
Add UNKNOWNS to Checkov reports #7458

@AnthonyQ98

Description

Describe the feature

Checkov currently shows the results for PASSED, FAILED & SKIPPED checks. In some scenarios, policies can return UNKNOWN. In these scenarios, this evaluation (or lack of evaluation) is not included in the overall reports that Checkov produces.

This produces a gap in Checkov reporting. It can be important to know which Checks did not pass/fail, nor were they skipped, but instead could not return a deterministic result. Measuring UNKNOWNS can be crucial to determine whether to keep a policy in place and accept the % of UNKNOWNS, or to remove it. This is currently not a supported behaviour by Checkov (UNKNOWNS are only visible in debug mode).

PR #7452 addresses this gap.

Examples

Before:

terraform_plan scan results:

Passed checks: 485, Failed checks: 55, Skipped checks: 0

New:

terraform_plan scan results:

Passed checks: 485, Failed checks: 55, Skipped checks: 0, Unknown checks: 132

JSON report:

Old:

"results": {
    "passed_checks": [...],
    "failed_checks": [...],
    "skipped_checks": [...]
  }

New:

"results": {
    "passed_checks": [...],
    "failed_checks": [...],
    "skipped_checks": [...],
    "unknown_checks": [
      {
        "check_id": "CKV_AWS_140",
        "check_name": "Ensure that RDS global clusters are encrypted",
        "resource": "module.db_module.module.global_cluster.aws_rds_global_cluster.global",
        "file_path": "/plan.json",
        "check_result": { "result": "UNKNOWN" }
      }
    ]
  }
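The issue's own motivation for surfacing UNKNOWNs is deciding whether a policy is worth keeping. The following is an added example (not Checkov's code and not part of the issue or PR) that reads a single-framework JSON report in the proposed shape, counts UNKNOWN results per `check_id` across all four result buckets, and lists the policies whose UNKNOWN share exceeds a threshold. The `unknown_checks` key is the proposed addition from this issue; the sample report is constructed.

```python
import json
from collections import defaultdict

# Constructed sample of a Checkov JSON report in the shape proposed in this
# issue. "unknown_checks" is the proposed addition (assumption: the key name
# and record shape match the PR); the resource names are made up.
SAMPLE_REPORT = json.dumps({
    "check_type": "terraform_plan",
    "results": {
        "passed_checks": [
            {"check_id": "CKV_AWS_140", "resource": "aws_rds_global_cluster.a",
             "check_result": {"result": "PASSED"}},
            {"check_id": "CKV_AWS_16", "resource": "aws_db_instance.b",
             "check_result": {"result": "PASSED"}},
        ],
        "failed_checks": [
            {"check_id": "CKV_AWS_16", "resource": "aws_db_instance.c",
             "check_result": {"result": "FAILED"}},
        ],
        "skipped_checks": [],
        "unknown_checks": [
            {"check_id": "CKV_AWS_140",
             "resource": "module.db_module.module.global_cluster.aws_rds_global_cluster.global",
             "check_result": {"result": "UNKNOWN"}},
            {"check_id": "CKV_AWS_140", "resource": "aws_rds_global_cluster.d",
             "check_result": {"result": "UNKNOWN"}},
        ],
    },
})

RESULT_KEYS = ("passed_checks", "failed_checks", "skipped_checks", "unknown_checks")


def unknown_ratio_by_policy(report_json):
    """Return {check_id: (unknown_count, total_count, unknown_ratio)}."""
    results = json.loads(report_json)["results"]
    counts = defaultdict(lambda: {"unknown": 0, "total": 0})
    for key in RESULT_KEYS:
        # .get() tolerates older reports that carry no unknown_checks bucket
        for record in results.get(key, []):
            bucket = counts[record["check_id"]]
            bucket["total"] += 1
            if record["check_result"]["result"] == "UNKNOWN":
                bucket["unknown"] += 1
    return {cid: (c["unknown"], c["total"], c["unknown"] / c["total"])
            for cid, c in counts.items()}


def policies_over_threshold(report_json, max_unknown_ratio=0.5):
    """Policies whose UNKNOWN share exceeds the threshold: review or remove candidates."""
    ratios = unknown_ratio_by_policy(report_json)
    return sorted(cid for cid, (_, _, ratio) in ratios.items() if ratio > max_unknown_ratio)
```

With the constructed report, CKV_AWS_140 is UNKNOWN on 2 of its 3 evaluations and is the only policy flagged at the default 50% threshold.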

Labels: contribution requested (This is a great feature idea, but we will need a contribution to get it added to Checkov.)