bridgecrewio / checkov

Prevent cloud misconfigurations and find vulnerabilities during build-time in infrastructure as code, container images and open source packages with Checkov by Bridgecrew.
https://www.checkov.io/
Apache License 2.0

--skip-path regexp is sometimes compared to the absolute path #5231

Open izeau opened 1 year ago

izeau commented 1 year ago

Describe the issue

According to the documentation, --skip-path refers to the “Path (file or directory) to skip, using regular expression logic, relative to the current working directory” (emphasis mine). That is indeed the case when using some runners (e.g. dockerfile), but not for others. For instance, the terraform runner uses an absolute path due to the root directory being set using os.path.abspath().

Examples

setup

```bash
$ cd $(mktemp -d)
$ mkdir -p foo subdir
$ echo 'FROM foo' > subdir/Dockerfile
$ echo 'resource "aws_instance" "foo" {}' > subdir/main.tf
$ cp -r subdir foo
$ tree
.
├── foo
│   └── subdir
│       ├── Dockerfile
│       └── main.tf
└── subdir
    ├── Dockerfile
    └── main.tf

4 directories, 4 files
$ alias ckv="checkov --check CKV_AWS_79,CKV_DOCKER_2 --skip-download --quiet --compact --directory ."
$ ckv
terraform scan results:

Passed checks: 0, Failed checks: 2, Skipped checks: 0

Check: CKV_AWS_79: "Ensure Instance Metadata Service Version 1 is not enabled"
	FAILED for resource: aws_instance.foo
	File: /foo/subdir/main.tf:1-1
Check: CKV_AWS_79: "Ensure Instance Metadata Service Version 1 is not enabled"
	FAILED for resource: aws_instance.foo
	File: /subdir/main.tf:1-1

dockerfile scan results:

Passed checks: 0, Failed checks: 2, Skipped checks: 0

Check: CKV_DOCKER_2: "Ensure that HEALTHCHECK instructions have been added to container images"
	FAILED for resource: /subdir/Dockerfile.
	File: /subdir/Dockerfile:1-1
Check: CKV_DOCKER_2: "Ensure that HEALTHCHECK instructions have been added to container images"
	FAILED for resource: /foo/subdir/Dockerfile.
	File: /foo/subdir/Dockerfile:1-1
```

--skip-path subdir skips everything

```bash
$ ckv --skip-path subdir
```

--skip-path "^./subdir" leaves duplicate terraform checks

```bash
$ ckv --skip-path "^./subdir"
terraform scan results:

Passed checks: 0, Failed checks: 2, Skipped checks: 0

Check: CKV_AWS_79: "Ensure Instance Metadata Service Version 1 is not enabled"
	FAILED for resource: aws_instance.foo
	File: /foo/subdir/main.tf:1-1
Check: CKV_AWS_79: "Ensure Instance Metadata Service Version 1 is not enabled"
	FAILED for resource: aws_instance.foo
	File: /subdir/main.tf:1-1

dockerfile scan results:

Passed checks: 0, Failed checks: 1, Skipped checks: 0

Check: CKV_DOCKER_2: "Ensure that HEALTHCHECK instructions have been added to container images"
	FAILED for resource: /foo/subdir/Dockerfile.
	File: /foo/subdir/Dockerfile:1-1
```

--skip-path "${PWD}/subdir" leaves duplicate dockerfile checks

```bash
$ ckv --skip-path "${PWD}/subdir"
terraform scan results:

Passed checks: 0, Failed checks: 1, Skipped checks: 0

Check: CKV_AWS_79: "Ensure Instance Metadata Service Version 1 is not enabled"
	FAILED for resource: aws_instance.foo
	File: /foo/subdir/main.tf:1-1

dockerfile scan results:

Passed checks: 0, Failed checks: 2, Skipped checks: 0

Check: CKV_DOCKER_2: "Ensure that HEALTHCHECK instructions have been added to container images"
	FAILED for resource: /foo/subdir/Dockerfile.
	File: /foo/subdir/Dockerfile:1-1
Check: CKV_DOCKER_2: "Ensure that HEALTHCHECK instructions have been added to container images"
	FAILED for resource: /subdir/Dockerfile.
	File: /subdir/Dockerfile:1-1
```

getting proper results using both --skip-path arguments

```bash
$ ckv --skip-path "^./subdir" --skip-path "${PWD}/subdir"
terraform scan results:

Passed checks: 0, Failed checks: 1, Skipped checks: 0

Check: CKV_AWS_79: "Ensure Instance Metadata Service Version 1 is not enabled"
	FAILED for resource: aws_instance.foo
	File: /foo/subdir/main.tf:1-1

dockerfile scan results:

Passed checks: 0, Failed checks: 1, Skipped checks: 0

Check: CKV_DOCKER_2: "Ensure that HEALTHCHECK instructions have been added to container images"
	FAILED for resource: /foo/subdir/Dockerfile.
	File: /foo/subdir/Dockerfile:1-1
```

TL;DR:

Desktop (please complete the following information):
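The behaviour reported above, modelled as an added Python example (not Checkov's own code): one regex list is matched against an absolute candidate path for the "terraform" runner and against a `./`-prefixed relative candidate for the "dockerfile" runner, which reproduces the asymmetric results in the issue, and a normalised variant that computes the cwd-relative path before matching shows what the documented contract would give. The scan root `/tmp/example`, the file list and the exact shape of the relative candidate (`./` + relative path, chosen so that `^./subdir` behaves as it does in the dockerfile output) are assumptions for this illustration. The practical risk for a defender is that a skip pattern silently applying to one runner and not another means findings are either duplicated or, with a broad pattern like `subdir`, suppressed more widely than intended.

```python
import os
import re

# Constructed sample tree from the issue, rooted at an assumed absolute cwd.
ROOT = "/tmp/example"
TF_FILES = ["subdir/main.tf", "foo/subdir/main.tf"]
DOCKER_FILES = ["subdir/Dockerfile", "foo/subdir/Dockerfile"]


def skipped_by(patterns, candidate):
    """True if any --skip-path regex matches the candidate string (re.search semantics)."""
    return any(re.search(p, candidate) for p in patterns)


def report(patterns, files, to_candidate):
    """Return the relative names of files that are NOT skipped, given how a runner
    turns each file into the string it compares the regexes against."""
    return [rel for rel in files if not skipped_by(patterns, to_candidate(rel))]


def reproduce(patterns, root=ROOT):
    """Model of the inconsistent behaviour described in the issue (assumption):
    the terraform runner compares against an absolute path built from abspath(root),
    the dockerfile runner against a './'-prefixed cwd-relative path."""
    absolute = lambda rel: os.path.join(root, rel)
    relative = lambda rel: "./" + rel
    return {
        "terraform": report(patterns, TF_FILES, absolute),
        "dockerfile": report(patterns, DOCKER_FILES, relative),
    }


def normalized(patterns, root=ROOT):
    """What the documented contract ('relative to the current working directory')
    gives when every runner normalises its absolute path back to cwd-relative
    before matching: both runners answer the same way for the same pattern."""
    def to_cwd_relative(rel):
        abs_path = os.path.join(root, rel)               # what a runner holds internally
        return "./" + os.path.relpath(abs_path, root)    # strip the root before matching
    return {
        "terraform": report(patterns, TF_FILES, to_cwd_relative),
        "dockerfile": report(patterns, DOCKER_FILES, to_cwd_relative),
    }


if __name__ == "__main__":
    for pats in (["subdir"], ["^./subdir"], [ROOT + "/subdir"], ["^./subdir", ROOT + "/subdir"]):
        print(pats, "today:", reproduce(pats), "normalised:", normalized(pats))
```

Running the block prints one line per pattern set; the `^./subdir` and `${PWD}/subdir` rows show each runner dropping a different file, and only the normalised variant makes `^./subdir` alone skip `subdir/` in both runners while keeping `foo/subdir/`.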

stale[bot] commented 10 months ago

Thanks for contributing to Checkov! We've automatically marked this issue as stale to keep our issues list tidy, because it has not had any activity for 6 months. It will be closed in 14 days if no further activity occurs. Commenting on this issue will remove the stale tag. If you want to talk through the issue or help us understand the priority and context, feel free to add a comment or join us in the Checkov slack channel at codifiedsecurity.slack.com Thanks!

izeau commented 10 months ago

This is still happening on macOS 14.1 and Checkov version 3.1.38

stale[bot] commented 4 months ago

Thanks for contributing to Checkov! We've automatically marked this issue as stale to keep our issues list tidy, because it has not had any activity for 6 months. It will be closed in 14 days if no further activity occurs. Commenting on this issue will remove the stale tag. If you want to talk through the issue or help us understand the priority and context, feel free to add a comment or join us in the Checkov slack channel at codifiedsecurity.slack.com Thanks!

izeau commented 4 months ago

This is still happening on macOS 14.3 and Checkov version 3.2.136