bridgecrewio / checkov

Prevent cloud misconfigurations and find vulnerabilities during build-time in infrastructure as code, container images and open source packages with Checkov by Bridgecrew.
https://www.checkov.io/
Apache License 2.0

Support to define global and local checks/skip-checks #2201

Closed hugomcfonseca closed 2 years ago

hugomcfonseca commented 2 years ago

Describe the issue

In my repository, I have a complex IaC with multiple stacks from different projects, and I implemented GitOps using Atlantis w/ checkov using the terraform-plan framework to run static analysis on pull requests. In order to ease management of checkov configurations, I would like to define global configurations that would affect all tfstates and, optionally, that can be overridden locally per tfstate.

However, when trying to use the --config-file option with skip-check declared in the file along with --skip-check, this ends up with no skip-checks defined.

Is this intended by design or can this be considered a feature to be implemented?

A possible solution is to have other options such as --default-skip-check or --default-check that can be used in a global configuration file for checkov.

Examples

As an expectation, I would like to run checkov with a command similar to:

$ checkov --config-file $CHECKOV_CONFIG/global-config.yml --config-file local-config.yml --compact --quiet -f tfplan.json

# or, for a specific use case, if I want to add extra skip-checks to the ones defined in $CHECKOV_CONFIG/global-config.yml
$ checkov --config-file $CHECKOV_CONFIG/global-config.yml --skip-check CKV_AWS_91 --compact --quiet -f tfplan.json

For the sake of context, this is my $CHECKOV_CONFIG/global-config.yml:

framework:
  - terraform_plan
skip-check:
  - CKV_AWS_18
  - CKV_AWS_37
  - CKV_AWS_79
  - CKV_AWS_86
  - CKV_AWS_91
  - CKV_AWS_118
  - CKV_AWS_129
  - CKV_AWS_130
  - CKV_AWS_144

Version (please complete the following information):

kartikp10 commented 2 years ago

Hey @hugomcfonseca, thanks for the detailed explanation. I will address this in 2 parts:

  1. Current argument precedence behavior

The default behavior in checkov is that in-line args override config file args if there is a conflict. This is explained in a note at the bottom when you run checkov --help.

If an arg is specified in more than one place, then commandline values override environment variables which override config file values which override defaults.

Taking the example you have provided, you can check what the effective list of args would be for any command by adding the --show-config flag. For example:

# case 1: since --skip-check is present in the config file and in-line, the in-line arg takes precedence

❯ checkov --config-file /tmp/global-config.yml --skip-check CKV_AWS_91 --compact --quiet -f tfplan.json --show-config
Command Line Args:   --config-file /tmp/global-config.yml --skip-check CKV_AWS_91 --compact --quiet -f tfplan.json --show-config
Config File (/tmp/global-config.yml):
  framework:         ['terraform_plan']
Defaults:
  --branch:          master
  --download-external-modules:False
  --external-modules-download-path:.external_modules
  --evaluate-variables:True

# case 2: since --skip-check is NOT present in-line, the config file is used for that arg

❯ checkov --config-file /tmp/global-config.yml --compact --quiet -f tfplan.json --show-config
Command Line Args:   --config-file /tmp/global-config.yml --compact --quiet -f tfplan.json --show-config
Config File (/tmp/global-config.yml):
  framework:         ['terraform_plan']
  skip-check:        ['CKV_AWS_18', 'CKV_AWS_37', 'CKV_AWS_79', 'CKV_AWS_86', 'CKV_AWS_91', 'CKV_AWS_118', 'CKV_AWS_129', 'CKV_AWS_130', 'CKV_AWS_144']
Defaults:
  --branch:          master
  --download-external-modules:False
  --external-modules-download-path:.external_modules
  --evaluate-variables:True

  2. In-line skip checks not working

However, when trying to use options --config-file with declared skip-check along with --skip-check, this ends with no skip-checks defined.

I tested this out for terraform and in-line checks do get skipped as expected. Are you seeing that checks do not get skipped for plan files? If yes, that is a bug which we will need to address separately.

As for the feature request, I do think it would be nice if checkov could merge config files (one or more) and in-line args :)
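To make the two behaviours discussed in this thread concrete, here is an added example (not checkov's own code): it models the quoted precedence rule, where the highest-precedence source that sets skip-check wins outright, next to the requested merge of a global file, a local file and in-line args. parse_config is a constructed helper for the flat key/list subset of YAML shown above; real code would use yaml.safe_load from PyYAML, and the config texts are constructed samples.

```python
# Added example, not checkov's code. GLOBAL_CONFIG/LOCAL_CONFIG are constructed
# samples in the same layout as the global-config.yml quoted in the issue.
GLOBAL_CONFIG = """\
framework:
  - terraform_plan
skip-check:
  - CKV_AWS_18
  - CKV_AWS_91
"""

LOCAL_CONFIG = """\
skip-check:
  - CKV_AWS_144
"""


def parse_config(text):
    """Constructed helper: turn 'key:' plus '  - item' lines (or 'key: scalar')
    into a dict. Only the subset checkov config files in this thread use."""
    result, key = {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()  # drop comments and blank lines
        if not line.strip():
            continue
        if line.startswith("  - ") and key is not None:
            result.setdefault(key, []).append(line[4:].strip())
        elif not line.startswith(" ") and ":" in line:
            key, _, value = line.partition(":")
            key, value = key.strip(), value.strip()
            result[key] = value if value else []
    return result


def skip_checks_current(cli=(), env=(), config_file="", defaults=()):
    """Current semantics quoted from --help: command line > env > config file
    > defaults. The first source that sets skip-check wins outright, so a
    single in-line --skip-check hides the whole list from the config file."""
    file_value = parse_config(config_file).get("skip-check", []) if config_file else []
    for source in (cli, env, file_value, defaults):
        if source:
            return list(source)
    return []


def skip_checks_merged(cli=(), env=(), config_files=(), defaults=()):
    """Requested semantics: union of every source, lowest precedence first
    (defaults, global file, local file, env, cli), deduplicated in order."""
    merged = []
    layers = [defaults, *(parse_config(t).get("skip-check", []) for t in config_files), env, cli]
    for layer in layers:
        for check in layer:
            if check not in merged:
                merged.append(check)
    return merged
```

With the current rule, the in-line CKV_AWS_91 from the issue's second command replaces the file's list; with the merged rule the same invocation yields the file's checks plus the in-line one.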

stale[bot] commented 2 years ago

Thanks for contributing to Checkov! We've automatically marked this issue as stale to keep our issues list tidy, because it has not had any activity for 6 months. It will be closed in 14 days if no further activity occurs. Commenting on this issue will remove the stale tag. If you want to talk through the issue or help us understand the priority and context, feel free to add a comment or join us in the Checkov slack channel at https://slack.bridgecrew.io Thanks!

stale[bot] commented 2 years ago

Closing issue due to inactivity. If you feel this is in error, please re-open, or reach out to the community via slack: https://slack.bridgecrew.io Thanks!