Help me with the example of using environment variables with values for checkov and terrascan

[babuga365]

I'm getting issues for using below setup

Azure Devops Pipeline: ci.yaml

parameters:
  - name: workingDir
    type: string

stages:
- stage: TerraformContinuousIntegration
  displayName: Terraform - CI
  jobs:
    - job: StaticCodeAnalysis
      displayName: CI - Static Code Analysis 
      pool:
        vmImage: ubuntu-latest
      steps:
      - task: MicrosoftSecurityDevOps@1
        displayName: 'Static Code Analysis - MDFC'
        inputs:
          categories: 'IaC'
          tools: 'checkov,terrascan'
        env:
          GDN_CHECKOV_DIRECTORY:'$(System.DefaultWorkingDirectory)/${{ parameters.workingDir }}'
          GDN_CHECKOV_SKIPPATH: '/pipelines,/examples,/archive'
          GDN_CHECKOV_DOWNLOADEXTERNALMODULES: 'true'
          GDN_CHECKOV_CREATECONFIG: 'checkov-config.yaml'
          GDN_CHECKOV_SHOWCONFIG: 'true'
          GDN_CHECKOV_SKIPCHECK: 'CKV_TF_1'

Logs:
------------------------------------------------------------------------------
Clear:
Clearing folder: /home/vsts/work/1/s/.gdn/.r
Clearing folder: /home/vsts/work/1/s/.gdn/rc
Analyze:
Using environment variable override: SkipPath=/pipelines,/examples,/archive
Using environment variable override: SkipCheck=CKV_TF_1
Using environment variable override: DownloadExternalModules=true
Using environment variable override: CreateConfig=checkov-config.yaml
Using environment variable override: ShowConfig=true
Running Checkov 3.2.199
------------------------------------------------------------------------------
/home/vsts/work/_msdo/packages/nuget/Microsoft.Guardian.CheckovRedist_linux_amd64.3.2.199/tools/dist/checkov --directory ./ --output sarif --soft-fail --show-config --skip-path /pipelines,/examples,/archive --skip-check CKV_TF_1 --download-external-modules true --create-config checkov-config.yaml --output-file-path /home/vsts/work/1/s/.gdn/.r/checkov/001/checkov.sarif
##[error]Wrote config file to checkov-config.yaml
Tool run time: 5.4715251 seconds
------------------------------------------------------------------------------
Checkov completed with exit code 0
------------------------------------------------------------------------------

If you see the logs, the checkov is still using directory as: --directory ./ instead of value from environment variable: GDN_CHECKOV_DIRECTORY

Also let me know, If I'm okay to use this env variable: GDN_CHECKOV_SKIPPATH with values like this: '/pipelines,/examples,/archive'. Because checkov is not skipping this path correctly and checking all the files from this directory as well.

[Daan222]

Same issue here.

It looks like the GDN_CHECKOV_DIRECTORY and the GDN_CHECKOV_FILE are not working for me. All other environment variables seem to be working except those two.

Can someone please fix this issue?

[masse-solita]

We need this too. Can someone please fix this? Ping @chrisnielsen-MS @richardtucker @sethRait or anyone from MS.

[chrisnielsen-MS]

Hi folks,

With regards to the target directory, that one does work but it has a different environment variable: GDN_CHECKOV_TARGETDIRECTORY

I noticed our wiki had GDN_CHECKOV_DIRECTORY as well, so I fixed the documentation there. With regards to the skip paths, Checkov expects multiple values to be specified separately, like --skip-path /pipelines --skip-path /examples. This is currently not supported by our mechanism of passing values through environment variables, but we plan to add proper support for this soon in an upcoming release.

@cndaan -- we currently do not support the GDN_CHECKOV_FILE argument as it is mutually exclusive with --directory, for which we provide a default value. Once we have proper support for skipping subdirectories, would you still be interested in support for scanning a single file? If there is interest in this scenario separate from avoiding unnecessary scanning, I will add it to our backlog as well.

[masse-solita]

@chrisnielsen-MS To my knowledge Checkov doesn't support scanning Terraform execution plans without the file argument.

From the Checkov documentation: "Plan evaluation provides Checkov additional dependencies and context that can result in a more complete scan result." https://www.checkov.io/7.Scan%20Examples/Terraform%20Plan%20Scanning.html

[chrisnielsen-MS]

Thank you for confirming @masse-solita we will be addressing this in an upcoming release as well.

[masse-solita]

Great news @chrisnielsen-MS! Any ETA on the new release? 😄

[masse-solita]

Any news about the new release @chrisnielsen-MS?

[jbrotsos]

@masse-solita - I talked to @chrisnielsen-MS and adding support for GDN_CHECKOV_FILE got missed in our subsequent checkov updates since this was opened. Chris is going to try to get to in within a few weeks.

James (Product Manager)

[masse-solita]

Alright! Thanks a lot!

[solita-mjarva]

@jbrotsos Would you have any update on schedule for this issue?

[manuhmm]

hello @chrisnielsen-MS, i also want to skip path and some checkov rules

stages:

• stage: AdvancedSecurity_IACS
  displayName: IaC Scanning with Microsoft Security DevOps (MSDO)
  jobs:

  • job: MSDO
    displayName: Microsoft Security DevOps Scanning

    steps:

    • checkout: self

    • task: MicrosoftSecurityDevOps@1
      displayName: 'Static Code Analysis - MDFC'
      inputs:
      categories: 'IaC'
      tools: 'checkov'
      env:
      GDN_CHECKOV_SKIPPATH: '/test-scenarios'
      GDN_CHECKOV_SKIPCHECK: 'CKV_AZURE_35'

But nothing happens on this job. Some help with this please?