platform(general): Add no upload flag and report contributors for all API key runs #5052

Merged
merged 21 commits into from
Jun 1, 2023
13 changes: 6 additions & 7 deletions checkov/common/bridgecrew/bc_source.py
Expand Up @@ -2,12 +2,11 @@


class SourceType:
__slots__ = ("name", "upload_results", "report_contributor_metrics")
__slots__ = ("name", "upload_results")

def __init__(self, name: str, upload_results: bool, report_contributor_metrics: bool = False):
def __init__(self, name: str, upload_results: bool):
self.name = name
self.upload_results = upload_results
self.report_contributor_metrics = report_contributor_metrics


@dataclass
Expand All @@ -30,10 +29,10 @@ class BCSourceType:
BCSourceType.CLI: SourceType(BCSourceType.CLI, True),
BCSourceType.KUBERNETES_WORKLOADS: SourceType(BCSourceType.KUBERNETES_WORKLOADS, True),
BCSourceType.DISABLED: SourceType(BCSourceType.VSCODE, False),
BCSourceType.GITHUB_ACTIONS: SourceType(BCSourceType.GITHUB_ACTIONS, True, report_contributor_metrics=True),
BCSourceType.CODEBUILD: SourceType(BCSourceType.CODEBUILD, True, report_contributor_metrics=True),
BCSourceType.JENKINS: SourceType(BCSourceType.JENKINS, True, report_contributor_metrics=True),
BCSourceType.CIRCLECI: SourceType(BCSourceType.CIRCLECI, True, report_contributor_metrics=True),
BCSourceType.GITHUB_ACTIONS: SourceType(BCSourceType.GITHUB_ACTIONS, True),
BCSourceType.CODEBUILD: SourceType(BCSourceType.CODEBUILD, True),
BCSourceType.JENKINS: SourceType(BCSourceType.JENKINS, True),
BCSourceType.CIRCLECI: SourceType(BCSourceType.CIRCLECI, True),
BCSourceType.ADMISSION_CONTROLLER: SourceType(BCSourceType.ADMISSION_CONTROLLER, False)
}

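Review bot: Removing `report_contributor_metrics` from both `__slots__` and `__init__` means any remaining caller that still passes the keyword raises TypeError, and because of `__slots__` any remaining read of the attribute raises AttributeError instead of returning a default; main.py replaces one such read, but other readers are not visible in this diff, so a repo-wide search for the name is worth doing before merge. The class still has no docstring; `"""A scan source: its name and whether its results are uploaded to the platform."""` would document the two fields that remain. On a context line, the DISABLED entry is still built as `SourceType(BCSourceType.VSCODE, False)`, which looks pre-existing but may be a copy-paste slip worth a follow-up.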
6 changes: 6 additions & 0 deletions checkov/common/util/ext_argument_parser.py
Expand Up @@ -310,6 +310,12 @@ def add_parser_args(self) -> None:
help="The Prisma Cloud API URL (see: https://prisma.pan.dev/api/cloud/api-urls). "
"Requires --bc-api-key to be a Prisma Cloud Access Key in the following format: <access_key_id>::<secret_key>",
)
self.add(
"--skip-results-upload",
action='store_true',
help="Do not upload scan results to the platform to view in the console. Results are only available locally. "
"If you use the --support flag, logs will still get uploaded.",
Comment on lines +316 to +317
👍

)
self.add(
"--docker-image",
"--image",
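Review bot: The help text for `--skip-results-upload` promises that results are only available locally, but the contributor-metrics step in checkov/main.py (its condition in this PR reads `bc_integration.bc_api_key and self.config.repo_id and self.config.prisma_api_url`) is not gated on this flag, so with an API key, repo id and Prisma URL set the contributor information is still collected and uploaded. Either add `and not self.config.skip_results_upload` to that condition, or say so in the help: `"If you use the --support flag, logs will still get uploaded; contributor metrics are still reported when --repo-id and --prisma-api-url are set."`. The enclosing `add_parser_args` starts before this hunk.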
29 changes: 18 additions & 11 deletions checkov/main.py
Expand Up @@ -360,7 +360,7 @@ def run(self, banner: str = checkov_banner, tool: str = checkov_tool, source_typ
repo_branch=self.config.branch,
prisma_api_url=self.config.prisma_api_url)

should_run_contributor_metrics = source.report_contributor_metrics and self.config.repo_id and self.config.prisma_api_url
should_run_contributor_metrics = bc_integration.bc_api_key and self.config.repo_id and self.config.prisma_api_url
logger.debug(f"Should run contributor metrics report: {should_run_contributor_metrics}")
if should_run_contributor_metrics:
try: # collect contributor info and upload
Expand Down Expand Up @@ -469,7 +469,11 @@ def run(self, banner: str = checkov_banner, tool: str = checkov_tool, source_typ
self.exit_run()
if baseline:
baseline.compare_and_reduce_reports(self.scan_reports)
if bc_integration.is_integration_configured() and bc_integration.bc_source and bc_integration.bc_source.upload_results:

if bc_integration.is_integration_configured() \
and bc_integration.bc_source \
and bc_integration.bc_source.upload_results \
and not self.config.skip_results_upload:
included_paths = [self.config.external_modules_download_path]
for r in runner_registry.runners:
included_paths.extend(r.included_paths())
Expand Down Expand Up @@ -521,14 +525,14 @@ def run(self, banner: str = checkov_banner, tool: str = checkov_tool, source_typ
logger.error(f"SCA image runner returned {len(self.scan_reports)} reports; expected 1")

integration_feature_registry.run_post_runner(self.scan_reports[0])
bc_integration.persist_repository(os.path.dirname(self.config.dockerfile_path), files=files)
bc_integration.persist_scan_results(self.scan_reports)
bc_integration.persist_image_scan_results(runner.raw_report, self.config.dockerfile_path,
self.config.docker_image,
self.config.branch)

bc_integration.persist_run_metadata(self.run_metadata)
self.url = self.commit_repository()
if not self.config.skip_results_upload:
bc_integration.persist_repository(os.path.dirname(self.config.dockerfile_path), files=files)
bc_integration.persist_scan_results(self.scan_reports)
bc_integration.persist_image_scan_results(runner.raw_report, self.config.dockerfile_path,
self.config.docker_image,
self.config.branch)
bc_integration.persist_run_metadata(self.run_metadata)
self.url = self.commit_repository()
exit_code = self.print_results(runner_registry=runner_registry, url=self.url)
return exit_code
elif self.config.file:
Expand All @@ -551,7 +555,10 @@ def run(self, banner: str = checkov_banner, tool: str = checkov_tool, source_typ
with open(created_baseline_path, 'w') as f:
json.dump(overall_baseline.to_dict(), f, indent=4)

if bc_integration.is_integration_configured():
if bc_integration.is_integration_configured() \
and bc_integration.bc_source \
and bc_integration.bc_source.upload_results \
and not self.config.skip_results_upload:
files = [os.path.abspath(file) for file in self.config.file]
root_folder = os.path.split(os.path.commonprefix(files))[0]

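Review bot: The image-scan branch gates its upload only on `if not self.config.skip_results_upload:`, while the directory and file branches now repeat the same four-part condition (`is_integration_configured()`, `bc_source`, `bc_source.upload_results`, `not skip_results_upload`) as backslash-continued lines; a small helper on the class would keep the three sites consistent and make the image branch's weaker check a deliberate choice rather than an omission. When that branch skips the upload, `self.url` is not assigned but is still passed to `print_results`, so it presumably carries whatever it was initialised to outside this hunk — worth confirming it cannot be a stale value from an earlier step. `run` starts before the first hunk and continues past the last.
```python
    def _should_upload_results(self) -> bool:
        """True when this run's scan results may be sent to the platform."""
        return bool(
            bc_integration.is_integration_configured()
            and bc_integration.bc_source
            and bc_integration.bc_source.upload_results
            and not self.config.skip_results_upload
        )

    # … unchanged: run() up to the directory-scan upload …
            if self._should_upload_results():
                # … unchanged: included_paths / persist calls …
```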
1 change: 1 addition & 0 deletions docs/2.Basics/CLI Command Reference.md
Expand Up @@ -34,6 +34,7 @@ nav_order: 2
| `--hard-fail-on HARD_FAIL_ON` | Exits with a non-zero exit code for specified checks. Enter one or more items separated by commas. Each item may be either a Checkov check ID (CKV_AWS_123), a BCcheck ID (BC_AWS_GENERAL_123), or a severity (LOW, MEDIUM, HIGH, CRITICAL). If you use a severity, then any severity equal to or greater than the lowest severity in the list will result in a hard fail. This option can be used with --soft-fail-on, using the same priority logic described in --check and --skip-check options above, with --hard-fail-on taking precedence in a tie. |
| `--bc-api-key BC_API_KEY` | Bridgecrew API key or Prisma Cloud Access Key (see--prisma-api-url) [env var: BC_API_KEY] |
| `--prisma-api-url PRISMA_API_URL` | The Prisma Cloud API URL (see:https://prisma.pan.dev/api/cloud/api-urls). Requires --bc-api-key to be a Prisma Cloud Access Key in the following format: <access_key_id>::<secret_key> [env var: PRISMA_API_URL] |
| `--skip-results-upload` | Do not upload scan results to the platform. Use this to download configs, but only view results in the local output. |
👍

| `--image, --docker-image DOCKER_IMAGE` | Scan docker images by name or ID. Only works with --bc-api-key flag |
| `--dockerfile-path DOCKERFILE_PATH` | Path to the Dockerfile of the scanned docker image |
| `--repo-id REPO_ID` | Identity string of the repository, with form <repo_owner>/<repo_name> |
1 change: 1 addition & 0 deletions integration_tests/prepare_data.sh
Expand Up @@ -33,6 +33,7 @@ if [[ "$2" == "3.7" && "$1" == "ubuntu-latest" ]]
then
pipenv run checkov -s -f terragoat/terraform/aws/s3.tf --bc-api-key $BC_KEY > checkov_report_s3_singlefile_api_key_terragoat.txt
pipenv run checkov -s -d terragoat/terraform/azure/ --bc-api-key $BC_KEY > checkov_report_azuredir_api_key_terragoat.txt
pipenv run checkov -s -d terragoat/terraform/azure/ --skip-results-upload --bc-api-key $BC_KEY > checkov_report_azuredir_api_key_terragoat_no_upload.txt
echo "running image referencing"
pipenv run checkov -s -d integration_tests/example_workflow_file/.github/workflows/ -o json --bc-api-key $BC_KEY --include-all-checkov-policies > checkov_report_workflow_cve.json
pipenv run checkov -s -d integration_tests/example_workflow_file/bitbucket/ -o json --bc-api-key $BC_KEY --include-all-checkov-policies > checkov_report_bitbucket_pipelines_cve.json
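Review bot: The added line, like its neighbours, passes the secret as `--bc-api-key $BC_KEY`, which places it on the command line where process listings and verbose CI logs can capture it; the CLI reference in this same PR notes the flag also reads the `BC_API_KEY` environment variable, so an `export BC_API_KEY="$BC_KEY"` once at the top of the block and dropping the argument would keep it off argv. If the argument stays, quote it, `--bc-api-key "$BC_KEY"`, so an empty value does not silently shift the following arguments. The same applies to the existing lines in this block.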
8 changes: 6 additions & 2 deletions integration_tests/test_checkov_cli_integration_report.py
Expand Up @@ -12,17 +12,21 @@ def test_terragoat_report_dir_api_key(self):
report_path = os.path.join(current_dir, '..', 'checkov_report_azuredir_api_key_terragoat.txt')
self.validate_report(os.path.abspath(report_path))

def test_terragoat_report_dir_no_upload_api_key(self):
report_path = os.path.join(current_dir, '..', 'checkov_report_azuredir_api_key_terragoat_no_upload.txt')
self.validate_report(os.path.abspath(report_path), False)

def test_terragoat_report_file_api_key(self):
report_path = os.path.join(current_dir, '..', 'checkov_report_s3_singlefile_api_key_terragoat.txt')
self.validate_report(os.path.abspath(report_path))

def validate_report(self, report_path):
def validate_report(self, report_path, url_should_exist=True):
if sys.version_info[1] == 7 and platform.system() == 'Linux':
platform_url_found = False
with open(report_path) as f:
if 'More details: https://www.bridgecrew.cloud/projects?' in f.read():
platform_url_found = True
self.assertTrue(platform_url_found, "when using api key, platform code review url should exist")
self.assertEqual(platform_url_found, url_should_exist, "when using api key and not --skip-results-upload, platform code review url should exist")

def test_workflow_report_api_key(self):
report_path = os.path.join(current_dir, '..', 'checkov_report_workflow_cve.json')
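Review bot: `validate_report` now takes `url_should_exist`, but the new test passes it positionally (`self.validate_report(os.path.abspath(report_path), False)`) and the shared assertion message still says the URL "should exist" even when False is expected, so a failure in the no-upload test reads backwards. Making the parameter keyword-only, `def validate_report(self, report_path, *, url_should_exist=True):`, calling it with `url_should_exist=False`, and deriving the message from the flag — `f"with an api key the platform url should {'exist' if url_should_exist else 'not exist'}"` — fixes both. Note that the assertion only runs under the existing Python 3.7/Linux guard, so the new test is vacuous on every other matrix entry, as the existing ones already are.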