bridgecrewio / checkov

Prevent cloud misconfigurations and find vulnerabilities during build-time in infrastructure as code, container images and open source packages with Checkov by Bridgecrew.
https://www.checkov.io/
Apache License 2.0

[Helm] Issue when pulling chart dependency from OCI registry #6350

Open Farfaday opened 1 month ago

Farfaday commented 1 month ago

Describe the issue

When running checkov on a chart that pulls dependencies out of a public OCI repository like

dependencies:
  - name: common
    repository: oci://registry-1.docker.io/bitnamicharts
    tags:
      - bitnami-common
    version: 2.x.x

then checkov fails with

LOG_LEVEL=DEBUG checkov -d .
[...]
2024-05-14 16:10:56,667 [MainThread  ] [WARNI]  Failed processing helm chart mychart at dir: .. Working dir: /tmp/tmpr6umnbn6. Failure details: Pulled: registry-1.docker.io/bitnamicharts/common:2.19.2

The dependency chart is correctly pulled (files are there) but checkov fails and does not check the chart. Running checkov again is then successful.

When changing the repository to https, it works without issue.


Farfaday commented 1 month ago

Looks like helm template --dependency-update . incorrectly writes out to stderr:

helm template --dependency-update . 2>err 1>/dev/null ; cat err
Pulled: registry-1.docker.io/bitnamicharts/common:2.19.3
Digest: sha256:a42f1c81728d2b4b7766f83e1f8d1cfd17d4897819274b4a248629dfaa8ab4a3

Looks like this is kind of a weird, but wanted, behavior on helm's side, see:
https://github.com/helm/helm/pull/11480
https://github.com/helm/helm/issues/12609
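The failure mode described in this thread is that helm writes informational "Pulled:" / "Digest:" lines to stderr during a successful OCI dependency pull, so a caller that treats any stderr output as a failure rejects a chart that rendered fine. The following is an added example, not checkov's or helm's own code, of how a wrapper can decide success from the exit code and only keep unrecognised stderr lines as diagnostics. The function names, the `HelmResult` type, and the list of prefixes treated as progress noise (only the two prefixes quoted above; a real deployment may need more) are assumptions for this illustration. The live `run_helm_template` helper needs helm on PATH and network access; the pure `classify_helm_result` function runs offline against constructed sample output.

```python
"""Classify `helm template --dependency-update` output by exit code, not stderr.

Added example for this issue; not checkov's or helm's code. Assumes a helm 3.x
binary for the live helper. The offline part (classify_helm_result) needs no helm.
"""
import re
import subprocess
from dataclasses import dataclass, field

# stderr lines helm emits during a successful OCI pull, taken from the output
# quoted in this issue. Treating exactly these prefixes as noise is an assumption;
# anything else on stderr is kept as a potential error message.
_PROGRESS_NOISE = re.compile(r"^(Pulled|Digest):\s")


@dataclass
class HelmResult:
    ok: bool                       # True iff helm exited 0
    rendered: str                  # stdout: the templated manifests
    errors: list[str] = field(default_factory=list)   # stderr lines that are not progress noise
    noise: list[str] = field(default_factory=list)    # stderr lines recognised as informational


def classify_helm_result(returncode: int, stdout: str, stderr: str) -> HelmResult:
    """Decide success from the exit code; partition stderr for diagnostics only.

    A non-empty stderr with exit code 0 is a successful run that printed progress.
    A non-zero exit code is a failure even if stderr happens to be empty.
    """
    result = HelmResult(ok=(returncode == 0), rendered=stdout)
    for line in stderr.splitlines():
        if not line.strip():
            continue
        if _PROGRESS_NOISE.match(line):
            result.noise.append(line)
        else:
            result.errors.append(line)
    return result


def run_helm_template(chart_dir: str, release: str = "mychart") -> HelmResult:
    """Run helm for real and classify the outcome (needs helm on PATH and network)."""
    proc = subprocess.run(
        ["helm", "template", release, chart_dir, "--dependency-update"],
        capture_output=True, text=True, check=False,
    )
    return classify_helm_result(proc.returncode, proc.stdout, proc.stderr)


# Constructed samples modelled on the stderr quoted in this issue, not captured live.
SAMPLE_OK_STDERR = (
    "Pulled: registry-1.docker.io/bitnamicharts/common:2.19.3\n"
    "Digest: sha256:a42f1c81728d2b4b7766f83e1f8d1cfd17d4897819274b4a248629dfaa8ab4a3\n"
)
SAMPLE_FAIL_STDERR = "Error: failed to pull chart: unauthorized\n"   # hypothetical failure text

if __name__ == "__main__":
    good = classify_helm_result(0, "apiVersion: v1\nkind: ConfigMap\n", SAMPLE_OK_STDERR)
    bad = classify_helm_result(1, "", SAMPLE_FAIL_STDERR)
    print("successful pull:", good.ok, "noise lines:", len(good.noise), "errors:", good.errors)
    print("failed pull:    ", bad.ok, "errors:", bad.errors)
```

The point of splitting `classify_helm_result` from the subprocess call is that the decision logic can be unit-tested against captured stderr without a registry or network, which is also how a regression for this exact symptom would be pinned down.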