{# Checkov SARIF findings report.
   Input: `checkov_data` — a parsed SARIF log. Only runs[0] is read: its `results`, its
   `tool.driver.rules` (for rule name / helpUri / the `security-severity` property) and,
   per result, `locations[0]`, `message`, `level`, `ruleIndex` and `fingerprints`.
   Every value that originates in the scanned repository or in tool output (paths, messages,
   rule names, help URIs, snippets, fingerprints) is passed through `| e` before it is
   emitted; keep that invariant when editing this template. #}
{% if checkov_data %}
{# Pass 1 — roll-ups over all results: per-severity counts, findings per file, distinct rule
   ids. Severity is first mapped from the SARIF `level` (error→high, warning→medium,
   note→low, none→info) and then overridden by the rule's `security-severity` property when
   the result carries a `ruleIndex` that lies inside runs[0].tool.driver.rules.
   NOTE(review): `sec_severity >= 9.0` assumes the property is numeric. The GitHub SARIF
   convention stores security-severity as a string ("9.8"); a str/float comparison raises
   TypeError at render time in Python 3 — confirm what Checkov emits, or compare on
   `sec_severity | float` in both passes.
   NOTE(review): `f.level | default('error')` treats a missing level as an error; SARIF's own
   default for a missing level is "warning" — confirm this inflation of the high count is
   intended.
   NOTE(review): the fallback `sev = 'high'` here differs from `sev = 'medium'` in the
   per-row pass below. They only diverge for an unrecognised `level` value, but the summary
   counts would then disagree with the table. The `else` branch that increments 'unknown' is
   unreachable, since every value assigned to `sev` is already a key of sev_counts.
   NOTE(review): `__setitem__` is a dunder attribute and is rejected by Jinja's
   SandboxedEnvironment; this template therefore requires a plain Environment (or use
   `file_counts.update({path: ...})`, which the sandbox permits). #}
{% set runs = checkov_data.runs | default([]) %} {% set findings = runs[0].results | default([]) if runs else [] %} {# ----- Quick rollups ----- #} {% set sev_counts = {'critical':0,'high':0,'medium':0,'low':0,'info':0,'unknown':0} %} {% set file_counts = {} %} {% set rule_ids = {} %} {% for f in findings %} {% set location = f.locations[0] if f.locations and f.locations|length > 0 else {} %} {% set physical_location = location.physicalLocation if location.physicalLocation is defined else {} %} {% set artifact_location = physical_location.artifactLocation if physical_location.artifactLocation is defined else {} %} {% set path = artifact_location.uri | default('') %} {% if path %} {% set _ = file_counts.__setitem__(path, (file_counts.get(path, 0) + 1)) %} {% endif %} {% set rid = f.ruleId | default('') %} {% if rid %} {% set _ = rule_ids.__setitem__(rid, True) %} {% endif %} {# Extract severity from SARIF level and security-severity #} {% set level = (f.level | default('error')) | lower %} {% set sev = 'high' %} {% if level == 'error' %} {% set sev = 'high' %} {% elif level == 'warning' %} {% set sev = 'medium' %} {% elif level == 'note' %} {% set sev = 'low' %} {% elif level == 'none' %} {% set sev = 'info' %} {% endif %} {# Check for security-severity in rule properties #} {% set rule_index = f.ruleIndex | default(-1) %} {% if rule_index >= 0 and runs and runs[0].tool and runs[0].tool.driver and runs[0].tool.driver.rules %} {% set rules = runs[0].tool.driver.rules %} {% if rule_index < rules|length %} {% set rule = rules[rule_index] %} {% set props = rule.properties | default({}) %} {% if 'security-severity' in props %} {% set sec_severity = props['security-severity'] %} {% if sec_severity >= 9.0 %} {% set sev = 'critical' %} {% elif sec_severity >= 7.0 %} {% set sev = 'high' %} {% elif sec_severity >= 4.0 %} {% set sev = 'medium' %} {% else %} {% set sev = 'low' %} {% endif %} {% endif %} {% endif %} {% endif %} {% if sev in sev_counts %} {% set _ = 
sev_counts.__setitem__(sev, sev_counts[sev] + 1) %} {% else %} {% set _ = sev_counts.__setitem__('unknown', sev_counts['unknown'] + 1) %} {% endif %} {% endfor %}

