checkov
checkov copied to clipboard
bridgecrewio
Pre-commit should scan non-Terraform files
Is your feature request related to a problem? Please describe.
Running Checkov by hand will scan .tf, .yml, .yaml, and .json files for ARM templates, Cloudformation files, and Kubernetes files as well as Terraform files. The pre-commit hook only scans .tf files.
Describe the solution you'd like
I'd like to use checkov as a pre-commit hook the same way we can in our pipeline.
Describe alternatives you've considered
Since checkov is just running on the current directory via checkov -d ., the scan works on the other file types as is. But the hook will be skipped if no .tf files are changed,
Also, the analysis runs on the entire repo if any file (currently any .tf file) is changed, failing checks in files that were unchanged. Only changed files should be analyzed. Between pass_filenames: true in .pre-commit-hooks.yaml and providing multiple --file/-f arguments to checkov, it seems like it should be doable.
+1 to only running against files that have changed. It currently takes 8 minutes for Checkov to run against one of our repo's with only a single tf file updated.
Hi @OtherDevOpsGene and @sc-steven ! I believe the maintainers are using a separate related repo, https://github.com/bridgecrewio/checkov-action
for improvements/issues on the GitHub action.
@libertyy This issue and my comments are regarding the pre-commit hook, not the GitHub action. I'm not clear on what the connection is.
hi @OtherDevOpsGene, sounds usefull :) we will accept a PR on that topic. would you like to?
@OtherDevOpsGene did you resolve this issue? I have a similar desire.
Thanks for contributing to Checkov! We've automatically marked this issue as stale to keep our issues list tidy, because it has not had any activity for 6 months. It will be closed in 14 days if no further activity occurs. Commenting on this issue will remove the stale tag. If you want to talk through the issue or help us understand the priority and context, feel free to add a comment or join us in the Checkov slack channel at https://slack.bridgecrew.io Thanks!
![stale[bot] avatar](https://avatars.githubusercontent.com/in/1724?v=4 "Published by a pub.dev verified publisher"){kind=small}
Closing issue due to inactivity. If you feel this is in error, please re-open, or reach out to the community via slack: https://slack.bridgecrew.io Thanks!
Thanks for reopening this. I am interested in contributing. I tried to setup a pre-commit hook locally in one of my dev environment where I need to scan Docker and Kubernetes manifests along with Terraform manifests.
- repo: https://github.com/bridgecrewio/checkov
rev: '2.1.98' # change to tag or sha
hooks:
- id: checkov
files: '' # Check all files, not just *.tf
# Skip checks for testing, will review once the agent is running
entry: checkov -d . --skip-check CKV_K8S_14,CKV_K8S_29,CKV_K8S_31,CKV_K8S_38,CKV_K8S_43
I can scan all files like this, however as was mentioned in earlier comments, this forces checkov to scan everything including unchanged files; which can take some time in a large repo. I believe checkov should be able to handle multiple -f flags already, so I checked how pre-commit passes the changed files.
Pre-commit appears to pass the filenames as a space delimited string, so we should to be able to make a wrapper script to process the filenames as input and prefix a -f flag before each filename, and use that script in place of checkov in .pre-commit-hooks.yaml. We should check each file's existence as well to avoid filenames with spaces or other special characters causing any issues and generate a nice error message for the pre-commit log if anything breaks in the wrapper.
I've just come across this issue, and keen to hear how this progresses for helm charts in particular. Would be a great addition!
@tspearconquest looks like a good approach. It should be clear that results for multi file frameworks, like Terraform, will vary and introduce false positives, if connected resources are in different files.
Does it make sense to make a separate hook which works slightly differently for those frameworks?
I could keep this hook as it is for terraform and make separate hooks for docker and kubernetes manifests. I am afraid I don't have the option to test it against helm as we don't use helm in our org except in very rare cases we will template a helm chart out to plain manifests, and then throw away the chart.
This is doable by
- repo: https://github.com/bridgecrewio/checkov
rev: 2.2.21
hooks:
- id: checkov
files: ^(kubernetes|infrastructure)/
types_or: [yaml, terraform]
or if you want to specify args for each
- repo: https://github.com/bridgecrewio/checkov
rev: 2.2.21
hooks:
- id: checkov
files: ^kubernetes/
types_or: [yaml]
- repo: https://github.com/bridgecrewio/checkov
rev: 2.2.21
hooks:
- id: checkov
files: ^infrastructure/
types_or: [terraform]
or even just do it on all files
- repo: https://github.com/bridgecrewio/checkov
rev: 2.2.21
hooks:
- id: checkov
files: .
I dont know the implication of passing all the files to checkov so im not confident in creating a pull request. You can do more filtering following the https://pre-commit.com/#filtering-files-with-types guide
The hook already does target non terraform files: A hook configured like this 👍 `
- repo: https://github.com/bridgecrewio/checkov
rev: 2.3.96
hooks:
- id: checkov files: . verbose: true entry: checkov -d . --external-checks-dir checkov --download-external-modules true --compact`
Will detect everything including the GHA i have in .github. Whether its run directly with pre-commit - pre-commit run -a or via an actual checkin commit.
