CKV_AWS_45 false positives

**Describe the issue**
CKV_AWS_45 "Lambda function’s environment variables expose secrets" reports findings even there are no secrets in Lambda environment. 

**Examples**
Example A: (CDK Bucket Deployment)
`{
  "Environment": {
    "Variables": {
      "AWS_CA_BUNDLE": "/etc/pki/ca-trust/extracted/pem/tls-ca-bundle.pem"
    }
  }
}`

Debug logs:
`2025-09-23 09:43:54,798 [MainThread  ] [DEBUG]  should_run_check CKV_AWS_45: True
2025-09-23 09:43:54,798 [MainThread  ] [DEBUG]  Running check: Ensure no hard-coded secrets exist in Lambda environment on file /tf/demoStack0668BA2D.template.json
2025-09-23 09:43:54,798 [MainThread  ] [DEBUG]  File /tf/demoStack0668BA2D.template.json, resource "AWS::Lambda::Function.CustomCDKBucketDeployment8693BB64968944B69ACFB0CB9EB8756C81C01536" check "Ensure no hard-coded secrets exist in Lambda environment" Result: {'result': <CheckResult.FAILED: 'FAILED'>, 'evaluated_keys': ['Properties/Environment/Variables/__file__']}`

EXAMPLE B: (Secrets Manager used for secrets handling)
`{
  "Environment": {
    "Variables": {
      "DB_USER": "demo",
      "DB_HOST": {
        "Fn::GetAtt": ["demoDatabaseClusterA918C4BA", "Endpoint.Address"]
      },
      "DB_NAME": "demo",
      "DB_SECRET_NAME": {
        "Fn::Join": [
          "-",
          [
            {
              "Fn::Select": [
                0,
                {
                  "Fn::Split": [
                    "-",
                    {
                      "Fn::Select": [
                        6,
                        {
                          "Fn::Split": [
                            ":",
                            {
                              "Ref": "demoDatabaseSecretB0AB457E"
                            }
                          ]
                        }
                      ]
                    }
                  ]
                }
              ]
            },
            {
              "Fn::Select": [
                1,
                {
                  "Fn::Split": [
                    "-",
                    {
                      "Fn::Select": [
                        6,
                        {
                          "Fn::Split": [
                            ":",
                            {
                              "Ref": "demoDatabaseSecretB0AB457E"
                            }
                          ]
                        }
                      ]
                    }
                  ]
                }
              ]
            }
          ]
        ]
      },
      "DB_PORT": {
        "Fn::GetAtt": ["demoDatabaseClusterA918C4BA", "Endpoint.Port"]
      }
    }
  }
}
`
Debug logs:
`2025-09-23 09:48:51,214 [MainThread  ] [DEBUG]  should_run_check CKV_AWS_45: True
2025-09-23 09:48:51,214 [MainThread  ] [DEBUG]  Running check: Ensure no hard-coded secrets exist in Lambda environment on file /tf/demoStackB73D57F6.template.json
2025-09-23 09:48:51,214 [MainThread  ] [DEBUG]  File /tf/demoStackB73D57F6.template.json, resource "AWS::Lambda::Function.demoPostgreSQLIamUserD2E888BF" check "Ensure no hard-coded secrets exist in Lambda environment" Result: {'result': <CheckResult.FAILED: 'FAILED'>, 'evaluated_keys': ['Properties/Environment/Variables/__file__']}
`


**Version (please complete the following information):**
 - Checkov Version 3.2.439 onwards

**Additional context**



Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Uh oh!

CKV_AWS_45 false positives #7310

Metadata

Assignees

Labels

Type

Projects

Milestone

Relationships

Development

CKV_AWS_45 false positives #7310

Description

Metadata

Metadata

Assignees

Labels

Type

Projects

Milestone

Relationships

Development

Issue actions