Help me with an example of using environment variables with values for checkov and terrascan.
I'm getting issues using the setup below.
Azure Devops Pipeline: ci.yaml
parameters:
  - name: workingDir
    type: string
stages:
  - stage: TerraformContinuousIntegration
    displayName: Terraform - CI
    jobs:
      - job: StaticCodeAnalysis
        displayName: CI - Static Code Analysis
        pool:
          vmImage: ubuntu-latest
        steps:
          - task: MicrosoftSecurityDevOps@1
            displayName: 'Static Code Analysis - MDFC'
            inputs:
              categories: 'IaC'
              tools: 'checkov,terrascan'
            env:
              GDN_CHECKOV_DIRECTORY: '$(System.DefaultWorkingDirectory)/${{ parameters.workingDir }}'
              GDN_CHECKOV_SKIPPATH: '/pipelines,/examples,/archive'
              GDN_CHECKOV_DOWNLOADEXTERNALMODULES: 'true'
              GDN_CHECKOV_CREATECONFIG: 'checkov-config.yaml'
              GDN_CHECKOV_SHOWCONFIG: 'true'
              GDN_CHECKOV_SKIPCHECK: 'CKV_TF_1'
Logs:
------------------------------------------------------------------------------
Clear:
Clearing folder: /home/vsts/work/1/s/.gdn/.r
Clearing folder: /home/vsts/work/1/s/.gdn/rc
Analyze:
Using environment variable override: SkipPath=/pipelines,/examples,/archive
Using environment variable override: SkipCheck=CKV_TF_1
Using environment variable override: DownloadExternalModules=true
Using environment variable override: CreateConfig=checkov-config.yaml
Using environment variable override: ShowConfig=true
Running Checkov 3.2.199
------------------------------------------------------------------------------
/home/vsts/work/_msdo/packages/nuget/Microsoft.Guardian.CheckovRedist_linux_amd64.3.2.199/tools/dist/checkov --directory ./ --output sarif --soft-fail --show-config --skip-path /pipelines,/examples,/archive --skip-check CKV_TF_1 --download-external-modules true --create-config checkov-config.yaml --output-file-path /home/vsts/work/1/s/.gdn/.r/checkov/001/checkov.sarif
##[error]Wrote config file to checkov-config.yaml
Tool run time: 5.4715251 seconds
------------------------------------------------------------------------------
Checkov completed with exit code 0
------------------------------------------------------------------------------
If you look at the logs, checkov is still using the directory as `--directory ./` instead of the value from the environment variable GDN_CHECKOV_DIRECTORY.
Also, let me know if I'm okay to use the env variable GDN_CHECKOV_SKIPPATH with values like this: '/pipelines,/examples,/archive'. Checkov is not skipping these paths correctly and is checking all the files from those directories as well.
Same issue here.
It looks like the GDN_CHECKOV_DIRECTORY and the GDN_CHECKOV_FILE are not working for me. All other environment variables seem to be working except those two.
Can someone please fix this issue?
We need this too. Can someone please fix this? Ping @chrisnielsen-MS @richardtucker @sethRait or anyone from MS.
Hi folks,
With regards to the target directory, that one does work but it has a different environment variable: GDN_CHECKOV_TARGETDIRECTORY
I noticed our wiki had GDN_CHECKOV_DIRECTORY as well, so I fixed the documentation there. With regards to the skip paths, Checkov expects multiple values to be specified separately, like --skip-path /pipelines --skip-path /examples. This is currently not supported by our mechanism of passing values through environment variables, but we plan to add proper support for this soon in an upcoming release.
@cndaan -- we currently do not support the GDN_CHECKOV_FILE argument as it is mutually exclusive with --directory, for which we provide a default value. Once we have proper support for skipping subdirectories, would you still be interested in support for scanning a single file? If there is interest in this scenario separate from avoiding unnecessary scanning, I will add it to our backlog as well.
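For readers landing on this thread, here is the opening pipeline rewritten with the variable name given above. This is an added example, not the MSDO project's documentation: it uses GDN_CHECKOV_TARGETDIRECTORY (the override the maintainer says is honoured) instead of GDN_CHECKOV_DIRECTORY, and keeps a single skip path, because the env-var mechanism does not yet expand a list into repeated --skip-path flags. It assumes the remaining GDN_CHECKOV_* variables behave as they did in the original poster's log, where each was reported as "Using environment variable override".

```yaml
parameters:
  - name: workingDir
    type: string
stages:
  - stage: TerraformContinuousIntegration
    displayName: Terraform - CI
    jobs:
      - job: StaticCodeAnalysis
        displayName: CI - Static Code Analysis
        pool:
          vmImage: ubuntu-latest
        steps:
          - task: MicrosoftSecurityDevOps@1
            displayName: 'Static Code Analysis - MDFC'
            inputs:
              categories: 'IaC'
              tools: 'checkov,terrascan'
            env:
              # Variable name from the maintainer reply in this thread;
              # GDN_CHECKOV_DIRECTORY was a documentation error and is ignored.
              GDN_CHECKOV_TARGETDIRECTORY: '$(System.DefaultWorkingDirectory)/${{ parameters.workingDir }}'
              # One path only: a comma-separated list is passed to checkov as a
              # single --skip-path value and is not split into several flags.
              GDN_CHECKOV_SKIPPATH: '/pipelines'
              GDN_CHECKOV_DOWNLOADEXTERNALMODULES: 'true'
              GDN_CHECKOV_SKIPCHECK: 'CKV_TF_1'
```

When the override is picked up, the Analyze section of the task log should list it alongside the others before the checkov command line is printed; if the command line still shows `--directory ./`, the variable name was not recognised.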
@chrisnielsen-MS To my knowledge Checkov doesn't support scanning Terraform execution plans without the file argument.
From the Checkov documentation: "Plan evaluation provides Checkov additional dependencies and context that can result in a more complete scan result." https://www.checkov.io/7.Scan%20Examples/Terraform%20Plan%20Scanning.html
Thank you for confirming @masse-solita we will be addressing this in an upcoming release as well.
Great news @chrisnielsen-MS! Any ETA on the new release? 😄
Any news about the new release @chrisnielsen-MS?
@masse-solita - I talked to @chrisnielsen-MS and adding support for GDN_CHECKOV_FILE got missed in our subsequent checkov updates since this was opened. Chris is going to try to get to it within a few weeks.
James (Product Manager)
Alright! Thanks a lot!
@jbrotsos Would you have any update on schedule for this issue?
Hello @chrisnielsen-MS, I also want to skip a path and some checkov rules.
stages:
  - stage: AdvancedSecurity_IACS
    displayName: IaC Scanning with Microsoft Security DevOps (MSDO)
    jobs:
      - job: MSDO
        displayName: Microsoft Security DevOps Scanning
        steps:
          - checkout: self
          - task: MicrosoftSecurityDevOps@1
            displayName: 'Static Code Analysis - MDFC'
            inputs:
              categories: 'IaC'
              tools: 'checkov'
            env:
              GDN_CHECKOV_SKIPPATH: '/test-scenarios'
              GDN_CHECKOV_SKIPCHECK: 'CKV_AZURE_35'
But nothing happens on this job. Some help with this please?