bridgecrewio / checkov-action

This GitHub Action runs Checkov against infrastructure-as-code, open source packages, container images, and CI/CD configurations to identify misconfigurations, vulnerabilities, and license compliance issues.
Apache License 2.0

Host key verification failed #94

Open infa-ddeore opened 2 years ago

infa-ddeore commented 2 years ago

Getting the below error in a GitHub Action (image used: bridgecrew/checkov:2.1.192). What could be the reason?

checkov -d .  --check CKV_OCI_1 --check CKV_OCI_2 --check CKV_OCI_3 --check CKV_OCI_4 --check CKV_OCI_5 --check CKV_OCI_6 --check CKV_OCI_7 --check CKV_OCI_8 --check CKV_OCI_9 --check CKV_OCI_10 --check CKV_OCI_11 --check CKV_OCI_12 --check CKV_OCI_13 --check CKV_OCI_14 --check CKV_OCI_15 --check CKV_OCI_16 --check CKV_OCI_17 --check CKV_OCI_18 --check CKV_OCI_19 --check CKV_OCI_20 --check CKV_OCI_21 --check CKV_OCI_22   --quiet   --output github_failed_only  --download-external-modules true    --framework terraform  
Error: -06 16:53:55,934 [MainThread  ] [ERROR]  failed to get git::ssh://git@github.com/xxxx/yyyy?ref=master because of Cmd('git') failed due to: exit code(128)
  cmdline: git clone -v --depth=1 -b master ssh://git@github.com/xxxx/yyyy /github/workspace/.external_modules/git@github.com/xxxx/yyyy/master
  stderr: 'Cloning into '/github/workspace/.external_modules/git@github.com/xxxxx/yyyy/master'...
Host key verification failed.
fatal: Could not read from remote repository.

Please make sure you have the correct access rights
and the repository exists.
Saarett commented 2 years ago

Hi @infa-ddeore, sounds like an SSH problem not related to the repository: https://www.google.com/search?q=Host+key+verification+failed

bmorrissirromb commented 1 year ago

I see the issue when downloading modules that are in the same organization as my current repo.

The only way I'm typically able to download those modules is by using a GitHub token. Regular SSH doesn't work super well for organizations.

There is a github_pat option, but that doesn't really work for me. My organization uses app tokens via machine-learning-apps/actions-app-token.

e.g. something invoked like this would be ideal:

    - name: Run Checkov Action
      uses: bridgecrewio/checkov-action@master
      with:
        app_token: ${{ steps.get_token.outputs.app_token }}
JamesWoolfenden commented 1 year ago

I don't think there's support for app_token in checkov yet. If you request/contribute it (in the checkov repo), then it's trivial to update the action.

cbugneac-nex commented 1 year ago

I'm having the same issue when downloading Terraform modules from another private repository using an SSH key (URL).

Terraform snippet:

...
module "kms_s3_" {
  source = "git::ssh://git@github.com/Org/modules-repo.git//modules/kms?ref=0.1.0"
...
}

I had to load the SSH key into ssh-agent, but the problem is that it's not passed by default into the checkov container:

GitHub action snippet:

      - name: Configure SSH key for Terraform modules
        uses: webfactory/ssh-agent@v0.8.0
        with:
          ssh-private-key: ${{ secrets.SSH_PRIVATE_KEY }}

      - name: Execute Checkov
        uses: bridgecrewio/checkov-action@690d0bd74b5fa92fa780ffcfda77865b514da913
        with:
          output_format: cli,sarif
          output_file_path: console,results.sarif
          config_file: .checkov.yml
          directory: ./path

A workaround, I guess, would be to pass the SSH_AUTH_SOCK environment variable into the container and mount the temporary ssh-agent socket file inside the container, e.g. /tmp/ssh-XXXXXXzV0yXD/agent.3007?
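The workaround proposed in this comment, as an added example that is not part of the thread or of checkov-action: a POSIX shell helper that derives the git host from the Terraform module source (both the ssh:// and the scp-like git@host: forms used in this thread), checks that the host's key is already pinned in a known_hosts file (a missing entry is what "Host key verification failed" means, so the fix is to provide the pinned key rather than disable StrictHostKeyChecking), and prints a docker run command that mounts the ssh-agent socket and that known_hosts into the checkov container. The /github/workspace and /ssh-agent mount paths, the docker invocation and the sample known_hosts contents are assumptions.

```shell
# Added example, not code from checkov-action: implements the workaround
# proposed above (pass the runner's ssh-agent socket into the checkov
# container) and pins the git host key rather than disabling host key
# checking. Mount paths and the docker invocation are assumptions.

# Print the SSH host of a Terraform "git::" module source; handles both forms in
# this thread: git::ssh://git@host/org/repo.git//p?ref=x and git::git@host:org/repo.git//p?ref=x
module_git_host() {
    src="${1#git::}"
    case "$src" in
        ssh://*) host="${src#ssh://}"; host="${host#*@}"
                 host="${host%%/*}"; host="${host%%:*}" ;;
        *@*:*)   host="${src#*@}"; host="${host%%:*}" ;;
        *)       return 1 ;;
    esac
    printf '%s\n' "$host"
}

# Return 0 if known_hosts file $2 has a plaintext entry for host $1 (also
# "[host]:port" and comma-separated aliases). Hashed entries are not matched.
known_host_pinned() {
    awk -v h="$1" '
        NF >= 3 && $1 !~ /^[#@]/ {
            n = split($1, names, ",")
            for (i = 1; i <= n; i++) {
                name = names[i]; sub(/^\[/, "", name); sub(/\]:[0-9]+$/, "", name)
                if (name == h) { found = 1; exit }
            }
        }
        END { exit found ? 0 : 1 }' "$2" 2>/dev/null
}

# Print the docker command that runs checkov with the agent socket and a
# pinned known_hosts mounted; GIT_SSH_COMMAND points git's ssh at that file.
checkov_container_cmd() {
    image="$1"; workspace="$2"; sock="$3"; known_hosts="$4"
    cmd="docker run --rm -v $workspace:/github/workspace -w /github/workspace"
    cmd="$cmd -v $sock:/ssh-agent -e SSH_AUTH_SOCK=/ssh-agent"
    cmd="$cmd -v $known_hosts:/known_hosts:ro"
    cmd="$cmd -e 'GIT_SSH_COMMAND=ssh -o UserKnownHostsFile=/known_hosts'"
    cmd="$cmd $image checkov -d . --download-external-modules true --framework terraform"
    printf '%s\n' "$cmd"
}

# Usage: prepare_checkov <module-source> <known_hosts> [image]; fails unless pinned.
prepare_checkov() {
    host=$(module_git_host "$1") || { echo "unsupported source: $1" >&2; return 2; }
    known_host_pinned "$host" "$2" || { echo "$host not in $2" >&2; return 1; }
    checkov_container_cmd "${3:-bridgecrew/checkov:2.1.192}" "$PWD" "${SSH_AUTH_SOCK:-/tmp/agent.sock}" "$2"
}
```

Populate the known_hosts file from a trusted source (the provider's published fingerprints, or the same file the runner already uses) before calling prepare_checkov.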

ArneRiemann4711 commented 1 year ago

Same problem as @cbugneac-nex reported. SSH key via ssh-agent does not work (Terraform is able to download the modules).

Constantin07 commented 6 months ago

I have tried this approach:

...
      - name: Configure SSH key for Terraform modules
        uses: webfactory/ssh-agent@v0.8.0
        with:
          ssh-private-key: ${{ secrets.TERRAFORM_MODULES_DEPLOY_KEY }}
          ssh-auth-sock: ${{ github.workspace }}/ssh-auth.sock

      - name: Copy .gitconfig and .ssh to workspace
        run: |
          cp -r ~/.gitconfig ~/.ssh ${{ github.workspace }}/
          sed -i 's|/home/runner|/github/workspace|g' ${{ github.workspace }}/.ssh/config

      - name: Run Checkov
        uses: bridgecrewio/checkov-action@v12
        env:
          SSH_AUTH_SOCK: /github/workspace/ssh-auth.sock
          GIT_CONFIG: /github/workspace/.gitconfig

but it still doesn't work. Some thoughts about discovered obstacles:

Possible workaround which works:

jobs:
...
  checkov:
    runs-on: ubuntu-22.04
    steps:
      - name: Checkout source code
        uses: actions/checkout@v4

      - name: Install Python
        uses: actions/setup-python@v5
        with:
          python-version: 3.11
          cache: pip

      - name: Install Checkov
        run: pip install -r requirements.txt

      - name: Configure SSH key for Terraform components and modules
        uses: webfactory/ssh-agent@v0.9.0
        with:
          ssh-private-key: |
            ${{ secrets.TERRAFORM_MODULES_DEPLOY_KEY }}

      - name: Execute Checkov
        run: |
          checkov -d . \
          --config-file .checkov.yml \
          --output cli \
          --output-file-path console

requirements.txt

checkov==3.2.50
randrusiak commented 6 months ago

@Constantin07 I've tried to use your proposed workaround, but unfortunately it didn't work. Do you have any other idea of how to resolve this issue?

noizo commented 3 months ago

With a slight modification for pipx, I was able to run it this way:

name: Run Checkov
on:
  pull_request:

jobs:
  checkov-job:
    runs-on: ubuntu-latest
    name: checkov-action
    steps:
      - name: Checkout repo
        uses: actions/checkout@master
        with:
          fetch-depth: 0

      - name: Install Checkov
        run: pipx install checkov

      - name: Configure SSH key for Terraform components and modules
        uses: webfactory/ssh-agent@v0.9.0
        with:
          ssh-private-key: |
            ${{ secrets.SSH_KEY }}

      - name: Execute Checkov
        run: |
          checkov -d . \
          --config-file ${{ github.workspace }}/.checkov.yml \
          --output cli \
          --output-file-path console

with this .checkov.yml in the repo root:

download-external-modules: true
directory: .
evaluate-variables: true
external-modules-download-path: .external_modules
secrets-history-timeout: 12h
secrets-scan-file-type: []
summary-position: top
skip-check: "CKV_TF_1,CKV_TF_2,CKV_AWS_144,CKV_AWS_18,CKV_AWS_21,CKV2_AWS_65"
framework: terraform

cc: @randrusiak

Saarett commented 3 months ago

Putting aside checkov-action, how does it work for you using Checkov?

randrusiak commented 2 months ago

@noizo I tried your proposed solution, but the result is the same.

2024-07-17 10:38:40,316 [MainThread  ] [WARNI]  failed to get git::git@github.com:xxx/xxx.git//modules/aws/rds?ref=dc8a7e49ed6ae77e6030d197fc3cce8608fcfe4b because of Cmd('git') failed due to: exit code(128)
  cmdline: git clone -v --no-checkout -- git@github.com:xxx/xxx.git /__w/.external_modules/modules/aws/rds/dc8a7e49ed6ae77e6030d197fc3cce8608fcfe4b
  stderr: 'Cloning into '/__w/.external_modules/modules/aws/rds/dc8a7e49ed6ae77e6030d197fc3cce8608fcfe4b'...
Host key verification failed.
fatal: Could not read from remote repository.