Checkov — IaC Findings

{# Summary line; only rendered when runs[0] has at least one result. #}
{% if findings %}
Total: {{ findings|length }} Files: {{ file_counts|length }} Rules: {{ rule_ids|length }} Critical: {{ sev_counts.critical }} High: {{ sev_counts.high }} Medium: {{ sev_counts.medium }} Low: {{ sev_counts.low }} Info: {{ sev_counts.info }} Unknown: {{ sev_counts.unknown }}
{% endif %}
{% if findings %}
{# Three files with the most findings, descending by count. Jinja's `sort` is stable, so
   ties keep dict insertion order (first-seen file wins). #}
{# Optional: quick "top offenders" blurb #} {% set top_files = file_counts.items() | list | sort(attribute=1, reverse=True) %} {% if top_files and top_files|length > 0 %}

Heaviest files: {% for kv in top_files[:3] %} {{ kv[0] | e }} ({{ kv[1] }}){% if not loop.last %}, {% endif %} {% endfor %}

{% endif %}
{# Pass 2 — one row per result. The location / severity derivation below duplicates pass 1
   verbatim (only the `sev` fallback differs); a `{% macro %}` returning the severity would
   keep the two in sync. Results without a `ruleIndex` get no rule name / helpUri even when
   `ruleId` could be matched against tool.driver.rules — presumably acceptable, verify.
   `sev_chip` and `default_fp` are computed but not referenced in the visible text; they
   presumably feed element attributes that this copy does not show. #}
{% for finding in findings %} {% set location = finding.locations[0] if finding.locations and finding.locations|length > 0 else {} %} {% set physical_location = location.physicalLocation if location.physicalLocation is defined else {} %} {% set artifact_location = physical_location.artifactLocation if physical_location.artifactLocation is defined else {} %} {% set path = artifact_location.uri | default('') %} {% set region = physical_location.region if physical_location.region is defined else {} %} {% set line = region.startLine | default('') %} {% set rid = finding.ruleId | default('') %} {% set message = finding.message if finding.message is defined else {} %} {% set msg = message.text if message.text is defined else (message if message is string else '') %} {% set level = (finding.level | default('error')) | lower %} {# Determine severity #} {% set sev = 'medium' %} {% if level == 'error' %} {% set sev = 'high' %} {% elif level == 'warning' %} {% set sev = 'medium' %} {% elif level == 'note' %} {% set sev = 'low' %} {% elif level == 'none' %} {% set sev = 'info' %} {% endif %} {# Check for security-severity in rule properties #} {% set rule_index = finding.ruleIndex | default(-1) %} {% if rule_index >= 0 and runs and runs[0].tool and runs[0].tool.driver and runs[0].tool.driver.rules %} {% set rules = runs[0].tool.driver.rules %} {% if rule_index < rules|length %} {% set rule = rules[rule_index] %} {% set props = rule.properties | default({}) %} {% if 'security-severity' in props %} {% set sec_severity = props['security-severity'] %} {% if sec_severity >= 9.0 %} {% set sev = 'critical' %} {% elif sec_severity >= 7.0 %} {% set sev = 'high' %} {% elif sec_severity >= 4.0 %} {% set sev = 'medium' %} {% else %} {% set sev = 'low' %} {% endif %} {% endif %} {% endif %} {% endif %} {% set sev_chip = 'chip--bad' if sev in ['critical','high'] else ('chip--neutral' if sev == 'medium' else ('chip--ok' if sev in ['low','info'] else '')) %} {% set snippet = 
region.snippet.text if region.snippet and region.snippet.text is defined else '' %} {% set fingerprints = finding.fingerprints if finding.fingerprints is defined else {} %} {% set fingerprint_list = [] %} {% if fingerprints.rule %}{% set _ = fingerprint_list.append(('rule', fingerprints.rule)) %}{% endif %} {% if fingerprints.ctx %}{% set _ = fingerprint_list.append(('ctx', fingerprints.ctx)) %}{% endif %} {% if fingerprints.exact %}{% set _ = fingerprint_list.append(('exact', fingerprints.exact)) %}{% endif %} {% set default_fp = '' %} {# Default to ctx fingerprint if available, otherwise first available #} {% if fingerprints.ctx %} {% set default_fp = fingerprints.ctx %} {% elif fingerprint_list|length > 0 %} {% set default_fp = fingerprint_list[0][1] %} {% endif %} {# Get rule details if available #} {% set rule_name = '' %} {% set rule_help_uri = '' %} {% if rule_index >= 0 and runs and runs[0].tool and runs[0].tool.driver and runs[0].tool.driver.rules %} {% set rules = runs[0].tool.driver.rules %} {% if rule_index < rules|length %} {% set rule = rules[rule_index] %} {% set rule_name = rule.name | default('') %} {% set rule_help_uri = rule.helpUri | default('') %} {% endif %} {% endif %} 0 %}data-fingerprints='{{ fingerprint_list|map(attribute=1)|list|tojson }}'{% endif %}> {% endfor %}
{# NOTE(review): the text directly above, `0 %}data-fingerprints=...{% endif %}>`, is the
   tail of a row element whose opening — the element start and the
   `{% if fingerprint_list|length >` tag — is missing from this copy of the template; the
   surrounding markup and the placement of `{% endfor %}` relative to the cells below could
   not be verified here. The `tojson` filter escapes <, >, & and both quote characters, so
   the fingerprint list is safe inside a single-quoted attribute. #}
File Line Rule ID Message Severity Waiver
{# Row cells; each field is HTML-escaped. `sev` is one of a fixed set of template-defined
   strings, so `| title | e` is belt-and-braces there. #}
{{ path | e }} {{ line | e }} {{ rid | e }} {{ msg | e }} {{ sev | title | e }} {% if fingerprint_list|length > 0 %}
{% else %} — {% endif %}
{# Expandable detail sections for the row. #}
{% if snippet %}

