Skip to content

feat: Checkov scan target for Pulumi JSON plan support #7601

Description

@leonavevor

Describe the feature

Please add support for scanning Pulumi-generated JSON plans in a way that works with current Checkov framework options, or update the Pulumi/Checkov integration guidance and examples so Pulumi users can scan preview output without hitting an invalid framework error.

Right now, a Pulumi preview JSON file is being generated successfully, but the follow-up Checkov invocation fails because pulumi is not a valid value for --framework.

Reproduction from a Pulumi Python/Azure project:

make checkov_scan

This runs:

pulumi -C stacks/core/management_groups preview --diff -s prod --json > out/plan_mg_prod.json

Then Checkov fails with:

checkov: error: Invalid frameworks specified: pulumi.
Valid values are: ansible, argo_workflows, arm, azure_pipelines, bicep, bitbucket_pipelines, cdk, circleci_pipelines, cloudformation, dockerfile, github_configuration, github_actions, gitlab_configuration, gitlab_ci, bitbucket_configuration, helm, json, yaml, kubernetes, kustomize, openapi, sca_package, sca_image, secrets, serverless, terraform, terraform_json, terraform_plan, sast, sast_python, sast_java, sast_javascript, sast_typescript, sast_golang, 3d_policy, all

The main request:

  • support Pulumi preview JSON as an accepted framework/input type, or
  • document the correct supported way to scan Pulumi output with Checkov today.

Examples

Example input command:

pulumi -C stacks/core/management_groups preview --diff -s prod --json > out/plan_mg_prod.json
checkov -f out/plan_mg_prod.json --framework pulumi

Example input artifact:

  • out/plan_mg_prod.json: Pulumi preview JSON emitted by pulumi preview --json

Actual Checkov outcome:

checkov: error: Invalid frameworks specified: pulumi.

Expected outcomes from Checkov:

Option A:

  • Checkov accepts --framework pulumi
  • Checkov parses the Pulumi JSON plan
  • Checkov returns policy findings against the planned infrastructure

Expected output behavior:

  • no CLI validation failure for a documented Pulumi workflow
  • actionable findings or a clear compatibility error with remediation guidance

Additional context

Environment:

  • OS: Linux
  • Shell: zsh or bash or sh or any

Project context:

  • Pulumi project
  • Python-based stack
  • Azure-focused infrastructure
  • command used to generate the plan:
    pulumi -C stacks/core/management_groups preview --diff -s prod --json > out/plan_mg_prod.json

Full observed output:

pulumi -C stacks/core/management_groups preview --diff -s prod --json > out/plan_mg_prod.json
pwd
/home/leonard/Downloads/pulumi/pulumi-azure-start
realpath out/plan_mg_prod.json
/home/leonard/Downloads/pulumi/pulumi-azure-start/out/plan_mg_prod.json
usage: checkov [-h] [-v] [--support] [-d DIRECTORY] [--add-check] [-f FILE [FILE ...]] [--skip-path SKIP_PATH] [--external-checks-dir EXTERNAL_CHECKS_DIR] [--external-checks-git EXTERNAL_CHECKS_GIT] [--external-checks-public-key EXTERNAL_CHECKS_PUBLIC_KEY] [-l]
               [-o {cli,csv,cyclonedx,cyclonedx_json,json,junitxml,github_failed_only,gitlab_sast,sarif,spdx}] [--output-file-path OUTPUT_FILE_PATH] [--output-bc-ids] [--include-all-checkov-policies] [--quiet] [--compact] [--framework FRAMEWORK [FRAMEWORK ...]] [--skip-framework SKIP_FRAMEWORK [SKIP_FRAMEWORK ...]] [-c CHECK]
               [--skip-check SKIP_CHECK] [--run-all-external-checks] [-s] [--soft-fail-on SOFT_FAIL_ON] [--hard-fail-on HARD_FAIL_ON] [--bc-api-key BC_API_KEY] [--prisma-api-url PRISMA_API_URL] [--skip-results-upload] [--docker-image DOCKER_IMAGE] [--dockerfile-path DOCKERFILE_PATH] [--repo-id REPO_ID] [-b BRANCH] [--skip-download]
               [--use-enforcement-rules] [--download-external-modules DOWNLOAD_EXTERNAL_MODULES] [--var-file VAR_FILE] [--external-modules-download-path EXTERNAL_MODULES_DOWNLOAD_PATH] [--evaluate-variables EVALUATE_VARIABLES] [-ca CA_CERTIFICATE] [--no-cert-verify] [--repo-root-for-plan-enrichment REPO_ROOT_FOR_PLAN_ENRICHMENT]
               [--config-file CONFIG_FILE] [--create-config CREATE_CONFIG] [--show-config] [--create-baseline] [--baseline BASELINE] [--output-baseline-as-skipped] [--skip-cve-package SKIP_CVE_PACKAGE] [--policy-metadata-filter POLICY_METADATA_FILTER] [--policy-metadata-filter-exception POLICY_METADATA_FILTER_EXCEPTION]
               [--secrets-scan-file-type SECRETS_SCAN_FILE_TYPE] [--enable-secret-scan-all-files] [--block-list-secret-scan BLOCK_LIST_SECRET_SCAN] [--summary-position {top,bottom}] [--skip-resources-without-violations] [--deep-analysis] [--no-fail-on-crash] [--mask MASK] [--scan-secrets-history]
               [--secrets-history-timeout SECRETS_HISTORY_TIMEOUT] [--custom-tool-name CUSTOM_TOOL_NAME]
checkov: error: Invalid frameworks specified: pulumi.
Valid values are: ansible, argo_workflows, arm, azure_pipelines, bicep, bitbucket_pipelines, cdk, circleci_pipelines, cloudformation, dockerfile, github_configuration, github_actions, gitlab_configuration, gitlab_ci, bitbucket_configuration, helm, json, yaml, kubernetes, kustomize, openapi, sca_package, sca_image, secrets, serverless, terraform, terraform_json, terraform_plan, sast, sast_python, sast_java, sast_javascript, sast_typescript, sast_golang, 3d_policy, all
make: *** [Makefile:83: checkov_scan] Error 2

Impact:

  • blocks a straightforward CI/local security scan workflow for Pulumi users
  • makes it unclear whether Pulumi is supported, partially supported, or unsupported in current Checkov CLI workflows

Metadata

Metadata

Assignees

No one assigned

    Labels

    contribution requestedThis is a great feature idea, but we will need a contribution to get it added to Checkov.

    Type

    No type

    Fields

    No fields configured for issues without a type.

    Projects

    No projects

    Milestone

    No milestone

    Relationships

    None yet

    Development

    No branches or pull requests

    Issue actions