Checkov upgrade notice causing CI to fail


Beginning around 11:30am ET on 11/21/2022, our CI pipelines started failing due to a Checkov update/upgrade notice with an input prompt (see output below).

Is there a command line option to skip this check from bridgecrew?

$ checkov
       _               _              
   ___| |__   ___  ___| | _______   __
  / __| '_ \ / _ \/ __| |/ / _ \ \ / /
 | (__| | | |  __/ (__|   < (_) \ V / 
  \___|_| |_|\___|\___|_|\_\___/ \_/  
                                      
By bridgecrew.io | version: 2.1.244 
Update available 2.1.244 -> 2.2.80
Run pip3 install -U checkov to update 
Would you like to “level up” your Checkov powers for free?  The upgrade includes: 
• Command line docker Image scanning
• Software Composition Analysis
• Centralized policy management
• Free bridgecrew.cloud account with API access
• Auto-fix remediation suggestions
• Enabling of VS Code Plugin
• Dashboard visualisation of Checkov scans
• Integration with GitHub for:
    ◦   Automated Pull Request scanning
    ◦   Auto remediation PR generation
• Integration with up to 100 cloud resources for:
    ◦   Automated cloud resource checks
    ◦   Resource drift detection
and much more...
It's easy and only takes 2 minutes. We can do it right now!
To Level-up, press 'y'... 
Level up? (y/n): Traceback (most recent call last):
  File "/usr/bin/checkov", line 9, in <module>
    sys.exit(run())
  File "/usr/lib/python3.10/site-packages/checkov/main.py", line 368, in run
    bc_integration.onboarding()
  File "/usr/lib/python3.10/site-packages/checkov/common/bridgecrew/platform_integration.py", line 696, in onboarding
    reply = self._input_levelup_results()
  File "/usr/lib/python3.10/site-packages/checkov/common/bridgecrew/platform_integration.py", line 860, in _input_levelup_results
    result = str(input('Level up? (y/n): ')).lower().strip()  # nosec
EOFError: EOF when reading a line
Uploading artifacts for failed job
00:01
Uploading artifacts...
WARNING: plan.json: no matching files              
ERROR: No files to upload                     

I did try to update the version using pip but the old version is still being used. This is a separate issue, and at this point my focus is on avoiding the update check entirely.

bash-5.1# checkov --version
2.1.244
bash-5.1# pip3 install -U checkov
... (Lots of output)
bash-5.1# checkov --version
2.1.244

This is my .checkov.yaml file:

compact: true
quiet: true
skip-download: false
download-external-modules: true
directory:
 - ./
skip-check:
 - CKV_AWS_18
 - CKV_AWS_50
 - CKV_AWS_115
 - CKV_AWS_116
 - CKV_AWS_117
 - CKV_AWS_158
 - CKV_AWS_173
 - CKV_OPENAPI_4  # some APIs are public
 - CKV_OPENAPI_5  # some APIs are public
 - LOW
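The traceback above ends in input() being called with no stdin to read. As an added example (not Checkov's code), the following Python contrasts that unguarded prompt with one that checks for an interactive terminal first and falls back to a safe default in CI; the `interactive` parameter and the helper names are my own assumptions.

```python
import io
import sys
from typing import Optional, TextIO

PROMPT = "Level up? (y/n): "  # prompt text from the traceback above

def unguarded_prompt(stream: TextIO) -> str:
    """Mirror of input(): read a line, raise EOFError when the stream is exhausted."""
    line = stream.readline()
    if line == "":  # CI stdin is empty or /dev/null, so this is the CI path
        raise EOFError("EOF when reading a line")
    return line.strip().lower()

def guarded_prompt(stream: TextIO, default: str = "n",
                   interactive: Optional[bool] = None,
                   out: TextIO = sys.stdout) -> str:
    """Ask only when a human can answer; otherwise return `default` without blocking.

    `interactive` defaults to stream.isatty(); making it a parameter is my choice
    (not a Checkov option) so the interactive path can be exercised with StringIO.
    """
    if interactive is None:
        try:
            interactive = stream.isatty()
        except ValueError:  # stream already closed
            interactive = False
    if not interactive:
        return default  # non-interactive run: no prompt, no EOFError
    out.write(PROMPT)
    out.flush()
    line = stream.readline()
    if line == "":  # interactive but stdin hit EOF (e.g. Ctrl-D)
        return default
    answer = line.strip().lower()
    return answer if answer in ("y", "n") else default

def unguarded_raises(text: str) -> bool:
    """True if the input()-style prompt crashes on this constructed stdin."""
    try:
        unguarded_prompt(io.StringIO(text))
        return False
    except EOFError:
        return True

def simulate(text: str, interactive: bool) -> str:
    """Run the guarded prompt against constructed stdin, discarding the prompt text."""
    return guarded_prompt(io.StringIO(text), interactive=interactive, out=io.StringIO())
```

An empty StringIO stands in for the CI job's closed stdin: the unguarded version raises the same EOFError as the traceback, while the guarded one answers "n" and lets the scan continue.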


Solution

  • If anyone else runs into this, I fixed it by explicitly passing the config-file flag on the command line:

    checkov --config-file .checkov.yaml

    It's still unclear to me why the pipelines started failing when we were using a pre-built Docker image to run our jobs.