Support for SSL Inspection: Allow CA Cert Loading or Disable SSL Verification for External Module Downloads
Our company operates behind an SSL inspection proxy for all egress traffic. When using Checkov to scan Terraform configurations that include external modules from the Terraform Registry, the download fails due to SSL certificate verification errors.
Currently, Checkov does not appear to support:
- Loading a custom CA certificate file to trust our internal proxy
- Disabling SSL verification for these external module downloads
This limitation prevents us from using Checkov effectively in our environment. We've attempted workarounds such as setting REQUESTS_CA_BUNDLE and --no_cert_verify, but these do not resolve the issue when Checkov attempts to fetch modules from the registry.
Example error: `SSLError(SSLCertVerificationError(1, '[SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed: unable to get local issuer certificate'))`
We believe this is a common scenario for enterprises with strict network controls. It would be extremely helpful if Checkov could:
- Accept a path to a custom CA bundle for external requests
- Provide a flag to disable SSL verification for module downloads
Please let us know if there are any existing workarounds or if this feature is on the roadmap. Thanks!
Can you try using the env vars PROXY_URL and PROXY_CA_PATH to set the needed parameters? Unfortunately, disabling SSL verification is not supported.
@maxamel There is an issue with checkov.terraform.module_loading.loaders.RegistryLoader, which uses the prepared request flow but does not call merge_environment_settings, as described in https://requests.readthedocs.io/en/latest/user/advanced:
When you are using the prepared request flow, keep in mind that it does not take into account the environment. This can cause problems if you are using environment variables to change the behaviour of requests. For example: Self-signed SSL certificates specified in REQUESTS_CA_BUNDLE will not be taken into account. As a result an SSL: CERTIFICATE_VERIFY_FAILED is thrown. You can get around this behaviour by explicitly merging the environment settings into your session:
```python
from requests import Request, Session

# Placeholder target; the original snippet from the requests docs leaves `url` undefined.
url = "https://example.com/"

s = Session()
req = Request('GET', url)
prepped = s.prepare_request(req)
# Merge environment settings (REQUESTS_CA_BUNDLE, HTTPS_PROXY, NO_PROXY, ...) into the
# prepared request; Session.send() alone would use the session defaults and ignore them.
settings = s.merge_environment_settings(prepped.url, {}, None, None, None)
resp = s.send(prepped, **settings)
print(resp.status_code)
```
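The following is an added example, not code from this thread, from Checkov or from the requests documentation. It makes the behaviour described above observable without touching the network: with `REQUESTS_CA_BUNDLE` and `HTTPS_PROXY` set, `Session.send(prepped)` on its own would still use the session defaults (`verify=True`, no proxies), whereas the settings returned by `merge_environment_settings` pick up both. It assumes the `requests` package is installed; the registry URL, CA bundle path and proxy URL are constructed placeholders, and `fetch_module()` is a hypothetical name for the corrected loader pattern, not a Checkov function.

```python
"""Demonstrate why a prepared-request flow ignores REQUESTS_CA_BUNDLE/HTTPS_PROXY
and how merge_environment_settings() restores them.

Assumptions: `requests` is installed. REGISTRY_URL, the CA path and the proxy URL
used below are constructed for illustration; resolved_settings() sends nothing.
"""
import os
from typing import Optional
from unittest.mock import patch

from requests import Request, Session

# Illustrative module download URL (constructed, not fetched by the test).
REGISTRY_URL = "https://registry.terraform.io/v1/modules/hashicorp/consul/aws/download"


def resolved_settings(url: str,
                      ca_bundle: Optional[str] = None,
                      proxy_url: Optional[str] = None) -> dict:
    """Return what Session.send() would use for `url` before and after the
    environment is merged in.

    The process environment is replaced (clear=True) with only the variables
    given, so the result does not depend on the caller's real environment.
    """
    env = {}
    if ca_bundle:
        env["REQUESTS_CA_BUNDLE"] = ca_bundle
    if proxy_url:
        env["HTTPS_PROXY"] = proxy_url
    with patch.dict(os.environ, env, clear=True):
        s = Session()
        prepped = s.prepare_request(Request("GET", url))
        # A bare s.send(prepped) falls back to the session defaults: verify=True
        # (the bundled certifi store) and an empty proxy map. This is the
        # RegistryLoader bug: the corporate CA and the egress proxy are ignored.
        naive = {"verify": s.verify, "proxies": dict(s.proxies)}
        # merge_environment_settings() consults REQUESTS_CA_BUNDLE / CURL_CA_BUNDLE
        # and the *_PROXY / NO_PROXY variables because trust_env is True.
        merged = s.merge_environment_settings(prepped.url, {}, None, None, None)
    return {"naive": naive, "merged": dict(merged)}


def fetch_module(url: str, session: Optional[Session] = None):
    """Hypothetical corrected loader: prepared request plus environment merge.

    This is the pattern the comment above recommends; it is not Checkov's code.
    It performs a real HTTP request and is therefore not exercised by the test.
    """
    s = session or Session()
    prepped = s.prepare_request(Request("GET", url))
    settings = s.merge_environment_settings(prepped.url, {}, None, None, None)
    return s.send(prepped, **settings)


if __name__ == "__main__":
    result = resolved_settings(REGISTRY_URL,
                               ca_bundle="/etc/ssl/corp-proxy-ca.pem",
                               proxy_url="http://proxy.corp.example:3128")
    print("without merge:", result["naive"])
    print("with merge   :", {k: result["merged"][k] for k in ("verify", "proxies")})
```

Running the block prints `verify: True` and no proxies for the unmerged path, and the corporate CA path plus the `https` proxy once merged. Note that `merged["verify"]` is the path string itself, so `Session.send(prepped, **settings)` will validate the inspection proxy's certificate against that bundle rather than against certifi.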