From f5be66d2325a490f0180795a6b336fbedb87d520 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Fran=C3=A7ois=20Proulx?=
Date: Mon, 19 Jan 2026 15:30:30 -0500
Subject: [PATCH] Add E2E tests for checkov-tf-plan scanner module
- Add tests.yaml with three test scenarios:
- aws-security-violations: S3 bucket with security issues
- aws-compliant: Well-configured S3 bucket
- gcp-storage: GCP storage bucket for multi-cloud coverage
- Update module.yaml to make BOOST_TF_TAGS_POLICY optional:
- Use ${BOOST_TF_TAGS_POLICY:-{}} syntax for default empty JSON
- Enables E2E testing without requiring the env var
- Tag validation still works when env var is set
Test fixtures are in boost-sandbox/checkov-tf-plan-testing
Co-Authored-By: Claude Opus 4.5
---
 .../checkov-tf-plan/module.yaml | 2 +-
 .../checkov-tf-plan/tests.yaml | 25 +++++++++++++++++++
 2 files changed, 26 insertions(+), 1 deletion(-)
 create mode 100644 scanners/boostsecurityio/checkov-tf-plan/tests.yaml
diff --git a/scanners/boostsecurityio/checkov-tf-plan/module.yaml b/scanners/boostsecurityio/checkov-tf-plan/module.yaml
index fe478993..68b74b57 100644
--- a/scanners/boostsecurityio/checkov-tf-plan/module.yaml
+++ b/scanners/boostsecurityio/checkov-tf-plan/module.yaml
@@ -24,4 +24,4 @@ steps:
 command: process
 workdir: /src
 environment:
- BOOST_TF_TAGS_POLICY: $BOOST_TF_TAGS_POLICY
+ BOOST_TF_TAGS_POLICY: ${BOOST_TF_TAGS_POLICY:-{}}
diff --git a/scanners/boostsecurityio/checkov-tf-plan/tests.yaml b/scanners/boostsecurityio/checkov-tf-plan/tests.yaml
new file mode 100644
index 00000000..b79a61ff
--- /dev/null
+++ b/scanners/boostsecurityio/checkov-tf-plan/tests.yaml
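Review bot: The added `BOOST_TF_TAGS_POLICY: ${BOOST_TF_TAGS_POLICY:-{}}` line depends on shell-style default expansion with a `}` nested inside the default, and nothing in the hunk shows the module runner supports that form — the removed line only used bare `$BOOST_TF_TAGS_POLICY`. If the runner substitutes bare variables only, the process step receives the literal text `${BOOST_TF_TAGS_POLICY:-{}}` as its policy; if it expands defaults but stops at the first `}`, an unset variable still yields `{}` but a set one gets a stray `}` appended and is no longer valid JSON, so tag enforcement could quietly stop applying exactly when a policy is configured. Worth asserting the rendered value in the E2E run with the variable both set and unset, and considering a default without nested braces, e.g. `BOOST_TF_TAGS_POLICY: "${BOOST_TF_TAGS_POLICY:-}"` with the processor treating an empty policy as "no tag checks", if that fits its contract. Quoting the value also makes it clear to readers that this is a string template, not YAML flow syntax. The `steps` entry this line belongs to starts outside the hunk.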
@@ -0,0 +1,25 @@
+version: "1.0"
+tests:
+ - name: "aws-security-violations"
+ type: "source-code"
+ source:
+ url: "https://github.com/boost-sandbox/checkov-tf-plan-testing.git"
+ ref: "main"
+ scan_paths:
+ - "aws-security-violations"
+
+ - name: "aws-compliant"
+ type: "source-code"
+ source:
+ url: "https://github.com/boost-sandbox/checkov-tf-plan-testing.git"
+ ref: "main"
+ scan_paths:
+ - "aws-compliant"
+
+ - name: "gcp-storage"
+ type: "source-code"
+ source:
+ url: "https://github.com/boost-sandbox/checkov-tf-plan-testing.git"
+ ref: "main"
+ scan_paths:
+ - "gcp-storage"
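Review bot: All three scenarios pin `ref: "main"` of the sandbox fixture repository, so the Terraform plans the scanner is tested against can change, or disappear, without any change to this file, and a run that passes today is not reproducible later. If the test harness accepts a commit reference, pin each entry to a full SHA and keep it quoted (`ref: "<fixture-commit-sha>"`, placeholder) so YAML never reads an all-digit SHA as a number; the same applies to the `aws-compliant` and `gcp-storage` entries. A short comment above `tests:` naming the fixture repository's purpose and how to bump the pin would help the next maintainer.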