bridgecrewio / checkov

Prevent cloud misconfigurations and find vulnerabilities during build-time in infrastructure as code, container images and open source packages with Checkov by Bridgecrew.
https://www.checkov.io/
Apache License 2.0
7.04k stars 1.11k forks

Checkov should not warn about downloading external modules if `--download-external-modules` is explicitly set to `false`. #5782

Open bgshacklett opened 10 months ago

bgshacklett commented 10 months ago

Describe the issue

When `--download-external-modules` is explicitly set to `false`, Checkov still produces warnings indicating that downloading external modules has failed.

If I am explicitly setting this value to false, it is not useful to produce a warning, and may lead to confusion for those running the output.

Examples

```bash
# command
checkov \
  --dir . \
  --download-external-modules false \
  --baseline .checkov.baseline \
  --output-baseline-as-skipped \
  --output cli \
  --output junitxml \
  --output-file-path console,'test-results/checkov.xml'
```

Warning (sanitized):

```
2023-11-21 14:01:42,192 [MainThread  ] [WARNI]  Failed to download module <module_path> (for external modules, the --download-external-modules flag is required)
```

Version (please complete the following information):

Additional context

Downloading external modules is disabled in our pipeline to avoid performing checks against code that we do not have any control over as part of the CI process.

edit: At present, I am using `2> >(grep -v 'Failed to download module' >&2)` to filter this output out of the CI job console.

gruebel commented 10 months ago

hey @bgshacklett thanks for reaching out.

I don't think we can actually differentiate between setting the flag with false or not, because it is the default. I'll keep it open, if someone wants to investigate it further.
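On the default-versus-explicit question in this thread, the following is an added example (not Checkov's code and not written by any commenter) of how an argparse-based CLI can tell an omitted flag from an explicit `false` by using `None` as the default sentinel, then log the skip at a lower level when the operator opted out. The parser, logger name, message text and function names are hypothetical, and it assumes the flag arrives only on the command line, with no environment variable or config file supplying it.

```python
import argparse
import logging

log = logging.getLogger("module_loader_sketch")  # hypothetical logger name


def str2bool(value: str) -> bool:
    """Parse the textual booleans a CI pipeline typically passes."""
    lowered = value.strip().lower()
    if lowered in ("true", "1", "yes"):
        return True
    if lowered in ("false", "0", "no"):
        return False
    raise argparse.ArgumentTypeError(f"expected a boolean, got {value!r}")


def parse_flag(argv):
    """Return (enabled, explicit) for --download-external-modules."""
    parser = argparse.ArgumentParser(prog="scanner-sketch")
    # default=None is the sentinel: it survives parsing only when the flag is absent.
    parser.add_argument("--download-external-modules", type=str2bool, default=None)
    value = parser.parse_args(argv).download_external_modules
    return bool(value), value is not None


def skip_log_level(enabled, explicit):
    """Level for the 'module not downloaded' message, or None when downloading."""
    if enabled:
        return None
    # Explicit opt-out: the operator already decided, so keep it off the CI console.
    return logging.DEBUG if explicit else logging.WARNING


def report_skipped(module_path, argv):
    """Log the skip for one module and return the level used (None if not skipped)."""
    enabled, explicit = parse_flag(argv)
    level = skip_log_level(enabled, explicit)
    if level is not None:
        log.log(level, "Not downloading external module %s", module_path)
    return level


if __name__ == "__main__":
    logging.basicConfig(level=logging.WARNING)
    # Constructed sample invocations: only the first prints a warning.
    report_skipped("example/module", [])
    report_skipped("example/module", ["--download-external-modules", "false"])
```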

kstevensonnv commented 9 months ago

Hi,

Same scenario as raised, I am explicitly turning off checking external modules as I have no control over the code (and have some faith it's not terrible). No need to warn with 20+ lines that an external module is not being downloaded.

venkat-raman-wday commented 7 months ago

Same here. It's counterintuitive to set the flag to false only for a checkov run to fail. I'm seeing this on version 3.2.22.

stale[bot] commented 1 month ago

Thanks for contributing to Checkov! We've automatically marked this issue as stale to keep our issues list tidy, because it has not had any activity for 6 months. It will be closed in 14 days if no further activity occurs. Commenting on this issue will remove the stale tag. If you want to talk through the issue or help us understand the priority and context, feel free to add a comment or join us in the Checkov slack channel at codifiedsecurity.slack.com. Thanks!

bgshacklett commented 1 month ago

Still an open issue