Describe the feature
Please add support for scanning Pulumi-generated JSON plans in a way that works with current Checkov framework options, or update the Pulumi/Checkov integration guidance and examples so Pulumi users can scan preview output without hitting an invalid framework error.
Right now, a Pulumi preview JSON file is being generated successfully, but the follow-up Checkov invocation fails because pulumi is not a valid value for --framework.
Reproduction from a Pulumi Python/Azure project:
This runs:
pulumi -C stacks/core/management_groups preview --diff -s prod --json > out/plan_mg_prod.json
Then Checkov fails with:
checkov: error: Invalid frameworks specified: pulumi.
Valid values are: ansible, argo_workflows, arm, azure_pipelines, bicep, bitbucket_pipelines, cdk, circleci_pipelines, cloudformation, dockerfile, github_configuration, github_actions, gitlab_configuration, gitlab_ci, bitbucket_configuration, helm, json, yaml, kubernetes, kustomize, openapi, sca_package, sca_image, secrets, serverless, terraform, terraform_json, terraform_plan, sast, sast_python, sast_java, sast_javascript, sast_typescript, sast_golang, 3d_policy, all
The main request:
- support Pulumi preview JSON as an accepted framework/input type, or
- document the correct supported way to scan Pulumi output with Checkov today.
Examples
Example input command:
pulumi -C stacks/core/management_groups preview --diff -s prod --json > out/plan_mg_prod.json
checkov -f out/plan_mg_prod.json --framework pulumi
Example input artifact:
out/plan_mg_prod.json: Pulumi preview JSON emitted by pulumi preview --json
Actual Checkov outcome:
checkov: error: Invalid frameworks specified: pulumi.
Expected outcomes from Checkov:
Option A:
- Checkov accepts
--framework pulumi
- Checkov parses the Pulumi JSON plan
- Checkov returns policy findings against the planned infrastructure
Expected output behavior:
- no CLI validation failure for a documented Pulumi workflow
- actionable findings or a clear compatibility error with remediation guidance
Additional context
Environment:
- OS: Linux
- Shell: zsh or bash or sh or any
Project context:
- Pulumi project
- Python-based stack
- Azure-focused infrastructure
- command used to generate the plan:
pulumi -C stacks/core/management_groups preview --diff -s prod --json > out/plan_mg_prod.json
Full observed output:
pulumi -C stacks/core/management_groups preview --diff -s prod --json > out/plan_mg_prod.json
pwd
/home/leonard/Downloads/pulumi/pulumi-azure-start
realpath out/plan_mg_prod.json
/home/leonard/Downloads/pulumi/pulumi-azure-start/out/plan_mg_prod.json
usage: checkov [-h] [-v] [--support] [-d DIRECTORY] [--add-check] [-f FILE [FILE ...]] [--skip-path SKIP_PATH] [--external-checks-dir EXTERNAL_CHECKS_DIR] [--external-checks-git EXTERNAL_CHECKS_GIT] [--external-checks-public-key EXTERNAL_CHECKS_PUBLIC_KEY] [-l]
[-o {cli,csv,cyclonedx,cyclonedx_json,json,junitxml,github_failed_only,gitlab_sast,sarif,spdx}] [--output-file-path OUTPUT_FILE_PATH] [--output-bc-ids] [--include-all-checkov-policies] [--quiet] [--compact] [--framework FRAMEWORK [FRAMEWORK ...]] [--skip-framework SKIP_FRAMEWORK [SKIP_FRAMEWORK ...]] [-c CHECK]
[--skip-check SKIP_CHECK] [--run-all-external-checks] [-s] [--soft-fail-on SOFT_FAIL_ON] [--hard-fail-on HARD_FAIL_ON] [--bc-api-key BC_API_KEY] [--prisma-api-url PRISMA_API_URL] [--skip-results-upload] [--docker-image DOCKER_IMAGE] [--dockerfile-path DOCKERFILE_PATH] [--repo-id REPO_ID] [-b BRANCH] [--skip-download]
[--use-enforcement-rules] [--download-external-modules DOWNLOAD_EXTERNAL_MODULES] [--var-file VAR_FILE] [--external-modules-download-path EXTERNAL_MODULES_DOWNLOAD_PATH] [--evaluate-variables EVALUATE_VARIABLES] [-ca CA_CERTIFICATE] [--no-cert-verify] [--repo-root-for-plan-enrichment REPO_ROOT_FOR_PLAN_ENRICHMENT]
[--config-file CONFIG_FILE] [--create-config CREATE_CONFIG] [--show-config] [--create-baseline] [--baseline BASELINE] [--output-baseline-as-skipped] [--skip-cve-package SKIP_CVE_PACKAGE] [--policy-metadata-filter POLICY_METADATA_FILTER] [--policy-metadata-filter-exception POLICY_METADATA_FILTER_EXCEPTION]
[--secrets-scan-file-type SECRETS_SCAN_FILE_TYPE] [--enable-secret-scan-all-files] [--block-list-secret-scan BLOCK_LIST_SECRET_SCAN] [--summary-position {top,bottom}] [--skip-resources-without-violations] [--deep-analysis] [--no-fail-on-crash] [--mask MASK] [--scan-secrets-history]
[--secrets-history-timeout SECRETS_HISTORY_TIMEOUT] [--custom-tool-name CUSTOM_TOOL_NAME]
checkov: error: Invalid frameworks specified: pulumi.
Valid values are: ansible, argo_workflows, arm, azure_pipelines, bicep, bitbucket_pipelines, cdk, circleci_pipelines, cloudformation, dockerfile, github_configuration, github_actions, gitlab_configuration, gitlab_ci, bitbucket_configuration, helm, json, yaml, kubernetes, kustomize, openapi, sca_package, sca_image, secrets, serverless, terraform, terraform_json, terraform_plan, sast, sast_python, sast_java, sast_javascript, sast_typescript, sast_golang, 3d_policy, all
make: *** [Makefile:83: checkov_scan] Error 2
Impact:
- blocks a straightforward CI/local security scan workflow for Pulumi users
- makes it unclear whether Pulumi is supported, partially supported, or unsupported in current Checkov CLI workflows
Describe the feature
Please add support for scanning Pulumi-generated JSON plans in a way that works with current Checkov framework options, or update the Pulumi/Checkov integration guidance and examples so Pulumi users can scan preview output without hitting an invalid framework error.
Right now, a Pulumi preview JSON file is being generated successfully, but the follow-up Checkov invocation fails because
pulumiis not a valid value for--framework.Reproduction from a Pulumi Python/Azure project:
This runs:
pulumi -C stacks/core/management_groups preview --diff -s prod --json > out/plan_mg_prod.jsonThen Checkov fails with:
The main request:
Examples
Example input command:
pulumi -C stacks/core/management_groups preview --diff -s prod --json > out/plan_mg_prod.json checkov -f out/plan_mg_prod.json --framework pulumiExample input artifact:
out/plan_mg_prod.json: Pulumi preview JSON emitted bypulumi preview --jsonActual Checkov outcome:
Expected outcomes from Checkov:
Option A:
--framework pulumiExpected output behavior:
Additional context
Environment:
Project context:
pulumi -C stacks/core/management_groups preview --diff -s prod --json > out/plan_mg_prod.jsonFull observed output:
Impact: