checkov
Checkov should not warn about downloading external modules if `--download-external-modules` is explicitly set to `false`.
Describe the issue
When `--download-external-modules` is explicitly set to `false`, Checkov still produces warnings indicating that downloading external modules has failed.
If I am explicitly setting this value to `false`, it is not useful to produce a warning, and may lead to confusion for those running the output.
Examples
```shell
# command
checkov \
  --dir . \
  --download-external-modules false \
  --baseline .checkov.baseline \
  --output-baseline-as-skipped \
  --output cli \
  --output junitxml \
  --output-file-path console,'test-results/checkov.xml'
```
Warning (sanitized):
```
2023-11-21 14:01:42,192 [MainThread ] [WARNI] Failed to download module <module_path> (for external modules, the --download-external-modules flag is required)
```
Version (please complete the following information):
- Checkov Version 3.1.8
Additional context
Downloading external modules is disabled in our pipeline to avoid performing checks against code that we do not have any control over as part of the CI process.
edit:
At present, I am using `2> >(grep -v 'Failed to download module' >&2)` to filter this output out of the CI job console.
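A POSIX-sh variant of the stderr filter mentioned in the edit above, as an added example that is not part of the original post or of the Checkov project: it drops only lines containing the given text, passes every other stderr line through, and returns the wrapped command's own exit status so a CI job still fails on findings. `filter_stderr` and `fake_scan` are hypothetical names, and `fake_scan` is a constructed stand-in for a scanner run.

```shell
#!/bin/sh
# Added example: suppress one known warning on stderr without hiding other
# stderr output and without losing the wrapped command's exit status.

# filter_stderr PATTERN COMMAND [ARGS...]   (hypothetical helper)
# PATTERN is matched as a fixed string (grep -F), not as a regex.
filter_stderr() {
    _fs_pattern=$1
    shift
    {
        # fd 3 = caller's stdout; fd 4 = side channel carrying the exit status.
        _fs_rc=$(
            {
                {
                    _fs_s=0
                    # stderr goes into the pipe, stdout goes to the caller.
                    # "|| _fs_s=$?" keeps this safe under `set -e`.
                    "$@" 2>&1 >&3 3>&- 4>&- || _fs_s=$?
                    echo "$_fs_s" >&4
                } | {
                    # grep -v exits 1 when it prints nothing; that is not an error here.
                    grep -vF -- "$_fs_pattern" >&2 || true
                } 3>&- 4>&-
            } 4>&1
        )
    } 3>&1
    return "$_fs_rc"
}

# Constructed stand-in for a scanner run: one summary line on stdout, the
# warning quoted in the issue plus an unrelated (constructed) error on stderr,
# and a non-zero exit status as if a check had failed.
fake_scan() {
    printf '%s\n' 'constructed summary: 1 failed check'
    printf '%s\n' '2023-11-21 14:01:42,192 [MainThread ] [WARNI] Failed to download module <module_path> (for external modules, the --download-external-modules flag is required)' >&2
    printf '%s\n' '2023-11-21 14:01:43,001 [MainThread ] [ERROR] constructed: unrelated error' >&2
    return 1
}

# Usage with the command from the issue (not executed here):
#   filter_stderr 'Failed to download module' checkov --dir . --download-external-modules false
```

Unlike `2> >(grep -v ...)`, this form does not need bash process substitution, so it also works where the CI step runs under plain `sh`.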
hey @bgshacklett thanks for reaching out.
I don't think we can actually differentiate between setting the flag with `false` or not, because it is the default. I'll keep it open, if someone wants to investigate it further.
Hi,
Same scenario as raised, I am explicitly turning off checking external modules as I have no control over the code (and have some faith it's not terrible). No need to warn with 20+ lines that an external module is not being downloaded.
Same here. It's counterintuitive to set the flag to false only for a checkov run to fail. I'm seeing this on version 3.2.22.