
SSL Certificate Error : Skips using BC_* IDs will not work

Open jean-humann opened this issue 4 months ago • 3 comments

Describe the issue

When running checkov -d . I have this error

checkov -d .
2025-10-23 18:21:25,927 [MainThread  ] [WARNI]  Failed to get the checkov mappings and guidelines from https://api0.prismacloud.io/bridgecrew/api/v2/guidelines. Skips using BC_* IDs will not work.
Traceback (most recent call last):
  File "urllib3/connectionpool.py", line 716, in urlopen
  File "urllib3/connectionpool.py", line 404, in _make_request
  File "urllib3/connectionpool.py", line 1061, in _validate_conn
  File "urllib3/connection.py", line 419, in connect
  File "urllib3/util/ssl_.py", line 458, in ssl_wrap_socket
  File "urllib3/util/ssl_.py", line 502, in _ssl_wrap_socket_impl
  File "ssl.py", line 501, in wrap_socket
  File "ssl.py", line 1041, in _create
  File "ssl.py", line 1310, in do_handshake
ssl.SSLCertVerificationError: [SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed: unable to get local issuer certificate (_ssl.c:1129)

During handling of the above exception, another exception occurred:

Traceback (most recent call last):
  File "checkov/common/bridgecrew/platform_integration.py", line 1273, in get_public_run_config
    request = self.http.request("GET", self.guidelines_api_url, headers=headers)  # type:ignore[no-untyped-call]
  File "urllib3/request.py", line 77, in request
  File "urllib3/request.py", line 99, in request_encode_url
  File "urllib3/poolmanager.py", line 376, in urlopen
  File "urllib3/connectionpool.py", line 830, in urlopen
  File "urllib3/connectionpool.py", line 830, in urlopen
  File "urllib3/connectionpool.py", line 830, in urlopen
  File "urllib3/connectionpool.py", line 802, in urlopen
  File "urllib3/util/retry.py", line 594, in increment
urllib3.exceptions.MaxRetryError: HTTPSConnectionPool(host='api0.prismacloud.io', port=443): Max retries exceeded with url: /bridgecrew/api/v2/guidelines (Caused by SSLError(SSLCertVerificationError(1, '[SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed: unable to get local issuer certificate (_ssl.c:1129)')))

Version (please complete the following information):

  • Checkov Version 3.2.485

Additional context

Checkov is installed through mise cf. @jdx https://github.com/jdx/mise

which checkov
/Users/jean/.local/share/mise/installs/checkov/3.2.486/dist/checkov

jean-humann avatar Oct 23 '25 16:10 jean-humann

Can you run: curl https://api0.prismacloud.io/bridgecrew/api/v2/guidelines and then try: curl --insecure https://api0.prismacloud.io/bridgecrew/api/v2/guidelines? If the latter succeeds but the former does not, you likely have a certificate issue on your machine.

maxamel avatar Oct 23 '25 17:10 maxamel

Both of them are succeeding! I also checked the certificate details of https://api0.prismacloud.io/bridgecrew/api/v2/guidelines in my browser. For information, I have this error on my local Mac on macOS Version 26.1 Beta (25B5072a).

jean-humann avatar Oct 23 '25 17:10 jean-humann

Then it's probably something with your Python environment. If you can configure your Python environment to use the same certificates as your system (which is used by curl) there shouldn't be a problem. In any case, it doesn't look like an issue with checkov.

maxamel avatar Oct 23 '25 18:10 maxamel
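
An added example, not from the thread or from checkov: a Python diagnostic for the last reply's suggestion, reporting which CA file and directory this interpreter's OpenSSL consults by default and whether they hold any certificates. The function names and dictionary keys are assumptions of this example; the environment variable names are read from `ssl.get_default_verify_paths()`.

```python
import os
import ssl


def _dir_has_entries(path):
    try:
        return bool(os.listdir(path))
    except OSError:  # missing or unreadable directory
        return False


def resolve_trust_store(environ=None):
    """Report the CA file/dir OpenSSL would use by default, and what they hold."""
    environ = os.environ if environ is None else environ
    d = ssl.get_default_verify_paths()
    # OpenSSL checks these variables (normally SSL_CERT_FILE / SSL_CERT_DIR)
    # before falling back to the paths compiled into the library.
    cafile = environ.get(d.openssl_cafile_env, d.openssl_cafile)
    capath = environ.get(d.openssl_capath_env, d.openssl_capath)
    ca_count = 0
    try:
        ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
        ctx.load_verify_locations(cafile=cafile)
        ca_count = len(ctx.get_ca_certs())
    except OSError:  # missing, unreadable or certificate-free file
        pass
    return {
        "cafile_env": d.openssl_cafile_env,
        "cafile": cafile,
        "ca_count": ca_count,
        "capath": capath,
        "capath_populated": _dir_has_entries(capath),
    }


def verdict(report):
    if report["ca_count"] or report["capath_populated"]:
        return "trust store found: {ca_count} CA certs in {cafile}".format(**report)
    return ("no usable CA bundle at {cafile} or {capath}: expect 'unable to get "
            "local issuer certificate'; point {cafile_env} at a PEM bundle"
            ).format(**report)


if __name__ == "__main__":
    print(verdict(resolve_trust_store()))
```

On Windows, `ssl` also loads the system certificate store, which this report does not count.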