@exitcode0
Description

Checkov's Terraform plan scanning previously only processed resources from planned_values, which excludes resources being purely deleted (action ["delete"]).
This prevented custom checks from validating deletion conditions (e.g., ensuring a resource is in an acceptable state before removal).

This PR extends the plan parser to extract resources with pure delete actions from resource_changes and make them available to policy checks.
The resource's "before" state is used as the configuration, with __change_actions__ set to ["delete"].

This would allow a policy to enforce specific resource attribute values before resource deletion.

Fixes #5587

Checklist:

  • I have performed a self-review of my own code
  • I have commented my code, particularly in hard-to-understand areas
  • I have made corresponding changes to the documentation
  • I have added tests that prove my feature, policy, or fix is effective and works
  • New and existing tests pass locally with my changes

Previously, it was not possible to check a resource's configuration when
the plan indicated the resource would be deleted entirely. This prevented
custom checks from enforcing conventions around deletions.

We now process pure delete actions from resource_changes. The "before"
state is made available as the resource configuration, with __change_actions__
set to ["delete"].
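The extraction described in the PR description and commit message above, as an added example that is not Checkov's own parser code: it reads pure-delete entries from a constructed plan's `resource_changes`, uses their "before" state as the configuration with `__change_actions__` set to `["delete"]`, and runs a hypothetical deletion policy over them (the `deletion_approved` tag and the restriction to `"mode": "managed"` are assumptions for this example).

```python
import json

# Constructed Terraform plan JSON (not a real plan): one approved pure delete,
# one unapproved pure delete, one replace (not a pure delete) and one update.
SAMPLE_PLAN = json.loads("""
{"format_version": "1.2",
 "resource_changes": [
  {"address": "aws_s3_bucket.logs", "mode": "managed", "type": "aws_s3_bucket",
   "name": "logs", "change": {"actions": ["delete"], "after": null,
   "before": {"bucket": "corp-logs", "tags": {"deletion_approved": "true"}}}},
  {"address": "aws_s3_bucket.data", "mode": "managed", "type": "aws_s3_bucket",
   "name": "data", "change": {"actions": ["delete"], "after": null,
   "before": {"bucket": "corp-data", "tags": {}}}},
  {"address": "aws_s3_bucket.tmp", "mode": "managed", "type": "aws_s3_bucket",
   "name": "tmp", "change": {"actions": ["delete", "create"], "after": {"bucket": "tmp2"},
   "before": {"bucket": "tmp", "tags": {}}}},
  {"address": "aws_iam_role.app", "mode": "managed", "type": "aws_iam_role",
   "name": "app", "change": {"actions": ["update"], "after": {"name": "app2"},
   "before": {"name": "app"}}}
 ]}
""")


def extract_pure_deletes(plan):
    """Return managed resources whose only planned action is "delete".

    planned_values omits these, so they are read from resource_changes. The
    "before" state becomes the configuration, with __change_actions__ = ["delete"].
    """
    resources = []
    for rc in plan.get("resource_changes", []):
        change = rc.get("change", {})
        if change.get("actions") != ["delete"] or rc.get("mode") != "managed":
            continue  # replace (["delete","create"]), updates and data sources are skipped
        config = dict(change.get("before") or {})
        config["__change_actions__"] = ["delete"]
        resources.append({"address": rc["address"], "type": rc["type"], "config": config})
    return resources


def delete_is_approved(resource):
    """Hypothetical policy (not a Checkov check): an S3 bucket may only be
    destroyed if its pre-deletion state carries tags.deletion_approved = "true"."""
    if resource["type"] != "aws_s3_bucket":
        return True
    tags = resource["config"].get("tags") or {}
    return str(tags.get("deletion_approved", "")).lower() == "true"


def failing_deletions(plan):
    """Addresses of pure deletes that violate the policy above."""
    return [r["address"] for r in extract_pure_deletes(plan) if not delete_is_approved(r)]
```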
Successfully merging this pull request may close these issues.

Checkov does not run checks, issues no errors, when deleting resources in Terraform plan.