-
Notifications
You must be signed in to change notification settings - Fork 1.1k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
feat(general): Add an option to pick beetwen native OpenAI and Azure OpenAI #5569
Conversation
Thank you @gruebel for approving checks on this PR yesterday! Yesterday I didn't have flake8, mypy findings addressed and unittests added. Today branch should be in better shape. Have a nice weekend! |
force _instance to be None (to be sure we are on right configuration).
Hi @gruebel ! Let me know if you think I need to add anything to that branch? Tests are passing - I'm just merging back main branch to my forked repo. |
Hey @gruebel ! Gentle reminder ob this PR 😃 Thanks! 🥩🍺 |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
the idea is general great, but the implementation doesn't fit the code style here. Also please test your implementation, because setting the parameter messages=messages[0]
when calling the chat completion would have shown you that it doesn't work at all.
cls._api_type = api_type.lower() | ||
if (cls._api_type == 'azure'): |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
no need to create a class attribute for this, when you set it on openai
a few lines later
self.add( | ||
"--openai-api-type", | ||
env_var="CKV_OPENAI_API_TYPE", | ||
choices=['azure', 'default'], | ||
default='default', | ||
help="By switching this flag to 'azure', you are able to send violated policies to Azure OpenAI service. " | ||
"You have to provide Key, either with --openai-api-key or CKV_OPENAI_API_KEY. " | ||
"Before you switch to 'azure' you also have to define CKV_AZURE_OPENAI_API_ENDPOINT and CKV_AZURE_OPENAI_DEPLOYMENT_NAME environment variables. " | ||
"CKV_AZURE_OPENAI_API_ENDPOINT - is the Azure OpenAI service endpoint, eg: 'https://eastus.api.cognitive.microsoft.com/'. " | ||
"CKV_AZURE_OPENAI_DEPLOYMENT_NAME - this is your Deployment Name from https://oai.portal.com portal you wish to use. " | ||
"With CKV_AZURE_OPENAI_API_VERSION environment variable you are also able to control API version - this defaults to '2023-05-15'. ", | ||
) |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
it doesn't make sense to add a flag for it, because you need multiple other settings, which are set via env vars to make it work
if (self._api_type == 'azure'): | ||
completion = await openai.ChatCompletion.acreate( # type:ignore[no-untyped-call] | ||
engine=self.AZURE_OPENAI_DEPLOYMENT_NAME, | ||
messages=messages[0], |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
messages=messages[0], | |
messages=messages, |
otherwise you only send the first message, same a few lines lower
print( | ||
colored( | ||
f"ERROR: Configuration for Azure OpenAI is missing: Please specify {environment_variable_name} environment variable for --openai-api-type '{self._api_type}' type.", | ||
"red", | ||
) | ||
) |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
just use a normal log message
cls._should_run = cls._should_run & cls._validate_azure_env(cls._instance, cls.AZURE_OPENAI_API_ENDPOINT, 'CKV_AZURE_OPENAI_API_ENDPOINT') | ||
cls._should_run = cls._should_run & cls._validate_azure_env(cls._instance, cls.AZURE_OPENAI_API_VERSION, 'CKV_AZURE_OPENAI_API_VERSION') | ||
cls._should_run = cls._should_run & cls._validate_azure_env(cls._instance, cls.AZURE_OPENAI_DEPLOYMENT_NAME, 'CKV_AZURE_OPENAI_DEPLOYMENT_NAME') |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
instead of validating each one by one, pass all to a validate function and decide, if everything is set as needed
max_tokens=OPENAI_MAX_TOKENS, | ||
) | ||
|
||
logging.info(f"[COMPLETION]{completion}") |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
logging.info(f"[COMPLETION]{completion}") | |
logging.debug(f"OpenAI request returned: {completion}") |
or something similar to have a direct context. Also debug level is more than enough.
