Describe the issue
Checkov's terraform_json framework crashes when scanning CDKTF-generated cdk.tf.json files that contain a terraform.required_version block.
Related: #5498, #5504 (partially fixed in #5509, which addressed data block parsing but not this issue).
Steps to Reproduce
Check repo for code: https://github.com/garvit14/checkov-cdktf-json-issue-repro
# 1. Clone this repo
cd checkov-cdktf-bug
# 2. Install dependencies and synthesize
npm install
npx cdktf synth
# 3. Run checkov
checkov -f cdktf.out/stacks/minimal-stack/cdk.tf.json --framework terraform_json
CDKTF Code (main.ts)
import { App, TerraformStack } from "cdktf";
import { Construct } from "constructs";
import { provider, vpc } from "@cdktf/provider-aws";
class MinimalStack extends TerraformStack {
  constructor(scope: Construct, id: string) {
    super(scope, id);
    this.addOverride("terraform.required_version", ">= 1.5.0");
    new provider.AwsProvider(this, "aws", {
      region: "us-east-1",
    });
    new vpc.Vpc(this, "vpc", {
      cidrBlock: "10.0.0.0/16",
      tags: { Name: "test-vpc" },
    });
  }
}
const app = new App();
new MinimalStack(app, "minimal-stack");
app.synth();
Generated cdk.tf.json (relevant section)
{
  "terraform": {
    "backend": {
      "local": {
        "path": "terraform.minimal-stack.tfstate"
      }
    },
    "required_providers": {
      "aws": {
        "source": "aws",
        "version": "6.25.0"
      }
    },
    "required_version": ">= 1.5.0"
  }
}
Expected Behavior
Checkov should parse the cdk.tf.json file and run checks without crashing.
Actual Behavior
2026-03-04 21:18:57,831 [MainThread ] [ERROR] Exception traceback:
Traceback (most recent call last):
File "/opt/homebrew/Cellar/checkov/3.2.500/libexec/lib/python3.14/site-packages/checkov/main.py", line 647, in run
self.scan_reports = runner_registry.run(
~~~~~~~~~~~~~~~~~~~^
external_checks_dir=external_checks_dir,
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
files=self.config.file,
^^^^^^^^^^^^^^^^^^^^^^^
repo_root_for_plan_enrichment=self.config.repo_root_for_plan_enrichment,
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
)
^
File "/opt/homebrew/Cellar/checkov/3.2.500/libexec/lib/python3.14/site-packages/checkov/common/runners/runner_registry.py", line 126, in run
self.runners[0].run(root_folder, external_checks_dir=external_checks_dir, files=files,
~~~~~~~~~~~~~~~~~~~^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
runner_filter=self.runner_filter,
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
collect_skip_comments=collect_skip_comments)]
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
File "/opt/homebrew/Cellar/checkov/3.2.500/libexec/lib/python3.14/site-packages/checkov/terraform_json/runner.py", line 87, in run
self.definitions, self.definitions_raw, parsing_errors = create_definitions(file_paths)
~~~~~~~~~~~~~~~~~~^^^^^^^^^^^^
File "/opt/homebrew/Cellar/checkov/3.2.500/libexec/lib/python3.14/site-packages/checkov/terraform_json/utils.py", line 59, in create_definitions
template, file_lines = parse(file_path)
~~~~~^^^^^^^^^^^
File "/opt/homebrew/Cellar/checkov/3.2.500/libexec/lib/python3.14/site-packages/checkov/terraform_json/parser.py", line 32, in parse
template, template_lines = loads(file_path=file_path)
~~~~~^^^^^^^^^^^^^^^^^^^^^
File "/opt/homebrew/Cellar/checkov/3.2.500/libexec/lib/python3.14/site-packages/checkov/terraform_json/parser.py", line 77, in loads
template = prepare_definition(template)
File "/opt/homebrew/Cellar/checkov/3.2.500/libexec/lib/python3.14/site-packages/checkov/terraform_json/parser.py", line 89, in prepare_definition
definition_new[block_type] = handle_block_type(block_type=block_type, blocks=blocks)
~~~~~~~~~~~~~~~~~^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
File "/opt/homebrew/Cellar/checkov/3.2.500/libexec/lib/python3.14/site-packages/checkov/terraform_json/parser.py", line 115, in handle_block_type
result.append({block_name: hclify(obj=config)})
~~~~~~^^^^^^^^^^^^
File "/opt/homebrew/Cellar/checkov/3.2.500/libexec/lib/python3.14/site-packages/checkov/terraform_json/parser.py", line 128, in hclify
raise Exception("this method receives only dicts")
Exception: this method receives only dicts
Environment
- Checkov version: 3.2.500
- CDKTF version: 0.21.0
- @cdktf/provider-aws: 21.22.1
- Python: 3.14
- OS: macOS (Darwin)
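The failure mode in the traceback, as an added example that is not part of the original report and not Checkov's code: a simplified model in which every entry under a block type is assumed to be an object, next to a tolerant walk and a triage helper for finding the offending keys in a cdk.tf.json before a scan. The function names (`strict_walk`, `tolerant_walk`, `scalar_entries`) are hypothetical, and the sample is built from the JSON shown in the report.

```python
import json

# Constructed sample: the "terraform" section from the report's cdk.tf.json.
SAMPLE = json.loads("""
{
  "terraform": {
    "backend": {"local": {"path": "terraform.minimal-stack.tfstate"}},
    "required_providers": {"aws": {"source": "aws", "version": "6.25.0"}},
    "required_version": ">= 1.5.0"
  }
}
""")


def strict_walk(blocks):
    """Model of the failing pattern: treat every entry as a nested block."""
    out = []
    for name, config in blocks.items():
        if not isinstance(config, dict):
            # A string such as ">= 1.5.0" ends up here and aborts the scan.
            raise TypeError(f"{name!r} is {type(config).__name__}, expected dict")
        out.append({name: config})
    return out


def tolerant_walk(blocks):
    """Keep scalar attributes (e.g. required_version) beside nested blocks."""
    nested, attributes = [], {}
    for name, config in blocks.items():
        if isinstance(config, dict):
            nested.append({name: config})
        else:
            attributes[name] = config
    return nested, attributes


def scalar_entries(template):
    """List 'block_type.name' paths whose value is not an object or list."""
    return [
        f"{block_type}.{name}"
        for block_type, blocks in template.items()
        if isinstance(blocks, dict)
        for name, config in blocks.items()
        if not isinstance(config, (dict, list))
    ]
```

Running `scalar_entries` over a synthesized stack in CI shows which keys would stop the parse, so a crashed scan is not mistaken for a clean one.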