
Monorepo support

Open btilford opened this issue 4 years ago • 4 comments

Would adding support for autodiscovery of Terraform projects within a monorepo root or subdirectory be possible? Currently I've got 3 or 4 projects where I have to write several hundred lines of YAML to manually add each project (also remembering to update the YAML when a new project is added).

btilford avatar Dec 19 '20 01:12 btilford

I'm basically looking for something that includes directories/files to check. Maybe an excludes would be easier to implement at least then things can run a bit faster and dependencies/libs aren't being scanned recursively.

On Mon, Feb 8, 2021 at 5:36 PM Matt Johnson [email protected] wrote:

Hi Ben,

Would something like the following allow you to just get the failed checks section of the json without a new flag?

checkov -o json -f terraform/aws/ec2.tf | jq .results.failed_checks

checkov -o json -f terraform/aws/ec2.tf | jq .results.failed_checks > just_failed.json

— Reply to this email directly, or view it on GitHub: https://github.com/bridgecrewio/checkov-action/issues/22#issuecomment-775564640

btilford avatar Feb 09 '21 19:02 btilford

Hello @btilford

I think we may be able to satisfy what you're after as-is. I'm not sure about excluding dirs yet. But check out the below:

I use this action configuration to run a recursive checkov scan only in the 'modules' directory. By specifying 'framework: terraform' I am only running terraform scans.

      - name: Run Checkov action
        id: checkov
        uses: bridgecrewio/checkov-action@master
        with:
          directory: modules/        # scanned recursively; sibling dirs are not touched
          quiet: false               # keep passed checks in the output too
          soft_fail: false           # a failed check fails the job
          framework: terraform       # only run the Terraform checks
          output_format: cli

Will this do what you want? You could do things like use several blocks if you want to choose different specific dirs and subdirs to scan.

njgibbon avatar Feb 27 '21 17:02 njgibbon

Did not test, but directory: dir1/ -d dir2/ -d dir3/ might do the trick to scan selected set of directories.

While we're at it, can we enable Checkov GH actions to take multiple directories?

Edit: An alternative could be to run Checkov multiple times by changing the directory variable from a matrix which is dynamically built based on the changed directories extracted from the repository. Similar to: https://tomasvotruba.com/blog/2020/11/16/how-to-make-dynamic-matrix-in-github-actions/

alen-z avatar Jan 14 '22 10:01 alen-z
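The dynamic-matrix idea above needs a step that actually discovers the Terraform directories. The script below is an added example, not code from checkov-action or from anyone in this thread: it lists every directory that directly contains `*.tf` or `*.tf.json` files, prunes `.terraform` (provider and module caches, which would otherwise be scanned recursively), `.git` and `node_modules`, and emits the result as a JSON array that `fromJSON()` can turn into a matrix. The function names, the prune list and the assumption that `find`, `sed` and `sort` are available in the runner are all mine.

```shell
#!/bin/sh
# Added example, not code from checkov-action or the issue authors.
# Assumes POSIX sh with find, sed and sort; the repository root is passed as $1.

# Print every directory under $1 that directly contains Terraform files,
# one per line. Directories named .terraform, .git or node_modules are
# pruned so provider caches and vendored dependencies are never scanned.
discover_tf_dirs() {
  root="${1:-.}"
  find "$root" \
      \( -name .terraform -o -name .git -o -name node_modules \) -prune \
      -o -type f \( -name '*.tf' -o -name '*.tf.json' \) -print \
  | sed 's#/[^/]*$##' \
  | sort -u
}

# Emit the same directories as a JSON array of root-relative paths, which is
# the shape `fromJSON()` expects for a dynamic matrix. A Terraform file at the
# root itself is reported as ".".
tf_dirs_matrix_json() {
  root="${1:-.}"
  discover_tf_dirs "$root" | {
    first=1
    printf '['
    while IFS= read -r d; do
      if [ "$d" = "$root" ]; then
        rel="."
      else
        rel="${d#"$root"/}"
      fi
      # Escape backslashes and quotes so an odd directory name cannot break
      # the JSON (or the workflow expression that consumes it).
      rel=$(printf '%s' "$rel" | sed 's/\\/\\\\/g; s/"/\\"/g')
      if [ "$first" -eq 1 ]; then
        first=0
      else
        printf ','
      fi
      printf '"%s"' "$rel"
    done
    printf ']\n'
  }
}
```

In a "discover" job you would run `echo "dirs=$(tf_dirs_matrix_json .)" >> "$GITHUB_OUTPUT"`, expose it as a job output, and give the scan job `strategy.matrix.dir: ${{ fromJSON(needs.discover.outputs.dirs) }}` with `directory: ${{ matrix.dir }}` on the checkov-action step. Because the list is rebuilt on every run, a new project is picked up without any YAML change, and pruning `.terraform` is what keeps the per-directory scans fast.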

@alen-z I'm using .checkov.yaml to work around more options than the GitHub Action supports, such as a list of directories to skip using skip-path.

Here is my working template that I use in this and other repos:

https://github.com/HariSekhon/Templates/blob/master/.checkov.yaml

HariSekhon avatar Feb 22 '22 10:02 HariSekhon