feat(general): Remove code upload for on-prem integrations

checkov/common/bridgecrew/platform_integration.py

@@ -134,6 +134,7 @@ def __init__(self) -> None:
         self.persist_graphs_timeout = int(os.getenv('BC_PERSIST_GRAPHS_TIMEOUT', 60))
         self.ca_certificate: str | None = None
         self.no_cert_verify: bool = False
+        self.on_prem: bool = False
 
     def set_bc_api_url(self, new_url: str) -> None:
         self.bc_api_url = normalize_bc_url(new_url)
@@ -483,9 +484,9 @@ def persist_scan_results(self, scan_reports: list[Report]) -> None:
         # just process reports with actual results in it
         self.scan_reports = [scan_report for scan_report in scan_reports if not scan_report.is_empty(full=True)]
 
-        reduced_scan_reports = reduce_scan_reports(self.scan_reports)
+        reduced_scan_reports = reduce_scan_reports(self.scan_reports, self.on_prem)
         checks_metadata_paths = enrich_and_persist_checks_metadata(self.scan_reports, self.s3_client, self.bucket,
-                                                                   self.repo_path)
+                                                                   self.repo_path, self.on_prem)
         dpath.merge(reduced_scan_reports, checks_metadata_paths)
         persist_checks_results(reduced_scan_reports, self.s3_client, self.bucket, self.repo_path)
 
@@ -1128,5 +1129,9 @@ def get_sso_prismacloud_url(self, report_url: str) -> str:
 
         return report_url
 
+    def setup_on_prem(self) -> None:
+        if self.customer_run_config_response:
+            self.on_prem = self.customer_run_config_response.get('onPrem', False)
+
 
 bc_integration = BcPlatformIntegration()

checkov/common/bridgecrew/wrapper.py

@@ -58,18 +58,20 @@ def _put_json_object(s3_client: S3Client, json_obj: Any, bucket: str, object_pat
         raise
 
 
-def _extract_checks_metadata(report: Report, full_repo_object_key: str) -> dict[str, dict[str, Any]]:
+def _extract_checks_metadata(report: Report, full_repo_object_key: str, on_prem: bool) -> dict[str, dict[str, Any]]:
     metadata: dict[str, dict[str, Any]] = defaultdict(dict)
     for check in itertools.chain(report.passed_checks, report.failed_checks, report.skipped_checks):
         metadata_key = f'{check.file_path}:{check.resource}'
         check_meta = {k: getattr(check, k, "") for k in check_metadata_keys}
         check_meta['file_object_path'] = full_repo_object_key + check.file_path
+        if on_prem:
+            check_meta['code_block'] = []
         metadata[metadata_key][check.check_id] = check_meta
 
     return metadata
 
 
-def reduce_scan_reports(scan_reports: list[Report]) -> dict[str, _ReducedScanReport]:
+def reduce_scan_reports(scan_reports: list[Report], on_prem: Optional[bool] = False) -> dict[str, _ReducedScanReport]:
     """
     Transform checkov reports objects into compact dictionaries
     :param scan_reports: List of checkov output reports
@@ -79,6 +81,8 @@ def reduce_scan_reports(scan_reports: list[Report]) -> dict[str, _ReducedScanRep
     for report in scan_reports:
         check_type = report.check_type
         reduced_keys = secrets_check_reduced_keys if check_type == CheckType.SECRETS else check_reduced_keys
+        if on_prem:
+            reduced_keys = tuple(k for k in reduced_keys if k != 'code_block')
         reduced_scan_reports[check_type] = \
             {
                 "checks": {
@@ -136,7 +140,7 @@ def persist_logs_stream(logs_stream: StringIO, s3_client: S3Client, bucket: str,
 
 
 def enrich_and_persist_checks_metadata(
-        scan_reports: list[Report], s3_client: S3Client, bucket: str, full_repo_object_key: str
+        scan_reports: list[Report], s3_client: S3Client, bucket: str, full_repo_object_key: str, on_prem: bool
 ) -> dict[str, dict[str, str]]:
     """
     Save checks metadata into bridgecrew's platform
@@ -145,7 +149,7 @@ def enrich_and_persist_checks_metadata(
     checks_metadata_paths: dict[str, dict[str, str]] = {}
     for scan_report in scan_reports:
         check_type = scan_report.check_type
-        checks_metadata_object = _extract_checks_metadata(scan_report, full_repo_object_key)
+        checks_metadata_object = _extract_checks_metadata(scan_report, full_repo_object_key, on_prem)
         checks_metadata_object_path = f'{full_repo_object_key}/{checkov_results_prefix}/{check_type}/checks_metadata.json'
         dpath.new(checks_metadata_paths, f"{check_type}/checks_metadata_path", checks_metadata_object_path)
         _put_json_object(s3_client, checks_metadata_object, bucket, checks_metadata_object_path)

