checkov: Checkov returns empty output with Kubernetes YAML file
Describe the issue
Checkov produces empty output when scanning a Kubernetes YAML file. I generated a YAML file from a Helm chart using helm template prometheus > render.yaml. Then I used the command checkov -f render.yaml --framework kubernetes and the output is only the checkov logo.
_ _
___| |__ ___ ___| | _______ __
/ __| '_ \ / _ \/ __| |/ / _ \ \ / /
| (__| | | | __/ (__| < (_) \ V /
\___|_| |_|\___|\___|_|\_\___/ \_/
By bridgecrew.io | version: 2.0.1065
The YAML file is as follows:
apiVersion: v1
kind: ServiceAccount
metadata:
  labels:
    app: prometheus
    group: com.stakater.platform
    provider: stakater
    version: 2.2.0-rc.0
    chart: prometheus-1.0.32
    release: release-name
    heritage: Helm
  name: monitoring-k8s
  namespace: default
---
apiVersion: v1
# document continues
Additional context
Systems tried: Ubuntu, WSL (Ubuntu, Debian). Fails on all systems.
Log info:
2022-04-15 18:52:52,711 [MainThread ] [DEBUG] Leveraging the bundled IAM Definition.
2022-04-15 18:52:52,711 [MainThread ] [DEBUG] Leveraging the IAM definition at /home/epodegrid/.local/lib/python3.9/site-packages/policy_sentry/shared/data/iam-definition.json
2022-04-15 18:52:52,826 [MainThread ] [DEBUG] Loading external checks from /home/epodegrid/.local/lib/python3.9/site-packages/checkov/bicep/checks/graph_checks
2022-04-15 18:52:52,904 [MainThread ] [DEBUG] Resultant set of frameworks (removing skipped frameworks): all
2022-04-15 18:52:52,979 [MainThread ] [DEBUG] Resultant set of frameworks (removing skipped frameworks): all
2022-04-15 18:52:53,002 [MainThread ] [DEBUG] Resultant set of frameworks (removing skipped frameworks): all
2022-04-15 18:52:53,002 [MainThread ] [DEBUG] Resultant set of frameworks (removing skipped frameworks): all
2022-04-15 18:52:53,034 [MainThread ] [DEBUG] Resultant set of frameworks (removing skipped frameworks): all
2022-04-15 18:52:53,040 [MainThread ] [DEBUG] Resultant set of frameworks (removing skipped frameworks): all
2022-04-15 18:52:53,074 [MainThread ] [DEBUG] Popen(['git', 'version'], cwd=/home/epodegrid/Desktop/glitchy, universal_newlines=False, shell=None, istream=None)
2022-04-15 18:52:53,081 [MainThread ] [DEBUG] Popen(['git', 'version'], cwd=/home/epodegrid/Desktop/glitchy, universal_newlines=False, shell=None, istream=None)
2022-04-15 18:52:53,182 [MainThread ] [DEBUG] Resultant set of frameworks (removing skipped frameworks): all
2022-04-15 18:52:53,182 [MainThread ] [DEBUG] Resultant set of frameworks (removing skipped frameworks): all
2022-04-15 18:52:53,182 [MainThread ] [DEBUG] Resultant set of frameworks (removing skipped frameworks): all
2022-04-15 18:52:53,183 [MainThread ] [DEBUG] Resultant set of frameworks (removing skipped frameworks): all
2022-04-15 18:52:53,183 [MainThread ] [DEBUG] Resultant set of frameworks (removing skipped frameworks): all
2022-04-15 18:52:53,201 [MainThread ] [DEBUG] Resultant set of frameworks (removing skipped frameworks): all
2022-04-15 18:52:53,288 [MainThread ] [DEBUG] Resultant set of frameworks (removing skipped frameworks): all
2022-04-15 18:52:53,392 [MainThread ] [DEBUG] Resultant set of frameworks (removing skipped frameworks): all
2022-04-15 18:52:53,393 [MainThread ] [DEBUG] Resultant set of frameworks (removing skipped frameworks): all
2022-04-15 18:52:53,394 [MainThread ] [DEBUG] Resultant set of frameworks (removing skipped frameworks): all
2022-04-15 18:52:53,397 [MainThread ] [DEBUG] Resultant set of frameworks (removing skipped frameworks): all
2022-04-15 18:52:53,397 [MainThread ] [DEBUG] Resultant set of frameworks (removing skipped frameworks): all
2022-04-15 18:52:53,397 [MainThread ] [DEBUG] Resultant set of frameworks (removing skipped frameworks): all
2022-04-15 18:52:53,398 [MainThread ] [DEBUG] Resultant set of frameworks (removing skipped frameworks): all
2022-04-15 18:52:53,400 [MainThread ] [DEBUG] Resultant set of frameworks (removing skipped frameworks): all
2022-04-15 18:52:53,401 [MainThread ] [DEBUG] Resultant set of frameworks (removing skipped frameworks): all
2022-04-15 18:52:53,403 [MainThread ] [DEBUG] Resultant set of frameworks (removing skipped frameworks): all
2022-04-15 18:52:53,408 [MainThread ] [DEBUG] No API key present; setting include_all_checkov_policies to True
2022-04-15 18:52:53,408 [MainThread ] [DEBUG] Checkov version: 2.0.1065
2022-04-15 18:52:53,408 [MainThread ] [DEBUG] Python executable: /usr/bin/python3
2022-04-15 18:52:53,408 [MainThread ] [DEBUG] Python version: 3.9.7 (default, Sep 10 2021, 14:59:43)
[GCC 11.2.0]
2022-04-15 18:52:53,408 [MainThread ] [DEBUG] Checkov executable (argv[0]): /home/epodegrid/.local/bin/checkov
2022-04-15 18:52:53,408 [MainThread ] [DEBUG] Command Line Args: -f render.yaml --framework kubernetes
Defaults:
--branch: master
--download-external-modules:False
--external-modules-download-path:.external_modules
--evaluate-variables:True
2022-04-15 18:52:53,408 [MainThread ] [DEBUG] Resultant set of frameworks (removing skipped frameworks): kubernetes
2022-04-15 18:52:53,408 [MainThread ] [DEBUG] kubernetes_runner declares no system dependency checks required.
2022-04-15 18:52:53,408 [MainThread ] [DEBUG] No API key found. Scanning locally only.
2022-04-15 18:52:54,331 [MainThread ] [DEBUG] Got checkov mappings and guidelines from Bridgecrew BE
2022-04-15 18:52:54,332 [MainThread ] [DEBUG] Loading external checks from /home/epodegrid/.local/lib/python3.9/site-packages/checkov/terraform/checks/graph_checks
2022-04-15 18:52:54,332 [MainThread ] [DEBUG] Searching through ['__pycache__', 'azure', 'gcp', 'aws'] and ['__init__.py']
2022-04-15 18:52:54,332 [MainThread ] [DEBUG] Searching through [] and ['__init__.cpython-39.pyc']
2022-04-15 18:52:54,332 [MainThread ] [DEBUG] Searching through [] and ['VAsetPeriodicScansOnSQL.yaml', 'StorageLoggingIsEnabledForBlobService.yaml', 'CognitiveServicesCustomerManagedKey.yaml', 'MSQLenablesCustomerManagedKey.yaml', 'PGSQLenablesCustomerManagedKey.yaml', 'VMHasBackUpMachine.yaml', 'AzureStorageAccountsUseCustomerManagedKeyForEncryption.yaml', 'DataExplorerEncryptionUsesCustomKey.yaml', 'StorageLoggingIsEnabledForTableService.yaml', 'VAconfiguredToSendReportsToAdmins.yaml', 'AzureNetworkInterfacePublicIPAddressId.yaml', 'VAisEnabledInStorageAccount.yaml', 'VAconfiguredToSendReports.yaml', 'AzureAntimalwareIsConfiguredWithAutoUpdatesForVMs.yaml', 'AzureSynapseWorkspacesHaveNoIPFirewallRulesAttached.yaml', 'AzureUnattachedDisksAreEncrypted.yaml', 'StorageCriticalDataEncryptedCMK.yaml', 'AzureActiveDirectoryAdminIsConfigured.yaml', 'SQLServerAuditingEnabled.yaml', 'AccessToPostgreSQLFromAzureServicesIsDisabled.yaml', 'AzureDataFactoriesEncryptedWithCustomerManagedKey.yaml', 'StorageContainerActivityLogsNotPublic.yaml', 'VirtualMachinesUtilizingManagedDisks.yaml', 'SQLServerAuditingRetention90Days.yaml', 'AzureMSSQLServerHasSecurityAlertPolicy.yaml']
2022-04-15 18:52:54,443 [MainThread ] [DEBUG] Searching through [] and ['GCPProjectHasNoLegacyNetworks.yaml', 'GCPKMSKeyRingsAreNotPubliclyAccessible.yaml', 'DisableAccessToSqlDBInstanceForRootUsersWithoutPassword.yaml', 'GCPAuditLogsConfiguredForAllServicesAndUsers.yaml', 'GCPContainerRegistryReposAreNotPubliclyAccessible.yaml', 'GCPKMSCryptoKeysAreNotPubliclyAccessible.yaml', 'GCPLogBucketsConfiguredUsingLock.yaml', 'GKEClustersAreNotUsingDefaultServiceAccount.yaml', 'ServiceAccountHasGCPmanagedKey.yaml']
2022-04-15 18:52:54,494 [MainThread ] [DEBUG] Searching through [] and ['AWSNATGatewaysshouldbeutilized.yaml', 'APIProtectedByWAF.yaml', 'PostgresRDSHasQueryLoggingEnabled.yaml', 'S3BucketVersioning.yaml', 'PostgresDBHasQueryLoggingEnabled.yaml', 'EIPAllocatedToVPCAttachedEC2.yaml', 'S3PublicACLRead.yaml', 'CloudtrailHasCloudwatch.yaml', 'SubnetHasACL.yaml', 'ALBProtectedByWAF.yaml', 'S3BucketEncryption.yaml', 'S3PublicACLWrite.yaml', 'AWSSSMParameterShouldBeEncrypted.yaml', 'CloudFrontHasSecurityHeadersPolicy.yaml', 'WAF2HasLogs.yaml', 'RDSClusterHasBackupPlan.yaml', 'VPCHasFlowLog.yaml', 'AppSyncProtectedByWAF.yaml', 'GuardDutyIsEnabled.yaml', 'IAMUserHasNoConsoleAccess.yaml', 'EFSAddedBackup.yaml', 'SGAttachedToResource.yaml', 'AutoScalingEnableOnDynamoDBTables.yaml', 'IAMGroupHasAtLeastOneUser.yaml', 'IAMUsersAreMembersAtLeastOneGroup.yaml', 'S3BucketHasPublicAccessBlock.yaml', 'S3BucketLogging.yaml', 'APIGWLoggingLevelsDefinedProperly.yaml', 'Route53ARecordAttachedResource.yaml', 'S3KMSEncryptedByDefault.yaml', 'EBSAddedBackup.yaml', 'AutoScallingEnabledELB.yaml', 'AMRClustersNotOpenToInternet.yaml', 'VPCHasRestrictedSG.yaml', 'EncryptedEBSVolumeOnlyConnectedToEC2s.yaml', 'ALBRedirectsHTTPToHTTPS.yaml', 'HTTPNotSendingPasswords.yaml']
2022-04-15 18:52:54,694 [MainThread ] [DEBUG] Loading external checks from /home/epodegrid/.local/lib/python3.9/site-packages/checkov/cloudformation/checks/graph_checks
2022-04-15 18:52:54,694 [MainThread ] [DEBUG] Searching through ['__pycache__'] and ['__init__.py']
2022-04-15 18:52:54,694 [MainThread ] [DEBUG] Searching through [] and ['__init__.cpython-39.pyc']
2022-04-15 18:52:54,694 [MainThread ] [DEBUG] Loading external checks from /home/epodegrid/.local/lib/python3.9/site-packages/checkov/kubernetes/checks/graph_checks
2022-04-15 18:52:54,694 [MainThread ] [DEBUG] Searching through ['__pycache__'] and ['__init__.py']
2022-04-15 18:52:54,694 [MainThread ] [DEBUG] Searching through [] and ['__init__.cpython-39.pyc']
2022-04-15 18:52:54,694 [MainThread ] [DEBUG] Loading external checks from /home/epodegrid/.local/lib/python3.9/site-packages/checkov/bicep/checks/graph_checks
2022-04-15 18:52:54,694 [MainThread ] [DEBUG] Loading external checks from /home/epodegrid/.local/lib/python3.9/site-packages/checkov/terraform_plan/checks/graph_checks
2022-04-15 18:52:54,701 [MainThread ] [ERROR] Template file not found: render.yaml
2022-04-15 18:52:54,702 [MainThread ] [INFO ] creating kubernetes graph
2022-04-15 18:52:54,703 [MainThread ] [DEBUG] Loading external checks from /home/epodegrid/.local/lib/python3.9/site-packages/checkov/kubernetes/checks/graph_checks
2022-04-15 18:52:54,703 [MainThread ] [DEBUG] Searching through ['__pycache__'] and ['__init__.py']
2022-04-15 18:52:54,703 [MainThread ] [DEBUG] Searching through [] and ['__init__.cpython-39.pyc']
_ _
___| |__ ___ ___| | _______ __
/ __| '_ \ / _ \/ __| |/ / _ \ \ / /
| (__| | | | __/ (__| < (_) \ V /
\___|_| |_|\___|\___|_|\_\___/ \_/
By bridgecrew.io | version: 2.0.1065
2022-04-15 18:52:54,704 [MainThread ] [DEBUG] Getting exit code for report kubernetes
2022-04-15 18:52:54,704 [MainThread ] [DEBUG] In get_exit_code; soft_fail: False, soft_fail_on: None, hard_fail_on: None
2022-04-15 18:52:54,704 [MainThread ] [DEBUG] No failed checks, or soft_fail is True and soft_fail_on and hard_fail_on are empty - returning 0
About this issue
- State: closed
- Created 2 years ago
- Comments: 17 (3 by maintainers)
@epodegrid Is it fixed?
I am experiencing the same issue as reported here; the YAML file has {{variables}} in it. As an intermediate solution I am using the following command:
sed 's/{{/[[/g' non-working.yml > working.yml
Basically it converts the {{ to [[ and then checkov will be able to scan the file again.
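Added example, not code from the checkov project or from anyone in this thread: a small pre-flight script for the situation described in the issue body and in the {{ workaround comment above. In the thread, checkov logged "Template file not found" for a file that exists, printed nothing but its banner, and exited 0 with "No failed checks"; the comment attributes this to unrendered Go-template markers left in the rendered YAML. The script splits a helm template stream into documents, reports every line that still carries {{ or }}, generalizes the sed workaround to all occurrences on a line and to the closing braces, and treats a scan that parsed zero resources as a failure instead of a pass. The YAML below is a constructed sample; the summary counter names (resource_count, passed, failed, parsing_errors) are assumed to match checkov's -o json summary and should be confirmed against your checkov version.

```python
"""Pre-flight checks for feeding Helm-rendered YAML to checkov.

Added example, not checkov or Helm project code. Assumptions: the input is
a multi-document YAML stream separated by '---' lines (what 'helm template'
emits), and the scanner's JSON summary uses checkov-style counter names
('resource_count', 'passed', 'failed', 'parsing_errors').
"""
import re
from typing import Dict, List, Tuple

_DOC_SEPARATOR = re.compile(r"^---\s*$")


def split_documents(text: str) -> List[Tuple[int, str]]:
    """Split a YAML stream into (first_line_number, body) per document.
    Empty documents (e.g. a leading '---') are skipped."""
    docs: List[Tuple[int, str]] = []
    current: List[str] = []
    start = 1
    for lineno, line in enumerate(text.splitlines(), start=1):
        if _DOC_SEPARATOR.match(line):
            if any(l.strip() for l in current):
                docs.append((start, "\n".join(current)))
            current, start = [], lineno + 1
        else:
            current.append(line)
    if any(l.strip() for l in current):
        docs.append((start, "\n".join(current)))
    return docs


def find_template_markers(text: str) -> List[Tuple[int, int, str]]:
    """Return (document_index, line_number, line) for every line that still
    carries Go-template braces. Any hit means the stream is not plain YAML
    and a scanner may silently skip the whole file."""
    hits: List[Tuple[int, int, str]] = []
    for idx, (start, body) in enumerate(split_documents(text)):
        for offset, line in enumerate(body.splitlines()):
            if "{{" in line or "}}" in line:
                hits.append((idx, start + offset, line.strip()))
    return hits


def neutralize_templates(text: str) -> str:
    """Replace every '{{' with '[[' and every '}}' with ']]' so the stream
    parses as YAML. This generalizes the sed workaround from the thread to
    all occurrences on a line and to the closing braces. The substituted
    values are placeholders, so any check that depends on them (namespace,
    image tag, ...) is unreliable on the neutralized file."""
    return text.replace("{{", "[[").replace("}}", "]]")


def scan_was_meaningful(summary: Dict[str, int]) -> Tuple[bool, str]:
    """Fail closed: a scanner that evaluated nothing and exited 0 is not a
    clean result. 'summary' is assumed to carry checkov-style counters."""
    if summary.get("parsing_errors", 0):
        return False, "parsing errors reported"
    if summary.get("resource_count", 0) == 0:
        return False, "no resources were parsed"
    if summary.get("passed", 0) + summary.get("failed", 0) == 0:
        return False, "no checks were evaluated"
    return True, "ok"


# Constructed sample: a ServiceAccount like the one in the issue, followed by
# a document in which two Helm values were never rendered.
SAMPLE_RENDER = """\
apiVersion: v1
kind: ServiceAccount
metadata:
  name: monitoring-k8s
  namespace: default
---
apiVersion: v1
kind: ConfigMap
metadata:
  name: prometheus-config
  namespace: {{ .Values.namespace }}
data:
  retention: "{{ .Values.retention }}"
"""

if __name__ == "__main__":
    for doc, line, content in find_template_markers(SAMPLE_RENDER):
        print(f"document {doc}, line {line}: {content}")
    print(neutralize_templates(SAMPLE_RENDER))
```

Run the marker check on render.yaml before invoking checkov and gate the pipeline on an empty result; after the scan, feed the JSON summary to scan_was_meaningful so that a run which parsed nothing cannot pass as "no failed checks". Neutralizing is only a stopgap for getting the parser past the file; render the chart with real values before trusting checks on namespaces or image references.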