does not work to specify multiple external-checks-git and external-checks-dir #6159

Open
krizi opened this issue Apr 10, 2024 · 1 comment
Labels
checks Check additions or changes

Comments


krizi commented Apr 10, 2024

Describe the issue
I have issues running checkov with multiple external checks. Right now only the first reference is picked up and used; the others are ignored.
All sources that are used work if they're the only source, but if all are referenced at the same time only the first is working; the others are ignored.

Examples

framework:
- kubernetes
external-checks-git:
  - ssh://[email protected]/common-checks.git//base
  - ssh://[email protected]/common-checks.git//specific
external-checks-dir:
  - checks
quiet: true
compact: true

Version (please complete the following information):

  • Checkov Version: 3.2.50

Additional context
This is one of the checks I used to verify whether all sources are used.

from __future__ import annotations

from typing import Any

from checkov.common.models.enums import CheckCategories, CheckResult
from checkov.kubernetes.checks.resource.base_spec_check import BaseK8Check


class VerifyNamespace(BaseK8Check):
    def __init__(self) -> None:
        name = "Namespace must start with 'my-'"
        id = "MY_ID_1"
        supported_kind = ("Namespace",)
        categories = (CheckCategories.KUBERNETES,)
        super().__init__(name=name, id=id, categories=categories, supported_entities=supported_kind)

    def scan_spec_conf(self, conf: dict[str, Any]) -> CheckResult:
        metadata = conf.get("metadata")
        if metadata:
            name = metadata["name"]
            if name.lower().startswith("my-"):
                return CheckResult.PASSED
            else:
                return CheckResult.FAILED
        return CheckResult.UNKNOWN


check = VerifyNamespace()

command used to execute:

CHECKOV_OPTS="\
--soft-fail
--skip-download
--directory $configroot/rendered
--output junitxml
--config-file checkov.yaml"

checkov $CHECKOV_OPTS --baseline $configroot/.checkov.baseline --output-baseline-as-skipped --create-baseline | tee checkov-$testname.xml
@krizi krizi added the checks Check additions or changes label Apr 10, 2024
Contributor

gruebel commented Apr 12, 2024

Hey @krizi, this is not possible, as written in the CLI documentation:

--external-checks-dir EXTERNAL_CHECKS_DIR -> Directory for custom checks to be loaded. Can be repeated

--external-checks-git EXTERNAL_CHECKS_GIT -> GitHub URL of external checks to be added. you can specify a subdirectory after a double-slash //. possible to use ?ref=tags/tagName or ?ref=heads/branchName or ?ref=commit_id. Cannot be used together with --external-checks-dir

Both together can't be used; the --external-checks-git will overwrite the --external-checks-dir. Only the --external-checks-dir is repeatable.
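Added example, not checkov's own code and not from either participant: a small pre-flight linter that applies the two rules quoted above to a parsed checkov.yaml and reports which custom-check sources would be silently dropped, so a pipeline can fail loudly instead of scanning with fewer security checks than intended. It takes the config as the dict yaml.safe_load would return; the sample config and repository URLs are constructed.

```python
from __future__ import annotations

from typing import Any

# Constructed sample mirroring the checkov.yaml from the issue, in the form
# yaml.safe_load would return it. The repository URLs are placeholders.
ISSUE_CONFIG: dict[str, Any] = {
    "framework": ["kubernetes"],
    "external-checks-git": [
        "ssh://git@example.invalid/common-checks.git//base",
        "ssh://git@example.invalid/common-checks.git//specific",
    ],
    "external-checks-dir": ["checks"],
}


def _as_list(value: Any) -> list[str]:
    """Normalise a missing key, YAML scalar or YAML sequence to a list."""
    if value is None:
        return []
    return [value] if isinstance(value, str) else [str(v) for v in value]


def effective_sources(config: dict[str, Any]) -> list[str]:
    """Sources checkov loads under the two rules quoted in the thread:
    external-checks-git is not repeatable (first entry only) and, when set,
    it overrides external-checks-dir."""
    git_sources = _as_list(config.get("external-checks-git"))
    if git_sources:
        return git_sources[:1]
    return _as_list(config.get("external-checks-dir"))


def lint_external_checks(config: dict[str, Any]) -> list[str]:
    """Return one warning per custom-check source that would be silently
    dropped; an empty list means every configured source is loaded."""
    git_sources = _as_list(config.get("external-checks-git"))
    dir_sources = _as_list(config.get("external-checks-dir"))
    findings = [
        f"external-checks-git is not repeatable; {src!r} will be ignored"
        for src in git_sources[1:]
    ]
    if git_sources:
        findings += [
            f"external-checks-git overrides external-checks-dir; {d!r} will be ignored"
            for d in dir_sources
        ]
    return findings
```

Run it against the issue's config and it reports two dropped sources (the second git subdirectory and the local checks directory), which is exactly what the reporter observed.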
