ShiftLeftSecurity / sast-scan

Scan is a free & Open Source DevSecOps tool for performing static analysis based security testing of your applications and its dependencies. CI and Git friendly.
https://discord.gg/DCNxzaeUpd
Apache License 2.0

helpUri for checkov (and maybe others) are broken #283

Open xortim opened 3 years ago

xortim commented 3 years ago

The helpUri generated for checkov scans go to https://slscan.io?q=${ruleId}. This page does not redirect to the underlying tool's associated documentation.

Suggestion: Use the helpUris equivalent generated by the tool itself.

prabhu commented 3 years ago

Hi @xortim

Thanks for raising this ticket. The way checkov generates the helpUri was quite troubling. It was hitting a server endpoint to get the URL and thereby collecting analytics of all findings of all users. scan runs checkov with --no-guide which disables this behavior. So perhaps I will figure out the deeplink used by checkov and generate it directly in the code itself.

xortim commented 3 years ago

That would be great! I didn't even notice that it was phoning home for this. Resolving the deep links internally would be quite useful. Their approach would be a privacy concern for some users and remove the ability to use the tool offline.
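The offline rewrite discussed in this thread, as an added example that is not sast-scan's or checkov's own code: it walks a SARIF report, detects rules whose helpUri is missing or is the generic slscan.io search link, and fills in a deep link from a local template, so no request is made to any server. The documentation URL template and the rule ids in the sample are placeholders, not checkov's real format.

```python
"""Rewrite generic SARIF helpUri values from a local template, offline."""
import json
from urllib.parse import urlparse, parse_qs

# Placeholder template: the real per-tool documentation URL format is an
# assumption here and must be confirmed against the tool's own docs.
DOC_TEMPLATES = {"checkov": "https://DOCS.EXAMPLE/checkov/{rule_id}"}
GENERIC_HOST = "slscan.io"


def is_generic_help_uri(uri):
    """True when helpUri is absent or is the slscan.io?q=<ruleId> search link."""
    if not uri:
        return True
    parsed = urlparse(uri)
    return parsed.netloc == GENERIC_HOST and "q" in parse_qs(parsed.query)


def rewrite_help_uris(sarif, tool_name):
    """Replace generic helpUri values with a locally built deep link.

    Returns the number of rules rewritten. Only the in-memory SARIF dict is
    touched; no network access is needed, so the report stays usable offline.
    """
    template = DOC_TEMPLATES.get(tool_name)
    rewritten = 0
    for run in sarif.get("runs", []):
        driver = run.get("tool", {}).get("driver", {})
        for rule in driver.get("rules", []):
            if template and is_generic_help_uri(rule.get("helpUri")):
                rule["helpUri"] = template.format(rule_id=rule["id"])
                rewritten += 1
    return rewritten


# Constructed sample: a minimal SARIF run with one rule carrying the generic
# link described in the issue and one rule that already has a deep link.
SAMPLE_SARIF = json.loads("""{
  "version": "2.1.0",
  "runs": [{"tool": {"driver": {"name": "checkov", "rules": [
    {"id": "CKV_EXAMPLE_001", "helpUri": "https://slscan.io?q=CKV_EXAMPLE_001"},
    {"id": "CKV_EXAMPLE_002", "helpUri": "https://DOCS.EXAMPLE/checkov/CKV_EXAMPLE_002"}
  ]}}, "results": []}]
}""")

if __name__ == "__main__":
    print(rewrite_help_uris(SAMPLE_SARIF, "checkov"), "rule(s) rewritten")
    print(json.dumps(SAMPLE_SARIF["runs"][0]["tool"]["driver"]["rules"], indent=2))
```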