Merge pull request #3027 from bridgecrewio/fail-on-parsing-errors

add environment variable to hard fail on parsing errors
bridgecrewio · May 31, 2022 · da1fbdd · da1fbdd
2 parents ff5348b + bb1b7bb
commit da1fbdd
Show file tree

Hide file tree

Showing 3 changed files with 17 additions and 2 deletions.
diff --git a/checkov/common/output/report.py b/checkov/common/output/report.py
@@ -3,6 +3,7 @@
 import argparse
 import json
 import logging
+import os
 from collections.abc import Iterable
 from dataclasses import dataclass
 from typing import List, Dict, Union, Any, Optional, Set, TYPE_CHECKING, cast
@@ -16,6 +17,7 @@
 from checkov.common.bridgecrew.severities import Severities, BcSeverities
 from checkov.common.models.enums import CheckResult
 from checkov.common.output.record import Record
+from checkov.common.util.consts import PARSE_ERROR_FAIL_FLAG
 from checkov.common.util.json_utils import CustomJSONEncoder
 from checkov.common.util.type_forcers import convert_csv_string_arg_to_list
 from checkov.runner_filter import RunnerFilter
@@ -145,9 +147,13 @@ def get_exit_code(
         :return: Exit code 0 or 1.
         """
 
-        logging.debug(f'In get_exit_code; soft_fail: {soft_fail}, soft_fail_on: {soft_fail_on}, hard_fail_on: {hard_fail_on}')
+        hard_fail_on_parsing_errors = os.getenv(PARSE_ERROR_FAIL_FLAG, "false").lower() == 'true'
+        logging.debug(f'In get_exit_code; soft_fail: {soft_fail}, soft_fail_on: {soft_fail_on}, hard_fail_on: {hard_fail_on}, hard_fail_on_parsing_errors: {hard_fail_on_parsing_errors}')
 
-        if not self.failed_checks or (not soft_fail_on and not hard_fail_on and soft_fail):
+        if self.parsing_errors and hard_fail_on_parsing_errors:
+            logging.debug('hard_fail_on_parsing_errors is True and there were parsing errors - returning 1')
+            return 1
+        elif not self.failed_checks or (not soft_fail_on and not hard_fail_on and soft_fail):
             logging.debug('No failed checks, or soft_fail is True and soft_fail_on and hard_fail_on are empty - returning 0')
             return 0
         elif not soft_fail_on and not hard_fail_on and self.failed_checks:

diff --git a/checkov/common/util/consts.py b/checkov/common/util/consts.py
@@ -9,3 +9,5 @@
     'Accept': 'application/json',
     'Content-Type': 'application/json'
 }
+
+PARSE_ERROR_FAIL_FLAG = 'CKV_PARSE_ERROR_FAIL'
diff --git a/tests/common/output/test_get_exit_code.py b/tests/common/output/test_get_exit_code.py
@@ -1,9 +1,11 @@
+import os
 import unittest
 
 from checkov.common.bridgecrew.severities import BcSeverities, Severities
 from checkov.common.models.enums import CheckResult
 from checkov.common.output.report import Report
 from checkov.common.output.record import Record
+from checkov.common.util.consts import PARSE_ERROR_FAIL_FLAG
 
 
 class TestGetExitCode(unittest.TestCase):
@@ -128,6 +130,11 @@ def test_get_exit_code(self):
         self.assertEqual(combined_test_soft_fail_id_hard_fail_sev, 1)
         self.assertEqual(combined_test_soft_fail_id_hard_fail_sev_fail, 0)
 
+        os.environ[PARSE_ERROR_FAIL_FLAG] = 'true'
+        r.add_parsing_error('some_file.tf')
+        self.assertEqual(r.get_exit_code(soft_fail=False, soft_fail_on=None, hard_fail_on=None), 1)
+        del os.environ[PARSE_ERROR_FAIL_FLAG]
+
 
 if __name__ == '__main__':
     unittest.main()