Description
Describe the issue
I saw this behavior where checkov would print the entire json file (which has been compacted, i.e. contains no whitespace) whenever a rule fails.
Essentially the json file has been compacted using `jq '.' -c cf-stack.json > compact-stack.json`, and when checkov is run, it shows the offending rule and the code_lines associated with it, but the code_lines itself is the entire json file.
For example, running checkov on the compacted file (CloudFormation template generated via Claude to intentionally show failed rules):
```text
secrets scan results:

Passed checks: 0, Failed checks: 2, Skipped checks: 0

Check: CKV_SECRET_6: "Base64 High Entropy String"
	FAILED for resource: ca691df993ea81e073eb357f1dd8979f21d6f23f
	File: /compact-stack.json:1-2
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/secrets-policies/secrets-policy-index/git-secrets-6

		1 | {"AWSTemplateFormatVersion":"2010-09-09","Description":"CloudFormation stack with intentional security issues for Checkov testing","Resources":{"InsecureS3Bucket":{"Type":"AWS::S3::Bucket","Properties":{"BucketName":"my-insecure-bucket-12345","PublicAccessBlockConfiguration":{"BlockPublicAcls":false,"BlockPublicPolicy":false,"IgnorePublicAcls":false,"RestrictPublicBuckets":false}}},"InsecureBucketPolicy":{"Type":"AWS::S3::BucketPolicy","Properties":{"Bucket":{"Ref":"InsecureS3Bucket"},"PolicyDocument":{"Version":"2012-10-17","Statement":[{"Sid":"PublicReadAccess","Effect":"Allow","Principal":"*","Action":"s3:GetObject","Resource":{"Fn::Sub":"${InsecureS3Bucket.Arn}/*"}}]}}},"Insec**********":{"Type":"AWS::EC2::Sec**********","Properties":{"GroupDescription":"Insecure security group for testing","VpcId":"vpc-12345678","SecurityGroupIngress":[{"IpProtocol":"tcp","FromPort":22,"ToPort":22,"CidrIp":"0.0.0.0/0"},{"IpProtocol":"tcp","FromPort":3389,"ToPort":3389,"CidrIp":"0.0.0.0/0"},{"IpProtocol":"tcp","FromPort":0,"ToPort":65535,"CidrIp":"0.0.0.0/0"}],"SecurityGroupEgress":[{"IpProtocol":"-1","CidrIp":"0.0.0.0/0"}]}},"InsecureEC2Instance":{"Type":"AWS::EC2::Instance","Properties":{"ImageId":"ami-12345678","InstanceType":"t2.micro","SecurityGroupIds":[{"Ref":"InsecureSecurityGroup"}],"BlockDeviceMappings":[{"DeviceName":"/dev/sda1","Ebs":{"VolumeSize":20,"Encrypted":false}}]}},"InsecureRDSInstance":{"Type":"AWS::RDS::DBInstance","Properties":{"DBInstanceIdentifier":"insecure-database","DBInstanceClass":"db.t2.micro","Engine":"mysql","MasterUsername":"admin","MasterUserPassword":"password123","AllocatedStorage":20,"PubliclyAccessible":true,"StorageEncrypted":false,"EnableIAMDatabaseAuthentication":false,"DeletionProtection":false,"BackupRetentionPeriod":0}},"InsecureIAMPolicy":{"Type":"AWS::IAM::ManagedPolicy","Properties":{"ManagedPolicyName":"InsecurePolicy","PolicyDocument":{"Version":"2012-10-17","Statement":[{"Effect":"Allow","Action":"*","Resource":"*"}]}}},"InsecureIAMRole":{"Type":"AWS::IAM::Role","Properties":{"RoleName":"InsecureRole","AssumeRolePolicyDocument":{"Version":"2012-10-17","Statement":[{"Effect":"Allow","Principal":{"Service":"ec2.amazonaws.com"},"Action":"sts:AssumeRole"}]},"ManagedPolicyArns":[{"Ref":"InsecureIAMPolicy"}]}},"InsecureUserPolicy":{"Type":"AWS::IAM::Policy","Properties":{"PolicyName":"InsecureUserPolicy","PolicyDocument":{"Version":"2012-10-17","Statement":[{"Effect":"Allow","Action":["iam:CreateUser","iam:CreateAccessKey","iam:AttachUserPolicy"],"Resource":"*"}]},"Roles":[{"Ref":"InsecureIAMRole"}]}},"InsecureSNSTopic":{"Type":"AWS::SNS::Topic","Properties":{"TopicName":"insecure-topic"}},"InsecureSQSQueue":{"Type":"AWS::SQS::Queue","Properties":{"QueueName":"insecure-queue"}},"InsecureDynamoDBTable":{"Type":"AWS::DynamoDB::Table","Properties":{"TableName":"insecure-table","AttributeDefinitions":[{"AttributeName":"id","AttributeType":"S"}],"KeySchema":[{"AttributeName":"id","KeyType":"HASH"}],"BillingMode":"PAY_PER_REQUEST"}},"InsecureLambdaFunction":{"Type":"AWS::Lambda::Function","Properties":{"FunctionName":"insecure-function","Runtime":"python3.9","Handler":"index.handler","Role":{"Fn::GetAtt":["InsecureIAMRole","Arn"]},"Code":{"ZipFile":"def handler(event, context):\n return 'Hello'"}}},"InsecureKMSKey":{"Type":"AWS::KMS::Key","Properties":{"Description":"Insecure KMS key","EnableKeyRotation":false,"KeyPolicy":{"Version":"2012-10-17","Statement":[{"Effect":"Allow","Principal":"*","Action":"kms:*","Resource":"*"}]}}},"InsecureECRRepository":{"Type":"AWS::ECR::Repository","Properties":{"RepositoryName":"insecure-repo","ImageScanningConfiguration":{"ScanOnPush":false},"ImageTagMutability":"MUTABLE"}},"InsecureECSCluster":{"Type":"AWS::ECS::Cluster","Properties":{"ClusterName":"insecure-cluster"}},"InsecureElasticsearchDomain":{"Type":"AWS::Elasticsearch::Domain","Properties":{"DomainName":"insecure-es","ElasticsearchVersion":"7.10","NodeToNodeEncryptionOptions":{"Enabled":false},"EncryptionAtRestOptions":{"Enabled":false}}},"InsecureCloudFrontDistribution":{"Type":"AWS::CloudFront::Distribution","Properties":{"DistributionConfig":{"Enabled":true,"Origins":[{"Id":"S3Origin","DomainName":{"Fn::GetAtt":["InsecureS3Bucket","DomainName"]},"S3OriginConfig":{"OriginAccessIdentity":""}}],"DefaultCacheBehavior":{"TargetOriginId":"S3Origin","ViewerProtocolPolicy":"allow-all","ForwardedValues":{"QueryString":false}}}}},"InsecureAPIGateway":{"Type":"AWS::ApiGateway::RestApi","Properties":{"Name":"insecure-api"}},"InsecureAPIStage":{"Type":"AWS::ApiGateway::Stage","Properties":{"StageName":"prod","RestApiId":{"Ref":"InsecureAPIGateway"},"DeploymentId":{"Ref":"InsecureAPIDeployment"}}},"InsecureAPIDeployment":{"Type":"AWS::ApiGateway::Deployment","Properties":{"RestApiId":{"Ref":"InsecureAPIGateway"}}},"InsecureECSTaskDefinition":{"Type":"AWS::ECS::TaskDefinition","Properties":{"Family":"insecure-task","ContainerDefinitions":[{"Name":"insecure-container","Image":"nginx:latest","Privileged":true,"User":"root"}]}},"InsecureSecret":{"Type":"AWS::SecretsManager::Secret","Properties":{"Name":"insecure-secret","SecretString":"{\"username\":\"admin\",\"password\":\"plaintext-password\"}"}}},"Outputs":{"BucketName":{"Value":{"Ref":"InsecureS3Bucket"}},"SecurityGroupId":{"Value":{"Ref":"InsecureSecurityGroup"}}}}

Check: CKV_SECRET_6: "Base64 High Entropy String"
	FAILED for resource: d9284185dd7624f8163a9d141cde8b7018feb510
	File: /compact-stack.json:1-2
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/secrets-policies/secrets-policy-index/git-secrets-6

		1 | {"AWSTemplateFormatVersion":"2010-09-09","Description":"CloudFormation stack with intentional security issues for Checkov testing","Resources":{"InsecureS3Bucket":{"Type":"AWS::S3::Bucket","Properties":{"BucketName":"my-insecure-bucket-12345","PublicAccessBlockConfiguration":{"BlockPublicAcls":false,"BlockPublicPolicy":false,"IgnorePublicAcls":false,"RestrictPublicBuckets":false}}},"InsecureBucketPolicy":{"Type":"AWS::S3::BucketPolicy","Properties":{"Bucket":{"Ref":"InsecureS3Bucket"},"PolicyDocument":{"Version":"2012-10-17","Statement":[{"Sid":"PublicReadAccess","Effect":"Allow","Principal":"*","Action":"s3:GetObject","Resource":{"Fn::Sub":"${InsecureS3Bucket.Arn}/*"}}]}}},"Insec**********":{"Type":"AWS::EC2::Sec**********","Properties":{"GroupDescription":"Insecure security group for testing","VpcId":"vpc-12345678","SecurityGroupIngress":[{"IpProtocol":"tcp","FromPort":22,"ToPort":22,"CidrIp":"0.0.0.0/0"},{"IpProtocol":"tcp","FromPort":3389,"ToPort":3389,"CidrIp":"0.0.0.0/0"},{"IpProtocol":"tcp","FromPort":0,"ToPort":65535,"CidrIp":"0.0.0.0/0"}],"SecurityGroupEgress":[{"IpProtocol":"-1","CidrIp":"0.0.0.0/0"}]}},"InsecureEC2Instance":{"Type":"AWS::EC2::Instance","Properties":{"ImageId":"ami-12345678","InstanceType":"t2.micro","SecurityGroupIds":[{"Ref":"InsecureSecurityGroup"}],"BlockDeviceMappings":[{"DeviceName":"/dev/sda1","Ebs":{"VolumeSize":20,"Encrypted":false}}]}},"InsecureRDSInstance":{"Type":"AWS::RDS::DBInstance","Properties":{"DBInstanceIdentifier":"insecure-database","DBInstanceClass":"db.t2.micro","Engine":"mysql","MasterUsername":"admin","MasterUserPassword":"password123","AllocatedStorage":20,"PubliclyAccessible":true,"StorageEncrypted":false,"EnableIAMDatabaseAuthentication":false,"DeletionProtection":false,"BackupRetentionPeriod":0}},"InsecureIAMPolicy":{"Type":"AWS::IAM::ManagedPolicy","Properties":{"ManagedPolicyName":"InsecurePolicy","PolicyDocument":{"Version":"2012-10-17","Statement":[{"Effect":"Allow","Action":"*","Resource":"*"}]}}},"InsecureIAMRole":{"Type":"AWS::IAM::Role","Properties":{"RoleName":"InsecureRole","AssumeRolePolicyDocument":{"Version":"2012-10-17","Statement":[{"Effect":"Allow","Principal":{"Service":"ec2.amazonaws.com"},"Action":"sts:AssumeRole"}]},"ManagedPolicyArns":[{"Ref":"InsecureIAMPolicy"}]}},"InsecureUserPolicy":{"Type":"AWS::IAM::Policy","Properties":{"PolicyName":"InsecureUserPolicy","PolicyDocument":{"Version":"2012-10-17","Statement":[{"Effect":"Allow","Action":["iam:CreateUser","iam:CreateAccessKey","iam:AttachUserPolicy"],"Resource":"*"}]},"Roles":[{"Ref":"InsecureIAMRole"}]}},"InsecureSNSTopic":{"Type":"AWS::SNS::Topic","Properties":{"TopicName":"insecure-topic"}},"InsecureSQSQueue":{"Type":"AWS::SQS::Queue","Properties":{"QueueName":"insecure-queue"}},"InsecureDynamoDBTable":{"Type":"AWS::DynamoDB::Table","Properties":{"TableName":"insecure-table","AttributeDefinitions":[{"AttributeName":"id","AttributeType":"S"}],"KeySchema":[{"AttributeName":"id","KeyType":"HASH"}],"BillingMode":"PAY_PER_REQUEST"}},"InsecureLambdaFunction":{"Type":"AWS::Lambda::Function","Properties":{"FunctionName":"insecure-function","Runtime":"python3.9","Handler":"index.handler","Role":{"Fn::GetAtt":["InsecureIAMRole","Arn"]},"Code":{"ZipFile":"def handler(event, context):\n return 'Hello'"}}},"InsecureKMSKey":{"Type":"AWS::KMS::Key","Properties":{"Description":"Insecure KMS key","EnableKeyRotation":false,"KeyPolicy":{"Version":"2012-10-17","Statement":[{"Effect":"Allow","Principal":"*","Action":"kms:*","Resource":"*"}]}}},"InsecureECRRepository":{"Type":"AWS::ECR::Repository","Properties":{"RepositoryName":"insecure-repo","ImageScanningConfiguration":{"ScanOnPush":false},"ImageTagMutability":"MUTABLE"}},"InsecureECSCluster":{"Type":"AWS::ECS::Cluster","Properties":{"ClusterName":"insecure-cluster"}},"InsecureElasticsearchDomain":{"Type":"AWS::Elasticsearch::Domain","Properties":{"DomainName":"insecure-es","ElasticsearchVersion":"7.10","NodeToNodeEncryptionOptions":{"Enabled":false},"EncryptionAtRestOptions":{"Enabled":false}}},"InsecureCloudFrontDistribution":{"Type":"AWS::CloudFront::Distribution","Properties":{"DistributionConfig":{"Enabled":true,"Origins":[{"Id":"S3Origin","DomainName":{"Fn::GetAtt":["InsecureS3Bucket","DomainName"]},"S3OriginConfig":{"OriginAccessIdentity":""}}],"DefaultCacheBehavior":{"TargetOriginId":"S3Origin","ViewerProtocolPolicy":"allow-all","ForwardedValues":{"QueryString":false}}}}},"InsecureAPIGateway":{"Type":"AWS::ApiGateway::RestApi","Properties":{"Name":"insecure-api"}},"InsecureAPIStage":{"Type":"AWS::ApiGateway::Stage","Properties":{"StageName":"prod","RestApiId":{"Ref":"InsecureAPIGateway"},"DeploymentId":{"Ref":"InsecureAPIDeployment"}}},"InsecureAPIDeployment":{"Type":"AWS::ApiGateway::Deployment","Properties":{"RestApiId":{"Ref":"InsecureAPIGateway"}}},"InsecureECSTaskDefinition":{"Type":"AWS::ECS::TaskDefinition","Properties":{"Family":"insecure-task","ContainerDefinitions":[{"Name":"insecure-container","Image":"nginx:latest","Privileged":true,"User":"root"}]}},"InsecureSecret":{"Type":"AWS::SecretsManager::Secret","Properties":{"Name":"insecure-secret","SecretString":"{\"username\":\"admin\",\"password\":\"plaintext-password\"}"}}},"Outputs":{"BucketName":{"Value":{"Ref":"InsecureS3Bucket"}},"SecurityGroupId":{"Value":{"Ref":"InsecureSecurityGroup"}}}}
```
Additional context

Steps to reproduce the issue:

- Download: `pip3 install checkov`
- Copy the json file below, which is usually pretty printed, and save it in `insecure-stack.json`:
```json
{
  "AWSTemplateFormatVersion": "2010-09-09",
  "Description": "CloudFormation stack with intentional security issues for Checkov testing",
  "Resources": {
    "InsecureS3Bucket": {
      "Type": "AWS::S3::Bucket",
      "Properties": {
        "BucketName": "my-insecure-bucket-12345",
        "PublicAccessBlockConfiguration": {
          "BlockPublicAcls": false,
          "BlockPublicPolicy": false,
          "IgnorePublicAcls": false,
          "RestrictPublicBuckets": false
        }
      }
    },
    "InsecureBucketPolicy": {
      "Type": "AWS::S3::BucketPolicy",
      "Properties": {
        "Bucket": { "Ref": "InsecureS3Bucket" },
        "PolicyDocument": {
          "Version": "2012-10-17",
          "Statement": [
            {
              "Sid": "PublicReadAccess",
              "Effect": "Allow",
              "Principal": "*",
              "Action": "s3:GetObject",
              "Resource": { "Fn::Sub": "${InsecureS3Bucket.Arn}/*" }
            }
          ]
        }
      }
    },
    "InsecureSecurityGroup": {
      "Type": "AWS::EC2::SecurityGroup",
      "Properties": {
        "GroupDescription": "Insecure security group for testing",
        "VpcId": "vpc-12345678",
        "SecurityGroupIngress": [
          {
            "IpProtocol": "tcp",
            "FromPort": 22,
            "ToPort": 22,
            "CidrIp": "0.0.0.0/0"
          },
          {
            "IpProtocol": "tcp",
            "FromPort": 3389,
            "ToPort": 3389,
            "CidrIp": "0.0.0.0/0"
          },
          {
            "IpProtocol": "tcp",
            "FromPort": 0,
            "ToPort": 65535,
            "CidrIp": "0.0.0.0/0"
          }
        ],
        "SecurityGroupEgress": [
          {
            "IpProtocol": "-1",
            "CidrIp": "0.0.0.0/0"
          }
        ]
      }
    },
    "InsecureEC2Instance": {
      "Type": "AWS::EC2::Instance",
      "Properties": {
        "ImageId": "ami-12345678",
        "InstanceType": "t2.micro",
        "SecurityGroupIds": [
          { "Ref": "InsecureSecurityGroup" }
        ],
        "BlockDeviceMappings": [
          {
            "DeviceName": "/dev/sda1",
            "Ebs": {
              "VolumeSize": 20,
              "Encrypted": false
            }
          }
        ]
      }
    },
    "InsecureRDSInstance": {
      "Type": "AWS::RDS::DBInstance",
      "Properties": {
        "DBInstanceIdentifier": "insecure-database",
        "DBInstanceClass": "db.t2.micro",
        "Engine": "mysql",
        "MasterUsername": "admin",
        "MasterUserPassword": "password123",
        "AllocatedStorage": 20,
        "PubliclyAccessible": true,
        "StorageEncrypted": false,
        "EnableIAMDatabaseAuthentication": false,
        "DeletionProtection": false,
        "BackupRetentionPeriod": 0
      }
    },
    "InsecureIAMPolicy": {
      "Type": "AWS::IAM::ManagedPolicy",
      "Properties": {
        "ManagedPolicyName": "InsecurePolicy",
        "PolicyDocument": {
          "Version": "2012-10-17",
          "Statement": [
            {
              "Effect": "Allow",
              "Action": "*",
              "Resource": "*"
            }
          ]
        }
      }
    },
    "InsecureIAMRole": {
      "Type": "AWS::IAM::Role",
      "Properties": {
        "RoleName": "InsecureRole",
        "AssumeRolePolicyDocument": {
          "Version": "2012-10-17",
          "Statement": [
            {
              "Effect": "Allow",
              "Principal": {
                "Service": "ec2.amazonaws.com"
              },
              "Action": "sts:AssumeRole"
            }
          ]
        },
        "ManagedPolicyArns": [
          { "Ref": "InsecureIAMPolicy" }
        ]
      }
    },
    "InsecureUserPolicy": {
      "Type": "AWS::IAM::Policy",
      "Properties": {
        "PolicyName": "InsecureUserPolicy",
        "PolicyDocument": {
          "Version": "2012-10-17",
          "Statement": [
            {
              "Effect": "Allow",
              "Action": [
                "iam:CreateUser",
                "iam:CreateAccessKey",
                "iam:AttachUserPolicy"
              ],
              "Resource": "*"
            }
          ]
        },
        "Roles": [
          { "Ref": "InsecureIAMRole" }
        ]
      }
    },
    "InsecureSNSTopic": {
      "Type": "AWS::SNS::Topic",
      "Properties": {
        "TopicName": "insecure-topic"
      }
    },
    "InsecureSQSQueue": {
      "Type": "AWS::SQS::Queue",
      "Properties": {
        "QueueName": "insecure-queue"
      }
    },
    "InsecureDynamoDBTable": {
      "Type": "AWS::DynamoDB::Table",
      "Properties": {
        "TableName": "insecure-table",
        "AttributeDefinitions": [
          {
            "AttributeName": "id",
            "AttributeType": "S"
          }
        ],
        "KeySchema": [
          {
            "AttributeName": "id",
            "KeyType": "HASH"
          }
        ],
        "BillingMode": "PAY_PER_REQUEST"
      }
    },
    "InsecureLambdaFunction": {
      "Type": "AWS::Lambda::Function",
      "Properties": {
        "FunctionName": "insecure-function",
        "Runtime": "python3.9",
        "Handler": "index.handler",
        "Role": { "Fn::GetAtt": ["InsecureIAMRole", "Arn"] },
        "Code": {
          "ZipFile": "def handler(event, context):\n return 'Hello'"
        }
      }
    },
    "InsecureKMSKey": {
      "Type": "AWS::KMS::Key",
      "Properties": {
        "Description": "Insecure KMS key",
        "EnableKeyRotation": false,
        "KeyPolicy": {
          "Version": "2012-10-17",
          "Statement": [
            {
              "Effect": "Allow",
              "Principal": "*",
              "Action": "kms:*",
              "Resource": "*"
            }
          ]
        }
      }
    },
    "InsecureECRRepository": {
      "Type": "AWS::ECR::Repository",
      "Properties": {
        "RepositoryName": "insecure-repo",
        "ImageScanningConfiguration": {
          "ScanOnPush": false
        },
        "ImageTagMutability": "MUTABLE"
      }
    },
    "InsecureECSCluster": {
      "Type": "AWS::ECS::Cluster",
      "Properties": {
        "ClusterName": "insecure-cluster"
      }
    },
    "InsecureElasticsearchDomain": {
      "Type": "AWS::Elasticsearch::Domain",
      "Properties": {
        "DomainName": "insecure-es",
        "ElasticsearchVersion": "7.10",
        "NodeToNodeEncryptionOptions": {
          "Enabled": false
        },
        "EncryptionAtRestOptions": {
          "Enabled": false
        }
      }
    },
    "InsecureCloudFrontDistribution": {
      "Type": "AWS::CloudFront::Distribution",
      "Properties": {
        "DistributionConfig": {
          "Enabled": true,
          "Origins": [
            {
              "Id": "S3Origin",
              "DomainName": { "Fn::GetAtt": ["InsecureS3Bucket", "DomainName"] },
              "S3OriginConfig": {
                "OriginAccessIdentity": ""
              }
            }
          ],
          "DefaultCacheBehavior": {
            "TargetOriginId": "S3Origin",
            "ViewerProtocolPolicy": "allow-all",
            "ForwardedValues": {
              "QueryString": false
            }
          }
        }
      }
    },
    "InsecureAPIGateway": {
      "Type": "AWS::ApiGateway::RestApi",
      "Properties": {
        "Name": "insecure-api"
      }
    },
    "InsecureAPIStage": {
      "Type": "AWS::ApiGateway::Stage",
      "Properties": {
        "StageName": "prod",
        "RestApiId": { "Ref": "InsecureAPIGateway" },
        "DeploymentId": { "Ref": "InsecureAPIDeployment" }
      }
    },
    "InsecureAPIDeployment": {
      "Type": "AWS::ApiGateway::Deployment",
      "Properties": {
        "RestApiId": { "Ref": "InsecureAPIGateway" }
      }
    },
    "InsecureECSTaskDefinition": {
      "Type": "AWS::ECS::TaskDefinition",
      "Properties": {
        "Family": "insecure-task",
        "ContainerDefinitions": [
          {
            "Name": "insecure-container",
            "Image": "nginx:latest",
            "Privileged": true,
            "User": "root"
          }
        ]
      }
    },
    "InsecureSecret": {
      "Type": "AWS::SecretsManager::Secret",
      "Properties": {
        "Name": "insecure-secret",
        "SecretString": "{\"username\":\"admin\",\"password\":\"plaintext-password\"}"
      }
    }
  },
  "Outputs": {
    "BucketName": {
      "Value": { "Ref": "InsecureS3Bucket" }
    },
    "SecurityGroupId": {
      "Value": { "Ref": "InsecureSecurityGroup" }
    }
  }
}
```
- Copy the json file below, which is compacted using `jq '.' -c insecure-stack.json > compact-stack.json`:

```json
{"AWSTemplateFormatVersion":"2010-09-09","Description":"CloudFormation stack with intentional security issues for Checkov testing","Resources":{"InsecureS3Bucket":{"Type":"AWS::S3::Bucket","Properties":{"BucketName":"my-insecure-bucket-12345","PublicAccessBlockConfiguration":{"BlockPublicAcls":false,"BlockPublicPolicy":false,"IgnorePublicAcls":false,"RestrictPublicBuckets":false}}},"InsecureBucketPolicy":{"Type":"AWS::S3::BucketPolicy","Properties":{"Bucket":{"Ref":"InsecureS3Bucket"},"PolicyDocument":{"Version":"2012-10-17","Statement":[{"Sid":"PublicReadAccess","Effect":"Allow","Principal":"*","Action":"s3:GetObject","Resource":{"Fn::Sub":"${InsecureS3Bucket.Arn}/*"}}]}}},"InsecureSecurityGroup":{"Type":"AWS::EC2::SecurityGroup","Properties":{"GroupDescription":"Insecure security group for testing","VpcId":"vpc-12345678","SecurityGroupIngress":[{"IpProtocol":"tcp","FromPort":22,"ToPort":22,"CidrIp":"0.0.0.0/0"},{"IpProtocol":"tcp","FromPort":3389,"ToPort":3389,"CidrIp":"0.0.0.0/0"},{"IpProtocol":"tcp","FromPort":0,"ToPort":65535,"CidrIp":"0.0.0.0/0"}],"SecurityGroupEgress":[{"IpProtocol":"-1","CidrIp":"0.0.0.0/0"}]}},"InsecureEC2Instance":{"Type":"AWS::EC2::Instance","Properties":{"ImageId":"ami-12345678","InstanceType":"t2.micro","SecurityGroupIds":[{"Ref":"InsecureSecurityGroup"}],"BlockDeviceMappings":[{"DeviceName":"/dev/sda1","Ebs":{"VolumeSize":20,"Encrypted":false}}]}},"InsecureRDSInstance":{"Type":"AWS::RDS::DBInstance","Properties":{"DBInstanceIdentifier":"insecure-database","DBInstanceClass":"db.t2.micro","Engine":"mysql","MasterUsername":"admin","MasterUserPassword":"password123","AllocatedStorage":20,"PubliclyAccessible":true,"StorageEncrypted":false,"EnableIAMDatabaseAuthentication":false,"DeletionProtection":false,"BackupRetentionPeriod":0}},"InsecureIAMPolicy":{"Type":"AWS::IAM::ManagedPolicy","Properties":{"ManagedPolicyName":"InsecurePolicy","PolicyDocument":{"Version":"2012-10-17","Statement":[{"Effect":"Allow","Action":"*","Resource":"*"}]}}},"InsecureIAMRole":{"Type":"AWS::IAM::Role","Properties":{"RoleName":"InsecureRole","AssumeRolePolicyDocument":{"Version":"2012-10-17","Statement":[{"Effect":"Allow","Principal":{"Service":"ec2.amazonaws.com"},"Action":"sts:AssumeRole"}]},"ManagedPolicyArns":[{"Ref":"InsecureIAMPolicy"}]}},"InsecureUserPolicy":{"Type":"AWS::IAM::Policy","Properties":{"PolicyName":"InsecureUserPolicy","PolicyDocument":{"Version":"2012-10-17","Statement":[{"Effect":"Allow","Action":["iam:CreateUser","iam:CreateAccessKey","iam:AttachUserPolicy"],"Resource":"*"}]},"Roles":[{"Ref":"InsecureIAMRole"}]}},"InsecureSNSTopic":{"Type":"AWS::SNS::Topic","Properties":{"TopicName":"insecure-topic"}},"InsecureSQSQueue":{"Type":"AWS::SQS::Queue","Properties":{"QueueName":"insecure-queue"}},"InsecureDynamoDBTable":{"Type":"AWS::DynamoDB::Table","Properties":{"TableName":"insecure-table","AttributeDefinitions":[{"AttributeName":"id","AttributeType":"S"}],"KeySchema":[{"AttributeName":"id","KeyType":"HASH"}],"BillingMode":"PAY_PER_REQUEST"}},"InsecureLambdaFunction":{"Type":"AWS::Lambda::Function","Properties":{"FunctionName":"insecure-function","Runtime":"python3.9","Handler":"index.handler","Role":{"Fn::GetAtt":["InsecureIAMRole","Arn"]},"Code":{"ZipFile":"def handler(event, context):\n return 'Hello'"}}},"InsecureKMSKey":{"Type":"AWS::KMS::Key","Properties":{"Description":"Insecure KMS key","EnableKeyRotation":false,"KeyPolicy":{"Version":"2012-10-17","Statement":[{"Effect":"Allow","Principal":"*","Action":"kms:*","Resource":"*"}]}}},"InsecureECRRepository":{"Type":"AWS::ECR::Repository","Properties":{"RepositoryName":"insecure-repo","ImageScanningConfiguration":{"ScanOnPush":false},"ImageTagMutability":"MUTABLE"}},"InsecureECSCluster":{"Type":"AWS::ECS::Cluster","Properties":{"ClusterName":"insecure-cluster"}},"InsecureElasticsearchDomain":{"Type":"AWS::Elasticsearch::Domain","Properties":{"DomainName":"insecure-es","ElasticsearchVersion":"7.10","NodeToNodeEncryptionOptions":{"Enabled":false},"EncryptionAtRestOptions":{"Enabled":false}}},"InsecureCloudFrontDistribution":{"Type":"AWS::CloudFront::Distribution","Properties":{"DistributionConfig":{"Enabled":true,"Origins":[{"Id":"S3Origin","DomainName":{"Fn::GetAtt":["InsecureS3Bucket","DomainName"]},"S3OriginConfig":{"OriginAccessIdentity":""}}],"DefaultCacheBehavior":{"TargetOriginId":"S3Origin","ViewerProtocolPolicy":"allow-all","ForwardedValues":{"QueryString":false}}}}},"InsecureAPIGateway":{"Type":"AWS::ApiGateway::RestApi","Properties":{"Name":"insecure-api"}},"InsecureAPIStage":{"Type":"AWS::ApiGateway::Stage","Properties":{"StageName":"prod","RestApiId":{"Ref":"InsecureAPIGateway"},"DeploymentId":{"Ref":"InsecureAPIDeployment"}}},"InsecureAPIDeployment":{"Type":"AWS::ApiGateway::Deployment","Properties":{"RestApiId":{"Ref":"InsecureAPIGateway"}}},"InsecureECSTaskDefinition":{"Type":"AWS::ECS::TaskDefinition","Properties":{"Family":"insecure-task","ContainerDefinitions":[{"Name":"insecure-container","Image":"nginx:latest","Privileged":true,"User":"root"}]}},"InsecureSecret":{"Type":"AWS::SecretsManager::Secret","Properties":{"Name":"insecure-secret","SecretString":"{\"username\":\"admin\",\"password\":\"plaintext-password\"}"}}},"Outputs":{"BucketName":{"Value":{"Ref":"InsecureS3Bucket"}},"SecurityGroupId":{"Value":{"Ref":"InsecureSecurityGroup"}}}}
```
- Run `checkov -f insecure-stack.json`, which shows failed rules and code blocks nicely (which is expected)
- Run `checkov -f compact-stack.json`, which shows failed rules and code blocks that are the entire file (which is not expected)
Based on searching, it seems like at `checkov/checkov/common/output/record.py` (lines 117 to 134 in 109a536):
```python
def _code_line_string(code_block: List[Tuple[int, str]], colorized: bool = True) -> str:
    code_output = []
    color_codes = (Fore.WHITE if colorized else "", Fore.YELLOW if colorized else "")
    last_line_number_len = len(str(code_block[-1][0]))
    if len(code_block) >= OUTPUT_CODE_LINE_LIMIT:
        return f'\t\t{color_codes[1]}Code lines for this resource are too many. ' \
               f'Please use IDE of your choice to review the file.'
    for line_num, line in code_block:
        spaces = " " * (last_line_number_len - len(str(line_num)))
        if line.lstrip().startswith("#"):
            code_output.append(f"\t\t{color_codes[0]}{line_num}{spaces} | {line}")
        elif line.lstrip() == PLACEHOLDER_LINE:
            code_output.append(f"\t\t{line}")
        else:
            code_output.append(f"\t\t{color_codes[0]}{line_num}{spaces} | {color_codes[1]}{line}")
    return "".join(code_output)
```
it ends up truncating the code blocks if the length is above `OUTPUT_CODE_LINE_LIMIT = 50`.
It would be neat to also do a check on the length of the string too (something like `CHECKOV_OUTPUT_LINE_LENGTH_LIMIT`).
I also see that `checkov --compact` removes the code lines from the output, which is also helpful.
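The line-length cap proposed in this issue, as an added example that is not checkov's own code: it re-implements the quoted formatter without colour handling, keeps the existing line-count limit, and adds a per-line character limit so that one minified line cannot dump the whole template into the report. `OUTPUT_CODE_LINE_LIMIT = 50` is taken from the quoted snippet; the names `OUTPUT_CODE_LINE_LENGTH_LIMIT`, `TRUNCATED_MARK`, `build_block` and `render`, the value assumed for `PLACEHOLDER_LINE`, and the shortened two-resource template are all constructed for this illustration.

```python
"""Added example, not checkov code: a code-line formatter with a line-count
limit (as in the quoted snippet) plus an assumed per-line character limit."""
import json
from typing import List, Tuple

OUTPUT_CODE_LINE_LIMIT = 50           # value quoted in the issue
OUTPUT_CODE_LINE_LENGTH_LIMIT = 200   # assumed: max characters shown per line
PLACEHOLDER_LINE = "..."              # assumed stand-in for checkov's PLACEHOLDER_LINE
TOO_MANY_LINES_MSG = ("Code lines for this resource are too many. "
                      "Please use IDE of your choice to review the file.")
TRUNCATED_MARK = " ...[truncated]"    # assumed marker appended to a cut line


def code_line_string(code_block: List[Tuple[int, str]]) -> str:
    """Render (line_number, text) tuples like the quoted formatter, uncoloured.

    The line-count check mirrors the original; the character check is the
    addition: a single over-long line is cut at the limit instead of printed whole.
    """
    if not code_block:
        return ""
    if len(code_block) >= OUTPUT_CODE_LINE_LIMIT:
        return f"\t\t{TOO_MANY_LINES_MSG}"
    last_line_number_len = len(str(code_block[-1][0]))
    code_output = []
    for line_num, line in code_block:
        spaces = " " * (last_line_number_len - len(str(line_num)))
        if line.lstrip() == PLACEHOLDER_LINE:
            code_output.append(f"\t\t{line}")
            continue
        if len(line) > OUTPUT_CODE_LINE_LENGTH_LIMIT:
            line = line[:OUTPUT_CODE_LINE_LENGTH_LIMIT].rstrip() + TRUNCATED_MARK
        code_output.append(f"\t\t{line_num}{spaces} | {line}")
    # lines carry no trailing newline here, so join with "\n" rather than ""
    return "\n".join(code_output)


# Constructed template, shortened from the one in the issue; the plaintext
# MasterUserPassword is kept because it shows what the report echoes.
TEMPLATE = {
    "AWSTemplateFormatVersion": "2010-09-09",
    "Resources": {
        "InsecureS3Bucket": {
            "Type": "AWS::S3::Bucket",
            "Properties": {
                "BucketName": "my-insecure-bucket-12345",
                "PublicAccessBlockConfiguration": {
                    "BlockPublicAcls": False,
                    "BlockPublicPolicy": False,
                    "IgnorePublicAcls": False,
                    "RestrictPublicBuckets": False,
                },
            },
        },
        "InsecureRDSInstance": {
            "Type": "AWS::RDS::DBInstance",
            "Properties": {
                "Engine": "mysql",
                "MasterUsername": "admin",
                "MasterUserPassword": "password123",
                "PubliclyAccessible": True,
                "StorageEncrypted": False,
            },
        },
    },
}


def build_block(pretty: bool) -> List[Tuple[int, str]]:
    """Serialise TEMPLATE pretty-printed (like insecure-stack.json) or compacted
    (like `jq -c`) and number its lines the way checkov's code_block tuples are shaped."""
    if pretty:
        text = json.dumps(TEMPLATE, indent=2)
    else:
        text = json.dumps(TEMPLATE, separators=(",", ":"))
    return [(i, line) for i, line in enumerate(text.splitlines(), start=1)]


def render(pretty: bool) -> str:
    """Format the chosen serialisation the way a check result would show it."""
    return code_line_string(build_block(pretty))


if __name__ == "__main__":
    print("pretty-printed input:\n" + render(True))
    print("\ncompacted input:\n" + render(False))
```

On the compacted input the block has exactly one line, so the existing `len(code_block) >= OUTPUT_CODE_LINE_LIMIT` check never fires and, without the character cap, the report would print the entire file. With the cap the report stays one bounded line; a side effect worth noting is that the plaintext `MasterUserPassword` sitting past the cut is no longer copied into CI logs by the report itself.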