Merge pull request #18 from aws-samples/checkov

jakebark · web-flow · commit 0e66d42cb421 · 2025-04-16T08:15:36.000+01:00
- fixed checkov to 3.2.0
- added guidance for reports
diff --git a/README.md b/README.md
@@ -63,7 +63,7 @@ module "pipeline" {
   ...
   branch                = "main"
   mode                  = "SUPERSEDED"
-  detect_changes        = true
+  detect_changes        = false
   kms_key               = aws_kms_key.this.arn
   access_logging_bucket = aws_s3_bucket.this.id
   artifact_retention    = 90
@@ -90,7 +90,7 @@ module "pipeline" {
 
 `mode` is [pipeline execution mode](https://docs.aws.amazon.com/codepipeline/latest/userguide/concepts-how-it-works.html#concepts-how-it-works-executions). It defaults to `SUPERSEDED`.
 
-`detect_changes` is used with third-party services, like GitHub. It enables AWS CodeConnections to invoke the pipeline when there is a commit to the repo.  
+`detect_changes` is used with third-party services, like GitHub. It enables AWS CodeConnections to invoke the pipeline when there is a commit to the repo. It defaults to `false`.
 
 `kms_key` is the arn of an *existing* AWS KMS key. This input will encrypt the Amazon S3 bucket with a AWS KMS key of your choice. Otherwise the bucket will be encrypted using SSE-S3. Your AWS KMS key policy will need to allow codebuild and codepipeline to `kms:GenerateDataKey*` and `kms:Decrypt`.
 
diff --git a/locals.tf b/locals.tf
@@ -13,10 +13,11 @@ locals {
   })
 
   env_var = {
-    TFLINT_VERSION  = var.tflint_version
-    SAST_REPORT_ARN = aws_codebuild_report_group.sast.arn
     CHECKOV_SKIPS   = join(",", "${var.checkov_skip}")
+    CHECKOV_VERSION = var.checkov_version
+    SAST_REPORT_ARN = aws_codebuild_report_group.sast.arn
     TF_VERSION      = var.terraform_version
+    TFLINT_VERSION  = var.tflint_version
   }
   conditional_env_var = merge(local.env_var, {
     TAGS           = var.tags
diff --git a/modules/codebuild/buildspecs/sast.yml b/modules/codebuild/buildspecs/sast.yml
@@ -10,7 +10,7 @@ phases:
       - yum-config-manager --add-repo https://rpm.releases.hashicorp.com/AmazonLinux/hashicorp.repo
       - yum install -y terraform-${TF_VERSION}
       - python -V
-      - pip3 install checkov
+      - pip3 install checkov==${CHECKOV_VERSION}
 
   build:
     commands:   
@@ -21,6 +21,7 @@ phases:
         else
           checkov --directory ./ --skip-path ./deploy --skip-check ${CHECKOV_SKIPS} -o junitxml > checkov.xml
         fi
+      - echo "Checkov complete. Report available in CodeBuild project > Reports" 
 reports:
   ${SAST_REPORT_ARN}:
     files:
diff --git a/variables.tf b/variables.tf
@@ -44,7 +44,7 @@ variable "checkov_skip" {
 
 variable "checkov_version" {
   type    = string
-  default = "latest"
+  default = "3.2.0"
 }
 
 variable "codebuild_policy" {
@@ -61,7 +61,7 @@ variable "connection" {
 
 variable "detect_changes" {
   description = "allows third-party servicesm like GitHub to invoke the pipeline"
-  type        = string
+  type        = bool
   default     = false
 }
 
@@ -83,7 +83,6 @@ variable "mode" {
     ], var.mode)
     error_message = "unsupported pipeline mode"
   }
-
 }
 
 variable "kms_key" {

Original file line number	Diff line number	Diff line change
`@@ -44,7 +44,7 @@ variable "checkov_skip" {`
`44`	`44`
`45`	`45`	`variable "checkov_version" {`
`46`	`46`	`type = string`
`47`		`- default = "latest"`
	`47`	`+ default = "3.2.0"`
`48`	`48`	`}`
`49`	`49`
`50`	`50`	`variable "codebuild_policy" {`
`@@ -61,7 +61,7 @@ variable "connection" {`
`61`	`61`
`62`	`62`	`variable "detect_changes" {`
`63`	`63`	`description = "allows third-party servicesm like GitHub to invoke the pipeline"`
`64`		`- type = string`
	`64`	`+ type = bool`
`65`	`65`	`default = false`
`66`	`66`	`}`
`67`	`67`
`@@ -83,7 +83,6 @@ variable "mode" {`
`83`	`83`	`], var.mode)`
`84`	`84`	`error_message = "unsupported pipeline mode"`
`85`	`85`	`}`
`86`		`-`
`87`	`86`	`}`
`88`	`87`
`89`	`88`	`variable "kms_key" {`