Checkov report ingestion doesn't work


I’m trying to ingest Chekov reports in my Sonarqube Enterprise 9.9, but whatever I try never seems to work.

I run a GitlabCI job that generates the report, using this command :

# in
checkov \
        --framework terraform  \
        --directory iac \
        -o cli -o json \
        --output-file-path console,"reports/checkov.json"

I then export the report as an artifact of the job in the .gitlab-ci.yml file :

  stage: checkov
    entrypoint: [""]
    - ./
      - reports/checkov.json
    when: always
  allow_failure: true

I have another job that then performs Sonar scan :

  stage: test:technical:post
    - ./

And just performs a sonar-scanner, using a that contains :


In the sonar-scanner logs I see this :

INFO: Sensor Cloudformation Check [cloudformation]
INFO: Process iac reports
WARN: Missing property:sonar.cfn.nag.reportFiles
INFO: sonar.checkov.reportFiles=reports/checkov.json
INFO: Processing  checkov :reports/checkov.json
WARN: Processing checkov:reports/checkov.json missing
INFO: Process iac reports (done) | time=6ms
INFO: Sensor Cloudformation Check [cloudformation] (done) | time=6ms

But I’ve checked many times and the checkov.json file does exist ! Is Sonar not able to read it for some reason ? Or am I missing something ?

Thanks for the help.

Hi @fcloud,

Welcome to the community. SonarQube itself does not support Checkov reports out of the box. It looks like you are using a third party plugin (sonar-cloudformation-plugin). I would recommend contacting the plugin maintainer, but it looks like the plugin is already EOL.

However, SonarQube does allow you to import generic reports or reports in SARIF format. Checkov can export results in SARIF format. So please refer to this documentation to import problems from checkov.


Hi Nils,

Thanks for the feedback. I followed your advice and switched to using the sarifReportPaths parameter.

The Sonar scan logs looked encouraging :

INFO: Sensor Import external issues report from SARIF file.
INFO: File services/app-iac/reports/checkov.sarif: successfully imported 13 vulnerabilities spread in 1 runs. 0 failed run(s).
INFO: Sensor Import external issues report from SARIF file. (done) | time=30ms

But nothing ever appeared in my SonarQube dashboard, either under Vulnerabilites or anywhere else.

At least, while I was working on a feature branch. When I merged to my main branch, all the issues suddenly appeared in Vulnerabilities in the main branch dashboard of my project.

Is there some kind of limitation, or am I missing some extra configuration ? I didn’t see anything related in the link you sent.


Was this actually a branch analysis, or a PR analysis? When the issues showed up, did they show up in New Code or in Overall Code?


Hi Ann,

It was actually a PR analysis, yes. And when merged on the main branch it showed up on the Overall code view.


Hi Fabien,

PR analysis only shows issues in New Code, so what you experienced is expected behavior.


Hi Ann,

Ok thanks for the feedback.