Beginning around 11:30am ET on 11/21/2022, our CI pipelines started failing due to a Checkov update/upgrade notice with an input prompt (see output below).
Is there a command line option to skip this check from bridgecrew?
$ checkov
_ _
___| |__ ___ ___| | _______ __
/ __| '_ \ / _ \/ __| |/ / _ \ \ / /
| (__| | | | __/ (__| < (_) \ V /
\___|_| |_|\___|\___|_|\_\___/ \_/
By bridgecrew.io | version: 2.1.244
Update available 2.1.244 -> 2.2.80
Run pip3 install -U checkov to update
Would you like to “level up” your Checkov powers for free? The upgrade includes:
• Command line docker Image scanning
• Software Composition Analysis
• Centralized policy management
• Free bridgecrew.cloud account with API access
• Auto-fix remediation suggestions
• Enabling of VS Code Plugin
• Dashboard visualisation of Checkov scans
• Integration with GitHub for:
◦ Automated Pull Request scanning
◦ Auto remediation PR generation
• Integration with up to 100 cloud resources for:
◦ Automated cloud resource checks
◦ Resource drift detection
and much more...
It's easy and only takes 2 minutes. We can do it right now!
To Level-up, press 'y'...
Level up? (y/n): Traceback (most recent call last):
File "/usr/bin/checkov", line 9, in <module>
sys.exit(run())
File "/usr/lib/python3.10/site-packages/checkov/main.py", line 368, in run
bc_integration.onboarding()
File "/usr/lib/python3.10/site-packages/checkov/common/bridgecrew/platform_integration.py", line 696, in onboarding
reply = self._input_levelup_results()
File "/usr/lib/python3.10/site-packages/checkov/common/bridgecrew/platform_integration.py", line 860, in _input_levelup_results
result = str(input('Level up? (y/n): ')).lower().strip() # nosec
EOFError: EOF when reading a line
Uploading artifacts for failed job
00:01
Uploading artifacts...
WARNING: plan.json: no matching files
ERROR: No files to upload
I did try to update the version using pip, but the old version is still being used. This is a separate issue, and at this point my focus is on avoiding the update check entirely.
bash-5.1# checkov --version
2.1.244
bash-5.1# pip3 install -U checkov
... (Lots of output)
bash-5.1# checkov --version
2.1.244
This is my .checkov.yaml file:
compact: true
quiet: true
skip-download: false
download-external-modules: true
directory:
- ./
skip-check:
- CKV_AWS_18
- CKV_AWS_50
- CKV_AWS_115
- CKV_AWS_116
- CKV_AWS_117
- CKV_AWS_158
- CKV_AWS_173
- CKV_OPENAPI_4 # some APIs are public
- CKV_OPENAPI_5 # some APIs are public
- LOW
If anyone else runs into this, I fixed it by explicitly passing the config-file flag on the command line:
checkov --config-file .checkov.yaml
It's still unclear to me why the pipelines started failing when we were using a pre-built Docker image to run our jobs.
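The traceback in the question shows the root cause: a bare input() reading a stdin that the CI runner never attached, which raises EOFError. The following added example (not Checkov's code; the function names are my own) reproduces that failure and shows the tty-aware fallback a CLI should use so an unattended run neither blocks nor crashes.

```python
import io
import sys

# Added illustration, not Checkov's code. A CI job has no terminal on
# stdin, so input() hits end-of-file immediately and raises EOFError.


def reproduce_eoferror():
    """Return True if input() raises EOFError on an exhausted stdin."""
    saved = sys.stdin
    sys.stdin = io.StringIO("")  # constructed: nothing to read, as in CI
    try:
        input("Level up? (y/n): ")
    except EOFError:
        return True
    finally:
        sys.stdin = saved
    return False


def ask_yes_no(prompt, default=False, stream=None, interactive=None):
    """Prompt only when a human can answer; otherwise return `default`.

    `interactive` overrides the tty check so the EOF path can be tested.
    """
    stream = sys.stdin if stream is None else stream
    if interactive is None:
        interactive = bool(getattr(stream, "isatty", lambda: False)())
    if not interactive:
        return default  # unattended run: never block, never crash
    sys.stdout.write(prompt)
    sys.stdout.flush()
    line = stream.readline()
    if line == "":  # EOF: stdin closed mid-run, the case from the traceback
        return default
    answer = line.strip().lower()
    if answer in ("y", "yes"):
        return True
    if answer in ("n", "no"):
        return False
    return default


def simulate(text, interactive=None, default=False):
    """Run the prompt against constructed stdin contents."""
    return ask_yes_no("Level up? (y/n): ", default, io.StringIO(text), interactive)


if __name__ == "__main__":
    print("input() on closed stdin raises EOFError:", reproduce_eoferror())
    print("non-tty stdin falls back to default:", simulate("y\n"))
```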