform root module.
A deep analysis was done in another PR discussion: #3580 (comment)

Examples

main.tf:

provider "azurerm" {
    features {}
}

variable "storage" {
    type = object({
        name = string
        tls = string
    })
}

resource "azurerm_storage_account" "this" {
  name = var.storage.name
  min_tls_version = var.storage.tls
}

terraform.tfvars:

storage = {
    name = "checkovTest"
    tls = "TLS1_2"
}

Directory structure:

.
└── checkov_debug
    ├── main.tf
    └── vars
        └── terraform.tfvars

checkov execution (irrelevant output omitted):

 $ checkov -d checkov_debug/ -c CKV_AZURE_44 --var-file=./checkov_debug/vars/terraform.tfvars

terraform scan results:

Passed checks: 0, Failed checks: 1, Skipped checks: 0

Check: CKV_AZURE_44: "Ensure Storage Account is using the latest version of TLS encryption"
	FAILED for resource: azurerm_storage_account.this
	File: /main.tf:12-15
	Guide: https://docs.bridgecrew.io/docs/bc_azr_storage_2

		12 | resource "azurerm_storage_account" "this" {
		13 |   name = var.storage.name
		14 |   min_tls_version = var.storage.tls
		15 | }

Expected checkov output (irrelevant output omitted):

terraform scan results:

Passed checks: 1, Failed checks: 0, Skipped checks: 0

Check: CKV_AZURE_44: "Ensure Storage Account is using the latest version of TLS encryption"
	PASSED for resource: azurerm_storage_account.this
	File: /main.tf:12-15
	Guide: https://docs.bridgecrew.io/docs/bc_azr_storage_2

Version: 2.2.297
@ppawlowski ppawlowski added the checks Check additions or changes label Jan 24, 2023
@nicholas-marchini

@bridgecrew-bot Can you assign someone to this?

@StevePerezUK

StevePerezUK commented Apr 24, 2023

@gruebel - Hi, I would like to pick this issue up.
@JamesWoolfenden as discussed.

@gruebel
Contributor

gruebel commented Apr 24, 2023

@StevePerezUK sure go ahead 🙂

@cbcoutinho

Does the var-file option need to be relative to the current working directory, or whichever directory is passed to --directory?

Based on OP's example I would assume the following, similar to how terraform includes tfvar files relative to whatever directory is passed to the --directory (checkov) or -src (terraform) argument.

$ checkov -d checkov_debug/ -c CKV_AZURE_44 --var-file=vars/terraform.tfvars

@StevePerezUK

@cbcoutinho - This is the requirement to fix --var-file so it works in the same way as terraform.
https://developer.hashicorp.com/terraform/language/values/variables#variable-definition-precedence


stale bot commented Nov 13, 2023

Thanks for contributing to Checkov! We've automatically marked this issue as stale to keep our issues list tidy, because it has not had any activity for 6 months. It will be closed in 14 days if no further activity occurs. Commenting on this issue will remove the stale tag. If you want to talk through the issue or help us understand the priority and context, feel free to add a comment or join us in the Checkov slack channel at codifiedsecurity.slack.com
Thanks!

@stale stale bot added the stale label Nov 13, 2023
@ppawlowski
Contributor Author

Not stale.

@stale stale bot removed the stale label Nov 16, 2023
@Januznl
Contributor

Januznl commented Apr 17, 2024

I'm still seeing this issue, even when adding a file which does not exist, no error or warning is thrown.

@krukowskid

@StevePerezUK any updates in this?


stale bot commented Feb 7, 2025

Thanks for contributing to Checkov! We've automatically marked this issue as stale to keep our issues list tidy, because it has not had any activity for 6 months. It will be closed in 14 days if no further activity occurs. Commenting on this issue will remove the stale tag. If you want to talk through the issue or help us understand the priority and context, feel free to add a comment or join us in the Checkov slack channel at codifiedsecurity.slack.com
Thanks!

@stale stale bot added the stale label Feb 7, 2025
@ARUNBABU99

Hello
Do we have any update on this?

@stale stale bot removed the stale label Feb 7, 2025
@vinoddampuru-tw

Do we have any update on this? or any workaround on how to include .tfvars in the same or different directory while scanning?

@thentenaar thentenaar linked a pull request Apr 15, 2025 that will close this issue
@dmeiser

dmeiser commented May 8, 2025

The severity of this issue is severely under-considered. This defect causes tests to be skipped, and in many scenarios, it causes checkov to issue misleading and erroneous reports. As an end-user, I had no idea this was happening, resulting in the deployment of nonconforming IAC.
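The failure mode described in this thread (a --var-file path that checkov silently ignores, with no error even when the file does not exist, so the scan passes or fails on unset variables) can be caught before the scan runs. The wrapper below is an added example written for this issue, not code from checkov: it resolves the var file first relative to the current directory and then relative to the scanned directory, as the discussion above expects, and refuses to invoke checkov if neither exists. The function and wrapper names are illustrative.

```shell
#!/bin/sh
# Pre-flight for 'checkov --var-file': fail closed when the tfvars path does
# not resolve, instead of letting checkov scan without the variable values.
# Added example for this issue; not part of checkov itself.
set -eu

# resolve_var_file SCAN_DIR VAR_FILE
# Tries VAR_FILE relative to the current directory, then relative to
# SCAN_DIR (the directory passed to 'checkov -d'). Prints the absolute path
# of the first match; returns 1 (with a message on stderr) if none exists.
resolve_var_file() {
    scan_dir="$1"
    var_file="$2"
    for candidate in "$var_file" "$scan_dir/$var_file"; do
        if [ -f "$candidate" ]; then
            # Canonicalise so the path handed to checkov is unambiguous
            printf '%s/%s\n' "$(cd "$(dirname "$candidate")" && pwd)" \
                "$(basename "$candidate")"
            return 0
        fi
    done
    printf 'var-file not found: %s (tried ./ and %s/)\n' \
        "$var_file" "$scan_dir" >&2
    return 1
}

# checkov_with_vars SCAN_DIR CHECK_ID VAR_FILE...
# Resolves every var file, then runs checkov with the absolute paths.
# Exits with status 2 before scanning if any var file is missing.
checkov_with_vars() {
    scan_dir="$1"; check_id="$2"; shift 2
    n=$#
    while [ "$n" -gt 0 ]; do
        vf="$1"; shift; n=$((n - 1))
        resolved="$(resolve_var_file "$scan_dir" "$vf")" || return 2
        set -- "$@" "--var-file=$resolved"
    done
    checkov -d "$scan_dir" -c "$check_id" "$@"
}
```

With the directory layout from the report, both `checkov_with_vars checkov_debug CKV_AZURE_44 ./checkov_debug/vars/terraform.tfvars` and `checkov_with_vars checkov_debug CKV_AZURE_44 vars/terraform.tfvars` pass the same absolute path on to checkov, and a typo in the file name stops the run instead of producing a report built on unset variables.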
