bridgecrewio / checkov

Prevent cloud misconfigurations and find vulnerabilities during build-time in infrastructure as code, container images and open source packages with Checkov by Bridgecrew.
https://www.checkov.io/
Apache License 2.0

Pre-Commit hook checkov_secrets fails with commits without file changes #5593

Closed LOCHOV closed 11 months ago

LOCHOV commented 11 months ago

Describe the issue

When using the checkov_secrets pre-commit hook there is a crash every time a commit without file changes is run. When working with submodules it is often necessary to run commits that will not cause any files to be changed in the branch. The error happens because of the -f parameter on the pre-commit hook that requires files to be changed on the branch.

https://github.com/bridgecrewio/checkov/blob/main/.pre-commit-hooks.yaml

Examples

Our pre-commit-config.yaml looks like this:

  - repo: https://github.com/bridgecrewio/checkov.git
    rev: '2.4.29'
    hooks:
      - id: checkov_secrets 
        name: checkov-secret-scan

Install the pre-commit hook: pre-commit install

Then configure a submodule or, as a PoC, a commit without any file changes: git commit -m "test-checkov-crash" --allow-empty

This will create the error below. The expected behavior would be that the check is passed.

Exception Trace

checkov-secret-scan......................................................Failed
- hook id: checkov_secrets
- exit code: 2

usage: checkov [-h] [-v] [--support] [-d DIRECTORY] [--add-check]
               [-f FILE [FILE ...]] [--skip-path SKIP_PATH]
               [--external-checks-dir EXTERNAL_CHECKS_DIR]
               [--external-checks-git EXTERNAL_CHECKS_GIT] [-l]
               [-o {cli,csv,cyclonedx,cyclonedx_json,json,junitxml,github_failed_only,gitlab_sast,sarif,spdx}]
               [--output-file-path OUTPUT_FILE_PATH] [--output-bc-ids]
               [--include-all-checkov-policies] [--quiet] [--compact]
               [--framework {ansible,argo_workflows,arm,azure_pipelines,bicep,bitbucket_pipelines,circleci_pipelines,cloudformation,dockerfile,github_configuration,github_actions,gitlab_configuration,gitlab_ci,bitbucket_configuration,helm,json,yaml,kubernetes,kustomize,openapi,sca_package,sca_image,secrets,serverless,terraform,terraform_json,terraform_plan,3d_policy,all} [{ansible,argo_workflows,arm,azure_pipelines,bicep,bitbucket_pipelines,circleci_pipelines,cloudformation,dockerfile,github_configuration,github_actions,gitlab_configuration,gitlab_ci,bitbucket_configuration,helm,json,yaml,kubernetes,kustomize,openapi,sca_package,sca_image,secrets,serverless,terraform,terraform_json,terraform_plan,3d_policy,all} ...]]
               [--skip-framework {ansible,argo_workflows,arm,azure_pipelines,bicep,bitbucket_pipelines,circleci_pipelines,cloudformation,dockerfile,github_configuration,github_actions,gitlab_configuration,gitlab_ci,bitbucket_configuration,helm,json,yaml,kubernetes,kustomize,openapi,sca_package,sca_image,secrets,serverless,terraform,terraform_json,terraform_plan,3d_policy} [{ansible,argo_workflows,arm,azure_pipelines,bicep,bitbucket_pipelines,circleci_pipelines,cloudformation,dockerfile,github_configuration,github_actions,gitlab_configuration,gitlab_ci,bitbucket_configuration,helm,json,yaml,kubernetes,kustomize,openapi,sca_package,sca_image,secrets,serverless,terraform,terraform_json,terraform_plan,3d_policy} ...]]
               [-c CHECK] [--skip-check SKIP_CHECK]
               [--run-all-external-checks] [-s] [--soft-fail-on SOFT_FAIL_ON]
               [--hard-fail-on HARD_FAIL_ON] [--bc-api-key BC_API_KEY]
               [--prisma-api-url PRISMA_API_URL] [--skip-results-upload]
               [--docker-image DOCKER_IMAGE]
               [--dockerfile-path DOCKERFILE_PATH] [--repo-id REPO_ID]
               [-b BRANCH] [--skip-download] [--use-enforcement-rules]
               [--no-guide] [--skip-suppressions] [--skip-policy-download]
               [--skip-fixes]
               [--download-external-modules DOWNLOAD_EXTERNAL_MODULES]
               [--var-file VAR_FILE]
               [--external-modules-download-path EXTERNAL_MODULES_DOWNLOAD_PATH]
               [--evaluate-variables EVALUATE_VARIABLES] [-ca CA_CERTIFICATE]
               [--no-cert-verify]
               [--repo-root-for-plan-enrichment REPO_ROOT_FOR_PLAN_ENRICHMENT]
               [--config-file CONFIG_FILE] [--create-config CREATE_CONFIG]
               [--show-config] [--create-baseline] [--baseline BASELINE]
               [--output-baseline-as-skipped]
               [--skip-cve-package SKIP_CVE_PACKAGE]
               [--policy-metadata-filter POLICY_METADATA_FILTER]
               [--secrets-scan-file-type SECRETS_SCAN_FILE_TYPE]
               [--enable-secret-scan-all-files]
               [--block-list-secret-scan BLOCK_LIST_SECRET_SCAN]
               [--summary-position {top,bottom}]
               [--skip-resources-without-violations] [--deep-analysis]
               [--no-fail-on-crash] [--mask MASK] [--scan-secrets-history]
               [--secrets-history-timeout SECRETS_HISTORY_TIMEOUT]
               [--openai-api-key OPENAI_API_KEY]
checkov: error: argument -f/--file: expected at least one argument


gruebel commented 11 months ago

hey @LOCHOV thanks for reaching out.

The observation is correct. You can use the original one, which will scan the whole folder. I'm currently hesitant to adjust the logic around the --file argument and don't see that it is actually worth it for the use case, which is quite rare and looks more like something pre-commit should handle. You can use the field files: and limit it to the files you want to scan, then the hook shouldn't be triggered for an empty commit.

LOCHOV commented 11 months ago

Hi @gruebel, thanks a lot for the quick answer. What exactly do you mean by using the "original one"? We would like to just run the secret scan on all files.
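One way to keep the secret scan on every commit and still avoid the crash reported above is to put a small wrapper between pre-commit and checkov: pre-commit hands the wrapper the staged file names, and the wrapper only calls checkov -f when that list is non-empty. The script below is an added example, not code from the checkov project or from this thread; it assumes the hook runs checkov with --framework secrets and -f (both flags appear in the usage text above), and the CHECKOV_CMD override is an assumption introduced so the wrapper can be exercised without checkov installed.

```shell
#!/usr/bin/env sh
# checkov-secrets-hook.sh: wrapper around checkov for use as a local pre-commit hook.
# Added example; not part of checkov or of the reporter's configuration.
#
# pre-commit passes the staged file names as positional arguments. On an empty
# commit (git commit --allow-empty) that list is empty, and "checkov -f" with no
# file names exits 2 with an argparse error, as the trace in the report shows.
# The wrapper treats an empty file list as "nothing to scan" and returns 0; with
# files present it forwards them to checkov unchanged and returns checkov's status.

# CHECKOV_CMD is an assumed override (not a checkov option) so the wrapper can be
# exercised without checkov installed; it defaults to the real binary on PATH.
: "${CHECKOV_CMD:=checkov}"

run_checkov_secrets() {
    if [ "$#" -eq 0 ]; then
        echo "checkov_secrets: no files staged, nothing to scan" >&2
        return 0
    fi
    # --framework secrets restricts the run to secret detection; -f receives the
    # staged paths exactly as pre-commit passed them.
    $CHECKOV_CMD --framework secrets -f "$@"
}

# When executed as a hook, scan whatever pre-commit passed; the script's exit
# status is the function's, so a finding still fails the commit.
run_checkov_secrets "$@"
```

Wire it in as a local hook (repo: local, entry: ./scripts/checkov-secrets-hook.sh, language: script) in place of the upstream checkov_secrets hook. If you prefer to keep the upstream hook, pre-commit's files: key takes a regular expression that restricts which staged paths trigger the hook, as gruebel suggests; pre-commit then skips the hook entirely when no matching file is staged, so the empty-commit case never reaches checkov.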