microsoft / security-devops-azdevops

Microsoft Security DevOps extension for Azure DevOps.
MIT License

Unable to Authenticate to Private Terraform Module Registry with Checkov #117

Open isaacoluwade opened 4 months ago

isaacoluwade commented 4 months ago

I am encountering an issue with the Microsoft Security DevOps task (microsoftsecuritydevops@1) when trying to authenticate to our private Terraform module registry using Checkov. Although Checkov supports authentication via the "TF_REGISTRY_TOKEN" environment variable, this method does not seem to work within the microsoftsecuritydevops@1 task.

Could you please provide guidance on how to successfully authenticate to a private module registry while using Checkov in this context?

Thank you.

I have tried:

```yaml
- task: MicrosoftSecurityDevOps@1
  displayName: 'Checkov Policy Scanner'
  inputs:
    command: run
    policy: azuredevops
    tools: checkov
    break: true
    publish: true
    artifactName: CodeAnalysisLogs
  env:
    TF_REGISTRY_TOKEN: $(TF_REGISTRY_TOKEN)
    TF_HOST_NAME: $(TF_HOST_NAME)
    GDN_CHECKOV_FRAMEWORK: "terraform"
    GDN_CHECKOV_DOWNLOADEXTERNALMODULES: "true"
```

and also tried:

```yaml
- task: MicrosoftSecurityDevOps@1
  displayName: 'Checkov Policy Scanner'
  inputs:
    command: run
    policy: azuredevops
    tools: checkov
    break: true
    publish: true
    artifactName: CodeAnalysisLogs
  env:
    GDN_CHECKOV_TF_REGISTRY_TOKEN: $(TF_REGISTRY_TOKEN)
    GDN_CHECKOV_TF_HOST_NAME: $(TF_HOST_NAME)
    GDN_CHECKOV_FRAMEWORK: "terraform"
    GDN_CHECKOV_DOWNLOADEXTERNALMODULES: "true"
```

But nothing seems to work. If Checkov is replacing Terrascan as the default IaC code analysis tool for microsoftsecuritydevops@1, then this feature is extremely important.

Terrascan has the GDN_TERRASCAN_USETERRAFORMCACHE option to authenticate using the terraform init cache for remote modules.

t3hprofit commented 1 month ago

How are you referencing your external modules? Check out the InstallSSHKey@0 task. We run this prior to running the MSDO task. There are some decent tutorials on getting it to work around the internet. https://dev.to/pwd9000/connect-terraform-to-azure-devops-git-repos-over-ssh-163c#:~:text=When%20using%20an%20Azure%20DevOps%20pipeline%20to%20execute may be a good starting point.

You'll need to add the SSH keys to your pipeline library Secure files, and you'll also need some other variables for the knownHostsEntry, and passphrase (if you set one).
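The workaround described in the comment above, written out as a complete pipeline job. This is an added example, not code from the thread or from the security-devops-azdevops project: it chains the InstallSSHKey@0 task in front of MicrosoftSecurityDevOps@1 so that Checkov can fetch external modules referenced by git-over-SSH sources. The secure-file name (module-deploy-key) and the pipeline variables (MODULE_HOST_KNOWN_HOSTS, MODULE_DEPLOY_PUBLIC_KEY, MODULE_DEPLOY_KEY_PASSPHRASE) are placeholders you would define in your own library; the MSDO inputs and GDN_CHECKOV_* variables are the ones already shown in the issue.

```yaml
# Added example (not from the project or the thread): install an SSH deploy key
# before the MSDO Checkov scan so git::ssh:// module sources can be downloaded.
# Secure-file and variable names are placeholders; replace them with your own.
jobs:
  - job: iac_scan
    pool:
      vmImage: ubuntu-latest
    steps:
      - checkout: self

      # 1. Install the private key held in Pipeline Library > Secure files.
      #    knownHostsEntry pins the module host's key so the scan fails closed
      #    on an unexpected host key instead of trusting it on first use.
      - task: InstallSSHKey@0
        displayName: 'Install SSH deploy key for module repos'
        inputs:
          knownHostsEntry: $(MODULE_HOST_KNOWN_HOSTS)    # e.g. "ssh.dev.azure.com ssh-rsa AAAA..." (placeholder)
          sshPublicKey: $(MODULE_DEPLOY_PUBLIC_KEY)       # public half of the deploy key (placeholder)
          sshPassphrase: $(MODULE_DEPLOY_KEY_PASSPHRASE)  # secret variable; omit if the key has no passphrase
          sshKeySecureFile: module-deploy-key             # secure file name (placeholder)

      # 2. Run the MSDO task with Checkov. External modules are fetched through
      #    the SSH agent configured by the previous step, so no registry token
      #    is needed for git-sourced modules.
      - task: MicrosoftSecurityDevOps@1
        displayName: 'Checkov Policy Scanner'
        inputs:
          command: run
          policy: azuredevops
          tools: checkov
          break: true
          publish: true
          artifactName: CodeAnalysisLogs
        env:
          GDN_CHECKOV_FRAMEWORK: "terraform"
          GDN_CHECKOV_DOWNLOADEXTERNALMODULES: "true"
```

For this to apply, the Terraform module sources themselves must use the SSH form (for example `source = "git::ssh://git@ssh.dev.azure.com/v3/<org>/<project>/<repo>//modules/<name>?ref=v1.2.0"`, with the placeholders filled in), not a registry address, since it is the SSH agent rather than TF_REGISTRY_TOKEN that is doing the authentication here. Pinning `?ref=` to a tag or commit keeps the scanned module content deterministic, and keeping the key in Secure files with a secret passphrase variable avoids exposing it in pipeline logs.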