Code Context

{{ snippet | e }}
{% endif %} {% if msg %}

Description

{{ msg | e }}

{% endif %}

Details

{% if rid %}
Rule ID:
{{ rid | e }}
{% endif %} {% if rule_name %}
Rule Name:
{{ rule_name | e }}
{% endif %} {% if path %}
File:
{{ path | e }}
{% endif %} {% if line %}
Line:
{{ line | e }}
{% endif %} {% if level %}
SARIF Level:
{{ level | title | e }}
{% endif %}
{# NOTE(review): the help URI is emitted here as escaped text only. If it is (or becomes)
   an href in the full markup, restrict it to http/https before rendering it as a link,
   since the value comes from the tool's rule metadata rather than from this template. #}
{% if rule_help_uri %}

References

Help URI:
{{ rule_help_uri | e }}
{% endif %} {% if fingerprints %}

Fingerprints

{% if fingerprints.rule %}
Rule Fingerprint:
{{ fingerprints.rule | e }}
{% endif %} {% if fingerprints.exact %}
Exact Fingerprint:
{{ fingerprints.exact | e }}
{% endif %} {% if fingerprints.ctx %}
Context Fingerprint:
{{ fingerprints.ctx | e }}
{% endif %}

Fingerprint Types:
RULE: Rule-based identifier derived from rule ID and normalized file path. Stable across file moves and commits.
EXACT: Location-bound identifier derived from rule ID, normalized file path, and line numbers. Binds tightly to a specific file revision.
CTX: Contextual identifier derived from rule ID, normalized relative file path, and code snippet hash. Remains valid through small edits.

{% endif %}
{# runs[0] has no results, or the log has no runs at all. #}
{% else %}
No IaC findings.
{% endif %}
{% endif %}