
Enhancement: make suppression work with external modules

Open tschechniker opened this issue 2 years ago • 17 comments

Describe the issue As the issue "Feature request: Support checkov:skip in modules" describes, skipping findings inside modules should work now. But when we use external modules it does not work. Checkov seems to test the external modules without any context from the "calling" reference.

Examples Please share an example code sample (in the IaC of your choice) + the expected outcomes.

module "test" {
  #checkov:skip=CKV_AZURE_50:this ignore should work but is ignored in the external module
  source = "git::https://github.com/hashicorp/example?ref=tags/0.0.1"
}

Version (please complete the following information):

  • 2.2.312

Additional context We set download-external-modules: true

tschechniker avatar Jan 30 '23 07:01 tschechniker

This has made many engineers at my org very unhappy with me; would love to see some development on this one.

tarfeef101 avatar Mar 07 '23 23:03 tarfeef101

+1 for this. Can't modify the external modules.

joebywan avatar Mar 13 '23 21:03 joebywan

+1 for this please :pray:

rjmsilveira avatar Mar 22 '23 14:03 rjmsilveira

+1 on this

mission-coliveros avatar Jul 14 '23 17:07 mission-coliveros

Also +1 for this one please - thanks

neilmca-inc avatar Sep 04 '23 13:09 neilmca-inc

+1. Wasn't that already implemented in https://github.com/bridgecrewio/checkov/issues/777 and https://github.com/bridgecrewio/checkov/pull/1629? Does this mean there's a regression?

We have the same problems

module "gitlab_project" {
  source                      = "gitlab.com/my-org/project/gitlab"
  version                     = "16.6.0"

  #checkov:skip=CKV_GLB_4: "Ensure GitLab commits are signed"
  reject_unsigned_commits = false
}

We are using --download-external-modules true and CHECKOV_EXPERIMENTAL_TERRAFORM_MANAGED_MODULES=True

Error:

Check: CKV_GLB_4: "Ensure GitLab commits are signed"

tim-harpe avatar Dec 30 '23 23:12 tim-harpe

+1

GurayCetin avatar Feb 22 '24 16:02 GurayCetin

+1

jomora avatar Apr 11 '24 14:04 jomora

+1

leewoobin789 avatar May 17 '24 08:05 leewoobin789

+1

ghost avatar May 17 '24 15:05 ghost

Can someone please add a full example that doesn't work? thx.

When tested with this test - https://github.com/bridgecrewio/checkov/blob/0197bfc9d5a26c30ff7e2d3186e7866774c1bb1c/tests/terraform/runner/test_runner.py#L618

And added suppression to this module - https://github.com/bridgecrewio/checkov/blob/0197bfc9d5a26c30ff7e2d3186e7866774c1bb1c/tests/terraform/runner/resources/multiple_module_versions/main.tf#L1

(+ changed the source to be "git::https://github.com...." and not "terraform-aws-modules/ec2-instance/aws")

And everything works as expected: the resources with violations are now in the skipped resources list.

@tsmithv11 FYI

ChanochShayner avatar Jun 10 '24 11:06 ChanochShayner

@ChanochShayner This is a full test case, but we use a private module registry and obviously I cannot share that one.

module "kms-test" {
  #checkov:skip=CKV_AWS_33:Ensure KMS key policy does not contain wildcard (*) principal:Restricted with condition

  source  = "artifactory.company-internal.net/joined-terraform__terraform-aws-modules/kms/aws"
  version = "3.1.0"

  key_usage               = "ENCRYPT_DECRYPT"
  deletion_window_in_days = 7
  enable_key_rotation     = true

  enable_default_policy = true
  source_policy_documents = [
    data.aws_iam_policy_document.kms.json,
  ]
}

data "aws_iam_policy_document" "kms" {
  statement {
    sid = "BAD policy"
    actions = [
      "kms:Encrypt",
      "kms:ReEncrypt*",
      "kms:GenerateDataKey*",
      "kms:DescribeKey",
      "kms:CreateGrant",
      "kms:Decrypt",
    ]

    effect = "Allow"

    principals {
      identifiers = ["*"]
      type        = "AWS"
    }

    resources = ["*"]
  }
}

It gives:

Check: CKV_AWS_33: "Ensure KMS key policy does not contain wildcard (*) principal"
	FAILED for resource: module.kms-test.aws_kms_key.this[0]
	File: /plan.json:0-0
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/ensure-kms-key-policy-does-not-contain-wildcard-principal

lapkritinis avatar Aug 20 '24 07:08 lapkritinis
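The behaviour the thread is asking for is that a `#checkov:skip=` comment placed on the calling `module` block propagates to findings reported against resources inside that module, i.e. addresses of the form `module.<name>.<type>.<name>[idx]` as in the `module.kms-test.aws_kms_key.this[0]` output above. The following is an added illustration of that propagation logic, not checkov's own code: the regexes, the `Finding` type, the function names and the embedded Terraform sample and findings are all constructed assumptions, written so the mapping can be exercised offline.

```python
"""Added example (not checkov's code): map `#checkov:skip=` comments declared
on Terraform `module` blocks onto findings reported for resources inside those
modules, so a skip on `module "kms-test"` suppresses
`module.kms-test.aws_kms_key.this[0]`.

Names, regexes and sample data below are assumptions for illustration only.
"""
import re
from dataclasses import dataclass

# Opening line of a module block:   module "name" {
MODULE_HEADER_RE = re.compile(r'^\s*module\s+"(?P<name>[^"]+)"\s*\{')
# Suppression comment:   #checkov:skip=CKV_ID:optional justification
SKIP_RE = re.compile(r'#\s*checkov:skip=(?P<check>[A-Z0-9_]+)(?::(?P<comment>.*))?')


@dataclass(frozen=True)
class Finding:
    check_id: str
    resource: str  # e.g. "module.kms-test.aws_kms_key.this[0]"


def collect_module_skips(tf_source: str) -> dict[str, dict[str, str]]:
    """Return {module_name: {check_id: justification}} for every skip comment
    found inside a module block. Brace depth is tracked so the skip is only
    attributed to the block it physically sits in."""
    skips: dict[str, dict[str, str]] = {}
    current = None
    depth = 0
    for line in tf_source.splitlines():
        header = MODULE_HEADER_RE.match(line)
        if header and current is None:
            current = header.group("name")
            skips.setdefault(current, {})
            depth = 0
        if current is not None:
            m = SKIP_RE.search(line)
            if m:
                skips[current][m.group("check")] = (m.group("comment") or "").strip()
            depth += line.count("{") - line.count("}")
            if depth <= 0:
                current = None
    return skips


def module_path(resource_address: str) -> list[str]:
    """Chain of calling module names in a resource address:
    module.a.module.b.aws_kms_key.this[0] -> ["a", "b"]; root resources -> []."""
    parts = resource_address.split(".")
    names: list[str] = []
    i = 0
    while i + 1 < len(parts) and parts[i] == "module":
        names.append(parts[i + 1])
        i += 2
    return names


def is_suppressed(finding: Finding, skips: dict[str, dict[str, str]]) -> bool:
    """A finding is suppressed if any calling module on its address path
    carries a skip for that check id (the propagation the issue requests)."""
    return any(finding.check_id in skips.get(name, {}) for name in module_path(finding.resource))


def partition(findings: list[Finding], skips: dict[str, dict[str, str]]):
    """Split findings into (failed, skipped) the way a report would list them."""
    failed = [f for f in findings if not is_suppressed(f, skips)]
    skipped = [f for f in findings if is_suppressed(f, skips)]
    return failed, skipped


# Constructed sample input, modelled on the module blocks posted in the thread.
SAMPLE_TF = '''
module "kms-test" {
  #checkov:skip=CKV_AWS_33:Ensure KMS key policy does not contain wildcard (*) principal:Restricted with condition
  source  = "artifactory.company-internal.net/joined-terraform__terraform-aws-modules/kms/aws"
  version = "3.1.0"
  enable_key_rotation = true
}

module "gitlab_project" {
  source  = "gitlab.com/my-org/project/gitlab"
  version = "16.6.0"
  #checkov:skip=CKV_GLB_4: "Ensure GitLab commits are signed"
  reject_unsigned_commits = false
}

resource "aws_kms_key" "root" {
  enable_key_rotation = true
}
'''

# Constructed findings: one inside the module with a matching skip, one inside
# the module with a different check id, one on a root resource with no skip.
SAMPLE_FINDINGS = [
    Finding("CKV_AWS_33", "module.kms-test.aws_kms_key.this[0]"),
    Finding("CKV_AWS_7", "module.kms-test.aws_kms_key.this[0]"),
    Finding("CKV_AWS_33", "aws_kms_key.root"),
]


def demo():
    """Run the mapping over the constructed sample; returns (failed, skipped)."""
    return partition(SAMPLE_FINDINGS, collect_module_skips(SAMPLE_TF))


if __name__ == "__main__":
    failed, skipped = demo()
    for f in failed:
        print(f"FAILED  {f.check_id} {f.resource}")
    for f in skipped:
        print(f"SKIPPED {f.check_id} {f.resource}")
```

Note that the skip is keyed on the module name from the resource address, not on the module's `source`, so it behaves the same whether the module comes from a git URL, a private registry or a local path; the hyphen in `kms-test` is fine because Terraform addresses are dot-separated. A root-level resource never inherits a module skip, and a skip for a different check id inside the same module is still reported.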