feat(kustomize): Add origin annotations to calculate bases of kustomize checks

checkov/common/typing.py

@@ -107,3 +107,4 @@ class _EntityContext(TypedDict, total=False):
     policy: str
     code_lines: list[tuple[int, str]]
     skipped_checks: list[_SkippedCheck]
+    origin_relative_path: str

checkov/kubernetes/kubernetes_utils.py

@@ -138,34 +138,25 @@ def build_definitions_context(
             resource_id = get_resource_id(resource)
             if not resource_id:
                 continue
-            start_line = resource[START_LINE]
-            end_line = min(resource[END_LINE], len(definitions_raw[file_path]))
-            first_line_index = 0
-            # skip empty lines
-            while not str.strip(definitions_raw[file_path][first_line_index][1]):
-                first_line_index += 1
-            # check if the file is a json file
-            if str.strip(definitions_raw[file_path][first_line_index][1])[0] == "{":
-                start_line += 1
-                end_line += 1
-            else:
-                # add resource comments to definition lines
-                current_line = str.strip(definitions_raw[file_path][start_line - 1][1])
-                while not current_line or current_line[0] == YAML_COMMENT_MARK:
-                    start_line -= 1
-                    current_line = str.strip(definitions_raw[file_path][start_line - 1][1])
-
-                # remove next resource comments from definition lines
-                current_line = str.strip(definitions_raw[file_path][end_line - 1][1])
-                while not current_line or current_line[0] == YAML_COMMENT_MARK:
-                    end_line -= 1
-                    current_line = str.strip(definitions_raw[file_path][end_line - 1][1])
-
-            code_lines = definitions_raw[file_path][start_line - 1: end_line]
+
+            relative_resource_path = None
+            if 'metadata' in resource:
+                metadata = resource['metadata']
+                if 'annotations' in metadata and metadata['annotations'] is not None\
+                        and 'config.kubernetes.io/origin' in metadata['annotations']:
+                    metadata_path = metadata['annotations']['config.kubernetes.io/origin']
+                    if 'path:' in metadata_path:
+                        relative_resource_path = metadata_path.split('path:')[1].strip()
+
+            resource_start_line = resource[START_LINE]
+            resource_end_line = min(resource[END_LINE], len(definitions_raw[file_path]))
+            raw_code = definitions_raw[file_path]
+            code_lines, start_line, end_line = calculate_code_lines(raw_code, resource_start_line, resource_end_line)
             dpath.new(
                 definitions_context,
                 [file_path, resource_id],
-                {"start_line": start_line, "end_line": end_line, "code_lines": code_lines},
+                {"start_line": start_line, "end_line": end_line, "code_lines": code_lines,
+                 "origin_relative_path": relative_resource_path},
             )
 
             skipped_checks = get_skipped_checks(resource)
@@ -177,6 +168,32 @@ def build_definitions_context(
     return definitions_context
 
 
+def calculate_code_lines(raw_code: list[tuple[int, str]], start_line: int, end_line: int) \
+        -> tuple[list[tuple[int, str]], int, int]:
+    first_line_index = 0
+    # skip empty lines
+    while not str.strip(raw_code[first_line_index][1]):
+        first_line_index += 1
+    # check if the file is a json file
+    if str.strip(raw_code[first_line_index][1])[0] == "{":
+        start_line += 1
+        end_line += 1
+    else:
+        # add resource comments to definition lines
+        current_line = str.strip(raw_code[start_line - 1][1])
+        while not current_line or current_line[0] == YAML_COMMENT_MARK:
+            start_line -= 1
+            current_line = str.strip(raw_code[start_line - 1][1])
+
+        # remove next resource comments from definition lines
+        current_line = str.strip(raw_code[end_line - 1][1])
+        while not current_line or current_line[0] == YAML_COMMENT_MARK:
+            end_line -= 1
+            current_line = str.strip(raw_code[end_line - 1][1])
+    code_lines = raw_code[start_line - 1: end_line]
+    return code_lines, start_line, end_line
+
+
 def is_invalid_k8_definition(definition: Dict[str, Any]) -> bool:
     return (
         not isinstance(definition, dict)

checkov/kubernetes/runner.py

@@ -174,7 +174,8 @@ def check_definitions(
                 # TODO? - Variable Eval Message!
                 variable_evaluations: "dict[str, Any]" = {}
 
-                report = self.mutate_kubernetes_results(results, report, k8_file, k8_file_path, file_abs_path, entity_conf, variable_evaluations)
+                report = self.mutate_kubernetes_results(results, report, k8_file, k8_file_path, file_abs_path,
+                                                        entity_conf, variable_evaluations, root_folder)
             self.pbar.update()
         self.pbar.close()
         return report
@@ -194,6 +195,7 @@ def mutate_kubernetes_results(
         file_abs_path: str,
         entity_conf: dict[str, Any],
         variable_evaluations: dict[str, Any],
+        root_folder: str | None = None
     ) -> Report:
         # Moves report generation logic out of run() method in Runner class.
         # Allows function overriding of a much smaller function than run() for other "child" frameworks such as Kustomize, Helm