@fproulx-boostsecurity fproulx-boostsecurity commented Jan 19, 2026

Summary

  • Add tests.yaml for checkov-tf-plan with three test scenarios using pre-generated terraform plan fixtures
  • Update module.yaml to make BOOST_TF_TAGS_POLICY optional using ${BOOST_TF_TAGS_POLICY:-{}} syntax

Test Scenarios

| Test | Description | Expected Findings |
|---|---|---|
| aws-security-violations | S3 bucket with intentional security issues (no encryption, versioning disabled, public ACL) | ~6 checkov findings |
| aws-compliant | Well-configured S3 bucket with encryption, versioning, public access blocked | ~2 minor findings |
| gcp-storage | GCP storage bucket for multi-cloud coverage | ~2 findings |

Test Fixtures

Test fixtures are in boost-sandbox/checkov-tf-plan-testing

Changes to module.yaml

Changed BOOST_TF_TAGS_POLICY: $BOOST_TF_TAGS_POLICY to BOOST_TF_TAGS_POLICY: ${BOOST_TF_TAGS_POLICY:-{}} to:

  • Enable E2E tests to run without requiring the env var
  • Preserve tag validation feature when env var is explicitly set

Test plan

  • Local testing with boost CLI - all three scenarios pass
  • E2E tests via scan-test-action

🤖 Generated with Claude Code

- Add tests.yaml with three test scenarios:
  - aws-security-violations: S3 bucket with security issues
  - aws-compliant: Well-configured S3 bucket
  - gcp-storage: GCP storage bucket for multi-cloud coverage

- Update module.yaml to make BOOST_TF_TAGS_POLICY optional:
  - Use ${BOOST_TF_TAGS_POLICY:-{}} syntax for default empty JSON
  - Enables E2E testing without requiring the env var
  - Tag validation still works when env var is set

Test fixtures are in boost-sandbox/checkov-tf-plan-testing

Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
@fproulx-boostsecurity fproulx-boostsecurity marked this pull request as ready for review January 19, 2026 20:35
@fproulx-boostsecurity fproulx-boostsecurity changed the title Add E2E tests for checkov-tf-plan scanner module BST-18560 - Add E2E tests for checkov-tf-plan scanner module Jan 19, 2026
@fproulx-boostsecurity fproulx-boostsecurity merged commit e8cb18a into main Jan 19, 2026
12 checks passed
@fproulx-boostsecurity fproulx-boostsecurity deleted the add-checkov-tf-plan-e2e-tests branch January 19, 2026 20:46
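
How the `${BOOST_TF_TAGS_POLICY:-{}}` default from the description above behaves when a POSIX shell performs the expansion, as an added example that is not part of the PR. The page does not say what expands values in module.yaml, so shell evaluation is an assumption here; the helper names and the sample policy value are constructed.

```shell
#!/bin/sh
# Added illustration; expand_as_written and expand_safe are hypothetical
# helpers, not code from the PR or from module.yaml.

# The pattern from the PR description, as a POSIX shell parses it: the first
# unquoted } ends the expansion, so the default word is "{" and the second }
# is a literal character appended to whatever the expansion produced.
expand_as_written() {
  printf '%s' "${BOOST_TF_TAGS_POLICY:-{}}"
}

# Brace-safe form: the default comes from a variable, so no } appears inside
# the expansion and nothing is appended to an explicitly set policy.
expand_safe() {
  empty_policy='{}'
  printf '%s' "${BOOST_TF_TAGS_POLICY:-$empty_policy}"
}

# Constructed sample policy value, not taken from the PR.
SAMPLE_POLICY='{"required_tags":["owner"]}'

# Print both expansions side by side for the current variable state.
show() {
  printf '%-6s as-written=%s  safe=%s\n' "$1" "$(expand_as_written)" "$(expand_safe)"
}

unset BOOST_TF_TAGS_POLICY;          show unset
BOOST_TF_TAGS_POLICY='';             show empty
BOOST_TF_TAGS_POLICY=$SAMPLE_POLICY; show set
unset BOOST_TF_TAGS_POLICY
```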