
Host key verification failed

Open infa-ddeore opened this issue 2 years ago • 10 comments

Getting the below error in a GitHub Action (image used: bridgecrew/checkov:2.1.192); what could be the reason?

checkov -d .  --check CKV_OCI_1 --check CKV_OCI_2 --check CKV_OCI_3 --check CKV_OCI_4 --check CKV_OCI_5 --check CKV_OCI_6 --check CKV_OCI_7 --check CKV_OCI_8 --check CKV_OCI_9 --check CKV_OCI_10 --check CKV_OCI_11 --check CKV_OCI_12 --check CKV_OCI_13 --check CKV_OCI_14 --check CKV_OCI_15 --check CKV_OCI_16 --check CKV_OCI_17 --check CKV_OCI_18 --check CKV_OCI_19 --check CKV_OCI_20 --check CKV_OCI_21 --check CKV_OCI_22   --quiet   --output github_failed_only  --download-external-modules true    --framework terraform  
Error: -06 16:53:55,934 [MainThread  ] [ERROR]  failed to get git::ssh://[email protected]/xxxx/yyyy?ref=master because of Cmd('git') failed due to: exit code(128)
  cmdline: git clone -v --depth=1 -b master ssh://[email protected]/xxxx/yyyy /github/workspace/.external_modules/[email protected]/xxxx/yyyy/master
  stderr: 'Cloning into '/github/workspace/.external_modules/[email protected]/xxxxx/yyyy/master'...
Host key verification failed.
fatal: Could not read from remote repository.

Please make sure you have the correct access rights
and the repository exists.

infa-ddeore avatar Sep 06 '22 17:09 infa-ddeore

Hi @infa-ddeore, sounds like an SSH problem not related to the repository: https://www.google.com/search?q=Host+key+verification+failed

Saarett avatar Sep 21 '22 07:09 Saarett

I see the issue when downloading modules that are in the same organization as my current repo.

The only way I'm typically able to download those modules is by using a GitHub token. Regular SSH doesn't work super well for organizations.

There is a github_pat option, but that doesn't really work for me. My organization uses app tokens via machine-learning-apps/actions-app-token.

E.g. something invoked like this would be ideal:

    - name: Run Checkov Action
      uses: bridgecrewio/checkov-action@master
      with:
        app_token: ${{ steps.get_token.outputs.app_token }}

bmorrissirromb avatar Feb 10 '23 16:02 bmorrissirromb

I don't think there's support for app_token in checkov yet; if you request/contribute it (in the checkov repo), then it's trivial to update the action.

JamesWoolfenden avatar Feb 17 '23 16:02 JamesWoolfenden

I'm having the same issue when downloading Terraform modules from another private repository using an SSH key (URL).

Terraform snippet:

...
module "kms_s3_" {
  source = "git::ssh://[email protected]/Org/modules-repo.git//modules/kms?ref=0.1.0"
...
}

I had to load the SSH key into ssh-agent, but the problem is that it's not passed by default into the checkov container:

GitHub action snippet:

      - name: Configure SSH key for Terraform modules
        uses: webfactory/[email protected]
        with:
          ssh-private-key: ${{ secrets.SSH_PRIVATE_KEY }}

      - name: Execute Checkov
        uses: bridgecrewio/checkov-action@690d0bd74b5fa92fa780ffcfda77865b514da913
        with:
          output_format: cli,sarif
          output_file_path: console,results.sarif
          config_file: .checkov.yml
          directory: ./path

A workaround, I guess, would be to pass the SSH_AUTH_SOCK environment variable into the container and mount the temporary ssh-agent socket file inside the container, e.g. /tmp/ssh-XXXXXXzV0yXD/agent.3007?

cbugneac-nex avatar Aug 09 '23 07:08 cbugneac-nex

Same problem as @cbugneac-nex reported. SSH key via ssh-agent does not work (Terraform is able to download the modules).

ArneRiemann4711 avatar Aug 28 '23 13:08 ArneRiemann4711

I have tried this approach:

...
      - name: Configure SSH key for Terraform modules
        uses: webfactory/[email protected]
        with:
          ssh-private-key: ${{ secrets.TERRAFORM_MODULES_DEPLOY_KEY }}
          ssh-auth-sock: ${{ github.workspace }}/ssh-auth.sock

      - name: Copy .gitconfig and .ssh to workspace
        run: |
          cp -r ~/.gitconfig ~/.ssh ${{ github.workspace }}/
          sed -i 's|/home/runner|/github/workspace|g' ${{ github.workspace }}/.ssh/config

      - name: Run Checkov
        uses: bridgecrewio/checkov-action@v12
        env:
          SSH_AUTH_SOCK: /github/workspace/ssh-auth.sock
          GIT_CONFIG: /github/workspace/.gitconfig

but it still doesn't work. Some thoughts about discovered obstacles:

  • The checkov GH action runs in the container as the root user, so the SSH config file from the workspace directory is not picked up automatically; it needs to be in the /root directory, to which there is no access. https://linux.die.net/man/5/ssh_config. It seems there is no environment variable which allows overriding the location of the SSH config file.
  • The GH Docker action, which the checkov action uses, doesn't allow mounting additional volumes from the host system (at least I haven't found a simple solution). Here is what's mapped by default:
-v "/var/run/docker.sock":"/var/run/docker.sock" \
-v "/home/runner/work/_temp/_github_home":"/github/home" \
-v "/home/runner/work/_temp/_github_workflow":"/github/workflow" \
-v "/home/runner/work/_temp/_runner_file_commands":"/github/file_commands" \
-v "/home/runner/work/terraform-components/terraform-components":"/github/workspace" \

Possible workaround which works:

jobs:
...
  checkov:
    runs-on: ubuntu-22.04
    steps:
      - name: Checkout source code
        uses: actions/checkout@v4

      - name: Install Python
        uses: actions/setup-python@v5
        with:
          python-version: 3.11
          cache: pip

      - name: Install Checkov
        run: pip install -r requirements.txt

      - name: Configure SSH key for Terraform components and modules
        uses: webfactory/[email protected]
        with:
          ssh-private-key: |
            ${{ secrets.TERRAFORM_MODULES_DEPLOY_KEY }}

      - name: Execute Checkov
        run: |
          checkov -d . \
          --config-file .checkov.yml \
          --output cli \
          --output-file-path console

requirements.txt

checkov==3.2.50

Constantin07 avatar Apr 03 '24 14:04 Constantin07
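The "Host key verification failed" in the original report and the root/`/root/.ssh` observation above both come down to one question: does the ssh client that git runs inside the container see a known_hosts entry for the module's host? The helper below (an added example, not Checkov's or the action's code) pulls the SSH hostname out of the `git::ssh://...` and `git::git@host:...` module sources seen in this thread, checks a known_hosts file for it (plain and `|1|` hashed entries), and reports the SHA256 fingerprint of each matching key so it can be compared with the provider's published fingerprint. The host names and key blob are constructed sample values.

```python
"""Check that the SSH host of a Terraform git module source has a known_hosts entry."""
import base64
import hashlib
import hmac
import re
from typing import Iterable, Optional

# Matches the ssh module-source forms from checkov's "failed to get" messages:
#   git::ssh://git@HOST/org/repo.git//modules/x?ref=v1
#   git::git@HOST:org/repo.git//modules/x?ref=SHA
_SSH_SOURCE = re.compile(r"^(?:git::)?(?:ssh://)?[\w.-]+@([\w.-]+)[:/]")

# Constructed sample key blob (base64 of "some-fake-key-blob"), not a real host key.
EXAMPLE_KEY_B64 = "c29tZS1mYWtlLWtleS1ibG9i"


def ssh_host(source: str) -> Optional[str]:
    """Return the SSH hostname of a git module source, or None for non-SSH sources."""
    m = _SSH_SOURCE.match(source)
    return m.group(1) if m else None


def hashed_hostname(host: str, salt: bytes) -> str:
    """Build the |1|salt|hash field OpenSSH writes when HashKnownHosts is enabled."""
    digest = hmac.new(salt, host.encode(), hashlib.sha1).digest()
    return f"|1|{base64.b64encode(salt).decode()}|{base64.b64encode(digest).decode()}"


def _hostname_matches(field: str, host: str) -> bool:
    if field.startswith("|1|"):                      # hashed entry: recompute with its salt
        _, _, salt_b64, _ = field.split("|", 3)
        return field == hashed_hostname(host, base64.b64decode(salt_b64))
    return host in field.split(",")                  # plain entry, possibly "host,ip"


def key_fingerprint(key_b64: str) -> str:
    """SHA256 fingerprint in the form `ssh-keygen -lf` prints (no base64 padding)."""
    raw = hashlib.sha256(base64.b64decode(key_b64)).digest()
    return "SHA256:" + base64.b64encode(raw).decode().rstrip("=")


def known_hosts_fingerprints(known_hosts: Iterable[str], host: str) -> list:
    """Fingerprints of every key in known_hosts that applies to `host`.
    An empty list means ssh in the container will fail with 'Host key verification failed'."""
    found = []
    for line in known_hosts:
        parts = line.split()
        if parts and parts[0].startswith("@"):       # drop @cert-authority / @revoked marker
            parts = parts[1:]
        if len(parts) < 3 or line.lstrip().startswith("#"):
            continue
        if _hostname_matches(parts[0], host):
            found.append(key_fingerprint(parts[2]))
    return found
```

Once the pinned entry exists at a path the container can read, `GIT_SSH_COMMAND="ssh -o UserKnownHostsFile=/github/workspace/known_hosts -o StrictHostKeyChecking=yes"` makes git's ssh use it without needing a config file under `/root/.ssh`.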

@Constantin07 I've tried to use your proposed workaround, but unfortunately it didn't work. Do you have any other idea how to resolve this issue?

randrusiak avatar Apr 10 '24 10:04 randrusiak

With a slight modification for pipx, I was able to run it this way:

name: Run Checkov
on:
  pull_request:

jobs:
  checkov-job:
    runs-on: ubuntu-latest
    name: checkov-action
    steps:
      - name: Checkout repo
        uses: actions/checkout@master
        with:
          fetch-depth: 0

      - name: Install Checkov
        run: pipx install checkov

      - name: Configure SSH key for Terraform components and modules
        uses: webfactory/[email protected]
        with:
          ssh-private-key: |
            ${{ secrets.SSH_KEY }}

      - name: Execute Checkov
        run: |
          checkov -d . \
          --config-file ${{ github.workspace }}/.checkov.yml \
          --output cli \
          --output-file-path console

with this .checkov.yml in the repo root:

download-external-modules: true
directory: .
evaluate-variables: true
external-modules-download-path: .external_modules
secrets-history-timeout: 12h
secrets-scan-file-type: []
summary-position: top
skip-check: "CKV_TF_1,CKV_TF_2,CKV_AWS_144,CKV_AWS_18,CKV_AWS_21,CKV2_AWS_65"
framework: terraform

cc: @randrusiak

noizo avatar Jun 26 '24 11:06 noizo

Putting aside checkov-action, how does it work for you using Checkov?

Saarett avatar Jul 02 '24 21:07 Saarett

@noizo I tried your proposed solution, but the result is the same.

2024-07-17 10:38:40,316 [MainThread  ] [WARNI]  failed to get git::[email protected]:xxx/xxx.git//modules/aws/rds?ref=dc8a7e49ed6ae77e6030d197fc3cce8608fcfe4b because of Cmd('git') failed due to: exit code(128)
  cmdline: git clone -v --no-checkout -- [email protected]:xxx/xxx.git /__w/.external_modules/modules/aws/rds/dc8a7e49ed6ae77e6030d197fc3cce8608fcfe4b
  stderr: 'Cloning into '/__w/.external_modules/modules/aws/rds/dc8a7e49ed6ae77e6030d197fc3cce8608fcfe4b'...
Host key verification failed.
fatal: Could not read from remote repository.

randrusiak avatar Jul 17 '24 10:07 randrusiak