Description
Describe the issue
When using Checkov to scan Kubernetes manifests that include environment-style placeholders like ${K8S_APP_NAME} in critical fields (e.g. metadata.name, labels, etc.), the files are silently skipped during scanning. No warning is shown, and the kubernetes framework reports 0 resources.
This is misleading and causes security checks to be completely bypassed without notice.
To Reproduce
Steps to reproduce the behavior:
# file: base/deploy.yaml
apiVersion: apps/v1
kind: Deployment
metadata:
  name: ${K8S_APP_NAME}-deployment
spec:
  replicas: 1
  selector:
    matchLabels:
      app: ${K8S_APP_NAME}
  template:
    metadata:
      labels:
        app: ${K8S_APP_NAME}
    spec:
      containers:
        - name: ${K8S_APP_NAME}
          image: my/image:latest
checkov --file base/deploy.yml --framework kubernetes
Actual behavior
The output shows only:
[ kubernetes framework ]: 100%|████████████████████|[1/1], Current File Scanned=base/deploy.yml
But there is no kubernetes scan results block, and no indication that the resource was skipped due to invalid syntax.
Version:
- Checkov Version 3.2.440
Additional context
- If we manually replace ${K8S_APP_NAME} with a hardcoded value like my-app, the checks run and the scan results are shown correctly.
- This behavior is confusing because the scan appears to run successfully but silently skips resources.
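Until the scanner itself reports skipped resources, a pipeline can guard against this failure mode by detecting unexpanded `${VAR}` placeholders before invoking Checkov and, where values are known, expanding them the way the manual replacement in the report does. The following is an added example written for this issue, not Checkov code: `find_placeholders`, `expand_placeholders`, `PLACEHOLDER_RE` and the embedded `SAMPLE_MANIFEST` (a constructed copy of the manifest above) are all assumptions of the example. Unlike `envsubst`, it treats a placeholder with no value as an error, since an empty `metadata.name` would again produce a manifest the scanner may skip.

```python
"""
Pre-scan guard for unexpanded ${VAR} placeholders in Kubernetes manifests.

Added example, not part of Checkov: report placeholders before scanning so a
manifest that would be silently skipped fails loudly instead, and optionally
expand them so the expanded copy can be scanned.
"""
import re
from typing import Dict, List, Tuple

# Matches ${NAME} where NAME is an environment-variable-style identifier.
PLACEHOLDER_RE = re.compile(r"\$\{([A-Za-z_][A-Za-z0-9_]*)\}")

# Constructed sample manifest modelled on the one in the report.
SAMPLE_MANIFEST = """\
apiVersion: apps/v1
kind: Deployment
metadata:
  name: ${K8S_APP_NAME}-deployment
spec:
  replicas: 1
  selector:
    matchLabels:
      app: ${K8S_APP_NAME}
  template:
    metadata:
      labels:
        app: ${K8S_APP_NAME}
    spec:
      containers:
        - name: ${K8S_APP_NAME}
          image: my/image:latest
"""


def find_placeholders(text: str) -> List[Tuple[int, str]]:
    """Return (line_number, variable_name) for every ${VAR} in the text."""
    found = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for match in PLACEHOLDER_RE.finditer(line):
            found.append((lineno, match.group(1)))
    return found


def expand_placeholders(text: str, values: Dict[str, str]) -> str:
    """Substitute ${VAR} with values[VAR]; raise if any variable has no value.

    A missing variable is an error rather than an empty string (envsubst
    behaviour), because an empty metadata.name would again yield an invalid
    manifest that the scanner may skip without notice.
    """
    needed = {name for _, name in find_placeholders(text)}
    missing = sorted(needed - set(values))
    if missing:
        raise KeyError(f"unexpanded placeholders without values: {missing}")
    return PLACEHOLDER_RE.sub(lambda m: values[m.group(1)], text)


def main() -> int:
    """Fail (exit 1) if the sample manifest still carries placeholders."""
    hits = find_placeholders(SAMPLE_MANIFEST)
    for lineno, name in hits:
        print(f"line {lineno}: unexpanded placeholder ${{{name}}}")
    # Expanded copy that could be written to disk and passed to checkov --file.
    expanded = expand_placeholders(SAMPLE_MANIFEST, {"K8S_APP_NAME": "my-app"})
    print(expanded)
    return 1 if hits else 0


if __name__ == "__main__":
    raise SystemExit(main())
```

Run the guard in CI before `checkov --file ...`; a non-zero exit makes the silent-skip condition visible, and the expanded copy is what should be handed to the scanner.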