checkov/main.py

@@ -385,7 +385,7 @@ def run(self, banner: str = checkov_banner, tool: str = checkov_tool, source_typ
                         logger.error('Please try setting the environment variable LOG_LEVEL=DEBUG and re-running the command, and provide the output to support', exc_info=True)
                     self.exit_run()
             else:
-                if self.config.support:
+                if bc_integration.support_flag_enabled:
                     logger.warning("--bc-api-key argument is required when using --support")
                 logger.debug('No API key found. Scanning locally only.')
                 self.config.include_all_checkov_policies = True
@@ -411,6 +411,21 @@ def run(self, banner: str = checkov_banner, tool: str = checkov_tool, source_typ
                           '(but note that this will not include any custom platform configurations or policy metadata).',
                           file=sys.stderr)
                     self.exit_run()
+            bc_integration.setup_on_prem()
+            if bc_integration.on_prem:
+                # disable --support for on-premises integrations
+                if bc_integration.support_flag_enabled:
+                    logger.warning("--support flag is not supported for on-premises integrations")
+                    bc_integration.support_flag_enabled = False
+                # disable sca_package, sca_image for on-premises integrations
+                if not outer_registry:
+                    removed_check_types = []
+                    for runner in list(runner_registry.runners):
+                        if runner.check_type in [CheckType.SCA_IMAGE, CheckType.SCA_PACKAGE]:
+                            removed_check_types.append(runner.check_type)
+                            runner_registry.runners.remove(runner)
+                    if removed_check_types:
+                        logger.warning(f"Following runners won't run as they are not supported for on-premises integrations: {removed_check_types}")
 
             bc_integration.get_prisma_build_policies(self.config.policy_metadata_filter)
 
@@ -530,8 +545,8 @@ def run(self, banner: str = checkov_banner, tool: str = checkov_tool, source_typ
                     self.parser.error("--branch argument is required when using --docker-image")
                     return None
                 files = [os.path.abspath(self.config.dockerfile_path)]
-                runner = sca_image_runner()
-                result = runner.run(
+                sca_runner = sca_image_runner()
+                result = sca_runner.run(
                     root_folder='',
                     image_id=self.config.docker_image,
                     dockerfile_path=self.config.dockerfile_path,
@@ -549,7 +564,7 @@ def run(self, banner: str = checkov_banner, tool: str = checkov_tool, source_typ
                 if not self.config.skip_results_upload:
                     bc_integration.persist_repository(os.path.dirname(self.config.dockerfile_path), files=files)
                     bc_integration.persist_scan_results(self.scan_reports)
-                    bc_integration.persist_image_scan_results(runner.raw_report, self.config.dockerfile_path,
+                    bc_integration.persist_image_scan_results(sca_runner.raw_report, self.config.dockerfile_path,
                                                               self.config.docker_image,
                                                               self.config.branch)
 
@@ -630,7 +645,7 @@ def run(self, banner: str = checkov_banner, tool: str = checkov_tool, source_typ
             raise
 
         finally:
-            if self.config.support:
+            if bc_integration.support_flag_enabled:
                 bc_integration.persist_logs_stream(logs_stream)
 
     def exit_run(self) -> None:
@@ -664,19 +679,19 @@ def upload_results(
     ) -> None:
         """Upload scan results and other relevant files"""
 
-        bc_integration.persist_repository(
-            root_dir=root_folder,
-            files=files,
-            excluded_paths=excluded_paths,
-            included_paths=included_paths,
-        )
-        if git_configuration_folders:
-            bc_integration.persist_git_configuration(os.getcwd(), git_configuration_folders)
-        if sca_supported_ir_report:
-            scan_reports_to_upload = [report for report in self.scan_reports if report.check_type != 'sca_image']
-            scan_reports_to_upload.append(sca_supported_ir_report)
-        else:
-            scan_reports_to_upload = self.scan_reports
+        scan_reports_to_upload = self.scan_reports
+        if not bc_integration.on_prem:
+            bc_integration.persist_repository(
+                root_dir=root_folder,
+                files=files,
+                excluded_paths=excluded_paths,
+                included_paths=included_paths,
+            )
+            if git_configuration_folders:
+                bc_integration.persist_git_configuration(os.getcwd(), git_configuration_folders)
+            if sca_supported_ir_report:
+                scan_reports_to_upload = [report for report in self.scan_reports if report.check_type != 'sca_image']
+                scan_reports_to_upload.append(sca_supported_ir_report)
         bc_integration.persist_scan_results(scan_reports_to_upload)
         bc_integration.persist_run_metadata(self.run_metadata)
         if bc_integration.enable_persist_graphs: