bridgecrewio / checkov-action

This GitHub Action runs Checkov against infrastructure-as-code, open source packages, container images, and CI/CD configurations to identify misconfigurations, vulnerabilities, and license compliance issues.
Apache License 2.0

Default --directory parameter overrides directory in .checkov.yml #77

Open nayoa opened 2 years ago

nayoa commented 2 years ago

.checkov.yml:

```yaml
directory:
  - infra
evaluate-variables: true
framework: all
output: cli
quiet: true
download-external-modules: false
```

Action config:

```yaml
      - name: Run Checkov
        uses: bridgecrewio/checkov-action@master
        with:
          config_file: .checkov.yml
```

Expected outcome:

```
$ checkov --output sarif   --config-file .checkov.yml
```

Current outcome:

```
$ checkov -d .  --output sarif   --config-file .checkov.yml
```

kartikp10 commented 2 years ago

Hey @nayoa, if the in-line --directory argument is overriding the config file, that behavior is by design. See the note at the bottom of checkov --help

Args that start with '--' (eg. -v) can also be set in a config file
(/Users/kpande/Downloads/.checkov.yaml or /Users/kpande/Downloads/.checkov.yml
or /Users/kpande/.checkov.yaml or /Users/kpande/.checkov.yml or specified via
--config-file). The config file uses YAML syntax and must represent a YAML
'mapping' (for details, see http://learn.getgrav.org/advanced/yaml). If an arg
is specified in more than one place, then commandline values override
environment variables which override config file values which override
defaults.

Let me know if that is not what you meant.
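The precedence rule in the quoted help text (command line over environment over config file over defaults) is exactly what makes the action's hard-coded `-d .` win over `directory:` in `.checkov.yml`. As an added illustration for this thread, and not Checkov's or checkov-action's own code, the Python below models that merge over the config file from the issue. The flag subset, the flat-YAML parser, and the plain `env` dict (Checkov's real environment-variable names are not modelled) are all assumptions made for the example.

```python
from __future__ import annotations

# Toy model of the configargparse precedence Checkov describes in --help:
# command line > environment > config file > defaults.  Assumed defaults for
# the three keys the thread touches; not Checkov's real default table.
DEFAULTS = {"directory": None, "output": "cli", "framework": "all"}

# The .checkov.yml from the issue, embedded so the example runs offline.
CONFIG_YML = """\
directory:
  - infra
evaluate-variables: true
framework: all
output: cli
quiet: true
download-external-modules: false
"""


def _scalar(value: str):
    """Map YAML true/false to bool; everything else stays a string."""
    low = value.lower()
    if low in ("true", "false"):
        return low == "true"
    return value


def parse_flat_yaml(text: str) -> dict:
    """Parse the flat mapping style used in .checkov.yml: 'key: value' scalars
    and one-level 'key:' followed by '  - item' lists.  Deliberately not a
    general YAML parser; it covers only what this thread's config needs."""
    cfg, current_list = {}, None
    for raw in text.splitlines():
        line = raw.rstrip()
        if not line or line.lstrip().startswith("#"):
            continue
        if line.startswith("  - ") and current_list is not None:
            cfg[current_list].append(line[4:].strip())
            continue
        key, _, value = (part.strip() for part in line.partition(":"))
        if value == "":            # 'directory:' opens a list
            cfg[key] = []
            current_list = key
        else:
            cfg[key] = _scalar(value)
            current_list = None
    return cfg


def parse_cli(argv: list[str]) -> dict:
    """Recognise the flags seen in the thread.  -d/--directory is repeatable,
    so the command line yields a list just as the config file does."""
    opts, args = {}, iter(argv)
    for tok in args:
        if tok in ("-d", "--directory"):
            opts.setdefault("directory", []).append(next(args))
        elif tok in ("--output", "--framework", "--config-file"):
            opts[tok.lstrip("-")] = next(args)
        else:
            raise ValueError(f"unrecognised argument: {tok}")
    return opts


def resolve(cli: dict, env: dict, config: dict) -> dict:
    """Apply the precedence rule: start from defaults, then let each higher
    source overwrite whole keys.  A CLI 'directory' list replaces the config
    list instead of merging with it, which is why '-d .' wins outright."""
    merged = dict(DEFAULTS)
    for source in (config, env, cli):   # lowest precedence first
        for key, value in source.items():
            if key == "config-file":    # selects the file; not a scan setting
                continue
            merged[key] = value
    return merged


def effective_settings(argv: list[str], config_text: str,
                       env: dict | None = None) -> dict:
    """Parse both sources and resolve them into the settings a scan would use."""
    return resolve(parse_cli(argv), env or {}, parse_flat_yaml(config_text))


if __name__ == "__main__":
    # What the action currently runs: the directory list from the file is lost.
    action_cmd = ["-d", ".", "--output", "sarif", "--config-file", ".checkov.yml"]
    print(effective_settings(action_cmd, CONFIG_YML)["directory"])   # ['.']
    # What the reporter expected: no -d, so the config file's list survives.
    wanted_cmd = ["--output", "sarif", "--config-file", ".checkov.yml"]
    print(effective_settings(wanted_cmd, CONFIG_YML)["directory"])   # ['infra']
```

The model makes the practical point visible: as long as the action injects `-d .` unconditionally, no `directory:` value in the config file can take effect, because the config file sits two rungs below the command line in the precedence order.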

ptchau2003 commented 2 years ago

@kartikp10: The action is still on the `.` directory instead of the directory mentioned in config.yaml

```
..
running checkov on directory: .
checkov -d .     --output sarif   --config-file .github/workflows/checkov_config.yaml  
..
```
switchdk commented 2 years ago

Although I experience the same problem and it is driving me nuts, I think the subject/title of this issue should more accurately reflect the problem. This is not about the --directory parameter but about the directory setting in .checkov.yaml being ignored (completely). It makes it impossible to use the checkov-action for larger repos or monorepos. As an example, I need to check Kubernetes manifests created with kustomize. However, if Checkov traverses all directories from `.`, then Checkov will fail with a stacktrace because of how the kustomize directory structure works, where you can overwrite values. At the moment, the Checkov Action is unusable with kustomize repositories, I think.