bridgecrewio / checkov

Prevent cloud misconfigurations and find vulnerabilities during build-time in infrastructure as code, container images and open source packages with Checkov by Bridgecrew.
https://www.checkov.io/
Apache License 2.0

Enhancement: make suppression work with external modules #4366

Open tschechniker opened 1 year ago

tschechniker commented 1 year ago

Describe the issue
As this issue describes, "Feature request: Support checkov:skip in modules", skipping findings inside modules should work now. But when we use external modules it does not work. Checkov seems to test the external modules without any context from the "calling" reference.

Examples
Please share an example code sample (in the IaC of your choice) + the expected outcomes.

module "test" {
  #checkov:skip=CKV_AZURE_50:this ignore should work but is ignored in the external module
  source = "git::https://github.com/hashicorp/example?ref=tags/0.0.1"
}

Version (please complete the following information):

Additional context
We set download-external-modules: true

tarfeef101 commented 1 year ago

this has made many engineers at my org very unhappy with me, would love to see some development on this one.

joebywan commented 1 year ago

+1 for this. Can't modify the external modules.

rjmsilveira commented 1 year ago

+1 for this please :pray:

mission-coliveros commented 11 months ago

+1 on this

neilmca-inc commented 10 months ago

Also +1 for this one please - thanks

BartlomiejKrawczykEviden commented 8 months ago

+1 wasn't that already implemented in https://github.com/bridgecrewio/checkov/issues/777 and https://github.com/bridgecrewio/checkov/pull/1629 ? Does this mean there's a regression?

tim-harpe commented 6 months ago

We have the same problems

module "gitlab_project" {
  source                      = "gitlab.com/my-org/project/gitlab"
  version                     = "16.6.0"

  #checkov:skip=CKV_GLB_4: "Ensure GitLab commits are signed"
  reject_unsigned_commits = false
}

We are using --download-external-modules true and CHECKOV_EXPERIMENTAL_TERRAFORM_MANAGED_MODULES=True

Error:

Check: CKV_GLB_4: "Ensure GitLab commits are signed"
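Added example (not part of this issue thread and not Checkov's own code): a small Python post-processing script that applies the behaviour tschechniker's and tim-harpe's reports above expect, i.e. a checkov:skip comment placed inside a module block suppresses that check for every resource that came out of that module. It uses a simplified line-based HCL scanner (not a full parser), a constructed findings list, and assumes module-sourced resources are addressed as "module.<name>.<type>.<label>"; that address form, the "CKV_EXAMPLE_1" id and the resource labels are assumptions for illustration.

```python
import re

# Constructed sample root module mirroring the two examples in this thread:
# inline checkov:skip comments placed inside module blocks.
SAMPLE_TF = '''
module "test" {
  #checkov:skip=CKV_AZURE_50:this ignore should work but is ignored in the external module
  source = "git::https://github.com/hashicorp/example?ref=tags/0.0.1"
}

module "gitlab_project" {
  source  = "gitlab.com/my-org/project/gitlab"
  version = "16.6.0"

  #checkov:skip=CKV_GLB_4: "Ensure GitLab commits are signed"
  reject_unsigned_commits = false
}

resource "azurerm_storage_account" "direct" {
  # skips on plain resources are already honoured in-file; this script ignores them
  #checkov:skip=CKV_AZURE_50:handled in-file, not by this script
  name = "example"
}
'''

# Constructed findings in a minimal shape; only "check_id" and "resource" are used.
# The "module.<name>.<type>.<label>" address form for module-sourced resources is
# an assumption about how findings are reported, not taken from checkov's code.
SAMPLE_FINDINGS = [
    {"check_id": "CKV_AZURE_50", "resource": "module.test.azurerm_virtual_machine.vm"},
    {"check_id": "CKV_EXAMPLE_1", "resource": "module.test.azurerm_virtual_machine.vm"},
    {"check_id": "CKV_GLB_4", "resource": "module.gitlab_project.gitlab_project.repo"},
    {"check_id": "CKV_GLB_4", "resource": "gitlab_project.not_in_a_module"},
    {"check_id": "CKV_AZURE_50", "resource": "module.test2.azurerm_virtual_machine.vm"},
]

MODULE_RE = re.compile(r'^\s*module\s+"([^"]+)"\s*\{')
SKIP_RE = re.compile(r'#\s*checkov:skip=([A-Za-z0-9_]+)(?::\s*(.*))?$')


def parse_module_skips(tf_text):
    """Return {module_name: {check_id: reason}} for checkov:skip comments found
    inside module blocks. Simplified line-based scanner using brace counting,
    not a full HCL parser: braces inside string literals would confuse it."""
    skips = {}
    current, depth = None, 0
    for raw in tf_text.splitlines():
        line = raw.strip()
        if current is None:
            m = MODULE_RE.match(raw)
            if m:
                current = m.group(1)
                skips.setdefault(current, {})
                depth = raw.count("{") - raw.count("}")
            continue
        s = SKIP_RE.search(line)
        if s:
            skips[current][s.group(1)] = (s.group(2) or "").strip()
        depth += line.count("{") - line.count("}")
        if depth <= 0:
            current = None
    return skips


def matching_skip(skips, resource, check_id):
    """Reason string if a skip declared on an enclosing module covers this
    finding, else None. The trailing dot keeps module "test" from matching
    "module.test2."; nested modules ("module.a.module.b.") match on "a"."""
    for module_name, checks in skips.items():
        if resource.startswith(f"module.{module_name}.") and check_id in checks:
            return checks[check_id]
    return None


def apply_module_skips(skips, findings):
    """Split findings into (kept, suppressed), attaching the skip reason."""
    kept, suppressed = [], []
    for finding in findings:
        reason = matching_skip(skips, finding["resource"], finding["check_id"])
        if reason is None:
            kept.append(finding)
        else:
            suppressed.append({**finding, "skip_reason": reason})
    return kept, suppressed


if __name__ == "__main__":
    kept, suppressed = apply_module_skips(parse_module_skips(SAMPLE_TF), SAMPLE_FINDINGS)
    for f in suppressed:
        print(f"SKIPPED {f['check_id']} on {f['resource']}: {f['skip_reason']}")
    for f in kept:
        print(f"FAILED  {f['check_id']} on {f['resource']}")
```

To use it against a real run, feed it the check id and resource address of each failed check from checkov's output in the same two-field shape; the skip reason is carried through so the suppression stays auditable, and a skip on a module never touches resources declared outside that module.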

GurayCetin commented 4 months ago

+1

jomora commented 2 months ago

+1

leewoobin789 commented 1 month ago

+1

ghost commented 1 month ago

+1

ChanochShayner commented 3 weeks ago

Can someone please add a full example that doesn't work? thx.

When tested with this test - https://github.com/bridgecrewio/checkov/blob/0197bfc9d5a26c30ff7e2d3186e7866774c1bb1c/tests/terraform/runner/test_runner.py#L618

And added suppression to this module - https://github.com/bridgecrewio/checkov/blob/0197bfc9d5a26c30ff7e2d3186e7866774c1bb1c/tests/terraform/runner/resources/multiple_module_versions/main.tf#L1

(+ changed the source to be "git::https://github.com...." and not "terraform-aws-modules/ec2-instance/aws")

And everything works as expected, the resources with violations are now in the skipped resources list.

@tsmithv11 FYI