microsoft / security-devops-action

Microsoft Security DevOps for GitHub Actions.
MIT License

Help me with the example of using environment variables with values for checkov and terrascan #104

Open babuga365 opened 1 month ago

babuga365 commented 1 month ago

I'm getting issues when using the setup below.

Azure DevOps pipeline: ci.yaml

parameters:
  - name: workingDir
    type: string

stages:
- stage: TerraformContinuousIntegration
  displayName: Terraform - CI
  jobs:
    - job: StaticCodeAnalysis
      displayName: CI - Static Code Analysis
      pool:
        vmImage: ubuntu-latest
      steps:
      - task: MicrosoftSecurityDevOps@1
        displayName: 'Static Code Analysis - MDFC'
        inputs:
          categories: 'IaC'
          tools: 'checkov,terrascan'
        env:
          # a space after the colon is required for YAML to read this as a key/value entry
          GDN_CHECKOV_DIRECTORY: '$(System.DefaultWorkingDirectory)/${{ parameters.workingDir }}'
          GDN_CHECKOV_SKIPPATH: '/pipelines,/examples,/archive'
          GDN_CHECKOV_DOWNLOADEXTERNALMODULES: 'true'
          GDN_CHECKOV_CREATECONFIG: 'checkov-config.yaml'
          GDN_CHECKOV_SHOWCONFIG: 'true'
          GDN_CHECKOV_SKIPCHECK: 'CKV_TF_1'

Logs:

Clear:
Clearing folder: /home/vsts/work/1/s/.gdn/.r
Clearing folder: /home/vsts/work/1/s/.gdn/rc
Analyze:
Using environment variable override: SkipPath=/pipelines,/examples,/archive
Using environment variable override: SkipCheck=CKV_TF_1
Using environment variable override: DownloadExternalModules=true
Using environment variable override: CreateConfig=checkov-config.yaml
Using environment variable override: ShowConfig=true
Running Checkov 3.2.199

/home/vsts/work/_msdo/packages/nuget/Microsoft.Guardian.CheckovRedist_linux_amd64.3.2.199/tools/dist/checkov --directory ./ --output sarif --soft-fail --show-config --skip-path /pipelines,/examples,/archive --skip-check CKV_TF_1 --download-external-modules true --create-config checkov-config.yaml --output-file-path /home/vsts/work/1/s/.gdn/.r/checkov/001/checkov.sarif

[error]Wrote config file to checkov-config.yaml

Tool run time: 5.4715251 seconds
------------------------------------------------------------------------------
Checkov completed with exit code 0
------------------------------------------------------------------------------

If you look at the logs, checkov is still using --directory ./ instead of the value from the environment variable GDN_CHECKOV_DIRECTORY.

Also, let me know if it is okay to use the env variable GDN_CHECKOV_SKIPPATH with values like '/pipelines,/examples,/archive', because checkov is not skipping these paths correctly and is checking all the files from those directories as well.

cndaan commented 1 month ago

Same issue here.

It looks like the GDN_CHECKOV_DIRECTORY and the GDN_CHECKOV_FILE are not working for me. All other environment variables seem to be working except those two.

Can someone please fix this issue?
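An added illustration for both reports above (not code from the MicrosoftSecurityDevOps task, from checkov, or from either poster): a small line-based check of the `env:` block that flags entries written `KEY:'value'` (YAML only reads `KEY: value`, colon followed by whitespace, as a mapping entry, so such a variable is never defined), plus a reconstruction of how the logged `GDN_CHECKOV_*` overrides were rendered onto the checkov command line. Assumptions: the env-suffix-to-flag mapping is inferred from the "Using environment variable override" lines and the printed command (the `--directory` flag for a DIRECTORY override is inferred from the `--directory ./` default), `--show-config` is treated as a bare switch because the log shows it without a value, the sample `env` text is constructed, and `path_skipped` follows checkov's CLI help, which documents `--skip-path` as a regular expression that can be repeated.

```python
import re

# Options the task printed as "Using environment variable override: Name=value",
# mapped to the checkov flag each appeared as on the logged command line.
# "Directory" is not among those lines; its flag is assumed from "--directory ./".
# Order follows the logged command line.
OPTION_FLAGS = {
    "Directory": "--directory",
    "ShowConfig": "--show-config",
    "SkipPath": "--skip-path",
    "SkipCheck": "--skip-check",
    "DownloadExternalModules": "--download-external-modules",
    "CreateConfig": "--create-config",
}
ENV_PREFIX = "GDN_CHECKOV_"
# YAML reads `key: value` (colon + whitespace) as a mapping entry; `key:'value'` is not one.
MAPPING_ENTRY = re.compile(r"^\s*([A-Za-z0-9_]+):\s+(.*\S)\s*$")

# Constructed sample: an env block shaped like the one in the issue, with the
# DIRECTORY line written without a space after the colon.
POSTED_ENV = """\
        env:
          GDN_CHECKOV_DIRECTORY:'$(System.DefaultWorkingDirectory)/${{ parameters.workingDir }}'
          GDN_CHECKOV_SKIPPATH: '/pipelines,/examples,/archive'
          GDN_CHECKOV_SKIPCHECK: 'CKV_TF_1'
          GDN_CHECKOV_SHOWCONFIG: 'true'
"""
FIXED_ENV = POSTED_ENV.replace("GDN_CHECKOV_DIRECTORY:'", "GDN_CHECKOV_DIRECTORY: '")


def parse_env_block(pipeline_yaml):
    """Return (env, malformed) for the entries under the first `env:` key.

    Deliberately a line-based check, not a YAML parser: it only answers
    "which lines under env: are well-formed `KEY: value` entries?".
    """
    env, malformed, env_indent = {}, [], None
    for raw in pipeline_yaml.splitlines():
        stripped = raw.strip()
        indent = len(raw) - len(raw.lstrip())
        if env_indent is None:
            if stripped == "env:":
                env_indent = indent
            continue
        if not stripped or stripped.startswith("#"):
            continue
        if indent <= env_indent:
            break  # back at the task's level: the env block is over
        m = MAPPING_ENTRY.match(raw)
        if m is None:
            malformed.append(stripped)
            continue
        env[m.group(1)] = m.group(2).strip("'\"")
    return env, malformed


def env_to_checkov_args(env, default_directory="./"):
    """Render GDN_CHECKOV_* variables as checkov arguments the way the log shows.

    Assumptions: option names match the env suffix case-insensitively, unknown
    suffixes are ignored, and ShowConfig is a bare switch emitted only when its
    value is "true" (the log shows `--show-config` with no value).
    """
    by_option = {o.upper(): o for o in OPTION_FLAGS}
    overrides = {}
    for name, value in env.items():
        if name.startswith(ENV_PREFIX):
            option = by_option.get(name[len(ENV_PREFIX):].upper())
            if option:
                overrides[option] = value
    args = ["--directory", overrides.pop("Directory", default_directory),
            "--output", "sarif", "--soft-fail"]
    for option, flag in OPTION_FLAGS.items():
        if option not in overrides:
            continue
        if option == "ShowConfig":
            if overrides[option].lower() == "true":
                args.append(flag)
        else:
            args += [flag, overrides[option]]
    return args


def path_skipped(skip_path_value, relative_path):
    """Emulate one --skip-path test: checkov's CLI help documents the value as a
    regular expression (repeat the flag for several). The task passed the whole
    env value as one argument, so a comma-joined list is a single pattern."""
    return re.search(skip_path_value, relative_path) is not None


if __name__ == "__main__":
    for label, text in (("as posted", POSTED_ENV), ("fixed", FIXED_ENV)):
        env, bad = parse_env_block(text)
        print(label, "malformed:", bad)
        print(label, "command:", " ".join(env_to_checkov_args(env)))
    print(path_skipped("/pipelines,/examples,/archive", "/pipelines/ci.yaml"))
    print(path_skipped("/pipelines|/examples|/archive", "/pipelines/ci.yaml"))
```

Run as a script it shows the malformed DIRECTORY line falling out of the env block (so the rendered command keeps `--directory ./`) while the fixed block carries the override, and that a comma-joined `--skip-path` value, read as one regular expression, matches none of the intended paths. Whether the task accepts a regex alternation (or several values) in GDN_CHECKOV_SKIPPATH is not shown on this page; check the task's documentation before relying on it.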