@@ -272,6 +272,7 @@ def print_console( | |||
use_bc_ids: bool = False, | |||
summary_position: str = 'top', | |||
openai_api_key: str | None = None, | |||
openai_api_type: str = "default", |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
remove all of the openai_api_type
parameter changes and change it to an env var with a default of default
@@ -65,4 +65,5 @@ nav_order: 2 | |||
| `--scan-secrets-history` | Enable secret scan history of commits | | |||
| `--block-list-secret-scan CKV_SECRETS_SCAN_BLOCK_LIST` | List of files to filter out in the secret scanner | | |||
| `--support` | Enable debug logs and upload the logs to the server. Requires a Bridgecrew or Prisma Cloud API key. | | |||
| `--openai-api-type` | By switching this flag to 'azure', you are able to send violated policies to Azure OpenAI service. You have to provide Key, either with --openai-api-key or CKV_OPENAI_API_KEY. Before you switch to 'azure' you also have to define CKV_AZURE_OPENAI_API_ENDPOINT and CKV_AZURE_OPENAI_DEPLOYMENT_NAME environment variables. CKV_AZURE_OPENAI_API_ENDPOINT - is the Azure OpenAI service endpoint, eg: 'https://eastus.api.cognitive.microsoft.com/'. CKV_AZURE_OPENAI_DEPLOYMENT_NAME - this is your Deployment Name from https://oai.portal.com portal you wish to use. With CKV_AZURE_OPENAI_API_VERSION environment variable you are also able to control API version - this defaults to '2023-05-15'. | |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
remove
## OpenAI type | ||
|
||
With `--openai-api-type` flag, you are able to choose OpenAI source. Possible values here are `default` and `azure`. Default valuie is obvoiusly `default`, and this flag will redirect your requests to public-generally available OpenAI service. By switching this flag to `--openai-api-type azure` you can query **Azure OpenAI** resource using Azure OpenAI Key. Please see below [Azure OpenAI] section for more configuration details. | ||
|
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
move this to the Settings
block as an env var
{"role": "user", "content": "Explain"}, | ||
], | ||
# depends on api_type, call ChatCompletion differently | ||
logging.info(f"[_chat_complete]: self._api_type: {self._api_type}") |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
instead of logging it here, just do it once at the end of the class instance creation, then you can also log other infos like deployment name and endpoint used.
and there is also no need to update the branch all the time, because this code part is rarely changed and we typically trigger it, when needed before merging |
Thanks for contributing to Checkov! We've automatically marked this issue as stale to keep our issues list tidy, because it has not had any activity for 6 months. It will be closed in 14 days if no further activity occurs. Commenting on this issue will remove the stale tag. If you want to talk through the issue or help us understand the priority and context, feel free to add a comment or join us in the Checkov slack channel at codifiedsecurity.slack.com |
Closing issue due to inactivity. If you feel this is in error, please re-open, or reach out to the community via slack: codifiedsecurity.slack.com Thanks! |
By submitting this pull request, I confirm that my contribution is made under the terms of the Apache 2.0 license.
Description
added
--openai-api-type
parameter with alloweddefault
andazure
values, to allow user, to use Azure OpenAI resource.default
is of course default option, and it does not change current OpenAPI workflowazure
is an additional option to choose, to make checkov "talk to" Azure OpenAI. Additional Environment Variables have to be defined to work with this type:These were included in documentation and cli help.
Azure OpenAI integration gives more control over the AI findings. Companies can built their own, private Knowlege Base/Suggestions Database with Azure OpenAI for resolving policies violations.
Calling checkov with command
checkov -d . --compact --openai-api-type azure --openai-api-key 1********************************0
, withoutCKV_AZURE_OPENAI_API_ENDPOINT
and/orCKV_AZURE_OPENAI_DEPLOYMENT_NAME
set, will result in Error messages; however checks will be performed anyway:Same checkov command, with
CKV_AZURE_OPENAI_API_ENDPOINT
andCKV_AZURE_OPENAI_DEPLOYMENT_NAME
set, will result in Azure OpenAI call and AI suggestions:Fix
How does someone fix the issue in code and/or in runtime?
Checklist: