bridgecrewio / checkov

Prevent cloud misconfigurations and find vulnerabilities during build-time in infrastructure as code, container images and open source packages with Checkov by Bridgecrew.
https://www.checkov.io/
Apache License 2.0

Discrepancy Between Homebrew vs pip Installations: CKV2 Checks Not Running with Homebrew #6645

Open katrinajaneczko opened 3 months ago

katrinajaneczko commented 3 months ago

Description

CKV2 checks do not run when Checkov is installed via Homebrew, but they do run when installed via pip. This discrepancy leads to different outputs between local executions and those in a GitHub Actions (GHA) pipeline, which uses pip for installation.

Steps to Reproduce:

Install Checkov via Homebrew:

brew install checkov

Run Checkov with the following command:

checkov -d . --framework terraform

Observation: CKV2 checks do not appear in the output.

Uninstall Checkov via Homebrew:

brew uninstall checkov

Install Checkov via pip:

pip install checkov

Run the same command again:

checkov -d . --framework terraform

Observation: CKV2 checks now appear in the output, matching the results seen in the GHA pipeline.

Expected Behavior:

Checkov should produce consistent outputs, including CKV2 checks, regardless of whether it is installed via Homebrew or pip.

Actual Behavior:

When installed via Homebrew, Checkov does not run CKV2 checks, leading to discrepancies in the results. Installing via pip resolves this issue and allows CKV2 checks to run as expected.

Environment:

OS: macOS 13.4.1 (M2 chip)
Homebrew Version: 4.3.14
Python Version: 3.11.5
pip Version: 24.0
Checkov Version via Homebrew: 3.2.219
Checkov Version via pip: 3.2.219

Additional Context:

I discovered this issue when running Checkov locally and comparing the output to that of a GitHub Actions pipeline. I noticed that when running Checkov checks for a Terraform repository remotely in a GitHub Action workflow, the action was failing due to failed CKV2 checks. However, when running locally via a pre-commit hook, there were no failed checks, and in fact no CKV2 checks were even running at all.

The GHA pipeline installs Checkov using pip, and it correctly runs CKV2 checks, whereas my local installation via Homebrew did not.

I am using this GHA: https://github.com/bridgecrewio/checkov-action, which I found uses a Docker image where Checkov is installed using pip: GitHub Actions Dockerfile.
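A quick way to confirm whether a given Checkov install is actually running the CKV2 (graph) checks, and to compare a local run with the CI run, is to diff the check-ID families in the JSON reports. The script below is an added example for this issue, not Checkov's own code: it reads the structure written by `checkov -d . --framework terraform -o json` (one report dict per framework, or a list of them) and reports which families (CKV, CKV2, ...) appear. The two embedded reports are constructed samples standing in for a pip/CI run and a Homebrew run; the `ci.json` / `local.json` file names in the usage are assumptions.

```python
"""Compare which Checkov check families ran in two JSON reports.

Added example (not Checkov's code). Usage with real scans, assuming the file
names below:
    checkov -d . --framework terraform -o json > ci.json     # in CI
    checkov -d . --framework terraform -o json > local.json  # on the laptop
    python compare_checkov.py ci.json local.json
"""
import json
import re
import sys
from collections import Counter

# Check IDs look like CKV_AWS_18 or CKV2_AWS_6; the family is the part before
# the first underscore (CKV = Python checks, CKV2 = graph/YAML checks).
_FAMILY_RE = re.compile(r"^([A-Z0-9]+)_")


def check_ids(report):
    """Return every check_id that passed, failed or was skipped in a report.

    `report` is either one framework's result dict or a list of them, which is
    what Checkov's JSON output looks like for one vs. several frameworks.
    """
    reports = report if isinstance(report, list) else [report]
    ids = []
    for rep in reports:
        results = rep.get("results", {})
        for bucket in ("passed_checks", "failed_checks", "skipped_checks"):
            ids.extend(c["check_id"] for c in results.get(bucket, []))
    return ids


def family_counts(report):
    """Count check IDs per family, e.g. {'CKV': 2, 'CKV2': 1}."""
    counts = Counter()
    for cid in check_ids(report):
        m = _FAMILY_RE.match(cid)
        counts[m.group(1) if m else cid] += 1
    return dict(counts)


def missing_families(reference, candidate):
    """Families seen in the reference run (e.g. CI) but absent from the candidate (e.g. local)."""
    return sorted(set(family_counts(reference)) - set(family_counts(candidate)))


def _check(cid, name, path, resource):
    # Minimal shape of a Checkov result entry; constructed, not a real scan.
    return {"check_id": cid, "check_name": name, "file_path": path, "resource": resource}


# Constructed sample: the pip/CI run reports both Python (CKV) and graph (CKV2) checks.
CI_REPORT = {
    "check_type": "terraform",
    "results": {
        "passed_checks": [_check("CKV_AWS_18", "S3 access logging", "/main.tf", "aws_s3_bucket.logs")],
        "failed_checks": [
            _check("CKV_AWS_21", "S3 versioning", "/main.tf", "aws_s3_bucket.logs"),
            _check("CKV2_AWS_6", "S3 public access block", "/main.tf", "aws_s3_bucket.logs"),
        ],
        "skipped_checks": [],
        "parsing_errors": [],
    },
}

# Constructed sample: the Homebrew run with the symptom from this issue, no CKV2 entries.
LOCAL_REPORT = {
    "check_type": "terraform",
    "results": {
        "passed_checks": [_check("CKV_AWS_18", "S3 access logging", "/main.tf", "aws_s3_bucket.logs")],
        "failed_checks": [_check("CKV_AWS_21", "S3 versioning", "/main.tf", "aws_s3_bucket.logs")],
        "skipped_checks": [],
        "parsing_errors": [],
    },
}


def compare(reference, candidate):
    """Human-readable summary of the two runs and the families the candidate lacks."""
    lines = [f"reference families: {family_counts(reference)}",
             f"candidate families: {family_counts(candidate)}"]
    missing = missing_families(reference, candidate)
    if missing:
        lines.append(f"candidate is missing check families: {', '.join(missing)}")
    else:
        lines.append("candidate ran every check family the reference ran")
    return "\n".join(lines)


if __name__ == "__main__":
    if len(sys.argv) == 3:
        with open(sys.argv[1]) as ref, open(sys.argv[2]) as cand:
            print(compare(json.load(ref), json.load(cand)))
    else:
        print(compare(CI_REPORT, LOCAL_REPORT))
```

Run without arguments it uses the embedded samples and reports that the candidate run is missing the CKV2 family; pointed at two real `-o json` files it performs the same comparison, which is enough to tell an install that silently skipped the graph checks apart from one where the CKV2 checks simply all passed.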

99 commented 3 months ago

I'm experiencing the same issue with the latest versions. I tried a fresh brew install, got 3.2.220, and am seeing the same.

OfekShimko commented 3 months ago

Thank you for reporting this issue. We will work on it next week. In the meantime, we recommend using Pip.

katrinajaneczko commented 3 months ago

Great, thank you!