bridgecrewio / checkov-action

This GitHub Action runs Checkov against infrastructure-as-code, open source packages, container images, and CI/CD configurations to identify misconfigurations, vulnerabilities, and license compliance issues.
Apache License 2.0

Monorepo support #22

Open btilford opened 3 years ago

btilford commented 3 years ago

Would adding support for autodiscovery of terraform projects within a monorepo root or subdirectory be possible? Currently I've got 3 or 4 projects where I have to write several hundred lines of yaml to manually add each project (also remembering to update yaml when a new project is added).

btilford commented 3 years ago

I'm basically looking for something that includes directories/files to check. Maybe an excludes option would be easier to implement; at least then things can run a bit faster and dependencies/libs aren't being scanned recursively.

On Mon, Feb 8, 2021 at 5:36 PM Matt Johnson notifications@github.com wrote:

Hi Ben,

Would something like the following allow you to just get the failed checks section of the json without a new flag?

checkov -o json -f terraform/aws/ec2.tf | jq .results.failed_checks

checkov -o json -f terraform/aws/ec2.tf | jq .results.failed_checks > just_failed.json


njgibbon commented 3 years ago

Hello @btilford

I think we may be able to satisfy what you're after as-is. I'm not sure about excluding dirs yet. But check out below:

I use this action configuration to run a recursive checkov scan only in the 'modules' directory. By specifying 'framework: terraform' I am only running terraform scans.

      - name: Run Checkov action
        id: checkov
        uses: bridgecrewio/checkov-action@master
        with:
          directory: modules/
          quiet: false
          soft_fail: false
          framework: terraform
          output_format: cli

Will this do what you want? You could do things like use several blocks if you want to choose different specific dirs and subdirs to scan.

alen-z commented 2 years ago

Did not test, but directory: dir1/ -d dir2/ -d dir3/ might do the trick to scan a selected set of directories.

While we're at it, can we enable Checkov GH actions to take multiple directories?

Edit: An alternative could be to run Checkov multiple times by changing the directory variable from a matrix which is dynamically built based on extracted changed directories in the repository. Similar to: https://tomasvotruba.com/blog/2020/11/16/how-to-make-dynamic-matrix-in-github-actions/
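A concrete version of the dynamic-matrix approach described above, added here as an example that is not part of this thread, of checkov-action or of the linked blog post: a POSIX shell helper that autodiscovers every directory containing .tf files (pruning .terraform, .git and node_modules so provider caches and vendored libraries are not scanned recursively) and emits the JSON array a discovery job would publish for a per-directory checkov-action matrix. The directory layout in the comments is assumed for illustration.

```shell
# discover_tf_dirs ROOT: print a JSON array of every directory under ROOT that
# holds at least one .tf file. Vendored/cached trees are pruned so that
# provider caches and third-party code never reach the scanner.
discover_tf_dirs() {
    root="${1:-.}"
    find "$root" \
        \( -name .terraform -o -name .git -o -name node_modules \) -prune -o \
        -type f -name '*.tf' -print \
    | while IFS= read -r f; do dirname "$f"; done \
    | sed 's#^\./##' \
    | sort -u \
    | awk 'BEGIN { printf "[" }
           { printf "%s\"%s\"", (NR > 1 ? "," : ""), $0 }
           END { printf "]\n" }'
}

# write_matrix_output ROOT OUTFILE: append "matrix=<json>" to OUTFILE, which is
# the key=value form GitHub Actions reads from $GITHUB_OUTPUT. A discovery job
# would run:   run: write_matrix_output . "$GITHUB_OUTPUT"   (step id: discover)
# and expose   outputs: matrix: ${{ steps.discover.outputs.matrix }}
# so a second job can fan out with
#   strategy: matrix: directory: ${{ fromJson(needs.discover.outputs.matrix) }}
# and pass     directory: ${{ matrix.directory }}   to bridgecrewio/checkov-action.
write_matrix_output() {
    printf 'matrix=%s\n' "$(discover_tf_dirs "$1")" >> "$2"
}

# Stand-alone demonstration on a constructed layout:
#   modules/vpc/main.tf, modules/vpc/.terraform/providers/x.tf (cached, skipped),
#   apps/web/main.tf, docs/readme.md (no terraform)
# prints ["apps/web","modules/vpc"] when run from the repo root.
if [ "${1:-}" = "--demo" ]; then
    discover_tf_dirs .
fi
```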

HariSekhon commented 2 years ago

@alen-z I'm using .checkov.yaml to work around more options than the GitHub Action supports, such as a list of directories to skip using skip-path.

Here is my working template that I use in this and other repos:

https://github.com/HariSekhon/Templates/blob/master/.checkov.yaml