Static Code Analysis Integration
Combine Terraform plan changes with security findings from Checkov, TfLint, and Trivy in one unified report.
tfplan2md natively supports SARIF 2.1.0 format, allowing you to integrate security findings from multiple tools directly into your infrastructure change reports. Findings are automatically mapped to specific resources and attributes, creating a unified view of both changes and security issues.
How It Works
- Run your security tools and export SARIF output from Checkov, TfLint, Trivy, or any SARIF-compatible tool.
- Pass the SARIF files to tfplan2md with `--code-analysis-results`, using explicit paths or wildcard patterns.
- Review one unified report where findings are mapped back to the affected resources and attributes.
Example: Unified Security and Plan Report
Each findings table now includes a dedicated Tool column so reviewers can immediately see whether a rule came from Checkov, TfLint, Trivy, or another SARIF producer.
<details open style="margin-bottom:12px; border:1px solid rgb(var(--palette-neutral-10, 153, 153, 153)); padding:12px;">
<summary>azurerm_storage_account <b><code>logs</code></b> <code>sttfplan2mdlogs</code> in <code>rg-tfplan2md-demo</code> <code>eastus</code></summary>
<br>
<strong>Security & Quality:</strong> ⚠️ 1 High, ⚠️ 1 Medium
| Severity | Rule | Tool | Message | Attribute |
| -------- | ---- | ---- | ------- | --------- |
| ⚠️ High | `CKV_AZURE_33` | Checkov | Ensure Storage logging is enabled for Queue service for read, write and delete requests | `queue_properties` |
| ⚠️ Medium | `CKV2_AZURE_38` | Checkov | Ensure soft-delete is enabled on Azure storage account | `blob_properties.delete_retention_policy` |
| Attribute | Value |
| ----------- | ------- |
| account_replication_type | `LRS` |
| account_tier | `Standard` |
| location | `eastus` |
| name | `sttfplan2mdlogs` |
| resource_group_name | `rg-tfplan2md-demo` |
**🏷️ Tags:** `environment: production` `managed-by: terraform`
</details>
CLI Usage
# Generate Terraform plan
terraform show -json plan.tfplan > plan.json
# Run security tools
checkov -d terraform --framework terraform --output sarif -o checkov.sarif
tflint --format sarif > tflint.sarif
trivy config terraform --format sarif --output trivy.sarif
# Generate unified report
docker run -v "$(pwd):/data" -i oocx/tfplan2md \
  /data/plan.json \
  --code-analysis-results "/data/*.sarif" \
  --output /data/report.md
CLI Options
| Option | Description |
|---|---|
| `--code-analysis-results <pattern>` | File path or wildcard pattern for SARIF files, such as `*.sarif` or `**/*.sarif`. |
| `--code-analysis-minimum-level <level>` | Minimum severity to include: `none`, `note`, `warning`, or `error`. Default: `note`. |
| `--fail-on-static-code-analysis-errors` | Exit with a non-zero status if high or critical findings are present. |
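To make the SARIF structure behind these options concrete, here is an added example (not tfplan2md's own code) that merges the runs of several SARIF 2.1.0 documents, resolves each result's level the way the SARIF spec prescribes (explicit `level`, else the rule's `defaultConfiguration.level`, else `warning`), and applies a `none`/`note`/`warning`/`error` minimum-level filter. The sample documents are constructed, and treating SARIF `error` as the blocking level is an assumption; tfplan2md's own High/Critical mapping and resource-attribute mapping are not shown here.

```python
"""Merge SARIF 2.1.0 findings from several tools and apply a minimum-level filter."""
import glob
import json

# SARIF result levels in increasing severity; "none" as a threshold admits everything.
LEVEL_RANK = {"none": 0, "note": 1, "warning": 2, "error": 3}


def load_sarif_files(pattern):
    """Read every file matching a glob such as '**/*.sarif' (recursive)."""
    return [json.load(open(path, encoding="utf-8")) for path in glob.glob(pattern, recursive=True)]


def result_level(result, rules_by_id):
    """SARIF 2.1.0: explicit level, else the rule's defaultConfiguration.level, else 'warning'."""
    if "level" in result:
        return result["level"]
    rule = rules_by_id.get(result.get("ruleId"), {})
    return rule.get("defaultConfiguration", {}).get("level", "warning")


def load_findings(sarif_docs, minimum_level="note"):
    """Flatten all runs into rows carrying the producing tool, like the report's Tool column."""
    threshold = LEVEL_RANK[minimum_level]
    rows = []
    for doc in sarif_docs:
        for run in doc.get("runs", []):
            driver = run["tool"]["driver"]
            rules_by_id = {r["id"]: r for r in driver.get("rules", [])}
            for res in run.get("results", []):
                level = result_level(res, rules_by_id)
                if LEVEL_RANK[level] < threshold:
                    continue  # below --code-analysis-minimum-level, drop it
                loc = (res.get("locations") or [{}])[0].get("physicalLocation", {})
                rows.append({"tool": driver["name"], "rule": res.get("ruleId"), "level": level,
                             "message": res["message"]["text"],
                             "uri": loc.get("artifactLocation", {}).get("uri")})
    return rows


def has_blocking_findings(rows):
    """Assumed fail-fast rule for this example: any SARIF 'error' blocks the pipeline."""
    return any(r["level"] == "error" for r in rows)


# Constructed sample documents (not real tool output): the Checkov result inherits its
# level from its rule; the tflint result carries an explicit level and no location.
CHECKOV = {"version": "2.1.0", "runs": [{"tool": {"driver": {"name": "Checkov", "rules": [
    {"id": "CKV_AZURE_33", "defaultConfiguration": {"level": "error"}}]}},
    "results": [{"ruleId": "CKV_AZURE_33", "message": {"text": "Ensure Storage logging is enabled"},
                 "locations": [{"physicalLocation": {"artifactLocation": {"uri": "main.tf"}}}]}]}]}
TFLINT = {"version": "2.1.0", "runs": [{"tool": {"driver": {"name": "tflint", "rules": []}},
    "results": [{"ruleId": "terraform_unused_declarations", "level": "note",
                 "message": {"text": "variable \"unused\" is declared but not used"}}]}]}

if __name__ == "__main__":
    for row in load_findings([CHECKOV, TFLINT], minimum_level="note"):
        print(row)
```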
Supported Tools
Checkov
Infrastructure security scanning for Terraform, CloudFormation, Kubernetes, and more.
TfLint
Terraform linting with pluggable rule support for major providers.
Trivy
IaC misconfiguration and vulnerability scanning in SARIF format.
Any SARIF Tool
Any SARIF 2.1.0 producer can feed findings into the report.
Summary View
The report also includes a high-level summary so reviewers can assess overall security posture before reading the full plan.
## Code Analysis Summary
**Status:** ⚠️ 2 high findings require attention
| Severity | Count | Resource Types |
| -------- | ----- | -------------- |
| 🚨 Critical | 0 | |
| ⚠️ High | 2 | 1 azurerm_key_vault<br>1 azurerm_storage_account |
| ⚠️ Medium | 4 | 1 azurerm_key_vault<br>1 azurerm_storage_account |
| ℹ️ Low | 1 | 1 azurerm_virtual_network |
| ℹ️ Informational | 0 | |
**Tools Used:** Checkov 3.2.490, tflint 0.60.0, Trivy 0.50.0
Benefits
- Unified view: infrastructure changes and security findings are shown together
- Resource mapping: findings are tied back to specific resources and attributes automatically
- Multi-tool support: combine results from multiple SARIF producers in one report
- PR-friendly output: security context appears where reviewers already inspect plan changes
- Fail-fast support: block PRs when critical findings should stop the pipeline
Use `**/*.sarif` to automatically include SARIF files from nested directories.