
bridgecrewio / checkov-action Goto Github PK


This GitHub Action runs Checkov against infrastructure-as-code, open source packages, container images, and CI/CD configurations to identify misconfigurations, vulnerabilities, and license compliance issues.

License: Apache License 2.0

Language: HCL 100.00%
Topics: marketplace, hacktoberfest, devsecops, terraform, compliance, security, scanning, static-analysis, bridgecrew

checkov-action's People

Contributors

achiar99, actions-user, cmavr8, gruebel, ismailyenigul, jameswoolfenden, kartikp10, keisukeyamashita, latacora-tomekr, libertyy, lmasaya, metahertz, michalbil, mikelax, mikeurbanski1, nimrodkor, njgibbon, nobbs, pascalbourdier, ppawlowski, rotemavni, roymartinezblanco, saarett, sbe-arg, schosterbarak, simonpanw, tmprender, tsmithv11, twmartin, wulfland


checkov-action's Issues

RecursionError: maximum recursion depth exceeded while calling a Python object

Looks like the master branch of this action is broken since a couple of days/weeks back?

It ends up failing with RecursionError: maximum recursion depth exceeded while calling a Python object


Run bridgecrewio/checkov-action@master
/usr/bin/docker run --name a8c818e812cb4c5fb46b54fd280c30ef_8371e9 --label 179394 --workdir /github/workspace --rm -e INPUT_DIRECTORY -e INPUT_QUIET -e INPUT_CHECK -e INPUT_SKIP_CHECK -e INPUT_FRAMEWORK -e INPUT_EXTERNAL_CHECKS_DIRS -e INPUT_EXTERNAL_CHECKS_REPOS -e HOME -e GITHUB_JOB -e GITHUB_REF -e GITHUB_SHA -e GITHUB_REPOSITORY -e GITHUB_REPOSITORY_OWNER -e GITHUB_RUN_ID -e GITHUB_RUN_NUMBER -e GITHUB_RETENTION_DAYS -e GITHUB_ACTOR -e GITHUB_WORKFLOW -e GITHUB_HEAD_REF -e GITHUB_BASE_REF -e GITHUB_EVENT_NAME -e GITHUB_SERVER_URL -e GITHUB_API_URL -e GITHUB_GRAPHQL_URL -e GITHUB_WORKSPACE -e GITHUB_ACTION -e GITHUB_EVENT_PATH -e GITHUB_ACTION_REPOSITORY -e GITHUB_ACTION_REF -e GITHUB_PATH -e GITHUB_ENV -e RUNNER_OS -e RUNNER_TOOL_CACHE -e RUNNER_TEMP -e RUNNER_WORKSPACE -e ACTIONS_RUNTIME_URL -e ACTIONS_RUNTIME_TOKEN -e ACTIONS_CACHE_URL -e GITHUB_ACTIONS=true -e CI=true -v "/var/run/docker.sock":"/var/run/docker.sock" -v "/home/runner/work/_temp/_github_home":"/github/home" -v "/home/runner/work/_temp/_github_workflow":"/github/workflow" -v "/home/runner/work/_temp/_runner_file_commands":"/github/file_commands" -v "/home/runner/work/ops/ops":"/github/workspace" 179394:a8c818e812cb4c5fb46b54fd280c30ef  "." "" "" "true" "" "" ""
running checkov on directory: .
Traceback (most recent call last):
  File "/usr/local/bin/checkov", line 5, in <module>
    run()
  File "/usr/local/lib/python3.9/site-packages/checkov/main.py", line 69, in run
    scan_reports = runner_registry.run(root_folder=root_folder, external_checks_dir=external_checks_dir,
  File "/usr/local/lib/python3.9/site-packages/checkov/common/runners/runner_registry.py", line 30, in run
    scan_report = runner.run(root_folder, external_checks_dir=external_checks_dir, files=files,
  File "/usr/local/lib/python3.9/site-packages/checkov/terraform/runner.py", line 57, in run
    self.parser.parse_directory(directory=root_folder,
  File "/usr/local/lib/python3.9/site-packages/checkov/terraform/parser.py", line 77, in parse_directory
    self._parse_directory(dir_filter=lambda d: self._check_process_dir(d))
  File "/usr/local/lib/python3.9/site-packages/checkov/terraform/parser.py", line 117, in _parse_directory
    self._internal_dir_load(sub_dir, module_loader_registry, dir_filter)
  File "/usr/local/lib/python3.9/site-packages/checkov/terraform/parser.py", line 237, in _internal_dir_load
    self._process_vars_and_locals(directory, var_value_and_file_map, module_data_retrieval)
  File "/usr/local/lib/python3.9/site-packages/checkov/terraform/parser.py", line 277, in _process_vars_and_locals
    if self._process_vars_and_locals_loop(file_data,
  File "/usr/local/lib/python3.9/site-packages/checkov/terraform/parser.py", line 411, in _process_vars_and_locals_loop
    return process_items_helper(out_definitions.items, out_definitions, outer_context, False)
  File "/usr/local/lib/python3.9/site-packages/checkov/terraform/parser.py", line 404, in process_items_helper
    if process_items_helper(lambda: enumerate(value), value, new_context, True):
  File "/usr/local/lib/python3.9/site-packages/checkov/terraform/parser.py", line 395, in process_items_helper
    if self._process_vars_and_locals_loop(value, eval_map_by_var_name, relative_file_path,
  File "/usr/local/lib/python3.9/site-packages/checkov/terraform/parser.py", line 411, in _process_vars_and_locals_loop
    return process_items_helper(out_definitions.items, out_definitions, outer_context, False)
  File "/usr/local/lib/python3.9/site-packages/checkov/terraform/parser.py", line 395, in process_items_helper
    if self._process_vars_and_locals_loop(value, eval_map_by_var_name, relative_file_path,
  File "/usr/local/lib/python3.9/site-packages/checkov/terraform/parser.py", line 411, in _process_vars_and_locals_loop
    return process_items_helper(out_definitions.items, out_definitions, outer_context, False)
  File "/usr/local/lib/python3.9/site-packages/checkov/terraform/parser.py", line 395, in process_items_helper
    if self._process_vars_and_locals_loop(value, eval_map_by_var_name, relative_file_path,
  File "/usr/local/lib/python3.9/site-packages/checkov/terraform/parser.py", line 411, in _process_vars_and_locals_loop
    return process_items_helper(out_definitions.items, out_definitions, outer_context, False)
  File "/usr/local/lib/python3.9/site-packages/checkov/terraform/parser.py", line 404, in process_items_helper
[...]
RecursionError: maximum recursion depth exceeded while calling a Python object

Custom checks seem broken since ~2021-05-03

Hello and thank you for providing a Github action for Checkov.

We have been using @master action for a few months now, and it was working perfectly fine with the following setup:

      - name: Run Checkov action
        id: checkov
        uses: bridgecrewio/checkov-action@master
        with:
          directory: ./
          skip_check: CKV_GCP_49 # optional: skip a specific check_id. can be comma separated list
          quiet: true # optional: display only failed checks
          soft_fail: true # optional: do not return an error code if there are failed checks
          framework: terraform # optional: run only on a specific infrastructure {cloudformation,terraform,kubernetes,all}
          output_format: cli # optional: the output format, one of: cli, json, junitxml, github_failed_only
          download_external_modules: true # optional: download external terraform modules from public git repositories and terraform registry
          log_level: INFO # optional: set log level. Default WARNING
          external_checks_dirs: checks

With a few custom checks in the checks directory.
It has been working as expected for a few months, but it fails since 2021-05-03 approximately. (no changes on our repo)

It seems related to the external_checks, if I'm not mistaken:

2021-05-06 08:47:06,775 [MainThread  ] [INFO ]  Resultant set of frameworks (removing skipped frameworks): terraform
Traceback (most recent call last):
  File "/usr/local/bin/checkov", line 5, in <module>
    exit(run())
  File "/usr/local/lib/python3.9/site-packages/checkov/main.py", line 110, in run
    scan_reports = runner_registry.run(root_folder=root_folder, external_checks_dir=external_checks_dir,
  File "/usr/local/lib/python3.9/site-packages/checkov/common/runners/runner_registry.py", line 34, in run
    scan_report = runner.run(root_folder, external_checks_dir=external_checks_dir, files=files,
  File "/usr/local/lib/python3.9/site-packages/checkov/terraform/runner.py", line 71, in run
    self.load_external_checks(external_checks_dir)
  File "/usr/local/lib/python3.9/site-packages/checkov/terraform/runner.py", line 119, in load_external_checks
    graph_registry.load_external_checks(directory)
  File "/usr/local/lib/python3.9/site-packages/checkov/terraform/checks_infra/registry.py", line 49, in load_external_checks
    self._load_checks_from_dir(dir)
  File "/usr/local/lib/python3.9/site-packages/checkov/terraform/checks_infra/registry.py", line 29, in _load_checks_from_dir
    checks_dir_content = os.listdir(os.path.dirname(dir))
FileNotFoundError: [Errno 2] No such file or directory: ''
Cleaning up .//.external_modules directory

A few notes:

  • we tried using v12 for a test and the action works (unfortunately, it doesn't support soft_fail etc. which we are relying on)
  • we tried re-running the last successful action (before ~ 2021-05-03) on the same commit (to really make sure there was no issue on our side) and it does fail with the same error as above.

Please let us know if you need more information, or if you need us to run more experiments.
We de-activated the action for now since it's breaking the build. If you have an easy workaround while waiting for a fix, it'd be really nice, but we can live a few weeks without one.

Thanks again for your work, do not hesitate.

Turn off failure for warnings

Is there a way to turn off the failure for warnings? So rather than skipping the check, would rather just display the warning.

For example:

Check: CKV_AWS_40: "Ensure IAM policies are attached only to groups or roles (Reducing access management complexity may in-turn reduce opportunity for a principal to inadvertently receive or retain excessive privileges.)"
FAILED for resource: aws_iam_user_policy.iam_user_policy
Warning: File: /terraform/iam.tf:8-15
Guide: https://docs.bridgecrew.io/docs/iam_16-iam-policy-privileges-1

Add a problem matcher

I'm not sure exactly how you'd do this, so it might be best just done in a README, but the following problem matcher will help parse the output:

{
    "problemMatcher": [
        {
            "owner": "checkov",
            "pattern": [
                {
                    "regexp": "^Check: (\\w+: .*)$",
                    "message": 1
                },
                {
                    "regexp": "^\\WFAILED.*$"
                },
                {
                    "regexp": "^\\WFile: \/(.+):(\\d+)-(\\d+)$",
                    "file": 1,
                    "line": 2
                }
            ]
        }
    ]
}

So that you get annotations like this:

(Screenshot: annotations on GitHub)

I've added it by making my check look like this:

name: checkov
on: [pull_request]

jobs:
    checkov:
        runs-on: ubuntu-latest
        name: checkov-action
        steps:
            -
                name: Checkout repo
                uses: actions/checkout@v2

            -
                name: Setup Matcher
                run: echo "::add-matcher::./checkov/problem-matcher.json"

            -
                name: Run Checkov action
                id: checkov
                # I'm using v9, but you might want master or a later version!
                uses: bridgecrewio/checkov-action@v9
                with:
                    directory: ./

The json file is placed in ./checkov/problem-matcher.json.

This commit here: actions/toolkit@f90a2dc, suggests that the right way to do it is to copy it out of the docker container, but I think you still have to add it manually in the workflow.
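To sanity-check the matcher before wiring it into a workflow, here is an added example (not from the issue above or the checkov-action project) that parses the matcher JSON and replays its three patterns over constructed checkov output, approximating the runner's sequential multi-line matching. The sample output, the tab indentation of the detail lines, and the copy of the matcher with its trailing comma removed are all my assumptions.

```python
"""Dry-run a GitHub Actions problem matcher against checkov CLI output.

Added example, not part of the checkov-action project. It loads the matcher
JSON posted in the issue (with the trailing comma removed) and applies its
patterns to constructed checkov output, approximating the runner's
multi-line matching: patterns are tried in order on consecutive lines, and
a line that breaks the sequence resets the matcher.
"""
import json
import re
from typing import Dict, List

# Copy of the matcher from the issue (constructed; the trailing comma after
# the second pattern is removed because the runner rejects unparsable JSON).
MATCHER_JSON = r'''{
    "problemMatcher": [
        {
            "owner": "checkov",
            "pattern": [
                {"regexp": "^Check: (\\w+: .*)$", "message": 1},
                {"regexp": "^\\WFAILED.*$"},
                {"regexp": "^\\WFile: \/(.+):(\\d+)-(\\d+)$", "file": 1, "line": 2}
            ]
        }
    ]
}'''

# Same text with the issue's original trailing comma put back (constructed).
BROKEN_MATCHER_JSON = MATCHER_JSON.replace('$"}', '$",}', 1)

# Constructed checkov CLI output: one failed and one passed check. The CLI
# is assumed to indent detail lines with a tab, which is the non-word
# character the matcher's \W prefix relies on.
SAMPLE_OUTPUT = (
    'Check: CKV_AWS_40: "Ensure IAM policies are attached only to groups or roles"\n'
    '\tFAILED for resource: aws_iam_user_policy.iam_user_policy\n'
    '\tFile: /terraform/iam.tf:8-15\n'
    '\tGuide: https://docs.bridgecrew.io/docs/iam_16-iam-policy-privileges-1\n'
    '\n'
    'Check: CKV_AWS_18: "Ensure the S3 bucket has access logging enabled"\n'
    '\tPASSED for resource: aws_s3_bucket.logs\n'
    '\tFile: /terraform/s3.tf:1-12\n'
)


def is_valid_json(text: str) -> bool:
    """True when the matcher file would be accepted by json.loads."""
    try:
        json.loads(text)
        return True
    except json.JSONDecodeError:
        return False


def load_patterns(matcher_json: str) -> List[dict]:
    """Return the pattern list of the first matcher, with compiled regexps."""
    matcher = json.loads(matcher_json)["problemMatcher"][0]
    return [dict(p, compiled=re.compile(p["regexp"])) for p in matcher["pattern"]]


def apply_matcher(matcher_json: str, output: str) -> List[Dict[str, str]]:
    """Simulate the multi-line matcher; return one dict per annotation."""
    patterns = load_patterns(matcher_json)
    annotations: List[Dict[str, str]] = []
    state = 0                      # index of the pattern expected next
    captured: Dict[str, str] = {}

    for line in output.splitlines():
        while True:
            match = patterns[state]["compiled"].match(line)
            if match:
                # Copy the declared capture groups (message/file/line) out.
                for key, group in patterns[state].items():
                    if key not in ("regexp", "compiled"):
                        captured[key] = match.group(group)
                state += 1
                if state == len(patterns):
                    annotations.append(captured)
                    captured, state = {}, 0
                break
            if state == 0:
                break              # nothing in progress; next line
            # The sequence broke off: reset and retry this line from pattern 0.
            captured, state = {}, 0
    return annotations
```

The PASSED check in the sample produces no annotation because its second line does not match `^\WFAILED.*$`, which is exactly the filtering the matcher is meant to do.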

Master build failed (-:

Master failed on build

ERROR: Could not find a version that satisfies the requirement checkov==2.0.173 (from versions: 0.0.0, 0.0.749, 1.0.27, 1.0.28, 1.0.29, 1.0.30, 1.0.31, 1.0.32, 1.0.33, 1.0.37, 1.0.45, 1.0.46, 1.0.47, 1.0.48, 1.0.49, 1.0.50, 1.0.51, 1.0.54, 1.0.55, 1.0.56, 1.0.57, 1.0.58, 1.0.59, 1.0.60, 1.0.62, 1.0.63, 1.0.64, 1.0.66, 1.0.67, 1.0.70, 1.0.71, 1.0.74, 1.0.75, 1.0.76, 1.0.77, 1.0.78, 1.0.79, 1.0.80, 1.0.82, 1.0.83, 1.0.84, 1.0.85, 1.0.86, 1.0.87, 1.0.89, 1.0.90, 1.0.91, 1.0.92, 1.0.93, 1.0.94, 1.0.95, 1.0.96, 1.0.97, 1.0.98, 1.0.99, 1.0.100, 1.0.101, 1.0.102, 1.0.103, 1.0.104, 1.0.105, 1.0.106, 1.0.107, 1.0.109, 1.0.110, 1.0.111, 1.0.112, 1.0.113, 1.0.114, 1.0.115, 1.0.116, 1.0.117, 1.0.118, 1.0.119, 1.0.120, 1.0.121, 1.0.122, 1.0.123, 1.0.124, 1.0.125, 1.0.126, 1.0.127, 1.0.128, 1.0.129, 1.0.130, 1.0.131, 1.0.132, 1.0.133, 1.0.134, 1.0.135, 1.0.136, 1.0.137, 1.0.138, 1.0.139, 1.0.140, 1.0.141, 1.0.142, 1.0.143, 1.0.144, 1.0.145, 1.0.146, 1.0.147, 1.0.148, 1.0.149, 1.0.150, 1.0.151, 1.0.152, 1.0.153, 1.0.15...

not scanning kubernetes yaml files

2022-01-13 12:52:52,477 [MainThread ] [DEBUG] Cannot read file contents: helm/x/y/z/test-connection.yml - is it a yaml?

files are skipped from being scanned?

webhook:
  - name: scanning helm
    uses: bridgecrewio/[email protected]
    with:
      directory: helm
      framework: kubernetes
      download_external_modules: false
      log_level: DEBUG

Allow quiet output

It could be nice to allow folks to enable the --quiet flag on checkov in this Github Action. That could reduce some of the scrolling through the Github Actions UI for users should they need/want to find what failed the checks.

Failed to Download

Hi, since yesterday we get a 403 when trying to use the checkov action (-:

      - name: Terraform security check
        id: checkov
        uses: bridgecrewio/checkov-action@master
        with:
          directory: ${{ matrix.working_directory }}
          skip_check: CKV_AWS_65,CKV_AWS_51,CKV_AWS_23,CKV_AWS_85,CKV_AWS_40,CKV_AWS_52,CKV_AWS_21,CKV_AWS_18,CKV_AWS_107
          quiet: true # optional: display only failed checks
          framework: terraform
        continue-on-error: false
Failed to download action 'https://api.github.com/repos/bridgecrewio/checkov-action/tarball/60970bd282ce39baab17ecc3f6ccb67fd8b3bda3'. Error: Response status code does not indicate success: 403 (Forbidden).

Checkov Github Action - Docker pull fails

Howdy, we cannot pull the checkov action (-:


Pull down action image 'bridgecrew/checkov:2.0.417'
  /usr/bin/docker pull bridgecrew/checkov:2.0.417
  Error response from daemon: manifest for bridgecrew/checkov:2.0.417 not found: manifest unknown: manifest unknown
  Warning: Docker pull failed with exit code 1, back off 2.931 seconds before retry.
  /usr/bin/docker pull bridgecrew/checkov:2.0.417
  Error response from daemon: manifest for bridgecrew/checkov:2.0.417 not found: manifest unknown: manifest unknown
  Warning: Docker pull failed with exit code 1, back off 1.172 seconds before retry.
  /usr/bin/docker pull bridgecrew/checkov:2.0.417
  Error response from daemon: manifest for bridgecrew/checkov:2.0.417 not found: manifest unknown: manifest unknown
Error: Docker pull failed with exit code 1

Feature Request: Add support for checkov config-file as parameter

Overview

As a devops build user, I would like to use a config-file checked in to source code to configure checkov instead of specifying values in the GitHub Action workflow step.

Now that checkov supports a config-file for loading attributes, I should be able to specify a value for a single config-file parameter in order to configure checkov.

Open Questions

  1. What happens if an attribute is specified both in the config-file and as a parameter to the workflow step? Does the value in the workflow file win, or is it easier to ignore those and only use the config file if one is specified? The answer to this question should be added to the documentation.

Download failed Github Action

Howdy,

again GitHub Actions failed to Download checkov action (-:

Warning: Failed to download action 'https://api.github.com/repos/bridgecrewio/checkov-action/tarball/3aaa4552f91bedf8255f71770de869a0a8035205'. Error: Response status code does not indicate success: 403 (Forbidden).
Warning: Back off 26.798 seconds before retry.

v12.1345 - Unable to find bridgecrew-problem-matcher.json

For the latest version of the action release: https://github.com/bridgecrewio/checkov-action/tree/v12.1345.0

The following error is seen when trying to run the action:

Error: Unable to process command '::add-matcher::bridgecrew-problem-matcher.json' successfully.
Error: Could not find file '/home/runner/work/spacelift/spacelift/bridgecrew-problem-matcher.json'.

We're using it like this:

      - name: Run Checkov action
        id: checkov
        uses: bridgecrewio/checkov-action@master
        with:
          framework: ${{ inputs.framework }}
          output_format: sarif # optional: the output format, one of: cli, json, junitxml, github_failed_only, or sarif. Default: sarif
          config_file: "${{ inputs.directory }}/${{ inputs.config_file }}"

Problem matcher json error

Using master (85417ae) I'm currently getting an error about a missing problem matcher file:

Error: Unable to process command '::add-matcher::bridgecrew-problem-matcher.json' successfully.
Error: Could not find file '/home/runner/work/terraform-aws-backup-plan/terraform-aws-backup-plan/bridgecrew-problem-matcher.json'.

Checkov still runs, but it causes the workflow to show as failed despite all checkov rules passing.

checkov-action not working with terraform plans

My terraform/terragrunt process generates a number of terraform plans as json files.

When I run:
checkov -d applied/accounts/plans/
locally, checkov successfully provides the results of scanning all of those json files

However, when I run:

      - name: 'Test Plan (Checkov)'
        uses: bridgecrewio/checkov-action@master
        with:
          directory: applied/accounts/plans/
          log_level: DEBUG

from GitHub Actions

I get the following error:

[DEBUG]  Failed to load json file applied/accounts/plans/testing/global/plan.json, skipping
[DEBUG]  Failure message:
[DEBUG]  Expecting value: line 1 column 2 (char 1)
Stack (most recent call last):
  File "/usr/local/bin/checkov", line 9, in <module>
    sys.exit(run())
  File "/usr/local/lib/python3.10/site-packages/checkov/main.py", line 216, in run
    scan_reports = runner_registry.run(root_folder=root_folder, external_checks_dir=external_checks_dir,
  File "/usr/local/lib/python3.10/site-packages/checkov/common/runners/runner_registry.py", line 67, in run
    for scan_report in reports:
  File "/usr/local/lib/python3.10/site-packages/checkov/common/parallelizer/parallel_runner.py", line 39, in _run_function_multiprocess
    process.start()
  File "/usr/local/lib/python3.10/multiprocessing/process.py", line 121, in start
    self._popen = self._Popen(self)
  File "/usr/local/lib/python3.10/multiprocessing/context.py", line 277, in _Popen
    return Popen(process_obj)
  File "/usr/local/lib/python3.10/multiprocessing/popen_fork.py", line 19, in __init__
    self._launch(process_obj)
  File "/usr/local/lib/python3.10/multiprocessing/popen_fork.py", line 71, in _launch
    code = process_obj._bootstrap(parent_sentinel=child_r)
  File "/usr/local/lib/python3.10/multiprocessing/process.py", line 315, in _bootstrap
    self.run()
  File "/usr/local/lib/python3.10/multiprocessing/process.py", line 108, in run
    self._target(*self._args, **self._kwargs)
  File "/usr/local/lib/python3.10/site-packages/checkov/common/parallelizer/parallel_runner.py", line 29, in func_wrapper
    result = original_func(item)
  File "/usr/local/lib/python3.10/site-packages/checkov/common/runners/runner_registry.py", line 63, in <lambda>
    lambda runner: runner.run(root_folder, external_checks_dir=external_checks_dir, files=files,
  File "/usr/local/lib/python3.10/site-packages/checkov/terraform/plan_runner.py", line 56, in run
    logging.debug(e, stack_info=True)

I have verified that the json plan files are correctly being created in GitHub Actions.

GitHub actions never fail

The tool works really well & I'd love to adopt it across the board; however, it doesn't matter what I put into the soft_fail: setting, it never fails & never feeds back to the pull request. The snip of the output of the tool shows this:

"ARM/" "" "CKV_AZURE_17" "true" "false" "arm" "" "" "github_failed_only" "true" "WARNING"
input_soft_fail:false
running checkov on directory: ARM/

Which does indicate that the entrypoint.sh is getting the setting correctly, but it just doesn't feedback a failure.

Unable to process command '::add-matcher::checkov-problem-matcher.json' successfully

version: v12.1478.0

Error: Unable to process command '::add-matcher::checkov-problem-matcher.json' successfully.
Error: Could not find file '/home/runner/_work/XXXX/checkov-problem-matcher.json'.
Error parsing file bridgecrew-problem-matcher-warning.jsonֿ
Error parsing file bridgecrew-problem-matcher.jsonֿ
Run bridgecrewio/[email protected]
  with:
    directory: .
    output_format: sarif
    log_level: WARNING
    container_user: 0
/usr/bin/docker run --name bridgecrewcheckov201067_478f7b --label b1cbc5 --workdir /github/workspace --rm -e INPUT_DIRECTORY -e INPUT_CHECK -e INPUT_SKIP_CHECK -e INPUT_QUIET -e INPUT_API-KEY -e INPUT_SOFT_FAIL -e INPUT_FRAMEWORK -e INPUT_EXTERNAL_CHECKS_DIRS -e INPUT_EXTERNAL_CHECKS_REPOS -e INPUT_OUTPUT_FORMAT -e INPUT_DOWNLOAD_EXTERNAL_MODULES -e INPUT_LOG_LEVEL -e INPUT_CONFIG_FILE -e INPUT_BASELINE -e INPUT_SOFT_FAIL_ON -e INPUT_HARD_FAIL_ON -e INPUT_CONTAINER_USER -e API_KEY_VARIABLE -e HOME -e GITHUB_JOB -e GITHUB_REF -e GITHUB_SHA -e GITHUB_REPOSITORY -e GITHUB_REPOSITORY_OWNER -e GITHUB_RUN_ID -e GITHUB_RUN_NUMBER -e GITHUB_RETENTION_DAYS -e GITHUB_RUN_ATTEMPT -e GITHUB_ACTOR -e GITHUB_WORKFLOW -e GITHUB_HEAD_REF -e GITHUB_BASE_REF -e GITHUB_EVENT_NAME -e GITHUB_SERVER_URL -e GITHUB_API_URL -e GITHUB_GRAPHQL_URL -e GITHUB_REF_PROTECTED -e GITHUB_REF_TYPE -e GITHUB_WORKSPACE -e GITHUB_ACTION -e GITHUB_EVENT_PATH -e GITHUB_ACTION_REPOSITORY -e GITHUB_ACTION_REF -e GITHUB_PATH -e GITHUB_ENV -e GITHUB_STEP_SUMMARY -e RUNNER_OS -e RUNNER_ARCH -e RUNNER_NAME -e RUNNER_TOOL_CACHE -e RUNNER_TEMP -e RUNNER_WORKSPACE -e ACTIONS_RUNTIME_URL -e ACTIONS_RUNTIME_TOKEN -e GITHUB_ACTIONS=true -e CI=true -v "/var/run/docker.sock":"/var/run/docker.sock" -v "/home/runner/_work/_temp/_github_home":"/github/home" -v "/home/runner/_work/_temp/_github_workflow":"/github/workflow" -v "/home/runner/_work/_temp/_runner_file_commands":"/github/file_commands" -v "/home/runner/_work/XXXXX":"/github/workspace" bridgecrew/checkov:2.0.1067  "." "" "" "" "" "" "" "" "sarif" "" "WARNING" "" "" "" "" "--user 0"

Error: Unable to process command '::add-matcher::checkov-problem-matcher.json' successfully.
Error: Could not find file '/home/runner/_work/XXXX/checkov-problem-matcher.json'.

BC_FROM_BRANCH=actions
BC_TO_BRANCH=master
BC_PR_ID=106
BC_PR_URL=https://XXXXX/pull/106
.....
check_suite_focus=true#step:4:13)a71a8
....
BC_RUN_ID=8
....

running checkov on directory: .
checkov -d .      --output sarif


       _               _              
   ___| |__   ___  ___| | _______   __
  / __| '_ \ / _ \/ __| |/ / _ \ \ / /
 | (__| | | |  __/ (__|   < (_) \ V / 
  \___|_| |_|\___|\___|_|\_\___/ \_/  
                                      
By bridgecrew.io | version: 2.0.1067 
Update available 2.0.1067 -> 2.0.1068
Run pip3 install -U checkov to update 

terraform_plan scan results:

Passed checks: 0, Failed checks: 0, Skipped checks: 0, Parsing errors: 2

Error parsing file bridgecrew-problem-matcher-warning.jsonֿ
Error parsing file bridgecrew-problem-matcher.jsonֿ


Wrote output in SARIF format to the file 'results.sarif'

       _               _              
   ___| |__   ___  ___| | _______   __
  / __| '_ \ / _ \/ __| |/ / _ \ \ / /
 | (__| | | |  __/ (__|   < (_) \ V / 
  \___|_| |_|\___|\___|_|\_\___/ \_/  
                                      
By bridgecrew.io | version: 2.0.1067 
Update available 2.0.1067 -> 2.0.1068
Run pip3 install -U checkov to update 

terraform_plan scan results:

Passed checks: 0, Failed checks: 0, Skipped checks: 0, Parsing errors: 2

Error parsing file bridgecrew-problem-matcher-warning.jsonֿ
Error parsing file bridgecrew-problem-matcher.jsonֿ


Wrote output in SARIF format to the file 'results.sarif'

Add version selection

At the minute the checkov version is tied to the Github action version, and there's no correlation in the tags so if you want to pin a specific checkov version it's quite awkward.

It would be nice to change this to an input in the action, similar to how this tflint action works: https://github.com/marketplace/actions/setup-tflint#tflint_version

This allows more configurable functionality, and also allows the Github action features to progress without forcing a checkov version update at the same time.

Checkov Action Crashes

Howdy,

checkov -d terraform/demo  --skip-check CKV_AWS_65,CKV_AWS_51,CKV_AWS_23,CKV_AWS_85,CKV_AWS_40,CKV_AWS_52,CKV_AWS_21,CKV_AWS_18,CKV2_AWS_5 --quiet        --framework terraform
Traceback (most recent call last):
  File "/usr/local/bin/checkov", line 8, in <module>
    exit(run())
  File "/usr/local/lib/python3.7/site-packages/checkov/main.py", line 175, in run
    files=file, guidelines=guidelines)
  File "/usr/local/lib/python3.7/site-packages/checkov/common/runners/runner_registry.py", line 54, in run
    collect_skip_comments=collect_skip_comments,
  File "/usr/local/lib/python3.7/site-packages/checkov/terraform/runner.py", line 77, in run
    vars_files=runner_filter.var_files)
  File "/usr/local/lib/python3.7/site-packages/checkov/terraform/graph_manager.py", line 18, in build_graph_from_source_directory
    self.parser.parse_hcl_module(source_dir, self.source, download_external_modules, parsing_errors, excluded_paths=excluded_paths, vars_files=vars_files)
  File "/usr/local/lib/python3.7/site-packages/checkov/terraform/parser.py", line 455, in parse_hcl_module
    vars_files=vars_files)
  File "/usr/local/lib/python3.7/site-packages/checkov/terraform/parser.py", line 101, in parse_directory
    self._parse_directory(dir_filter=lambda d: self._check_process_dir(d), vars_files=vars_files)
  File "/usr/local/lib/python3.7/site-packages/checkov/terraform/parser.py", line 141, in _parse_directory
    _filter_ignored_paths(sub_dir, d_names, self.excluded_paths)
  File "/usr/local/lib/python3.7/site-packages/checkov/terraform/parser.py", line 42, in _filter_ignored_paths
    filter_ignored_paths(root, paths, excluded_paths)
  File "/usr/local/lib/python3.7/site-packages/checkov/common/runners/base_runner.py", line 104, in filter_ignored_paths
    names.remove(path)
ValueError: list.remove(x): x not in list

Any ideas?

Tried:

  • Rerunning Actions

GitHub Action to update checkov version is failing

It appears there was a security or configuration change about four days ago that is preventing the github action from updating to newer versions of checkov.

[master 0d30735] update checkov version to '2.0.214'
 1 file changed, 1 insertion(+), 1 deletion(-)
remote: The repository owner has an IP allow list enabled, and 52.232.192.212 is not permitted to access this repository.
fatal: unable to access 'https://github.com/bridgecrewio/checkov-action/': The requested URL returned error: 403
Error: Process completed with exit code 128.

Monorepo support

Would adding support for autodiscovery of terraform projects within a monorepo root or subdirectory be possible? Currently I've got 3 or 4 projects where I have to write several hundred lines of yaml to manually add each project (also remembering to update the yaml when a new project is added).

"Latest" release (v13) from June 2020 gets picked up by Dependabot

Hi,

We're using Dependabot for GitHub Actions and it keeps wanting to update to bridgecrewio/checkov-action@v13, which is tagged as latest in GitHub and the Marketplace, (and/or is the highest, not sure what Dependabot looks for), when in fact it is from June 2020.

Is it possible to remove this tag? Or at least update the latest with each new release?
Not a blocker since we can always tell Dependabot not to update or set a version constraint, however.

Thanks for the great work!

Github Action ignores baseline file

Describe the issue

Running checkov in github action (runs docker image bridgecrew/checkov:2.0.756) ignores the baseline, outputs all errors, and exits with non-zero status code.

Test 1

The path to the baseline file is defined in checkov config file. Test is KO. Checkov runs, but reports all errors, as-if the baseline did not exist, and Github action fails due to non-zero status.

Content of the config file is:

branch: master
baseline: charts/cardano/.checkov.baseline
directory:
- charts/cardano
download-external-modules: false
evaluate-variables: true
external-modules-download-path: .external_modules
framework:
- helm
output:
- github_failed_only
skip-check:
- CKV_K8S_21
- CKV_K8S_10
- CKV_K8S_11
- CKV_K8S_12
- CKV_K8S_13
skip-path:
- /cardano/templates/tests/*
- /redis/*

Github Action Logs (truncated):

running checkov on directory: charts/cardano
checkov -d charts/cardano   --quiet  --output sarif   --config-file charts/cardano/.checkov    

       _               _              
   ___| |__   ___  ___| | _______   __
  / __| '_ \ / _ \/ __| |/ / _ \ \ / /
 | (__| | | |  __/ (__|   < (_) \ V / 
  \___|_| |_|\___|\___|_|\_\___/ \_/  
                                      
By bridgecrew.io | version: 2.0.756 
helm scan results:

Passed checks: 0, Failed checks: 24, Skipped checks: 0

Test 2

The path to the baseline is set in github action YAML settings. Test is KO. Checkov runs, but reports all errors, as-if the baseline did not exist, and Github action fails due to non-zero status.

Github Action Logs (truncated):

running checkov on directory: charts/cardano
checkov -d charts/cardano   --quiet  --output sarif   --config-file charts/cardano/.checkov    --baseline charts/cardano/.checkov.baseline

       _               _              
   ___| |__   ___  ___| | _______   __
  / __| '_ \ / _ \/ __| |/ / _ \ \ / /
 | (__| | | |  __/ (__|   < (_) \ V / 
  \___|_| |_|\___|\___|_|\_\___/ \_/  
                                      
By bridgecrew.io | version: 2.0.756 
helm scan results:

Passed checks: 0, Failed checks: 24, Skipped checks: 0

Test 3 (running the command line locally)

$ checkov -d charts/cardano --baseline charts/cardano/.checkov.baseline --config-file charts/cardano/.checkov
| check_id   | file   | resource   | check_name   | guideline   |
|------------|--------|------------|--------------|-------------|


---


$ checkov --version
2.0.735

Support non-ephemeral runners

Feature
Ensure that any files / folders that get touched by this action in the mounted workspace have their permissions fixed back to their original owner (probably the owner of the $GITHUB_WORKSPACE).

Problem
As it stands when you use this action the .terraform folder will have its owner set to root root as the container makes changes to the files (as well as any other file or folder the container creates / updates). This then results in the next run of the workflow failing as the checkout action fails to delete the .terraform folder due to it being owned by root root rather than the user running the actions service.

To work around this you can use the action peter-murray/reset-workspace-ownership-action to reset the permissions on the repository code.

      - name: Get Actions user id
        id: get_uid
        run: |
          actions_user_id=`id -u $USER`
          echo $actions_user_id
          echo ::set-output name=uid::$actions_user_id
      - name: Correct Ownership in GITHUB_WORKSPACE directory
        uses: peter-murray/reset-workspace-ownership-action@v1
        with:
          user_id: ${{ steps.get_uid.outputs.uid }}

This is a faff though and needs to be done in any workflow that uses this action; it should be handled natively, or there should be an input that can solve this.

https://vsupalov.com/docker-shared-permissions/ basically covers this problem.

EDIT: For posterity's sake, this is the type of error you'll get due to Docker messing with the permission bits of files / folders it touches:

Run actions/checkout@v2
Syncing repository: owner/repo
Getting Git version info
Deleting the contents of '/actions-runner/_work/repo/repo'
Error: Command failed: rm -rf "/actions-runner/_work/repo/repo/.terraform"
rm: cannot remove '/actions-runner/_work/repo/repo/.terraform/modules/modules.json': Permission denied
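The repair the issue asks the action to do natively, as an added example (not checkov-action code, and not the reset-workspace-ownership action): scan the workspace for entries not owned by the workspace owner and hand them back. `GITHUB_WORKSPACE` is the runner's real variable; the `--fix` flag and the function names are this example's own.

```python
"""Hand files a root-running container left behind back to the workspace owner.

Added example, not checkov-action code. The action's container runs as root, so
what it writes (the .terraform directory in the report above) is owned by uid 0
and a later actions/checkout cannot delete it. The scan is separated from the
fix because chown itself needs root (e.g. sudo on the runner).
"""
import os
import sys


def foreign_owned(root: str, owner_uid: int) -> list:
    """Paths under ``root`` (root itself excluded) whose owner is not ``owner_uid``.

    Entries are inspected with lstat and symlinks are never followed, so a link
    inside the workspace cannot steer the later chown to something outside it.
    """
    found = []
    for dirpath, dirnames, filenames in os.walk(root, followlinks=False):
        for name in dirnames + filenames:
            path = os.path.join(dirpath, name)
            if os.lstat(path).st_uid != owner_uid:
                found.append(path)
    return found


def restore_ownership(root: str, dry_run: bool = True) -> list:
    """Chown every foreign-owned entry to the owner of ``root`` (uid and gid).

    Returns the paths that were, or in dry-run mode would be, changed.
    """
    st = os.stat(root)
    paths = foreign_owned(root, st.st_uid)
    if not dry_run:
        for path in paths:
            os.lchown(path, st.st_uid, st.st_gid)
    return paths


if __name__ == "__main__":
    # Dry run by default; pass --fix (as root) to actually change ownership.
    workspace = os.environ.get("GITHUB_WORKSPACE", ".")
    for path in restore_ownership(workspace, dry_run="--fix" not in sys.argv):
        print(path)
```

Run it as a final `if: always()` step so the cleanup happens even when the scan fails; the dry run lists exactly what a later checkout would choke on.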

SARIF output format not documented and it should be the default output format for the action

SARIF is supported but not documented in the action.yml documentation of the output_format parameter:

    - name: Checkov GitHub Action
      uses: bridgecrewio/checkov-action@master
      with:
        directory: .
        output_format: sarif

I think SARIF should be the default and the results should be uploaded to GitHub by the action so that the results show up under Security | Code scanning alerts. Right now you have to perform the upload manually:

    - name: Upload SARIF file
      uses: github/codeql-action/upload-sarif@v1
      with:
        sarif_file: results.sarif
      if: always()

Feature Request: file-by-file checks for Pull Requests

Feature request:
Support out of the box the ability to report only on files modified within a Pull Request.

In the event of a Pull Request, do not scan the entire target directory. Instead, invoke checkov only against those files modified within the PR.

Add support for skip-path

Hi,

I'd like to be able to specify a path to ignore in the action.

My terraform modules have the following directory structure:

./main.tf
./examples/default/main.tf

I'd like to run checkov on the root directory, but exclude the examples directory.

Cheers

Default --directory parameter overrides directory in .checkov.yml

.checkov.yml:

directory:
  - infra
evaluate-variables: true
framework: all
output: cli
quiet: true
download-external-modules: false

Action config:

      - name: Run Checkov
        uses: bridgecrewio/checkov-action@master
        with:
          config_file: .checkov.yml

Expected outcome:

$ checkov --output sarif   --config-file .checkov.yml

Current outcome:

$ checkov -d .  --output sarif   --config-file .checkov.yml

Add parameter for output_format

Overview

As a developer, I would like to specify the format of the checkov output. The checkov cli already supports the --output attribute.

Requirements

  • Add a new optional parameter to the github action called output_format
  • valid accepted values are: cli, json, junitxml, github_failed_only

Add checkov version pin mechanism

Some folks may wish to opt in to checkov package updates within CI pipelines on their own timeline. Some sort of version pin mechanism in this action would likely be appreciated by that crowd.

Feature request: Integration with Reviewdog

Please integrate Checkov with Reviewdog (below); they host a template to make it easy to host the action. Using a tool like this allows you to run checks against changes as the workflow action runs on pull requests, and will allow issues to be addressed and resolved on the entirety of the repository separately. Without this, pull requests may fail for errors not related to the changes that are being pushed.

https://github.com/reviewdog/reviewdog

https://github.com/reviewdog/action-template

Also, please allow these flags, as this makes it easier to centralize rules within one repo and allows for deployment to workflows without having to update YAML files. It would be great to reference a set folder of static rules via --external-checks-dir and bypass the main scan altogether.

--external-checks-git

--external-checks-dir

Major tag v12 is not updated

Major tag v12 is not updated and points to a very old commit: https://github.com/bridgecrewio/checkov-action/commits/v12

According to the official GitHub recommendations, and here:

Make the new release available to those binding to the major version tag: Move the major version tag (v1, v2, etc.) to point to the ref of the current release. This will act as the stable release for that major version. You should keep this tag updated to the most recent stable minor/patch release.

Because of that I can't use the v12 tag and have to point to a specific tag like v12.939.0, but it's updated quite frequently.

      - name: Checkov action
        id: checkov
        uses: bridgecrewio/checkov-action@v12

The only way I can see right now is to use the master branch, which is not good for production usage.

      - name: Checkov action
        id: checkov
        uses: bridgecrewio/checkov-action@master

Provide a problem matcher

It would be great if checkov provided a problem matcher with this action so end users could get a richer error output experience in GitHub Actions, by allowing test failures and their reasoning to bubble up to the UI as detected by the problem matcher: https://github.com/jsoref/actions-runner/blob/main/docs/adrs/0276-problem-matchers.md.

This would be especially nice as it's common to upload your checkov output to something else like Datadog. To do this you would want checkov to output something machine-friendly like XML. To then get nice output for humans in the pipeline you currently would need to run checkov a second time with something human-friendly as the output. This second run could be avoided by having a problem matcher bubble the errors up to the GitHub UI, meaning checkov only needs to be run once.

Here is an example of a project that provides a problem matcher: https://github.com/rhysd/actionlint/blob/main/.github/actionlint-matcher.json
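What such a matcher would look like for Checkov's cli output, as an added example that is not part of checkov-action: the three regexes are kept in Python so they can be exercised against sample output (constructed in the layout of the action logs quoted on this page), and the matcher JSON is printed from the same patterns. The matcher file name and the `match_failures` helper are this example's own.

```python
"""A GitHub problem matcher for Checkov's ``cli`` output, exercised in Python.

Added example, not part of checkov-action. A problem matcher is a JSON file of
regexes the runner applies line by line; this keeps the same regexes in Python,
runs them over constructed sample output and prints the JSON a workflow
would register with ``echo "::add-matcher::checkov-matcher.json"``.
"""
import json
import re

# Three patterns that must match consecutive lines (GitHub's multi-line
# matcher semantics): the check header, the FAILED line, then the File line.
CHECK_RE = re.compile(r'^Check: (\S+): "(.*)"$')
FAILED_RE = re.compile(r"^\s*FAILED for resource: (\S+)$")
FILE_RE = re.compile(r"^\s*File: (\S+?):(\d+)-(\d+)$")

MATCHER = {"problemMatcher": [{
    "owner": "checkov",
    "pattern": [
        {"regexp": CHECK_RE.pattern, "code": 1, "message": 2},
        {"regexp": FAILED_RE.pattern},
        {"regexp": FILE_RE.pattern, "file": 1, "line": 2},
    ],
}]}

# Constructed sample: one PASSED and one FAILED check, as Checkov prints them.
SAMPLE_OUTPUT = """\
Check: CKV_GCP_78: "Ensure Cloud storage has versioning enabled"
\tPASSED for resource: google_storage_bucket.my_terraform_bucket
\tFile: /main.tf:22-31
Check: CKV_GCP_62: "Bucket should log access"
\tFAILED for resource: google_storage_bucket.my_terraform_bucket
\tFile: /main.tf:22-31
\tGuide: https://docs.bridgecrew.io/docs/bc_gcp_logging_2
"""


def match_failures(output: str) -> list:
    """Apply the three patterns to consecutive lines; PASSED blocks never match."""
    lines = output.splitlines()
    findings = []
    for i in range(len(lines) - 2):
        m1 = CHECK_RE.match(lines[i])
        m2 = FAILED_RE.match(lines[i + 1])
        m3 = FILE_RE.match(lines[i + 2])
        if m1 and m2 and m3:
            findings.append({"code": m1.group(1), "message": m1.group(2),
                             "resource": m2.group(1),
                             "file": m3.group(1), "line": int(m3.group(2))})
    return findings


if __name__ == "__main__":
    print(json.dumps(MATCHER, indent=2))
```

Checkov prints the file path relative to the scanned directory with a leading slash (`/main.tf` in the logs above), so annotations only land on the right file when that directory is the repository root or the path is adjusted first.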

Did v13 disappear?

We've noticed our use of the checkov GitHub Action has started failing. The reason being that v13 doesn't exist.

I can see in the releases there is no v13, but it definitely used to work.

Am I going loopy or has v13 disappeared?

Here's what we had in our GitHub Action:

bridgecrewio/checkov-action@v13

And here's an example line from a successful run of a GitHub Action with it in:

home/runner/work/_actions/bridgecrewio/checkov-action/v13/Dockerfile

Whitelist for Checkov failures

I would like to configure which failing checks do not cause the action to fail. For instance, to whitelist the rule CKV_AWS_24: "Ensure no security groups allow ingress from 0.0.0.0:0 to port 22"
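One way to get this behaviour today, as an added example that is not checkov-action code: run the action with `output_format: json`, then let a small gate decide the exit status so that allow-listed check IDs are still reported but no longer fatal. It assumes the layout of Checkov's JSON report (`results.failed_checks[].check_id`, and a JSON list of reports for multi-framework runs); the sample report is constructed.

```python
"""Fail the job only on Checkov failures that are not on an allow-list.

Added example, not checkov-action code. It assumes the shape of Checkov's
``--output json`` report (``results.failed_checks[].check_id``) and that a
multi-framework run emits a JSON list of such reports; the report below is
constructed for illustration.
"""
import json

# Constructed sample report in the layout of ``checkov --output json``.
SAMPLE_REPORT = json.dumps({
    "check_type": "terraform",
    "results": {
        "passed_checks": [],
        "failed_checks": [
            {"check_id": "CKV_AWS_24",
             "check_name": "Ensure no security groups allow ingress from 0.0.0.0:0 to port 22",
             "file_path": "/main.tf", "file_line_range": [1, 12],
             "resource": "aws_security_group.ssh"},
            {"check_id": "CKV_GCP_62", "check_name": "Bucket should log access",
             "file_path": "/main.tf", "file_line_range": [22, 31],
             "resource": "google_storage_bucket.my_terraform_bucket"},
        ],
        "skipped_checks": [],
    },
})


def failed_checks(report_json: str) -> list:
    """Failed checks from one report, or from the list a multi-framework run emits."""
    data = json.loads(report_json)
    reports = data if isinstance(data, list) else [data]
    return [c for r in reports for c in r.get("results", {}).get("failed_checks", [])]


def blocking_failures(report_json: str, allowlist) -> list:
    """Failures whose check_id is not allow-listed; these alone should fail the job.

    Allow-listed checks are still reported by Checkov, they just stop being fatal,
    unlike skip_check, which suppresses them entirely.
    """
    allowed = set(allowlist)
    return [c for c in failed_checks(report_json) if c["check_id"] not in allowed]


def exit_code(report_json: str, allowlist) -> int:
    """0 when every failure is allow-listed, 1 otherwise (what the job keys on)."""
    return 1 if blocking_failures(report_json, allowlist) else 0


if __name__ == "__main__":
    allow = ["CKV_AWS_24"]  # the rule the issue above wants to tolerate
    for c in blocking_failures(SAMPLE_REPORT, allow):
        print(f"{c['check_id']} {c['resource']} {c['file_path']}:{c['file_line_range'][0]}")
    raise SystemExit(exit_code(SAMPLE_REPORT, allow))
```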

Have problems with using

Hello! When I try to use your action, it cannot build the Dockerfile image, with this error:

Step 2/5 : RUN pip install -r requirements.txt
 ---> Running in 5f522fb0712e
ERROR: Could not open requirements file: [Errno 2] No such file or directory: 'requirements.txt'
The command '/bin/sh -c pip install -r requirements.txt' returned a non-zero code: 1

Checkov-action unable to scan all the serverless.yml in root directory

Hello Team,
Here is my current checkov_scan.yml file:

    - name: Run Checkov action serverless
      id: checkov1
      uses: bridgecrewio/checkov-action@master
      with:
        #skip_check: CKV_AWS_23 # optional: skip a specific check_id
        #quiet: true # optional: display only failed checks
        #log_level: DEBUG # optional: set log level. Default WARNING
        output_format: cli # optional: the output format, one of: cli, json, junitxml, github_failed_only
        framework: serverless

I have not mentioned a directory path so that checkov scans both my terraform files and serverless.yml as well,
but there are two files in the root directory, serverless.yml and serverless-nonprod.yml.
checkov is skipping one of the files, "serverless-nonprod.yml"; if I rename the file from "serverless-nonprod.yml" to "serverless.yml", checkov is scanning it.
Is there a way from GitHub Actions to pass a specific list of files to scan?
I see there is an option checkov -f file name,
but if I use GitHub Actions "bridgecrewio/checkov-action@master" I don't have any documentation to pass a file.
Can anyone please let me know how to accomplish this.

Bug: Check results are reported twice

When using the checkov GitHub Action, check results are reported twice.

This issue is reproducible every time.


version: 2.0.977
*edit: detailed version information is in comment #80.

GitHub Action part

    - name: Analyze infra code with Checkov
      uses: bridgecrewio/checkov-action@master
      with:
        directory: ./terraform
        framework: terraform

Test resource in terraform

resource "google_storage_bucket" "my_terraform_bucket" {
  name          = "my-terraform-bucket"
  location      = "EU"
  force_destroy = true

  uniform_bucket_level_access = true
  versioning {
    enabled = true
  }
}

Action logs

2022-03-20T15:50:03.6271686Z checkov -d ./terraform     --output sarif      --framework terraform 
2022-03-20T15:50:07.0771132Z 
2022-03-20T15:50:07.0771668Z        _               _              
2022-03-20T15:50:07.0772064Z    ___| |__   ___  ___| | _______   __
2022-03-20T15:50:07.0775188Z   / __| '_ \ / _ \/ __| |/ / _ \ \ / /
2022-03-20T15:50:07.0775835Z  | (__| | | |  __/ (__|   < (_) \ V / 
2022-03-20T15:50:07.0776461Z   \___|_| |_|\___|\___|_|\_\___/ \_/  
2022-03-20T15:50:07.0776957Z                                       
2022-03-20T15:50:07.0777328Z By bridgecrew.io | version: 2.0.977 
2022-03-20T15:50:07.0777718Z terraform scan results:
2022-03-20T15:50:07.0777973Z 
2022-03-20T15:50:07.0778175Z Passed checks: 2, Failed checks: 1, Skipped checks: 0
2022-03-20T15:50:07.0778459Z 
2022-03-20T15:50:07.0785654Z Check: CKV_GCP_29: "Ensure that Cloud Storage buckets have uniform bucket-level access enabled"
2022-03-20T15:50:07.0786275Z 	PASSED for resource: google_storage_bucket.my_terraform_bucket
2022-03-20T15:50:07.0786808Z 	File: /main.tf:22-31
2022-03-20T15:50:07.0787224Z 	Guide: https://docs.bridgecrew.io/docs/bc_gcp_gcs_2
2022-03-20T15:50:07.0787738Z Check: CKV_GCP_78: "Ensure Cloud storage has versioning enabled"
2022-03-20T15:50:07.0788224Z 	PASSED for resource: google_storage_bucket.my_terraform_bucket
2022-03-20T15:50:07.0788999Z 	File: /main.tf:22-31
2022-03-20T15:50:07.0789386Z Check: CKV_GCP_62: "Bucket should log access"
2022-03-20T15:50:07.0790735Z 	FAILED for resource: google_storage_bucket.my_terraform_bucket
2022-03-20T15:50:07.0807017Z ##[error]	File: /main.tf:22-31
2022-03-20T15:50:07.0838109Z 	Guide: https://docs.bridgecrew.io/docs/bc_gcp_logging_2
2022-03-20T15:50:07.0839206Z 
2022-03-20T15:50:07.0839524Z 		22 | resource "google_storage_bucket" "my_terraform_bucket" ***
2022-03-20T15:50:07.0841661Z 		23 |   name          = "my-terraform-bucket"
2022-03-20T15:50:07.0842186Z 		24 |   location      = "EU"
2022-03-20T15:50:07.0845079Z 		25 |   force_destroy = true
2022-03-20T15:50:07.0845415Z 		26 | 
2022-03-20T15:50:07.0845749Z 		27 |   uniform_bucket_level_access = true
2022-03-20T15:50:07.0846151Z 		28 |   versioning ***
2022-03-20T15:50:07.0846479Z 		29 |     enabled = true
2022-03-20T15:50:07.0846794Z 		30 |   ***
2022-03-20T15:50:07.0847090Z 		31 | ***
2022-03-20T15:50:07.0847255Z 
2022-03-20T15:50:07.0847285Z 
2022-03-20T15:50:07.0847291Z 
2022-03-20T15:50:07.0847636Z Wrote output in SARIF format to the file 'results.sarif'
2022-03-20T15:50:07.0848536Z        _               _              
2022-03-20T15:50:07.0848889Z    ___| |__   ___  ___| | _______   __
2022-03-20T15:50:07.0849274Z   / __| '_ \ / _ \/ __| |/ / _ \ \ / /
2022-03-20T15:50:07.0849594Z  | (__| | | |  __/ (__|   < (_) \ V / 
2022-03-20T15:50:07.0849951Z   \___|_| |_|\___|\___|_|\_\___/ \_/  
2022-03-20T15:50:07.0850271Z                                       
2022-03-20T15:50:07.0850615Z By bridgecrew.io | version: 2.0.977 
2022-03-20T15:50:07.0850982Z terraform scan results:
2022-03-20T15:50:07.0851188Z 
2022-03-20T15:50:07.0851379Z Passed checks: 2, Failed checks: 1, Skipped checks: 0
2022-03-20T15:50:07.0851636Z 
2022-03-20T15:50:07.0852075Z Check: CKV_GCP_29: "Ensure that Cloud Storage buckets have uniform bucket-level access enabled"
2022-03-20T15:50:07.0853310Z 	PASSED for resource: google_storage_bucket.my_terraform_bucket
2022-03-20T15:50:07.0853848Z 	File: /main.tf:22-31
2022-03-20T15:50:07.0854252Z 	Guide: https://docs.bridgecrew.io/docs/bc_gcp_gcs_2
2022-03-20T15:50:07.0854750Z Check: CKV_GCP_78: "Ensure Cloud storage has versioning enabled"
2022-03-20T15:50:07.0855233Z 	PASSED for resource: google_storage_bucket.my_terraform_bucket
2022-03-20T15:50:07.0855682Z 	File: /main.tf:22-31
2022-03-20T15:50:07.0856058Z Check: CKV_GCP_62: "Bucket should log access"
2022-03-20T15:50:07.0856752Z 	FAILED for resource: google_storage_bucket.my_terraform_bucket
2022-03-20T15:50:07.0857715Z ##[error]	File: /main.tf:22-31
2022-03-20T15:50:07.0858546Z 	Guide: https://docs.bridgecrew.io/docs/bc_gcp_logging_2
2022-03-20T15:50:07.0858825Z 
2022-03-20T15:50:07.0859078Z 		22 | resource "google_storage_bucket" "my_terraform_bucket" ***
2022-03-20T15:50:07.0859595Z 		23 |   name          = "my-terraform-bucket"
2022-03-20T15:50:07.0859965Z 		24 |   location      = "EU"
2022-03-20T15:50:07.0860304Z 		25 |   force_destroy = true
2022-03-20T15:50:07.0860628Z 		26 | 
2022-03-20T15:50:07.0860953Z 		27 |   uniform_bucket_level_access = true
2022-03-20T15:50:07.0861316Z 		28 |   versioning ***
2022-03-20T15:50:07.0861636Z 		29 |     enabled = true
2022-03-20T15:50:07.0861946Z 		30 |   ***
2022-03-20T15:50:07.0862234Z 		31 | ***
2022-03-20T15:50:07.0862410Z 
2022-03-20T15:50:07.0862416Z 
2022-03-20T15:50:07.0862423Z 
2022-03-20T15:50:07.0862700Z Wrote output in SARIF format to the file 'results.sarif'
