bridgecrewio / checkov

Prevent cloud misconfigurations and find vulnerabilities during build-time in infrastructure as code, container images and open source packages with Checkov by Bridgecrew.
https://www.checkov.io/
Apache License 2.0

support GitLab's `!reference` tags #6711

Open elchenberg opened 4 weeks ago

elchenberg commented 4 weeks ago

Describe the feature

Currently (v3.2.249) Checkov does not seem to support GitLab's !reference tags.

https://docs.gitlab.com/ee/ci/yaml/yaml_optimization.html#reference-tags

I have a .gitlab-ci.yml file and when I run Checkov I see the following warning in the output:

2024-09-09 17:05:56,984 [MainThread  ] [WARNI]  Fail to load yaml content, could not determine a constructor for the tag '!reference'
  in "<unicode string>", line 8, column 13:
              - !reference [checkov, image]
                ^

Examples

trivy:
  image: docker.io/aquasec/trivy:0.55.0@sha256:35e972d4c97895711cb2de6594cc1774b61e6b9dc7661ef73a76dd649f006c8d
  script:
    - trivy image "${IMAGE:?}"
  parallel:
    matrix:
      - IMAGE:
          - !reference [checkov, image]
          - !reference [trivy, image]

checkov:
  image: docker.io/bridgecrew/checkov:3.2.249@sha256:87a82f290af394b7432fa6858efb88c7b65785df8493567794c2ce97120ef228
  script:
    - checkov --directory .
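Added example, not from the issue or from Checkov's own code: a PyYAML loader that accepts the `!reference` tag in a first pass and expands each reference against the parsed document in a second pass, the way GitLab resolves it. The sample below is constructed from the `.gitlab-ci.yml` above with the image digests dropped; it assumes PyYAML is installed.

```python
import yaml

# Constructed sample, trimmed from the .gitlab-ci.yml posted above (digests dropped).
SAMPLE = """\
trivy:
  image: docker.io/aquasec/trivy:0.55.0
  script:
    - trivy image "${IMAGE:?}"
  parallel:
    matrix:
      - IMAGE:
          - !reference [checkov, image]
          - !reference [trivy, image]

checkov:
  image: docker.io/bridgecrew/checkov:3.2.249
  script:
    - checkov --directory .
"""

class Reference:
    """Unresolved `!reference [job, key, ...]` path kept from the first pass."""
    def __init__(self, path):
        self.path = path

class GitLabLoader(yaml.SafeLoader):
    """SafeLoader that accepts the GitLab-specific tag instead of failing."""

GitLabLoader.add_constructor(
    "!reference", lambda loader, node: Reference(loader.construct_sequence(node)))

def resolve(tree, root, depth=0):
    """Second pass: replace each Reference with the node it points at."""
    if depth > 10:  # references may chain; bound it so a cycle cannot hang
        raise ValueError("!reference chain too deep, probably a cycle")
    if isinstance(tree, Reference):
        target = root
        for key in tree.path:
            target = target[key]
        return resolve(target, root, depth + 1)
    if isinstance(tree, dict):
        return {k: resolve(v, root, depth) for k, v in tree.items()}
    if isinstance(tree, list):
        return [resolve(v, root, depth) for v in tree]
    return tree

def load_gitlab_ci(text):
    """Parse a .gitlab-ci.yml and expand its !reference tags."""
    tree = yaml.load(text, Loader=GitLabLoader)
    return resolve(tree, tree)
```

With the plain `yaml.safe_load` the same text raises the constructor error quoted in the warning above; with `load_gitlab_ci` the `IMAGE` matrix comes back as the two resolved image strings.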
zagr0 commented 6 days ago

It doesn't respect Helm templates either.

2024-10-02 10:55:49,688 [MainThread  ] [WARNI]  Fail to load yaml content, while parsing a flow node
expected the node content, but found '-'
  in "<unicode string>", line 6, column 7:
        {{- include "cronjob.labels" . | n ... 
          ^