Custom YAML Checks against nested directory only showing filename in output
Describe the Issue

I have the following folder structure:

app
    dev
        dev-file.tf
    qa
        qa-file.tf
checkov
    customcheck1.yaml
    customcheck2.py
I have some custom checks, most written in YAML but a couple written in Python, which I want to execute against the top-level app directory using a command like the following. In this simplified example, I don't want check1 to be applied to files under the dev folder and I don't want check2 to be applied to files under the qa folder.
checkov --framework terraform --compact -d app/ --external-checks-dir checkov --skip-check 'CKV2_Company_check1:dev/*.tf,CKV2_company_check2:qa/*.tf'
When I do this, the Python checks recognize the full relative path of the files and work as desired. The output is something like:
Check: CKV2_Company_check2: "custom check 2"
PASSED for resource: kubernetes_manifest.xyz
File: \dev\dev-file.tf:1-38
However, the skips for the YAML checks do not work, and the check looks at all files under all sub-folders of the top-level folder. I believe this is because the file path is getting truncated to just the filename, as shown in the output:
Check: CKV2_Company_check1: "custom check 1"
PASSED for resource: kubernetes_manifest.xyz
File: \dev-file.tf:1-38
Check: CKV2_Company_check1: "custom check 1"
PASSED for resource: kubernetes_manifest.abc
File: \qa-file.tf:40-77
Is it possible to have custom checks in YAML recognize the full relative path like the checks written in Python do?
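To make the failure mode concrete, here is an added illustration (my own code, not Checkov's implementation) of how a `CHECK_ID:glob` skip list such as the one in the command above can be matched against file paths. It assumes the skip entries are shell-style globs matched against the path relative to the scanned directory, which is what the reporter's command expects. The sample skip argument and the two forms of file path are taken from the issue; a bare filename with the directory stripped can never match a directory-qualified pattern, so the check is evaluated everywhere.

```python
import fnmatch

# Constructed sample: the --skip-check argument from the issue.
SKIP_ARG = "CKV2_Company_check1:dev/*.tf,CKV2_company_check2:qa/*.tf"


def parse_skip_arg(arg):
    """Parse 'ID:pattern,ID:pattern' into {check_id: [glob, ...]}.

    An entry without a ':' is assumed to skip the check for every file ('*').
    """
    skips = {}
    for entry in arg.split(","):
        entry = entry.strip()
        if not entry:
            continue
        check_id, sep, pattern = entry.partition(":")
        skips.setdefault(check_id, []).append(pattern if sep else "*")
    return skips


def normalise(path):
    """Turn a reported path (Windows '\\dev\\dev-file.tf' or POSIX) into a
    forward-slash relative path with no leading separator."""
    return path.replace("\\", "/").lstrip("/")


def should_skip(check_id, file_path, skips):
    """True if check_id is suppressed for file_path under the parsed skips.

    Matching is done against the full relative path, so 'dev/*.tf' matches
    'dev/dev-file.tf' but not the truncated 'dev-file.tf'.
    """
    rel = normalise(file_path)
    return any(fnmatch.fnmatchcase(rel, pat) for pat in skips.get(check_id, []))


def evaluate(findings, skips):
    """Classify (check_id, file_path) pairs as 'skipped' or 'evaluated'."""
    return {
        (check_id, path): "skipped" if should_skip(check_id, path, skips) else "evaluated"
        for check_id, path in findings
    }


# Constructed findings: the Python check reports the full relative path, the
# YAML check (per the issue) reports only the filename.
PYTHON_CHECK_FINDINGS = [
    ("CKV2_company_check2", "\\dev\\dev-file.tf"),
    ("CKV2_company_check2", "\\qa\\qa-file.tf"),
]
YAML_CHECK_FINDINGS = [
    ("CKV2_Company_check1", "\\dev-file.tf"),
    ("CKV2_Company_check1", "\\qa-file.tf"),
]

if __name__ == "__main__":
    skips = parse_skip_arg(SKIP_ARG)
    for name, findings in (("python", PYTHON_CHECK_FINDINGS), ("yaml", YAML_CHECK_FINDINGS)):
        for key, verdict in evaluate(findings, skips).items():
            print(f"{name:6} {key[0]} {normalise(key[1])}: {verdict}")
```

Running it shows the Python-style findings honouring the skip for the qa file, while neither YAML-style finding is skipped, because `dev-file.tf` carries no directory component for `dev/*.tf` to match.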
Hi @mjseid , thank you for reaching out. I'm not sure it was intended to be used this way, @gruebel @tsmithv11 do you know otherwise?
I don't believe so. I would recommend running Checkov multiple times, once per subdirectory, with the skips that you want.
Yes, running once per subdirectory would work, but it isn't ideal since my automation would then be customized for each repo. For now I've just abandoned YAML and written everything in Python.
It would be nice for the two methods to work in a similar fashion, though. Being able to write custom checks in YAML was super fast and easy, and I would think that having the YAML checks show the full subdirectory path like Python does would be beneficial beyond just the use case I described. For example, it is nice to just run checkov once against a top-level directory and have the same file name in multiple sub-directories. It works with YAML, but you can't tell which subdirectory contained the file with the failure.
Yeah, I think it is kind of weird that the path for the YAML check finding is only showing the filename and not the whole relative path, like for the Python check.
Thanks for contributing to Checkov! We've automatically marked this issue as stale to keep our issues list tidy, because it has not had any activity for 6 months. It will be closed in 14 days if no further activity occurs. Commenting on this issue will remove the stale tag. If you want to talk through the issue or help us understand the priority and context, feel free to add a comment or join us in the Checkov slack channel at codifiedsecurity.slack.com Thanks!
Closing issue due to inactivity. If you feel this is in error, please re-open, or reach out to the community via slack: codifiedsecurity.slack.com Thanks!