Commit f3884134 authored by Pierre Smeyers's avatar Pierre Smeyers

Merge branch '62-tf-checkov-job-args-pitfall' into 'master'

tf-checkov: usability improvement for checkov args

Closes #62

See merge request to-be-continuous/terraform!92
parents 6b83a168 371b5838
+10 −5
@@ -453,10 +453,15 @@ In addition to a textual report in the console, this job produces the following
[checkov](https://github.com/bridgecrewio/checkov) is a static code analysis tool for infrastructure-as-code and uses the following variables:

| Name                 | description                              | default value                                |
| -------------------- | ------------------------------------------------------------------------------------------ | -------------------- |
| -------------------- | ---------------------------------------- | -------------------------------------------- |
| `TF_CHECKOV_IMAGE`   | the Docker image used to run checkov     | `registry.hub.docker.com/bridgecrew/checkov` |
| `TF_CHECKOV_ENABLED` | Set to `true` to enable checkov          | _none_ (disabled)                            |
| `TF_CHECKOV_ARGS`    | checkov [options and args](https://www.checkov.io/2.Basics/CLI%20Command%20Reference.html) | `--directory .`      |
| `TF_CHECKOV_ARGS`    | additional checkov [options and args][1] | `--framework terraform`                      |

[1]: https://www.checkov.io/2.Basics/CLI%20Command%20Reference.html

Command line arguments for `checkov` are the result of the concatenation of `--directory .` and  `$TF_CHECKOV_ARGS`.
As a consequence additional `--directory` or `--file` arguments will be ignored.

In addition to a textual report in the console, this job produces the following reports, kept for one day:
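Review bot: the added sentence "As a consequence additional `--directory` or `--file` arguments will be ignored" states a behaviour this change does not enforce: the job only prepends `--directory .` to `$TF_CHECKOV_ARGS`, so any extra path options are passed straight through to checkov, and how checkov combines them is not shown here. Suggest the verifiable wording "the job always scans the current directory; do not pass `--directory` or `--file` in `TF_CHECKOV_ARGS`". Also, the rewritten table row describes the variable as "additional checkov options and args" while its default value is `--framework terraform`; a user who sets `TF_CHECKOV_ARGS` replaces that default rather than appending to it, so the README should say that overriding the variable drops the Terraform framework filter unless `--framework terraform` is repeated.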

+1 −1
@@ -99,7 +99,7 @@
        {
          "name": "TF_CHECKOV_ARGS",
          "description": "checkov [options and args](https://www.checkov.io/2.Basics/CLI%20Command%20Reference.html)",
          "default": "--directory .",
          "default": "--framework terraform",
          "advanced": true
        }
      ]
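Review bot: only the `"default"` value is updated here; the `"description"` string still reads "checkov [options and args](...)" while the README row in the same merge request now says "additional checkov options and args". Update it too so the variable is documented consistently in both places, e.g. `"description": "additional checkov [options and args](https://www.checkov.io/2.Basics/CLI%20Command%20Reference.html)"`.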
+4 −4
@@ -65,7 +65,7 @@ variables:
  TF_TFLINT_IMAGE: "ghcr.io/terraform-linters/tflint-bundle:latest"
  TF_TFLINT_ARGS: "--enable-plugin=google --enable-plugin=azurerm --enable-plugin=aws --recursive"
  TF_CHECKOV_IMAGE: "registry.hub.docker.com/bridgecrew/checkov"
  TF_CHECKOV_ARGS: "--framework terraform --directory ."
  TF_CHECKOV_ARGS: "--framework terraform"
  TF_INFRACOST_IMAGE: "registry.hub.docker.com/infracost/infracost"
  TF_INFRACOST_ARGS: "breakdown"
  TF_INFACOST_USAGE_FILE: "infracost-usage.yml"
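Review bot: dropping `--directory .` from the `TF_CHECKOV_ARGS` default matches the README and job changes, but since the directory is now hard-coded in the job script, a short comment next to `TF_CHECKOV_ARGS` saying so would stop someone re-adding `--directory .` to the default later. Unrelated to this change but visible in the context lines: `TF_INFACOST_USAGE_FILE` looks like a typo of `TF_INFRACOST_USAGE_FILE` (the neighbouring variables use the `TF_INFRACOST_` prefix); worth a separate fix, since renaming a variable is a breaking change for users who already set it.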
@@ -793,13 +793,13 @@ tf-checkov:
    # checkov allows generating several report formats at once using multiple --output options
    # and --output-file-path but the option defines an output directory, and report filenames
    # can't be chosen ("results_junitxml.xml" and "results_cli.txt")
    - checkov --soft-fail --output junitxml $TF_CHECKOV_ARGS > "reports/checkov.xunit.xml"
    - checkov --soft-fail --output junitxml --directory . $TF_CHECKOV_ARGS > "reports/checkov.xunit.xml"
    - |
      if [[ "$DEFECTDOJO_CHECKOV_REPORTS" ]]
      then
        checkov --soft-fail --output json $TF_CHECKOV_ARGS > "reports/checkov.native.json"
        checkov --soft-fail --output json --directory . $TF_CHECKOV_ARGS > "reports/checkov.native.json"
      fi
    - checkov $TF_CHECKOV_ARGS
    - checkov --directory . $TF_CHECKOV_ARGS
  artifacts:
    name: "$CI_JOB_NAME artifacts from $CI_PROJECT_NAME on $CI_COMMIT_REF_SLUG"
    reports:
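Review bot: the prefix `--directory . $TF_CHECKOV_ARGS` is now repeated in all three `checkov` invocations, so a future change to the scanned path has to be made three times; consider defining the common arguments once before the first call (a shell variable or array) so the invocations cannot drift apart. Note also that `$TF_CHECKOV_ARGS` is deliberately left unquoted so the shell word-splits it into separate options, which means an argument value containing spaces cannot be passed; that limitation should be stated in the README. The last call, `checkov --directory . $TF_CHECKOV_ARGS` without `--soft-fail`, is the one that fails the job, so it should stay after the two report-generating calls so the JUnit and JSON reports are always written before the job can fail.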