microsoft / security-devops-action

Microsoft Security DevOps for GitHub Actions.
MIT License

Help me with the example of using environment variables with values for checkov and terrascan #104

Open babuga365 opened 4 months ago

babuga365 commented 4 months ago

I'm getting issues with the setup below.

Azure Devops Pipeline: ci.yaml

parameters:
  - name: workingDir
    type: string

stages:
- stage: TerraformContinuousIntegration
  displayName: Terraform - CI
  jobs:
    - job: StaticCodeAnalysis
      displayName: CI - Static Code Analysis 
      pool:
        vmImage: ubuntu-latest
      steps:
      - task: MicrosoftSecurityDevOps@1
        displayName: 'Static Code Analysis - MDFC'
        inputs:
          categories: 'IaC'
          tools: 'checkov,terrascan'
        env:
          GDN_CHECKOV_DIRECTORY: '$(System.DefaultWorkingDirectory)/${{ parameters.workingDir }}'
          GDN_CHECKOV_SKIPPATH: '/pipelines,/examples,/archive'
          GDN_CHECKOV_DOWNLOADEXTERNALMODULES: 'true'
          GDN_CHECKOV_CREATECONFIG: 'checkov-config.yaml'
          GDN_CHECKOV_SHOWCONFIG: 'true'
          GDN_CHECKOV_SKIPCHECK: 'CKV_TF_1'

Logs:

Clear:
Clearing folder: /home/vsts/work/1/s/.gdn/.r
Clearing folder: /home/vsts/work/1/s/.gdn/rc
Analyze:
Using environment variable override: SkipPath=/pipelines,/examples,/archive
Using environment variable override: SkipCheck=CKV_TF_1
Using environment variable override: DownloadExternalModules=true
Using environment variable override: CreateConfig=checkov-config.yaml
Using environment variable override: ShowConfig=true
Running Checkov 3.2.199

/home/vsts/work/_msdo/packages/nuget/Microsoft.Guardian.CheckovRedist_linux_amd64.3.2.199/tools/dist/checkov --directory ./ --output sarif --soft-fail --show-config --skip-path /pipelines,/examples,/archive --skip-check CKV_TF_1 --download-external-modules true --create-config checkov-config.yaml --output-file-path /home/vsts/work/1/s/.gdn/.r/checkov/001/checkov.sarif

[error]Wrote config file to checkov-config.yaml

Tool run time: 5.4715251 seconds
------------------------------------------------------------------------------
Checkov completed with exit code 0
------------------------------------------------------------------------------

If you look at the logs, Checkov is still using `--directory ./` instead of the value from the environment variable GDN_CHECKOV_DIRECTORY.

Also, let me know if I'm okay to use the env variable GDN_CHECKOV_SKIPPATH with values like '/pipelines,/examples,/archive', because Checkov is not skipping these paths correctly and is checking all the files from those directories as well.

cndaan commented 3 months ago

Same issue here.

It looks like the GDN_CHECKOV_DIRECTORY and the GDN_CHECKOV_FILE are not working for me. All other environment variables seem to be working except those two.

Can someone please fix this issue?

masse-solita commented 1 month ago

We need this too. Can someone please fix this? Ping @chrisnielsen-MS @richardtucker @sethRait or anyone from MS.

chrisnielsen-MS commented 1 month ago

Hi folks,

With regards to the target directory, that one does work but it has a different environment variable: GDN_CHECKOV_TARGETDIRECTORY

I noticed our wiki had GDN_CHECKOV_DIRECTORY as well, so I fixed the documentation there. With regards to the skip paths, Checkov expects multiple values to be specified separately, like --skip-path /pipelines --skip-path /examples. This is currently not supported by our mechanism of passing values through environment variables, but we plan to add proper support for this soon in an upcoming release.

@cndaan -- we currently do not support the GDN_CHECKOV_FILE argument as it is mutually exclusive with --directory, for which we provide a default value. Once we have proper support for skipping subdirectories, would you still be interested in support for scanning a single file? If there is interest in this scenario separate from avoiding unnecessary scanning, I will add it to our backlog as well.
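To make the maintainer's point concrete, here is an added example (not MSDO's or Checkov's own code) that models the override mechanism visible in the log above: each recognised GDN_CHECKOV_* variable becomes exactly one flag/value pair, so an unrecognised name such as GDN_CHECKOV_DIRECTORY is silently ignored and a comma-joined skip path reaches Checkov as a single pattern. The variable-to-flag table and the regex semantics of --skip-path are assumptions made for illustration.

```python
import re
from typing import Dict, List

# Assumed mapping for illustration, based on the "Using environment variable
# override: X=Y" lines in the issue's log. GDN_CHECKOV_DIRECTORY is deliberately
# absent: the log shows no override line for it, and the maintainer names
# GDN_CHECKOV_TARGETDIRECTORY as the variable that actually sets --directory.
ENV_TO_FLAG = {
    "GDN_CHECKOV_TARGETDIRECTORY": "--directory",
    "GDN_CHECKOV_SKIPPATH": "--skip-path",
    "GDN_CHECKOV_SKIPCHECK": "--skip-check",
    "GDN_CHECKOV_DOWNLOADEXTERNALMODULES": "--download-external-modules",
}


def build_args(env: Dict[str, str]) -> List[str]:
    """Model of the override mechanism: one flag and one value per variable."""
    args = ["--directory", "./"]  # MSDO's default, per the maintainer's comment
    for var, flag in ENV_TO_FLAG.items():
        if var not in env:
            continue  # unknown or unset variables never reach the command line
        if flag == "--directory":
            args[1] = env[var]  # an override replaces the default target
        else:
            args += [flag, env[var]]  # whole value, commas included, as ONE argument
    return args


def skip_patterns(args: List[str]) -> List[str]:
    """Collect every value that follows a --skip-path flag."""
    return [args[i + 1] for i, a in enumerate(args[:-1]) if a == "--skip-path"]


def is_skipped(path: str, patterns: List[str]) -> bool:
    """Assumed Checkov semantics: each --skip-path is a regex searched in the path."""
    return any(re.search(p, path) for p in patterns)


if __name__ == "__main__":
    # Constructed sample: the env block from the issue, with the corrected variable name.
    env = {
        "GDN_CHECKOV_TARGETDIRECTORY": "/home/vsts/work/1/s/infra",
        "GDN_CHECKOV_SKIPPATH": "/pipelines,/examples,/archive",
    }
    args = build_args(env)
    print(" ".join(args))
    # The single comma-joined pattern matches none of the intended directories.
    print(is_skipped("/pipelines/ci.yaml", skip_patterns(args)))  # False
    # Separate --skip-path values, which the maintainer says Checkov expects, do.
    print(is_skipped("/pipelines/ci.yaml", ["/pipelines", "/examples", "/archive"]))  # True
```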

masse-solita commented 1 month ago

@chrisnielsen-MS To my knowledge Checkov doesn't support scanning Terraform execution plans without the file argument.

From the Checkov documentation: "Plan evaluation provides Checkov additional dependencies and context that can result in a more complete scan result." https://www.checkov.io/7.Scan%20Examples/Terraform%20Plan%20Scanning.html

chrisnielsen-MS commented 1 month ago

Thank you for confirming @masse-solita, we will be addressing this in an upcoming release as well.

masse-solita commented 1 month ago

Great news @chrisnielsen-MS! Any ETA on the new release? 😄

masse-solita commented 4 days ago

Any news about the new release @chrisnielsen-MS?