
Help me with the example of using environment variables with values for checkov and terrascan #104

Open
babuga365 opened this issue Jul 25, 2024 · 7 comments

Comments

@babuga365

babuga365 commented Jul 25, 2024

I'm getting issues using the setup below.

Azure Devops Pipeline: ci.yaml

parameters:
  - name: workingDir
    type: string

stages:
- stage: TerraformContinuousIntegration
  displayName: Terraform - CI
  jobs:
    - job: StaticCodeAnalysis
      displayName: CI - Static Code Analysis
      pool:
        vmImage: ubuntu-latest
      steps:
      - task: MicrosoftSecurityDevOps@1
        displayName: 'Static Code Analysis - MDFC'
        inputs:
          categories: 'IaC'
          tools: 'checkov,terrascan'
        env:
          GDN_CHECKOV_DIRECTORY: '$(System.DefaultWorkingDirectory)/${{ parameters.workingDir }}'
          GDN_CHECKOV_SKIPPATH: '/pipelines,/examples,/archive'
          GDN_CHECKOV_DOWNLOADEXTERNALMODULES: 'true'
          GDN_CHECKOV_CREATECONFIG: 'checkov-config.yaml'
          GDN_CHECKOV_SHOWCONFIG: 'true'
          GDN_CHECKOV_SKIPCHECK: 'CKV_TF_1'

Logs:
------------------------------------------------------------------------------
Clear:
Clearing folder: /home/vsts/work/1/s/.gdn/.r
Clearing folder: /home/vsts/work/1/s/.gdn/rc
Analyze:
Using environment variable override: SkipPath=/pipelines,/examples,/archive
Using environment variable override: SkipCheck=CKV_TF_1
Using environment variable override: DownloadExternalModules=true
Using environment variable override: CreateConfig=checkov-config.yaml
Using environment variable override: ShowConfig=true
Running Checkov 3.2.199
------------------------------------------------------------------------------
/home/vsts/work/_msdo/packages/nuget/Microsoft.Guardian.CheckovRedist_linux_amd64.3.2.199/tools/dist/checkov --directory ./ --output sarif --soft-fail --show-config --skip-path /pipelines,/examples,/archive --skip-check CKV_TF_1 --download-external-modules true --create-config checkov-config.yaml --output-file-path /home/vsts/work/1/s/.gdn/.r/checkov/001/checkov.sarif
##[error]Wrote config file to checkov-config.yaml
Tool run time: 5.4715251 seconds
------------------------------------------------------------------------------
Checkov completed with exit code 0
------------------------------------------------------------------------------

If you look at the logs, checkov is still using the directory --directory ./ instead of the value from the environment variable GDN_CHECKOV_DIRECTORY.

Also, let me know if I'm okay to use the env variable GDN_CHECKOV_SKIPPATH with values like '/pipelines,/examples,/archive', because checkov is not skipping these paths correctly and is checking all the files from these directories as well.

@cndaan

cndaan commented Aug 12, 2024

Same issue here.

It looks like the GDN_CHECKOV_DIRECTORY and the GDN_CHECKOV_FILE are not working for me. All other environment variables seem to be working except those two.

Can someone please fix this issue?

@masse-solita

We need this too. Can someone please fix this? Ping @chrisnielsen-MS @richardtucker @sethRait or anyone from MS.

@chrisnielsen-MS
Contributor

Hi folks,

With regards to the target directory, that one does work but it has a different environment variable: GDN_CHECKOV_TARGETDIRECTORY

I noticed our wiki had GDN_CHECKOV_DIRECTORY as well, so I fixed the documentation there. With regards to the skip paths, Checkov expects multiple values to be specified separately, like --skip-path /pipelines --skip-path /examples. This is currently not supported by our mechanism of passing values through environment variables, but we plan to add proper support for this soon in an upcoming release.

@cndaan -- we currently do not support the GDN_CHECKOV_FILE argument as it is mutually exclusive with --directory, for which we provide a default value. Once we have proper support for skipping subdirectories, would you still be interested in support for scanning a single file? If there is interest in this scenario separate from avoiding unnecessary scanning, I will add it to our backlog as well.
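As an added example (not code from the issue or from the Microsoft Security DevOps project), here is the reporter's pipeline step rewritten along the lines of the maintainer's reply: the directory override is renamed to GDN_CHECKOV_TARGETDIRECTORY, and GDN_CHECKOV_SKIPPATH is reduced to a single path, since a comma-separated list is handed to checkov as one --skip-path value rather than being expanded into repeated flags. The stage, job and directory values are the reporter's own; that a single skip path is honoured by the override mechanism is an assumption, and the choice of which path to keep is a placeholder.

```yaml
# Added example, not from the issue or the MicrosoftSecurityDevOps task itself.
parameters:
  - name: workingDir
    type: string

stages:
- stage: TerraformContinuousIntegration
  displayName: Terraform - CI
  jobs:
    - job: StaticCodeAnalysis
      displayName: CI - Static Code Analysis
      pool:
        vmImage: ubuntu-latest
      steps:
      - task: MicrosoftSecurityDevOps@1
        displayName: 'Static Code Analysis - MDFC'
        inputs:
          categories: 'IaC'
          tools: 'checkov,terrascan'
        env:
          # GDN_CHECKOV_DIRECTORY is not an override the task recognises (it never
          # shows up in the "Using environment variable override" log lines), so
          # checkov falls back to the task's default of --directory ./ .
          # GDN_CHECKOV_TARGETDIRECTORY is the variable the maintainer named.
          # Note the space after the colon: the original line omitted it, which is
          # a YAML syntax error independent of the task.
          GDN_CHECKOV_TARGETDIRECTORY: '$(System.DefaultWorkingDirectory)/${{ parameters.workingDir }}'
          # One path only. A value such as '/pipelines,/examples,/archive' is passed
          # through verbatim as a single --skip-path argument, whereas checkov wants
          # one --skip-path per path, so nothing gets skipped. Assumption: a single
          # value works as intended; '/archive' is a placeholder for the path you keep.
          GDN_CHECKOV_SKIPPATH: '/archive'
          GDN_CHECKOV_DOWNLOADEXTERNALMODULES: 'true'
          GDN_CHECKOV_SKIPCHECK: 'CKV_TF_1'
          # GDN_CHECKOV_CREATECONFIG and GDN_CHECKOV_SHOWCONFIG are left out: per
          # checkov's own --help, --create-config writes the config file and then
          # exits, which matches the "Wrote config file" line in the reporter's log.
```

To confirm the change took effect, read the Analyze section of the task log: the printed checkov command line should now carry --directory with the working directory you set rather than ./, and exactly one --skip-path value. If the override line for the target directory is missing, the variable name still does not match what the task reads.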

@masse-solita

@chrisnielsen-MS To my knowledge Checkov doesn't support scanning Terraform execution plans without the file argument.

From the Checkov documentation: "Plan evaluation provides Checkov additional dependencies and context that can result in a more complete scan result." https://www.checkov.io/7.Scan%20Examples/Terraform%20Plan%20Scanning.html

@chrisnielsen-MS
Contributor

Thank you for confirming, @masse-solita. We will be addressing this in an upcoming release as well.

@masse-solita

Great news @chrisnielsen-MS! Any ETA on the new release? 😄

@masse-solita

Any news about the new release @chrisnielsen-MS?
