checkov
Prisma Policy Labels not working
Description
At the company I work at we are using Checkov together with Prisma Cloud Code Security, and I'm having trouble using the policy labels in Prisma to filter checks.
On Prisma's side, I've added a label to the "Default namespace is used" policy check called "mikko-testaa".

Filtering on Prisma via this label works, as it only shows the namespace policy check.

Execution and Results
With that in mind, these are the checkov commands that I used both locally and on Jenkins: `checkov -d . --framework helm -o json --output-file-path . --prisma-api-url [PRISMAURL] --bc-api-key [PRISMAUSER::PRISMAKEY] --policy-metadata-filter policy.label=mikko-testaa`
I tried running as-is and also running via a config file, both returning the same result:

Have I misunderstood the policy-metadata-filter parameter? What am I doing wrong?
Version
Checkov version 2.1.179
The fact that "Available options:" shows empty makes me think there is something wrong with getting policies from Prisma?
Hey @MikkoMyllyniemi I haven't been able to reproduce this issue. I applied a similar label to the policy and it worked as expected.
❯ ckv -l --policy-metadata-filter policy.label=kartik-test --bc-api-key "$PC_ACCESS_KEY::$PC_SECRET_KEY"
| | Id | Type | Entity | Policy | IaC |
|----|------------|----------|-----------------------------------|---------------------------|-----------|
| 0 | CKV_K8S_21 | resource | kubernetes_config_map | Default namespace is used | Terraform |
| 1 | CKV_K8S_21 | resource | kubernetes_cron_job | Default namespace is used | Terraform |
| 2 | CKV_K8S_21 | resource | kubernetes_daemonset | Default namespace is used | Terraform |
| 3 | CKV_K8S_21 | resource | kubernetes_deployment | Default namespace is used | Terraform |
| 4 | CKV_K8S_21 | resource | kubernetes_ingress | Default namespace is used | Terraform |
| 5 | CKV_K8S_21 | resource | kubernetes_job | Default namespace is used | Terraform |
| 6 | CKV_K8S_21 | resource | kubernetes_pod | Default namespace is used | Terraform |
| 7 | CKV_K8S_21 | resource | kubernetes_replication_controller | Default namespace is used | Terraform |
| 8 | CKV_K8S_21 | resource | kubernetes_role_binding | Default namespace is used | Terraform |
| 9 | CKV_K8S_21 | resource | kubernetes_secret | Default namespace is used | Terraform |
| 10 | CKV_K8S_21 | resource | kubernetes_service | Default namespace is used | Terraform |
| 11 | CKV_K8S_21 | resource | kubernetes_service_account | Default namespace is used | Terraform |
| 12 | CKV_K8S_21 | resource | kubernetes_stateful_set | Default namespace is used | Terraform |
---
Can you please share debug logs? You can enable debug logging by setting the env var LOG_LEVEL=DEBUG. Please be sure to redact any sensitive data from the logs.
Never mind, I found the issue. It appears that GET https://api.prismacloud.io/filter/policy/suggest returns only "recently used" filters and therefore a new label may or may not be returned. I'll fix this to use this method instead: https://prisma.pan.dev/api/cloud/cspm/policy#operation/get-policy-filter-options
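The following is an added illustration, not checkov's or Prisma Cloud's code, of the two technical points in this thread: how a `--policy-metadata-filter policy.label=<value>` spec is parsed and applied, and why validating the value against a "recently used" suggestion list (rather than against the full set of labels in the policy catalog) makes a freshly created label such as `mikko-testaa` fail with an empty or incomplete "Available options" list. The `Policy` record, the placeholder check IDs `CKV_EXAMPLE_*`, the label `previously-used-label`, the `RECENTLY_USED_SUGGESTIONS` set and all function names are constructed assumptions; only `CKV_K8S_21`, its title and the label `mikko-testaa` come from the issue.

```python
"""Policy-metadata label filtering and the validation pitfall from this issue.

Added example; not checkov's or Prisma Cloud's code. Policy records, check
identifiers other than CKV_K8S_21, label names other than mikko-testaa and
all function names are constructed for illustration.
"""
from __future__ import annotations

from dataclasses import dataclass
from typing import Iterable


@dataclass(frozen=True)
class Policy:
    """Constructed stand-in for one policy record returned by a policy API."""
    check_id: str
    title: str
    labels: tuple[str, ...] = ()


# Constructed catalog: the labelled check from the issue plus two placeholders.
CATALOG: list[Policy] = [
    Policy("CKV_K8S_21", "Default namespace is used", ("mikko-testaa",)),
    Policy("CKV_EXAMPLE_1", "Placeholder policy without labels"),
    Policy("CKV_EXAMPLE_2", "Placeholder policy with an older label", ("previously-used-label",)),
]

# Constructed: what a "recently used filters" suggestion endpoint might return.
# The freshly created label is absent, which is the failure mode in the issue.
RECENTLY_USED_SUGGESTIONS: frozenset[str] = frozenset({"previously-used-label"})

FILTER_SPEC = "policy.label=mikko-testaa"


def parse_metadata_filter(spec: str) -> tuple[str, str]:
    """Split a 'key=value' filter such as 'policy.label=mikko-testaa'."""
    key, sep, value = spec.partition("=")
    if not sep or not key.strip() or not value.strip():
        raise ValueError(f"filter must look like key=value, got {spec!r}")
    return key.strip(), value.strip()


def label_options_from_catalog(policies: Iterable[Policy]) -> frozenset[str]:
    """Every label actually attached to some policy: the complete option list."""
    return frozenset(label for policy in policies for label in policy.labels)


def select_policies(spec: str, policies: list[Policy],
                    available_options: frozenset[str]) -> list[Policy]:
    """Validate the filter value against `available_options`, then apply it."""
    key, value = parse_metadata_filter(spec)
    if key != "policy.label":
        raise ValueError(f"unsupported filter key {key!r}")
    if value not in available_options:
        # A perfectly valid label is rejected here whenever `available_options`
        # came from an incomplete source such as a recently-used suggestion list.
        shown = sorted(available_options) or "(empty)"
        raise LookupError(f"label {value!r} not among available options: {shown}")
    return [policy for policy in policies if value in policy.labels]


def filter_using_suggestions() -> str:
    """Wrong source of truth: the new label is rejected although it exists."""
    try:
        select_policies(FILTER_SPEC, CATALOG, RECENTLY_USED_SUGGESTIONS)
    except LookupError as exc:
        return str(exc)
    return "accepted"


def filter_using_catalog() -> list[str]:
    """Right source of truth: options derived from the full policy catalog."""
    matches = select_policies(FILTER_SPEC, CATALOG, label_options_from_catalog(CATALOG))
    return [policy.check_id for policy in matches]


if __name__ == "__main__":
    print("suggestions:", filter_using_suggestions())
    print("catalog:    ", filter_using_catalog())
```

Running the block shows the two outcomes side by side: with the suggestion list as the source of truth the filter is refused and the user sees only the stale options, while deriving the option list from the catalog itself returns `CKV_K8S_21`, which is the behaviour the maintainer's own `kartik-test` run exhibited once the label happened to be in the suggestions.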