This version of checkov is flagging nuget-built files
Please see this issue in the repo that provides an azure devops task wrapper, I believe I filed it in the incorrect project: https://github.com/microsoft/security-devops-azdevops/issues/130
Please see https://github.com/bridgecrewio/checkov/issues/6984#issuecomment-2633056268 as well, I've been trying to bring attention to this for a week or so.
Can we convince y'all to update to that newer version of checkov? Or can we override it ourselves somehow?
Every repo we have is flagging sha512 checksums as high vulnerabilities.
Further information: the version of checkov that we are getting with the MicrosoftSecurityDevOps@1 task is version 3.2.358, and this version is flagging these checksums. Checkov is currently on version 3.6.362, and the issue appears to have been fixed by 3.6.360. We cannot be the only user whose nuget-built projects are getting flagged by this - any fix or guidance is very much appreciated.
Hello @llourensenvision, I'm the Product Manager for this GH Action. While we wait for a response from the dev team, I'm hoping you can help me gather some feedback on your experience using this action. If you don't mind taking this 3 minute anonymous survey, it would be greatly appreciated!
https://forms.microsoft.com/r/tciV74znSh
James Brotsos - [email protected]