bridgecrewio / checkov

Prevent cloud misconfigurations and find vulnerabilities during build-time in infrastructure as code, container images and open source packages with Checkov by Bridgecrew.
https://www.checkov.io/
Apache License 2.0

Sarif output ignores --quiet flag and ignores checkov inline skips. #5925

Closed afterdesign closed 10 months ago

afterdesign commented 10 months ago

When using -o sarif the results.sarif file ignores --quiet and rules that were inline ignored. Results and expectations are shown in the examples below:

How to replicate

Example test.tf:

resource "aws_security_group" "test" {
  # checkov:skip=CKV2_AWS_5:Attached in another resource
  vpc_id = "test"

  name        = "test"
  description = "test"
}

docker run --pull missing --tty --volume "$PWD:/tf" --workdir /tf bridgecrew/checkov:latest --quiet -o cli -f test.tf produces:

terraform scan results:

Passed checks: 5, Failed checks: 0, Skipped checks: 1

docker run --pull missing --tty --volume "$PWD:/tf" --workdir /tf bridgecrew/checkov:latest --quiet -o json -f test.tf produces:

{
    "check_type": "terraform",
    "results": {
        "failed_checks": []
    },
    "summary": {
        "passed": 5,
        "failed": 0,
        "skipped": 1,
        "parsing_errors": 0,
        "resource_count": 1,
        "checkov_version": "3.1.55"
    }
}

docker run --pull missing --tty --volume "$PWD:/tf" --workdir /tf bridgecrew/checkov:latest --quiet -o sarif -f test.tf produces cli output:


       _               _              
   ___| |__   ___  ___| | _______   __
  / __| '_ \ / _ \/ __| |/ / _ \ \ / /
 | (__| | | |  __/ (__|   < (_) \ V / 
  \___|_| |_|\___|\___|_|\_\___/ \_/  

By Prisma Cloud | version: 3.1.55 
terraform scan results:

Passed checks: 5, Failed checks: 0, Skipped checks: 1

Wrote output in SARIF format to the file 'results.sarif'

And results.sarif file has this:

{
  "$schema": "https://raw.githubusercontent.com/oasis-tcs/sarif-spec/master/Schemata/sarif-schema-2.1.0.json",
  "version": "2.1.0",
  "runs": [
    {
      "tool": {
        "driver": {
          "name": "Checkov",
          "version": "3.1.55",
          "informationUri": "https://checkov.io",
          "rules": [
            {
              "id": "CKV2_AWS_5",
              "name": "Ensure that Security Groups are attached to another resource",
              "shortDescription": {
                "text": "Ensure that Security Groups are attached to another resource"
              },
              "fullDescription": {
                "text": "Ensure that Security Groups are attached to another resource"
              },
              "help": {
                "text": "Ensure that Security Groups are attached to another resource\nResource: aws_security_group.test"
              },
              "defaultConfiguration": {
                "level": "error"
              },
              "helpUri": "https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/ensure-that-security-groups-are-attached-to-ec2-instances-or-elastic-network-interfaces-enis"
            }
          ],
          "organization": "bridgecrew"
        }
      },
      "results": [
        {
          "ruleId": "CKV2_AWS_5",
          "ruleIndex": 0,
          "level": "warning",
          "attachments": [],
          "message": {
            "text": "Ensure that Security Groups are attached to another resource"
          },
          "locations": [
            {
              "physicalLocation": {
                "artifactLocation": {
                  "uri": "test.tf"
                },
                "region": {
                  "startLine": 1,
                  "endLine": 8,
                  "snippet": {
                    "text": "resource \"aws_security_group\" \"test\" {\n  # checkov:skip=CKV2_AWS_5:Attached in another resource\n  vpc_id = \"test\"\n\n  name        = \"test\"\n  description = \"test\"\n\n}\n"
                  }
                }
              }
            }
          ],
          "suppressions": [
            {
              "kind": "inSource",
              "justification": "Attached in another resource"
            }
          ]
        }
      ]
    }
  ]
}

gruebel commented 10 months ago

hey @afterdesign, thanks for reaching out.

The CLI flag help text clearly mentions it is only for CLI output and not for SARIF or any other output. Implementing it would mean a breaking change, so it needs to be properly timed.

--quiet in case of CLI output, display only failed checks. Also disables progress bars

afterdesign commented 10 months ago

@gruebel 🤔 So why does --quiet work with -o json also? Is there a way that the sarif report can have only errors, so I can use it with reviewdog?
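A post-processing filter for the SARIF file, added here as an example and not code from Checkov or from anyone in the thread: it drops every result that carries a `suppressions` entry (Checkov records a `# checkov:skip` comment as kind `inSource`, as in the results.sarif above), prunes rules that no remaining result references, and rewrites each surviving `ruleIndex` so it still points at the right rule. The function names `strip_suppressed` and `count_results` are this example's own, and the sample log is a constructed reduction of the results.sarif above with one made-up unsuppressed result added.

```python
import copy
import json

# Constructed sample input: the shape of the results.sarif from the issue, reduced
# to the fields the filter touches, plus a second made-up result (placeholder rule
# id CKV_EXAMPLE_1) that is not suppressed so there is something left to keep.
SAMPLE_SARIF = {
    "version": "2.1.0",
    "runs": [{
        "tool": {"driver": {"name": "Checkov", "rules": [
            {"id": "CKV2_AWS_5", "name": "Ensure that Security Groups are attached to another resource"},
            {"id": "CKV_EXAMPLE_1", "name": "constructed placeholder rule"},
        ]}},
        "results": [
            {"ruleId": "CKV2_AWS_5", "ruleIndex": 0, "level": "warning",
             "suppressions": [{"kind": "inSource", "justification": "Attached in another resource"}]},
            {"ruleId": "CKV_EXAMPLE_1", "ruleIndex": 1, "level": "error", "suppressions": []},
        ],
    }],
}


def strip_suppressed(sarif: dict) -> dict:
    """Return a copy of a SARIF 2.1.0 log without suppressed results.

    A result is treated as suppressed when its "suppressions" array is non-empty.
    Rules no longer referenced by any result are removed from tool.driver.rules,
    and ruleIndex is remapped because it is a position in that array.
    """
    out = copy.deepcopy(sarif)  # never mutate the caller's log
    for run in out.get("runs", []):
        kept = [r for r in run.get("results", []) if not r.get("suppressions")]
        driver = run.get("tool", {}).get("driver", {})
        rules = driver.get("rules", [])
        used_ids = {r.get("ruleId") for r in kept}
        new_rules = [rule for rule in rules if rule.get("id") in used_ids]
        index_of = {rule["id"]: i for i, rule in enumerate(new_rules)}
        for r in kept:
            if r.get("ruleId") in index_of:
                r["ruleIndex"] = index_of[r["ruleId"]]
            else:
                r.pop("ruleIndex", None)  # no rule to point at; ruleId alone is valid
        run["results"] = kept
        if rules:
            driver["rules"] = new_rules
    return out


def count_results(sarif: dict) -> int:
    """Total number of results across all runs (handy for before/after checks)."""
    return sum(len(run.get("results", [])) for run in sarif.get("runs", []))


if __name__ == "__main__":
    print(json.dumps(strip_suppressed(SAMPLE_SARIF), indent=2))
```

Run it against a real results.sarif by loading the file with json.load in place of SAMPLE_SARIF and writing the filtered dict back out before handing it to reviewdog.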