bridgecrewio / checkov

Prevent cloud misconfigurations and find vulnerabilities during build-time in infrastructure as code, container images and open source packages with Checkov by Bridgecrew.
https://www.checkov.io/
Apache License 2.0

BUG: --prisma-api-url is ignored, but PRISMA_API_URL works #6673

Open lapkritinis opened 3 months ago

lapkritinis commented 3 months ago

It's not a feature request, but a bug report. Didn't find any better fit:

Add this to /etc/hosts: 127.0.0.1 api0.prismacloud.io

Try running checkov on an empty json: checkov -f empty.json --prisma-api-url "https://api.eu.prismacloud.io"

Gives error: urllib3.exceptions.MaxRetryError: HTTPSConnectionPool(host='api0.prismacloud.io', port=443): Max retries exceeded with url: /bridgecrew/api/v2/guidelines (Caused by NewConnectionError('<urllib3.connection.HTTPSConnection object at 0x7fffde2d3ac0>: Failed to establish a new connection: [Errno 111] Connection refused'))

Try export PRISMA_API_URL=https://api.eu.prismacloud.io instead, then running checkov -f empty.json works.

deeps-sf commented 3 months ago

@lapkritinis I don't see any errors while running the checkov command. Could you please verify:

  1. Which checkov and Python version are you running?
  2. Which OS are you running?

lapkritinis commented 3 months ago

Understood. I was running in Docker, Ubuntu 22.04 with Python 3.10. I can try building a Dockerfile which supposedly will replicate the issue.

From memory: apt-get install python3-pip and pip3 install checkov

lapkritinis commented 3 months ago

This is the Dockerfile which reproduces the issue:

FROM ubuntu:22.04
RUN apt-get update && apt-get upgrade -y \
    && apt-get install -y --no-install-recommends \
    python3-pip
RUN pip3 install checkov
RUN echo "{}" > empty.json

CMD echo "127.0.0.1 api0.prismacloud.io" >> /etc/hosts \
    && checkov -f empty.json --prisma-api-url https://api.eu.prismacloud.io

Build and run it.

deeps-sf commented 3 months ago

@lapkritinis I tested and verified that the issue occurs when you have the host "api0.prismacloud.io" IP set to 127.0.0.1.

If the requirement is to assign an IP to the URL, please use the following IPs as per nslookup:

Non-authoritative answer:
api0.prismacloud.io canonical name = nlb-api-alb-02f7a7-e9e3bdfafbe3068a.elb.us-east-1.amazonaws.com.
Name:   nlb-api-alb-02f7a7-e9e3bdfafbe3068a.elb.us-east-1.amazonaws.com
Address: 34.192.147.35
Name:   nlb-api-alb-02f7a7-e9e3bdfafbe3068a.elb.us-east-1.amazonaws.com
Address: 3.90.172.209

We don't recommend setting the URL to a loopback address, as it blocks connectivity to the API. The Checkov scanner uses the domain "api0.prismacloud.io" for open source.

Hope this helps!

lapkritinis commented 3 months ago

Hey, thanks for looking into it, but it doesn't :) The point is it should no longer use the hardcoded value but take the value from the argument for which API I want to use. But it doesn't. Setting that api0 to loopback is for demonstrating the issue. If it connected to the API I did set, that api0 loopback would have no effect. Like I mentioned, if I use export for that argument, then it works despite what is set in the hosts file.

lapkritinis commented 3 months ago

Run export PRISMA_API_URL=https://api.eu.prismacloud.io and that hosts file setting will no longer have any effect, as it should be.
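The thread boils down to a configuration-precedence question: an explicit --prisma-api-url flag should override the PRISMA_API_URL environment variable, which should override the built-in open-source default, and the loopback trick in /etc/hosts only reveals which of the three the scanner actually used. The following is an added illustration, not Checkov's own code: the function names (resolve_prisma_api_url, guidelines_endpoint, check_precedence) are hypothetical, the default host and the /bridgecrew/api/v2/guidelines path are taken from the messages in this thread, and the "buggy" variant models the reported behaviour (only the environment variable honoured) so a unit test can catch a regression without any network access.

```python
import os
from urllib.parse import urlparse

# Taken from this issue thread: the hardcoded open-source host and the
# endpoint that appeared in the reported traceback.
DEFAULT_PRISMA_API_URL = "https://api0.prismacloud.io"
GUIDELINES_PATH = "/bridgecrew/api/v2/guidelines"


def validate_api_url(url):
    """Accept only an https URL with a host; normalise away a trailing slash."""
    parsed = urlparse(url)
    if parsed.scheme != "https":
        raise ValueError(f"Prisma API URL must use https, got {url!r}")
    if not parsed.hostname:
        raise ValueError(f"Prisma API URL has no host: {url!r}")
    return url.rstrip("/")


def resolve_prisma_api_url(cli_value, env=None):
    """Hypothetical resolver with the precedence the reporter expects:
    --prisma-api-url, then PRISMA_API_URL, then the built-in default.
    `env` defaults to os.environ; tests pass a plain dict instead."""
    env = os.environ if env is None else env
    for candidate in (cli_value, env.get("PRISMA_API_URL"), DEFAULT_PRISMA_API_URL):
        if candidate:  # skip None and empty strings
            return validate_api_url(candidate)
    raise AssertionError("unreachable: the default is always set")


def guidelines_endpoint(cli_value, env=None):
    """Full guidelines URL built from the correctly resolved base URL."""
    return resolve_prisma_api_url(cli_value, env) + GUIDELINES_PATH


def buggy_guidelines_endpoint(cli_value, env=None):
    """Model of the behaviour reported above: the CLI flag is never consulted,
    so only PRISMA_API_URL (or the default) decides the host."""
    env = os.environ if env is None else env
    return (env.get("PRISMA_API_URL") or DEFAULT_PRISMA_API_URL) + GUIDELINES_PATH


def check_precedence(flag="https://api.eu.prismacloud.io"):
    """Offline reproduction of the report: with an empty environment, the
    flag must determine the host. Returns the two URLs and a verdict."""
    fixed = guidelines_endpoint(flag, env={})
    buggy = buggy_guidelines_endpoint(flag, env={})
    return {
        "fixed": fixed,
        "buggy": buggy,
        "flag_honoured": urlparse(fixed).hostname == urlparse(flag).hostname,
        "buggy_flag_honoured": urlparse(buggy).hostname == urlparse(flag).hostname,
    }


if __name__ == "__main__":
    for name, value in check_precedence().items():
        print(f"{name}: {value}")
```

Running the module prints the two resulting URLs and shows that the buggy resolver still targets api0.prismacloud.io even though the flag named the EU endpoint, which is exactly what the loopback entry in /etc/hosts exposed in the report. The validate_api_url step is there because a misconfigured base URL (plain http, or a bare hostname without a scheme) should fail loudly before any request is made, rather than surface later as a confusing connection error.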