
check CKV_SECRET_6 fails even when suppressed


Describe the bug

Checkov raises FAILED check CKV_SECRET_6 when running against a project even if the check is suppressed.

To Reproduce

Steps to reproduce the behavior:

  1. Create a module with Terraform and suppress the check for CKV_SECRET_6:

```hcl
# terraform/common/modules/terraform-azurerm-kv-secrets/main.tf

terraform {
  required_providers {
    azurerm = {
      source = "hashicorp/azurerm"
    }
  }
}

# Create Key Vault Secret
resource "azurerm_key_vault_secret" "secret" {
  name         = var.key_vault_secret_name
  value        = var.key_vault_secret_value
  key_vault_id = var.key_vault_id

  #checkov:skip=CKV_SECRET_6 todo
  #checkov:skip=CKV_AZURE_114 Content type is not used
  #checkov:skip=CKV_AZURE_41  No expiration dates set on keys
}
```
  2. Create a Terraform file where the module is called upon:

```hcl
terraform {
  backend "azurerm" {
    version = "2.74.0"
  }
  required_providers {
    azuredevops = {
      source  = "microsoft/azuredevops"
      version = "0.1.7"
    }
    azuread = {
      source  = "hashicorp/azuread"
      version = "1.6.0"
    }
  }
}

provider "azurerm" {
  features {}
}

data "azurerm_client_config" "current" {}

module "terraform-azurerm-rg" {
  source = "../common/modules/terraform-azurerm-rg"

  resource_group_name = "dummy-rg"
  location            = var.location
  tags                = var.tags
}

module "terraform-azurerm-kv" {
  source = "../common/modules/terraform-azurerm-kv"

  keyvault_name = "dummy-kv"

  resource_group_name = module.terraform-azurerm-rg.name
  location            = module.terraform-azurerm-rg.location
  tags                = var.tags

  tenant_id = data.azurerm_client_config.current.tenant_id
}

module "kv-secret" {
  source = "../common/modules/terraform-azurerm-kv-secrets"

  key_vault_id           = module.terraform-azurerm-kv.key_vault_id
  key_vault_secret_name  = "MultiTenancy"
  key_vault_secret_value = "verymuchsecretvalue"
}
```
  3. Run the Checkov scan in an Azure DevOps pipeline:

```yaml
- stage: SecurityCheck
  displayName: Security & Quality Check
  jobs:
    - job: Checkov_analysis
      displayName: Run Checkov
      steps:
        - script: |
              mkdir CheckovReport
              docker pull bridgecrew/checkov
              docker run --volume $(tbc__terraform_folder):/tf bridgecrew/checkov --directory /tf --compact --output junitxml > $(System.DefaultWorkingDirectory)/CheckovReport/Checkov-Report.xml
          displayName: Run Static Code analysis for Terraform using Checkov in a Docker container
```

Expected behavior

The check for CKV_SECRET_6 should have been SKIPPED, but instead my Azure DevOps pipeline fails.

Screenshots

[Screenshot: checkov ckv_secret_6]

Desktop (please complete the following information):

  • Terraform: 1.0.0
  • Checkov Version: latest image

Additional context

I have been able to work around this issue by using an older image tag. I found the following version working for me: bridgecrew/checkov:2.0.355, but I want to be able to stay up to date and skip the check for CKV_SECRET_6.

Issue Analytics

  • State: closed
  • Created: 2 years ago
  • Comments: 8 (1 by maintainers)

Top GitHub Comments

BesartSulejmani commented, Dec 15, 2021 (2 reactions)

Skipping the check works now by adding the skip next to the name and value of the Azure Keyvault Secrets. Tested with the latest image at the moment of writing this comment.
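What the thread converges on is scope. The CKV_AZURE_* checks in the module above are Terraform resource checks, and Checkov honours a `#checkov:skip=` comment for them anywhere inside the resource block, which is why those two skips worked. CKV_SECRET_6 comes from the secrets scanner, which looks at individual lines, so its skip has to sit next to the flagged value, as the comment above describes. The Python below is an added example written for this page, not Checkov's own code: a toy scanner that flags quoted base64-charset literals whose Shannon entropy exceeds detect-secrets' default limit of 4.5 bits per character, and applies either suppression scope to the same input. The "same line or the line immediately above" rule, the literal regex and the sample HCL (including the made-up high-entropy value) are assumptions of the model, not taken from Checkov's source.

```python
"""Toy model of block-scoped vs line-scoped #checkov:skip suppression.

Added example, not Checkov's implementation. It shows why a
#checkov:skip=CKV_SECRET_6 placed among the other skips at the bottom of a
resource block is ignored, while the same comment on the secret's line works.
"""
import math
import re
from collections import Counter

# Skip comments in the form used on the page: "#checkov:skip=<ID> <free text>"
SKIP_RE = re.compile(r"#\s*checkov:skip=([A-Z][A-Z0-9_]*)")
# Quoted base64-charset literals of 16+ chars. A simplification of what a
# high-entropy-string detector examines (assumption, not Checkov's regex).
STRING_RE = re.compile(r'"([A-Za-z0-9+/=]{16,})"')
# detect-secrets' default entropy limit for base64 strings.
ENTROPY_LIMIT = 4.5


def shannon_entropy(s: str) -> float:
    """Bits of entropy per character of s."""
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values())


def skips_on_line(line: str) -> set[str]:
    return set(SKIP_RE.findall(line))


def line_scoped_skips(lines: list[str], idx: int) -> set[str]:
    """Secrets-style scope: skips on the flagged line or the line above it."""
    skips = skips_on_line(lines[idx])
    if idx > 0:
        skips |= skips_on_line(lines[idx - 1])
    return skips


def block_scoped_skips(lines: list[str], idx: int) -> set[str]:
    """Resource-check-style scope: skips anywhere in the enclosing resource block."""
    start = idx
    while start >= 0 and not lines[start].lstrip().startswith("resource "):
        start -= 1
    if start < 0:
        return set()
    depth, skips = 0, set()
    for line in lines[start:]:
        skips |= skips_on_line(line)
        depth += line.count("{") - line.count("}")
        if depth <= 0:  # closing brace of the resource block reached
            break
    return skips


def scan(hcl_text: str, scope: str = "line", check_id: str = "CKV_SECRET_6"):
    """Return [(line_number, "FAILED" or "SKIPPED")] for high-entropy literals."""
    lines = hcl_text.splitlines()
    findings = []
    for idx, line in enumerate(lines):
        m = STRING_RE.search(line)
        if not m or shannon_entropy(m.group(1)) < ENTROPY_LIMIT:
            continue
        if scope == "line":
            skips = line_scoped_skips(lines, idx)
        elif scope == "block":
            skips = block_scoped_skips(lines, idx)
        else:
            raise ValueError(f"unknown scope {scope!r}")
        findings.append((idx + 1, "SKIPPED" if check_id in skips else "FAILED"))
    return findings


# Constructed samples. The literal is a made-up high-entropy value, not a real secret.
BROKEN_MODULE = """\
resource "azurerm_key_vault_secret" "secret" {
  name         = var.key_vault_secret_name
  value        = "aB3dE5fG7hI9jK1lM2nO4pQ6rS8tU0vWxYz"
  key_vault_id = var.key_vault_id

  #checkov:skip=CKV_SECRET_6 todo
  #checkov:skip=CKV_AZURE_41  No expiration dates set on keys
}
"""

FIXED_MODULE = """\
resource "azurerm_key_vault_secret" "secret" {
  name         = var.key_vault_secret_name
  value        = "aB3dE5fG7hI9jK1lM2nO4pQ6rS8tU0vWxYz" #checkov:skip=CKV_SECRET_6 todo
  key_vault_id = var.key_vault_id

  #checkov:skip=CKV_AZURE_41  No expiration dates set on keys
}
"""

# The root-module literal from the report: long enough to be examined,
# but too low in entropy to trip the 4.5-bit limit.
ROOT_MODULE = """\
module "kv-secret" {
  key_vault_secret_value = "verymuchsecretvalue"
}
"""

if __name__ == "__main__":
    for label, text in (("broken", BROKEN_MODULE), ("fixed", FIXED_MODULE), ("root", ROOT_MODULE)):
        print(f"{label}: line-scoped {scan(text)}  block-scoped {scan(text, scope='block')}")
```

Running the script prints the verdict for each sample under both scopes: the broken module passes only under block scope, the fixed module passes under line scope, and the root module is never flagged because its literal is low-entropy rather than suppressed. Whichever scope applies, a skip only silences the finding; the hardcoded `key_vault_secret_value = "verymuchsecretvalue"` in the root module is still a credential committed to source, so the durable fix is to feed it in from a variable or a pipeline secret rather than to skip the check.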

BesartSulejmani commented, Nov 11, 2021 (0 reactions)

@schosterbarak @gruebel Any update on your side for this issue?
