
terraform_checkov hook fails in Docker container since version v1.83.5 #633

Closed
ClaudioWaldvogel opened this issue Feb 22, 2024 · 5 comments · Fixed by #635

Describe the bug

Hi,
I want to use the terraform_checkov pre-commit hook in a CI pipeline.
The following config is used.

repos:
  - repo: https://github.com/antonbabenko/pre-commit-terraform
    rev: v1.86.1
    hooks:
      - id: terraform_checkov
        args:
          - --args=--quiet

If I use version v1.83.4 the container output is as follows:

$ TAG=v1.83.4
$ docker run -e "USERID=$(id -u):$(id -g)" -v $(pwd):/lint -w /lint ghcr.io/antonbabenko/pre-commit-terraform:$TAG run -a

[INFO] Initializing environment for https://github.com/antonbabenko/pre-commit-terraform.
Checkov..................................................................Failed
- hook id: terraform_checkov
- exit code: 1

terraform scan results:

Passed checks: 110, Failed checks: 8, Skipped checks: 2

Check: CKV_AWS_136: "Ensure that ECR repositories are encrypted using KMS"

Since version v1.83.5 the output is as follows:

$ TAG=v1.83.5
$ docker run -e "USERID=$(id -u):$(id -g)" -v $(pwd):/lint -w /lint ghcr.io/antonbabenko/pre-commit-terraform:$TAG run -a

[INFO] Initializing environment for https://github.com/antonbabenko/pre-commit-terraform.
Checkov..................................................................Failed
- hook id: terraform_checkov
- exit code: 127

/homerun503/.cache/pre-commit/repo_x74_52x/hooks/terraform_checkov.sh: line 66: checkov: command not found

How can we reproduce it?

Execute the commands as shown above.

Environment information

  • OS: MacOs

  • Docker image tag/git commit:

  • Tools versions. Don't forget to specify the right tag in the command -

TAG=v1.83.4 && docker run --entrypoint cat ghcr.io/antonbabenko/pre-commit-terraform:$TAG /usr/bin/tools_versions_info
pre-commit 3.4.0
Terraform v1.5.7
checkov 2.4.48
Infracost v0.10.29
terraform-docs version v0.16.0 1f686b1 linux/arm64
terragrunt version v0.51.4
terrascan version: v1.18.3
TFLint version 0.48.0
+ ruleset.terraform (0.4.0-bundled)
tfsec v1.28.4
tfupdate 0.7.2
hcledit 0.2.10

## Checkov version is missing
TAG=v1.83.5 && docker run --entrypoint cat ghcr.io/antonbabenko/pre-commit-terraform:$TAG /usr/bin/tools_versions_info
pre-commit 3.4.0
Terraform v1.6.1
checkov
Infracost v0.10.29
terraform-docs version v0.16.0 1f686b1 linux/arm64
terragrunt version v0.52.1
terrascan version: v1.18.3
TFLint version 0.48.0
+ ruleset.terraform (0.4.0-bundled)
tfsec v1.28.4
tfupdate 0.8.0
hcledit 0.2.10

TAG=latest && docker run --entrypoint cat ghcr.io/antonbabenko/pre-commit-terraform:$TAG /usr/bin/tools_versions_info
pre-commit 3.6.2
Terraform v1.7.3
checkov
Infracost v0.10.33
terraform-docs version v0.17.0 795d369 linux/arm64
terragrunt version v0.55.3
terrascan version: v1.18.11
TFLint version 0.50.3
+ ruleset.terraform (0.5.0-bundled)
tfsec v1.28.5
trivy Version: 0.49.1
tfupdate 0.8.1
hcledit 0.2.10
  • .pre-commit-config.yaml:
repos:
  - repo: https://github.com/antonbabenko/pre-commit-terraform
    rev: v1.86.1
    hooks:
      - id: terraform_checkov
        args:
          - --args=--quiet
ClaudioWaldvogel added the area/docker and bug labels on Feb 22, 2024

@MaxymVlasov (Collaborator)

MaxymVlasov commented Feb 22, 2024

Not reproduced in

repos:
  - repo: https://github.com/antonbabenko/pre-commit-terraform
    rev: v1.87.1
    hooks:
      - id: terraform_checkov
        args:
          - --args=--quiet
TAG=v1.87.1
docker run -e "USERID=$(id -u):$(id -g)" -v $(pwd):/lint -w /lint ghcr.io/antonbabenko/pre-commit-terraform:$TAG run -a

=> If something was wrong with previous versions, it was already fixed.
Please update to latest version

MaxymVlasov closed this as not planned (won't fix, can't repro, duplicate, stale) on Feb 22, 2024

@MaxymVlasov (Collaborator)

MaxymVlasov commented Feb 22, 2024

Also, see /homerun503 in your error?

/homerun503/.cache/pre-commit/repo_x74_52x/hooks/terraform_checkov.sh: line 66: checkov: command not found

That doesn't come from the container. It looks like it tries to execute the hook directly on the CI instance.

And by

docker run -ti --entrypoint=bash -e "USERID=$(id -u):$(id -g)" -v $(pwd):/lint -w /lint ghcr.io/antonbabenko/pre-commit-terraform:$TAG 

$ checkov -v

you can check whether checkov is included in the image:

➜ TAG=v1.87.1 && docker run --entrypoint cat ghcr.io/antonbabenko/pre-commit-terraform:$TAG /usr/bin/tools_versions_info
pre-commit 3.6.2
Terraform v1.7.3
checkov 3.2.22
Infracost v0.10.33
terraform-docs version v0.17.0 795d369 linux/amd64
terragrunt version v0.55.3
terrascan version: v1.18.11
TFLint version 0.50.3
+ ruleset.terraform (0.5.0-bundled)
tfsec v1.28.5
trivy Version: 0.49.1
tfupdate 0.8.1
hcledit 0.2.10
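The maintainer's diagnostic above boils down to reading /usr/bin/tools_versions_info out of the image and looking for a tool line that has no version behind it (the bare `checkov` line in the report). The following is an added example, not part of the issue thread or of the pre-commit-terraform project: a small POSIX shell preflight check that parses that file's format and fails a CI job before any hook runs if a tool is missing. The image path and the `tools_versions_info` location are taken from the thread; the sample input is constructed to mirror the broken v1.83.5 output quoted above, and the function names are my own.

```shell
#!/bin/sh
# Preflight check for the pre-commit-terraform Docker image (added example).
# tools_versions_info has one tool per line, "name version ...", with
# "+ ..." continuation lines (e.g. TFLint rulesets). A line that consists of
# the bare tool name means the binary is not installed in the image.

# missing_tool_versions: read tools_versions_info text on stdin and print the
# names of tools whose line carries no version token.
missing_tool_versions() {
  awk '
    /^[[:space:]]*$/ { next }     # skip blank lines
    /^\+/            { next }     # skip "+ ruleset..." continuation lines
    NF == 1          { print $1 } # lone token: tool present in list, no version
  '
}

# preflight_image TAG: dump tools_versions_info from the image (same command as
# in the thread) and return non-zero if any tool lacks a version. Needs docker
# and network access; the offline test below exercises only the parser.
preflight_image() {
  tag="$1"
  missing=$(docker run --rm --entrypoint cat \
      "ghcr.io/antonbabenko/pre-commit-terraform:$tag" /usr/bin/tools_versions_info \
      | missing_tool_versions) || return 1
  if [ -n "$missing" ]; then
    printf 'image tag %s: tools without a version:\n%s\n' "$tag" "$missing" >&2
    return 1
  fi
  return 0
}

# Constructed sample modelled on the v1.83.5 arm64 output quoted in the issue;
# checkov is listed but has no version string.
SAMPLE_BROKEN='pre-commit 3.4.0
Terraform v1.6.1
checkov
Infracost v0.10.29
TFLint version 0.48.0
+ ruleset.terraform (0.4.0-bundled)
tfsec v1.28.4'

# Constructed sample modelled on a healthy image (checkov has a version).
SAMPLE_OK='pre-commit 3.6.2
Terraform v1.7.3
checkov 3.2.22
TFLint version 0.50.3
+ ruleset.terraform (0.5.0-bundled)
trivy Version: 0.49.1'
```

Wire `preflight_image "$TAG" || exit 1` into the CI job ahead of the `docker run ... run -a` step; a missing tool then fails fast with its name instead of surfacing later as `command not found` (exit code 127) from inside a hook script.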

@MaxymVlasov (Collaborator)

btw, I can't reproduce your issue at all.

TAG=v1.83.5 && docker run --entrypoint cat ghcr.io/antonbabenko/pre-commit-terraform:$TAG /usr/bin/tools_versions_info
pre-commit 3.4.0
Terraform v1.6.1
checkov 2.5.6
Infracost v0.10.29
terraform-docs version v0.16.0 1f686b1 linux/amd64
terragrunt version v0.52.1
terrascan version: v1.18.3
TFLint version 0.48.0
+ ruleset.terraform (0.4.0-bundled)
tfsec v1.28.4
tfupdate 0.8.0
hcledit 0.2.10
TAG=latest && docker run --entrypoint cat ghcr.io/antonbabenko/pre-commit-terraform:$TAG /usr/bin/tools_versions_info
Unable to find image 'ghcr.io/antonbabenko/pre-commit-terraform:latest' locally
latest: Pulling from antonbabenko/pre-commit-terraform
Digest: sha256:db88473f769b725508ced7522f4c6ed4351ca13774d2d48eb282ac2d6ba110c5
Status: Downloaded newer image for ghcr.io/antonbabenko/pre-commit-terraform:latest
pre-commit 3.6.2
Terraform v1.7.3
checkov 3.2.22
Infracost v0.10.33
terraform-docs version v0.17.0 795d369 linux/amd64
terragrunt version v0.55.3
terrascan version: v1.18.11
TFLint version 0.50.3
+ ruleset.terraform (0.5.0-bundled)
tfsec v1.28.5
trivy Version: 0.49.1
tfupdate 0.8.1
hcledit 0.2.10

@MaxymVlasov (Collaborator)

MaxymVlasov commented Feb 22, 2024

It could be related to arm64, but the binary names were not changed. And I can't find anything about changes in the pip3 installation method:

https://github.com/bridgecrewio/checkov/releases/tag/2.4.48
https://github.com/bridgecrewio/checkov/releases/tag/2.5.6


And the code changes between v1.83.4 and v1.83.5 do not affect anything related to checkov or the Docker image at all:
v1.83.4...v1.83.5

So, currently, I think that there are no issues from our side.

@antonbabenko (Owner)

This issue has been resolved in version 1.88.1 🎉
