Feature Request / Bug / Integration Issue - checkov environmental variables / feature flags
Opened this issue · 3 comments
Describe the feature
Sorry if this is a bit of a rant. Checkov is great... It could be even better.
I'm not sure if this is a Bug, a Feature Request, an Integration Issue or poor design / sloppy implementation. The integration issue is with https://github.com/bridgecrewio/checkov-action, however other tools probably follow a similar approach, as the documentation https://www.checkov.io/2.Basics/CLI%20Command%20Reference.html means a lot of these features (and debugging issues) are harder than they need to be.
Many checkov features are implemented as ad-hoc environmental variables rather than feature flags; as such they are 3rd class citizens. I initially thought this might be addressed by the `--var-file` cli arg, however that appears to be the terraform / helm environment rather than the checkov environment.
I'm specifically referring to the following, however I imagine they are all throughout the checkov code. The key issue with all of these is the use of `os.getenv` deep within code where there would ideally be a more consolidated approach. Examples that come to mind are:
- `LOG_LEVEL`
- `CHECKOV_OUTPUT_CODE_LINE_LIMIT`
- `TF_HOST_NAME`
Checkov is a really great tool, but when it's not doing what people expect it's really hard to figure out why, and the sad point is that most of what people expect is available... but they have to dig through issues such as this one to find things like `LOG_LEVEL`, and then they need an understanding of python to put together where to look in checkov for where the thing they are after might be.
In my specific case I have a private registry that's on an RFC1918 host using boring-registry. It works perfectly fine for a terraform source of

```hcl
module "thing" {
  source  = "hostname/namespace/name/system"
  version = "0.0.1"
}
```
However this was obviously not downloading. I initially tried to see if checkov had a `verbose` or `debug` cli flag (as opposed to the `--quiet` flag), but no such luck. I then went to checking local http logs, firewall logs and performing `curl` tests to ensure that I was able to connect to the registry, which was fine. It was only after an hour of searching I found the `LOG_LEVEL` cli arg and then in those logs saw `404 Client Error: Not Found for url: https://registry.terraform.io/vi/modules/hostname/namespace/name/system:0.0.1` and the line above showing the class (Thank You for the log info once I figured out how to expose it).
Now we get to https://github.com/bridgecrewio/checkov-action which doesn't allow ad-hoc environmental variables. I cannot use the `var_file` arg because it's args passed to Terraform / Helm rather than the environment for checkov itself, and I also cannot put this config into the `config_file` arg because of the ad-hoc `os.getenv` calls scattered through checkov.
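One way to get the consolidation the post asks for, as an added example that is hypothetical and not checkov's code: a single flag table that documents every environment variable and resolves each one with precedence CLI > config file > environment > default, so a `config_file` entry can stand in for an ad-hoc variable. The variable names are the ones from the post; the config keys, default values and the `Settings` class are assumptions.

```python
"""Hypothetical consolidated settings loader (added example, not checkov's own code)."""
from __future__ import annotations

import os
from dataclasses import dataclass
from typing import Any, Mapping

# One table for every flag: (environment variable, assumed default, parser).
# Keeping this in one place lets --help, the docs and the config file share it.
FLAGS = {
    "log_level": ("LOG_LEVEL", "WARNING", str),
    "output_code_line_limit": ("CHECKOV_OUTPUT_CODE_LINE_LIMIT", 50, int),
    "tf_host_name": ("TF_HOST_NAME", "registry.terraform.io", str),
}


@dataclass(frozen=True)
class Settings:
    log_level: str
    output_code_line_limit: int
    tf_host_name: str


def load_settings(cli: Mapping[str, Any] | None = None,
                  config_file: Mapping[str, Any] | None = None,
                  env: Mapping[str, str] | None = None) -> Settings:
    """Resolve each flag with precedence CLI > config file > environment > default.

    `env` defaults to os.environ; tests pass a constructed mapping instead.
    """
    cli = cli or {}
    config_file = config_file or {}
    env = os.environ if env is None else env
    resolved: dict[str, Any] = {}
    for key, (env_name, default, parse) in FLAGS.items():
        if cli.get(key) is not None:
            raw = cli[key]
        elif key in config_file:
            raw = config_file[key]
        elif env_name in env:
            raw = env[env_name]
        else:
            raw = default
        try:
            resolved[key] = parse(raw)
        except (TypeError, ValueError) as exc:
            # Fail loudly at start-up instead of silently falling back deep in the code.
            raise ValueError(f"invalid value {raw!r} for {key} ({env_name})") from exc
    return Settings(**resolved)


def describe_flags() -> list[str]:
    """Help/docs text generated from the same table, so it cannot drift from the code."""
    return [f"{k}: env {e}, default {d!r}" for k, (e, d, _) in FLAGS.items()]
```

With such a table, the private registry in the post would be set with `tf_host_name` in the action's `config_file` and the log level would show up in `--help` without reading the source.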
Hi @timothyclarke, thank you for reaching out. We will look into it and will keep you updated.
@timothyclarke I appreciate the feedback! I want to ask if these two solutions will solve or help your situation:
- Better document environment variables in https://www.checkov.io/2.Basics/CLI%20Command%20Reference.html
- Allow for arbitrary environment variables in our GitHub Action.
Will this work? Any other suggestions?
@tsmithv11 that sounds good. Thank you