
Failing to perform Checkov Scan against Helm chart "[ERROR] Failed to run check:... "


Describe the bug

I am performing a Checkov scan against the dependency-track chart in this repo. Instead of receiving scan results, the scan fails and exits stating "[ERROR] Failed to run check:....at file: /dependency-track/templates/frontend/deployment.yaml". I'm not sure what is causing this; could it be a configuration issue in the chart?

To Reproduce

Steps to reproduce the behavior:

  1. Clone this repo: git clone https://github.com/evryfs/helm-charts.git
  2. Run the Checkov command: checkov -d "/helm-charts/charts/dependency-track"
  3. See error

Expected behavior

I expect to see scan results without any errors.

Logs

$ checkov -d "/helm-charts/charts/dependency-track" 

2021-09-14 16:38:51,343 [MainThread  ] [ERROR]  Failed to run check: Containers should run as a high UID to avoid host conflict for configuration: {'apiVersion': 'apps/v1', 'kind': 'Deployment', 'metadata': {'name': 'RELEASE-NAME-dependency-track-frontend', 'labels': {'app.kubernetes.io/name': 'dependency-track', 'helm.sh/chart': 'dependency-track-1.1.3', 'app.kubernetes.io/instance': 'RELEASE-NAME', 'app.kubernetes.io/managed-by': 'Helm', 'app.kubernetes.io/component': 'frontend', '__startline__': 8, '__endline__': 13}, '__startline__': 6, '__endline__': 13}, 'spec': {'replicas': 2, 'selector': {'matchLabels': {'app.kubernetes.io/name': 'dependency-track', 'app.kubernetes.io/instance': 'RELEASE-NAME', 'app.kubernetes.io/component': 'frontend', '__startline__': 17, '__endline__': 20}, '__startline__': 16, '__endline__': 20}, 'template': {'metadata': {'labels': {'app.kubernetes.io/name': 'dependency-track', 'helm.sh/chart': 'dependency-track-1.1.3', 'app.kubernetes.io/instance': 'RELEASE-NAME', 'app.kubernetes.io/managed-by': 'Helm', 'app.kubernetes.io/component': 'frontend', '__startline__': 23, '__endline__': 28}, '__startline__': 22, '__endline__': 28}, 'spec': {'serviceAccountName': 'RELEASE-NAME-dependency-track-frontend', 'securityContext': None, 'containers': [{'name': 'dependency-track-frontend', 'securityContext': {'allowPrivilegeEscalation': False, 'runAsUser': 101, '__startline__': 35, '__endline__': 37}, 'resources': {'limits': {'cpu': 1, 'memory': '512Mi', '__startline__': 39, '__endline__': 41}, 'requests': {'cpu': '100m', 'memory': '128Mi', '__startline__': 42, '__endline__': 44}, '__startline__': 38, '__endline__': 44}, 'image': 'docker.io/dependencytrack/frontend:4.3.1', 'imagePullPolicy': 'IfNotPresent', 'env': [{'name': 'API_BASE_URL', 'value': '', '__startline__': 47, '__endline__': 49}], 'ports': [{'name': 'http', 'containerPort': 8080, 'protocol': 'TCP', '__startline__': 50, '__endline__': 53}], 'volumeMounts': [{'name': 'tmp', 'mountPath': 
'/tmp', '__startline__': 54, '__endline__': 58}], 'livenessProbe': {'httpGet': {'port': 'http', 'path': '/', '__startline__': 60, '__endline__': 62}, 'initialDelaySeconds': 60, 'periodSeconds': 10, 'timeoutSeconds': 2, 'successThreshold': 1, 'failureThreshold': 3, '__startline__': 59, '__endline__': 67}, 'readinessProbe': {'httpGet': {'port': 'http', 'path': '/', '__startline__': 69, '__endline__': 71}, 'initialDelaySeconds': 60, 'periodSeconds': 10, 'timeoutSeconds': 2, 'successThreshold': 1, 'failureThreshold': 3, '__startline__': 68, '__endline__': 76}, '__startline__': 33, '__endline__': 76, 'apiVersion': 'apps/v1', 'kind': 'containers', 'parent': 'Deployment.RELEASE-NAME-dependency-track-frontend.default (container 0)', 'parent_metadata': {'name': 'RELEASE-NAME-dependency-track-frontend', 'labels': {'app.kubernetes.io/name': 'dependency-track', 'helm.sh/chart': 'dependency-track-1.1.3', 'app.kubernetes.io/instance': 'RELEASE-NAME', 'app.kubernetes.io/managed-by': 'Helm', 'app.kubernetes.io/component': 'frontend', '__startline__': 8, '__endline__': 13}, '__startline__': 6, '__endline__': 13}}], 'volumes': [{'name': 'tmp', 'emptyDir': {'__startline__': 78, '__endline__': 78}, '__startline__': 77, '__endline__': 86}], '__startline__': 29, '__endline__': 86}, '__startline__': 21, '__endline__': 86}, '__startline__': 14, '__endline__': 86}, '__startline__': 3, '__endline__': 86} at file: /dependency-track/templates/frontend/deployment.yaml


       _               _              
   ___| |__   ___  ___| | _______   __
  / __| '_ \ / _ \/ __| |/ / _ \ \ / /
 | (__| | | |  __/ (__|   < (_) \ V / 
  \___|_| |_|\___|\___|_|\_\___/ \_/  
                                      
By bridgecrew.io | version: 2.0.255 
Update available 2.0.255 -> 2.0.413
Run pip3 install -U checkov to update 


secrets scan results:

Passed checks: 0, Failed checks: 1, Skipped checks: 0

Check: CKV_SECRET_6: "Base64 High Entropy String"
	FAILED for resource: a709c1ac99f328abf9969fbfcb04913f8c9133bc
	File: /values.yaml:168-169
	Guide: https://docs.bridgecrew.io/docs/git_secrets_6

		168 |   postgresqlPassword: deptrack


$ echo $?                                                                         
1

Desktop (please complete the following information):

  • OS: iOS
  • Checkov Version: 2.0.255

Additional context

I performed a helm template and this is the result of dependency-track/templates/frontend/deployment.yaml:

# Source: dependency-track/templates/frontend/deployment.yaml
apiVersion: apps/v1
kind: Deployment
metadata:
  name: test-dependency-track-frontend
  labels:
    app.kubernetes.io/name: dependency-track
    helm.sh/chart: dependency-track-1.1.3
    app.kubernetes.io/instance: test
    app.kubernetes.io/managed-by: Helm
    app.kubernetes.io/component: frontend
spec:
  replicas: 2
  selector:
    matchLabels:
      app.kubernetes.io/name: dependency-track
      app.kubernetes.io/instance: test
      app.kubernetes.io/component: frontend
  template:
    metadata:
      labels:
        app.kubernetes.io/name: dependency-track
        helm.sh/chart: dependency-track-1.1.3
        app.kubernetes.io/instance: test
        app.kubernetes.io/managed-by: Helm
        app.kubernetes.io/component: frontend
    spec:
      serviceAccountName: test-dependency-track-frontend
      securityContext:
        null
      containers:
      - name: dependency-track-frontend
        securityContext:
            allowPrivilegeEscalation: false
            runAsUser: 101
        resources: 
          limits:
            cpu: 1
            memory: 512Mi
          requests:
            cpu: 100m
            memory: 128Mi
        image: docker.io/dependencytrack/frontend:4.3.1
        imagePullPolicy: IfNotPresent
        env:
        - name: API_BASE_URL
          value: ""
        ports:
        - name: http
          containerPort: 8080
          protocol: TCP
        volumeMounts:
        - name: tmp
          mountPath: /tmp
        #- name: config
        #  mountPath: /app/static
        livenessProbe:
          httpGet:
            port: http
            path: /
          initialDelaySeconds: 60
          periodSeconds: 10
          timeoutSeconds: 2
          successThreshold: 1
          failureThreshold: 3
        readinessProbe:
          httpGet:
            port: http
            path: /
          initialDelaySeconds: 60
          periodSeconds: 10
          timeoutSeconds: 2
          successThreshold: 1
          failureThreshold: 3
      volumes:
      - name: tmp
        emptyDir: {}
      # https://github.com/DependencyTrack/frontend/issues/60
      # - name: config
      #  configMap:
      #    name: test-dependency-track-frontend
      #    items:
      #    - key: config.json
      #      path: config.json
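As an added illustration (not Checkov's own code): a re-implementation of the "Containers should run as a high UID" check named in the log, run over the rendered frontend Deployment from the helm template output above, reduced to the fields the check reads. The naive form shows why a pod-level securityContext that renders as null raises a TypeError, and the hardened form treats null as absent and lets a container-level runAsUser override the pod-level one. The 10000 threshold, the function names and the dict form of the manifest are assumptions.

```python
HIGH_UID_THRESHOLD = 10000  # assumed cut-off for "high UID"; not taken from the issue

# Constructed input: the frontend Deployment from the `helm template` output
# above, reduced to the fields the check reads. The pod-level securityContext
# is None, which is what the rendered "securityContext:\n  null" loads as.
FRONTEND_DEPLOYMENT = {
    "apiVersion": "apps/v1",
    "kind": "Deployment",
    "metadata": {"name": "test-dependency-track-frontend"},
    "spec": {"template": {"spec": {
        "securityContext": None,
        "containers": [{
            "name": "dependency-track-frontend",
            "securityContext": {"allowPrivilegeEscalation": False, "runAsUser": 101},
        }],
    }}},
}


def pod_spec(resource):
    """Return the pod spec of a bare Pod or of a workload carrying a pod template."""
    if resource.get("kind") == "Pod":
        return resource.get("spec") or {}
    return ((resource.get("spec") or {}).get("template") or {}).get("spec") or {}


def naive_check(resource):
    """Fragile shape: `"runAsUser" in None` raises TypeError on a null securityContext."""
    spec = pod_spec(resource)
    if "securityContext" in spec and "runAsUser" in spec["securityContext"]:
        return "PASSED" if spec["securityContext"]["runAsUser"] >= HIGH_UID_THRESHOLD else "FAILED"
    return "FAILED"


def effective_run_as_user(pod_sec_ctx, container_sec_ctx):
    """Container-level runAsUser overrides the pod-level one; either context may be None."""
    pod_ctx = pod_sec_ctx or {}
    ctr_ctx = container_sec_ctx or {}
    return ctr_ctx.get("runAsUser", pod_ctx.get("runAsUser"))


def check_high_uid(resource, threshold=HIGH_UID_THRESHOLD):
    """Hardened check: one verdict per container, never raising on null contexts."""
    spec = pod_spec(resource)
    results = {}
    for ctr in spec.get("containers") or []:
        uid = effective_run_as_user(spec.get("securityContext"), ctr.get("securityContext"))
        is_high = isinstance(uid, int) and not isinstance(uid, bool) and uid >= threshold
        results[ctr.get("name", "<unnamed>")] = "PASSED" if is_high else "FAILED"
    return results
```

Note that once the crash is handled, this manifest should still fail the check on its merits: the container runs as UID 101, well below any "high UID" threshold, so a fix that silently returns PASSED for a null context would hide a real finding.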

Issue Analytics

  • State: closed
  • Created 2 years ago
  • Comments: 9 (2 by maintainers)

Top GitHub Comments

1 reaction
nimrodkor commented, Sep 22, 2021

While we think about how to solve it, I’ve done a few fixes which should now handle this case without crashing. Will be released in the next release

0 reactions
stale[bot] commented, Jul 11, 2022

Closing issue due to inactivity. If you feel this is in error, please re-open, or reach out to the community via slack: https://slack.bridgecrew.io Thanks!
