fix(secrets): fix secrets omit crash when value is not string (#5260)

fix secrets omit crash when value is not string

checkov/common/util/secrets.py

@@ -4,8 +4,6 @@
 import json
 import logging
 import re
-
-# secret categories for use as constants
 from typing import Any, TYPE_CHECKING
 
 from checkov.common.models.enums import CheckCategories, CheckResult
@@ -17,7 +15,7 @@
     from checkov.common.typing import _CheckResult, ResourceAttributesToOmit
     from pycep.typing import ParameterAttributes, ResourceAttributes
 
-
+# secret categories for use as constants
 AWS = 'aws'
 AZURE = 'azure'
 GCP = 'gcp'
@@ -163,6 +161,10 @@ def omit_secret_value_from_checks(
             if key not in resource_masks:
                 continue
             if isinstance(secret, list) and secret:
+                if not isinstance(secret[0], str):
+                    logging.debug(f"Secret value can't be masked, has type {type(secret)}")
+                    continue
+
                 secrets.add(secret[0])
 
     if not secrets:
@@ -207,6 +209,10 @@ def omit_secret_value_from_graph_checks(
             for attribute, secret in entity_config.items():
                 if attribute in resource_masks:
                     if isinstance(secret, list) and secret:
+                        if not isinstance(secret[0], str):
+                            logging.debug(f"Secret value can't be masked, has type {type(secret)}")
+                            continue
+
                         secrets.add(secret[0])
 
     if not secrets:

tests/common/utils/test_secrets_utils.py

@@ -114,6 +114,70 @@ def test_omit_secret_value_from_graph_checks_by_attribute(
     assert result == tfplan_resource_lines_without_secrets
 
 
+def test_omit_secret_value_from_graph_checks_by_attribute_skip_non_string():
+    # given
+    check = BaseGraphCheck()
+    check.resource_types = ['aws_ssm_parameter']
+    check_result = {'result': CheckResult.FAILED}
+    entity_code_lines = [
+        (22, 'resource "aws_ssm_parameter" "aws_ssm_parameter_foo" {\n'),
+        (23, '  name        = "foo"\n'),
+        (24, '  description = "Parameter foo"\n'),
+        (25, '  type        = "String"\n'),
+        (26, '  tier        = "Advanced"\n'),
+        (27, "  value = jsonencode({\n"),
+        (28, '    "foo" : {\n'),
+        (29, '      "hello" : "world",\n'),
+        (30, '      "answer " : 42\n'),
+        (31, "     }\n"),
+        (32, "  })\n"),
+        (33, "}\n"),
+    ]
+    entity_config = {
+        "__address__": "aws_ssm_parameter.aws_ssm_parameter_foo",
+        "__end_line__": 33,
+        "__start_line__": 22,
+        "description": ["Parameter foo"],
+        "name": ["foo"],
+        "tier": ["Advanced"],
+        "type": ["String"],
+        "value": [
+            {
+                "foo": {
+                    "answer ": 42,
+                    "hello": "world",
+                }
+            }
+        ],
+    }
+    resource_attributes_to_omit = {'aws_ssm_parameter': {'value'}}
+
+    # when
+    result = omit_secret_value_from_graph_checks(
+        check=check,
+        check_result=check_result,
+        entity_code_lines=entity_code_lines,
+        entity_config=entity_config,
+        resource_attributes_to_omit=resource_attributes_to_omit
+    )
+
+    # then
+    assert result == [
+        (22, 'resource "aws_ssm_parameter" "aws_ssm_parameter_foo" {\n'),
+        (23, '  name        = "foo"\n'),
+        (24, '  description = "Parameter foo"\n'),
+        (25, '  type        = "String"\n'),
+        (26, '  tier        = "Advanced"\n'),
+        (27, "  value = jsonencode({\n"),
+        (28, '    "foo" : {\n'),
+        (29, '      "hello" : "world",\n'),
+        (30, '      "answer " : 42\n'),
+        (31, "     }\n"),
+        (32, "  })\n"),
+        (33, "}\n"),
+    ]
+
+
 def test_omit_secret_value_from_checks_by_attribute_runner_filter_resource_config(
         tfplan_resource_lines_with_secrets,
         tfplan_resource_config_with_secrets,