bridgecrewio / checkov

Prevent cloud misconfigurations and find vulnerabilities during build-time in infrastructure as code, container images and open source packages with Checkov by Bridgecrew.
https://www.checkov.io/
Apache License 2.0

Custom YAML Checks against nested directory only showing filename in output #6450

Open mjseid opened 2 weeks ago

mjseid commented 2 weeks ago

Describe the Issue

I have the following folder structure

app
  dev
     dev-file.tf
  qa
     qa-file.tf
checkov
  customcheck1.yaml
  customcheck2.py

I have some custom checks, most written in YAML but a couple written in Python, which I want to execute against the top-level app directory using a command like the following. In this simplified example, I don't want check1 to be applied to files under the dev folder and I don't want check2 to be applied to files under the qa folder.

checkov --framework terraform --compact -d app/ --external-checks-dir checkov --skip-check 'CKV2_Company_check1:dev/*.tf,CKV2_Company_check2:qa/*.tf'

When I do this, the Python checks recognize the full relative path of the files and work as desired. The output is something like:

Check: CKV2_Company_check2: "custom check 2"
    PASSED for resource: kubernetes_manifest.xyz
    File: \dev\dev-file.tf:1-38

However, the skips for the YAML checks do not work, and the check looks at all files under all sub-folders of the top-level folder. I believe this is because the file path is getting truncated to just the filename, as shown in the output:

Check: CKV2_Company_check1: "custom check 1"
    PASSED for resource: kubernetes_manifest.xyz
    File: \dev-file.tf:1-38
Check: CKV2_Company_check1: "custom check 1"
    PASSED for resource: kubernetes_manifest.abc
    File: \qa-file.tf:40-77

Is it possible to have custom checks in YAML recognize the full relative path like the checks written in Python do?
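As an added illustration (not code from this issue or from Checkov itself), the following minimal skip matcher shows why a path-scoped skip such as `dev/*.tf` can only take effect when the finding carries its full relative path. It assumes `--skip-check 'ID:glob'` semantics in which the glob is matched fnmatch-style against the reported file path; the `Finding` class, the helper names and the sample findings are constructed here to mirror the two output shapes in the report above.

```python
from __future__ import annotations

import fnmatch
from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    """One check result as a scanner might report it (constructed type, not Checkov's)."""
    check_id: str
    resource: str
    file_path: str  # the path exactly as it appears in the scanner output


def parse_skip_checks(spec: str) -> dict[str, list[str]]:
    """Parse 'ID1:glob,ID2:glob,ID3' into {ID: [globs]}.

    An ID given without ':glob' is skipped everywhere ('*').
    Assumed semantics for illustration; check the Checkov docs for the real rules.
    """
    skips: dict[str, list[str]] = {}
    for item in filter(None, (part.strip() for part in spec.split(","))):
        check_id, _, pattern = item.partition(":")
        skips.setdefault(check_id, []).append(pattern or "*")
    return skips


def is_skipped(finding: Finding, skips: dict[str, list[str]]) -> bool:
    """True if any glob registered for this finding's check ID matches its path."""
    # Normalize Windows-style separators and the leading slash seen in the
    # reported output so POSIX-style globs like 'dev/*.tf' can be compared.
    path = finding.file_path.replace("\\", "/").lstrip("/")
    return any(fnmatch.fnmatch(path, pattern) for pattern in skips.get(finding.check_id, []))


def remaining(findings: list[Finding], spec: str) -> list[tuple[str, str]]:
    """Return (check_id, file_path) for every finding the skip spec does NOT suppress."""
    skips = parse_skip_checks(spec)
    return [(f.check_id, f.file_path) for f in findings if not is_skipped(f, skips)]


SKIP_SPEC = "CKV2_Company_check1:dev/*.tf,CKV2_Company_check2:qa/*.tf"

# Constructed sample findings. FULL_PATH_FINDINGS mirrors what the Python custom
# checks report (directory retained); BARE_NAME_FINDINGS mirrors what the YAML
# custom checks report (directory dropped, only the filename survives).
FULL_PATH_FINDINGS = [
    Finding("CKV2_Company_check1", "kubernetes_manifest.xyz", "\\dev\\dev-file.tf"),
    Finding("CKV2_Company_check1", "kubernetes_manifest.abc", "\\qa\\qa-file.tf"),
    Finding("CKV2_Company_check2", "kubernetes_manifest.xyz", "\\dev\\dev-file.tf"),
    Finding("CKV2_Company_check2", "kubernetes_manifest.abc", "\\qa\\qa-file.tf"),
]
BARE_NAME_FINDINGS = [
    Finding(f.check_id, f.resource, "\\" + f.file_path.rsplit("\\", 1)[-1])
    for f in FULL_PATH_FINDINGS
]


if __name__ == "__main__":
    # With full paths the two directory-scoped skips each remove one finding.
    for check_id, path in remaining(FULL_PATH_FINDINGS, SKIP_SPEC):
        print(f"full path   kept: {check_id} {path}")
    # With bare filenames 'dev/*.tf' and 'qa/*.tf' never match, so nothing is skipped.
    for check_id, path in remaining(BARE_NAME_FINDINGS, SKIP_SPEC):
        print(f"bare name   kept: {check_id} {path}")
```

The same matcher, fed the two output shapes, keeps two findings when directories are present and all four when they are not, which is the behaviour the report describes. Note that `fnmatch`'s `*` also matches `/`, so a pattern like `*.tf` would skip in every directory while `dev/*.tf` requires the `dev/` prefix to be present in the path being matched.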

Saarett commented 1 week ago

Hi @mjseid , thank you for reaching out. I'm not sure it was intended to be used this way, @gruebel @tsmithv11 do you know otherwise?

tsmithv11 commented 1 week ago

I don't believe so. I would recommend running Checkov multiple times, once per subdirectory, with the skips that you want.

mjseid commented 6 days ago

Yes, running once per subdirectory would work, but it isn't ideal since my automation would then be customized for each repo. For now I've just abandoned YAML and written everything in Python.

It would be nice for the two methods to work in a similar fashion though. Being able to write custom checks in YAML was super fast and easy, and I would think that having the YAML checks show the full subdirectory path like Python does would be beneficial beyond just the use case I described. For example, it is nice to just run checkov once against a top-level directory and have the same file name in multiple sub-directories. It works with YAML, but you can't tell which subdirectory contained the file with the failure.

gruebel commented 5 days ago

Yeah, I think it is kind of weird the path for the YAML check finding is only showing the filename and not the whole relative part, like for the Python check.