Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Default --directory parameter overrides directory in .checkov.yml #77

Open
nayoa opened this issue Feb 7, 2022 · 3 comments
Open

Default --directory parameter overrides directory in .checkov.yml #77

nayoa opened this issue Feb 7, 2022 · 3 comments
Assignees
@kartikp10

Comments

@nayoa
Copy link

nayoa commented Feb 7, 2022

.checkov.yml:

directory:
  - infra
evaluate-variables: true
framework: all
output: cli
quiet: true
download-external-modules: false

Action config:

      - name: Run Checkov
        uses: bridgecrewio/checkov-action@master
        with:
          config_file: .checkov.yml

Expected outcome:

$ checkov --output sarif   --config-file .checkov.yml

Current outcome:

$ checkov -d .  --output sarif   --config-file .checkov.yml
@kartikp10 kartikp10 self-assigned this Feb 7, 2022
@kartikp10
Copy link
Contributor

Hey @nayoa, if the in-line --directory argument is overriding the config file, that behavior is by design. See the note at the bottom of checkov --help

Args that start with '--' (eg. -v) can also be set in a config file
(/Users/kpande/Downloads/.checkov.yaml or /Users/kpande/Downloads/.checkov.yml
or /Users/kpande/.checkov.yaml or /Users/kpande/.checkov.yml or specified via
--config-file). The config file uses YAML syntax and must represent a YAML
'mapping' (for details, see http://learn.getgrav.org/advanced/yaml). If an arg
is specified in more than one place, then commandline values override
environment variables which override config file values which override
defaults.

Let me know if that is not what you meant.

@ptchau2003
Copy link

@kartikp10 : The action is still on . directory instead of the directory mentioned in config.yaml

..
running checkov on directory: .
checkov -d .     --output sarif   --config-file .github/workflows/checkov_config.yaml  
..

@switchdk
Copy link

Although I experience the same problem and it is driving me nuts, I think the subject/title of this issue should more accurately reflect the problem. This is not about the --directory parameter but about the directory setting in .checkov.yaml being ignored (completely). It makes it impossible to use the checkov-action for larger repos or monorepos. As an example, I need to check Kubernetes manifests created with kustomize. However, if Checkov traverses all directories from . then Checkov will fail with a stacktrace due to how kustomize directory structure is and you can overwrite values. At the moment, the Checkov Action is unusable with kustomize repositories I think.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees

@kartikp10 kartikp10

Labels
None yet
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
4 participants
@switchdk @nayoa @kartikp10 @ptchau2003