XargsUK / checkov-prismaless-vscode

Prevent cloud misconfigurations during build-time for Terraform, Cloudformation, Kubernetes, Serverless framework, and other infrastructure-as-code-languages with Checkov in VS Code.
https://marketplace.visualstudio.com/items?itemName=XargsUK.checkov-prismaless
Apache License 2.0
6 stars, 2 forks

[Bug/Feature Request]: Fails to run using Rancher Desktop - Rancher Desktop Support? #9

Open syserr0r opened 1 week ago

syserr0r commented 1 week ago

Python Version

n/a

Checkov Installation Method

docker

CheckovPrismaless Version

1.0.107

VSCode Version

1.93.1

Operating System

Windows 10

Description of the Bug

CheckovPrismaless fails to run the docker command - every file save where Checkov would be called results in a "Any troubles? We can help you figure out what happened" notification.

Enabling debugging and looking at the logs, I can see CheckovPrismaless does not correctly get the version from docker; see the following output when calling the "Install or Update" command:

[info]: Trying to install Checkov using Docker. 
[debug]: Testing docker installation with command: docker pull bridgecrew/checkov:latest 
[info]: Checkov installed successfully using Docker. {"checkovPath":"docker"}
[info]: Checkov installation:  {"checkovInstallationMethod":"docker","checkovPath":"docker"}
[debug]: Version command: docker run --rm bridgecrew/checkov:latest -v 
[debug]: Response from version command:  
[debug]: Previously installed checkov version matches the newly installed one 

When CheckovPrismaless then tries to run, it attempts to docker run with the previously found empty version string, resulting in trying to run the image "bridgecrew/checkov:", which is invalid; this can be seen as follows:

[debug]: Getting cached results for hash 36cdc7e38193da3bec85a6b5240412ec 
[debug]: Today: 1727305200000 
[debug]: Cache date: 1727305200000 
[debug]: Cache date (1727305200000) is not stale 
[debug]: useCache is true, but did not find cached results for file: /path/to/project/file.py, hash: 36cdc7e38193da3bec85a6b5240412ec 
[debug]: Getting cached results for hash 36cdc7e38193da3bec85a6b5240412ec 
[debug]: Today: 1727305200000 
[debug]: Cache date: 1727305200000 
[debug]: Cache date (1727305200000) is not stale 
[debug]: useCache is true, but did not find cached results for file: /path/to/project/file.py, hash: 36cdc7e38193da3bec85a6b5240412ec 
[info]: Starting to scan. 
[debug]: Output:
origin  git@gitlab.com:project/project.git (fetch)
origin  git@gitlab.com:project/project.git (push)

[info]: repo urlgit@gitlab.com:project/project.git 
[info]: repo nameproject/project 
[info]: Running checkov: 
[info]: docker run --rm --tty --name vscode-checkov-1727358015878 --env LOG_LEVEL=DEBUG --env BC_SOURCE=vscode --env BC_SOURCE_VERSION=unknown -v "/path/to/project:/checkovScan" -w /checkovScan bridgecrew/checkov: -f "file.py" -s --repo-id project/project --skip-check BC_LIC* -o json 
[warn]: Checkov stderr: docker: invalid reference format.
See 'docker run --help'.

[debug]: Checkov scan process exited with code 125 
[debug]: Checkov task output: {"stdout":""}
[error]: Error occurred while running a checkov scan {"error":"Checkov exited with code 125"}
[info]: Cancellation token invoked, aborting checkov run. 
[debug]: Getting cached results for hash 36cdc7e38193da3bec85a6b5240412ec 
[debug]: Today: 1727305200000 
[debug]: Cache date: 1727305200000 
[debug]: Cache date (1727305200000) is not stale 
[debug]: useCache is true, but did not find cached results for file: /path/to/project/file.py, hash: 36cdc7e38193da3bec85a6b5240412ec 
[info]: not deleting container vscode-checkov-1727358015878 as it was already removed 
[info]: Starting to scan. 
[debug]: Output:
origin  git@gitlab.com:project/project.git (fetch)
origin  git@gitlab.com:project/project.git (push)

[info]: repo urlgit@gitlab.com:project/project.git 
[info]: repo nameproject/project 
[info]: Running checkov: 
[info]: docker run --rm --tty --name vscode-checkov-1727358018440 --env LOG_LEVEL=DEBUG --env BC_SOURCE=vscode --env BC_SOURCE_VERSION=unknown -v "/home/tony/git-dev/project/project:/checkovScan" -w /checkovScan bridgecrew/checkov: -f "file.py" -s --repo-id project/project --skip-check BC_LIC* -o json 
[warn]: Checkov stderr: docker: invalid reference format.
See 'docker run --help'.

[debug]: Checkov scan process exited with code 125 
[debug]: Checkov task output: {"stdout":""}
[error]: Error occurred while running a checkov scan {"error":"Checkov exited with code 125"}
[info]: Cancellation token invoked, aborting checkov run. 
[info]: not deleting container vscode-checkov-1727358018440 as it was already removed 

Running the command manually in the WSL2 terminal we can see no output:

user@debian:~$ docker run --rm bridgecrew/checkov:latest -v
user@debian:~$

Re-running the command with the -it flags gives us the correct output:

user@debian:~$ docker run --rm -it bridgecrew/checkov:latest -v
3.2.255

Running both commands on a Linux VM with docker installed, we can see they both output the version string (so there are no adverse effects from adding the -it flag, and this explains why it would work with docker):

root@debian-vm:~# docker run --rm -it bridgecrew/checkov:latest -v
3.2.255
root@debian-vm:~# docker run --rm bridgecrew/checkov:latest -v
3.2.255

Steps to Reproduce

syserr0r commented 1 week ago

For reference this appears to be caused by this upstream issue: https://github.com/rancher-sandbox/rancher-desktop/issues/3239

XargsUK commented 6 days ago

Thanks for flagging this @syserr0r, and for the detailed reproduction steps!

I was able to replicate the issue you reported, and found that there were two areas that needed adjusting. First of all, I replaced the --tty argument with --interactive, which allowed for the version to be returned when using Rancher Desktop. I added the same flag to the command that is passed through in runVersionCommand in src/utils.ts.

Please could you let me know if this resolves it for you?

If so, I'll perform a bit more testing in some different environments, but should be able to get this pushed out asap.

Thanks again!

From there, you can open a repo with something supported by Checkov, and see if you get any errors.

Edit: In testing for myself, --tty/-t was not required, and actually created some noise
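The failure chain in this thread is worth pinning down in code: the extension runs a version probe, takes whatever comes back on stdout as the image tag, and interpolates it into a docker run command line. When the probe returns nothing (as it does under Rancher Desktop without stdin attached), the tag is empty, the reference becomes "bridgecrew/checkov:", and docker exits 125 before Checkov ever starts. The hardened version below is an added TypeScript illustration, not the extension's own code from src/utils.ts; the function names are assumptions, the --interactive flag follows the maintainer's reply above, and the sample outputs are constructed from the logs in the report. The point it demonstrates beyond the thread: the version string is untrusted input that flows into a command, so validate it against a strict pattern, fall back to an explicit tag rather than an empty one, build argv as an array so nothing is shell-parsed, and treat docker's own exit codes (125 to 127) as CLI failures rather than scan results.

```typescript
// Added example (not CheckovPrismaless code). Demonstrates a version probe and
// image-reference builder that cannot produce the "bridgecrew/checkov:" reference
// seen in the issue. Names below are illustrative assumptions.

const CHECKOV_IMAGE = "bridgecrew/checkov";

// Only digits and dots are accepted as a tag. Anything else (empty output, docker
// error text, a line that is not a version) is rejected rather than interpolated.
const VERSION_TAG = /^\d+\.\d+\.\d+$/;

/** Parse the stdout of the version probe. Returns null, never "", on bad output. */
function parseCheckovVersion(stdout: string): string | null {
  const lines = stdout.split(/\r?\n/).map((l) => l.trim()).filter((l) => l.length > 0);
  const last = lines.length > 0 ? lines[lines.length - 1] : "";
  return VERSION_TAG.test(last) ? last : null;
}

/** Image reference with an explicit tag; an unknown version pins to "latest". */
function imageRef(version: string | null): string {
  const tag = version === null ? "latest" : version;
  return `${CHECKOV_IMAGE}:${tag}`;
}

/** argv for the version probe: stdin attached (--interactive), no pseudo-TTY, so
 *  stdout stays a plain pipe and the version is printable from a child process. */
function versionCommand(): string[] {
  return ["docker", "run", "--rm", "--interactive", imageRef("latest"), "-v"];
}

/** argv for scanning one file. Built as an array so paths and file names are passed
 *  verbatim to docker without any shell quoting. */
function scanCommand(
  version: string | null,
  workspace: string,
  file: string,
  containerName: string,
): string[] {
  return [
    "docker", "run", "--rm", "--interactive", "--name", containerName,
    "--env", "BC_SOURCE=vscode",
    "-v", `${workspace}:/checkovScan`, "-w", "/checkovScan",
    imageRef(version), "-f", file, "-s", "-o", "json",
  ];
}

/** docker reserves 125 (docker run itself failed), 126 (command not invocable) and
 *  127 (command not found); these are CLI failures, not Checkov results, and should
 *  be surfaced as such instead of a generic "any troubles?" notification. */
function isDockerCliFailure(exitCode: number): boolean {
  return exitCode >= 125 && exitCode <= 127;
}

// Constructed sample outputs, mirroring the report: a working probe, the empty
// stdout seen under Rancher Desktop, and the docker error text.
const SAMPLE_GOOD = "3.2.255\n";
const SAMPLE_EMPTY = "";
const SAMPLE_DOCKER_ERR = "docker: invalid reference format.\nSee 'docker run --help'.\n";

function demo(): string[] {
  return [SAMPLE_GOOD, SAMPLE_EMPTY, SAMPLE_DOCKER_ERR].map((out) => {
    const v = parseCheckovVersion(out);
    return scanCommand(v, "/path/to/project", "file.py", "vscode-checkov-demo").join(" ");
  });
}

console.log(demo().join("\n"));
```

With the empty or error outputs the scan command still carries a valid reference (bridgecrew/checkov:latest) and the extension can log "version probe returned no version, falling back to latest" instead of launching a command docker will reject.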