Have checkov be callable from Python

Right now

Currently if you want to call checkov from Python, I think I have to do subprocess.check_output, which is hacky.

Right now in main.py, we call

https://github.com/bridgecrewio/checkov/blob/a6ce482f7ba82adaa2e08cc59c3f18b6872f2702/checkov/main.py#L29

which implicitly pulls args from sys.argv

The proposal

Change def main to do something like:

def main(argv=sys.argv[1:]):
    if len(sys.argv) == 1:  # pragma: no cover
        sys.argv.append('--help')

    args = parse_args(argv)

would do the trick.

I’ve also written code like the following

def parse_args(argv):
    ...
    return parser.parse_args(
        argv or ['--help']
    )


def main(argv=sys.argv[1:]):
    args = parse_args(argv)
    ...

etc. See detect-secrets main.py as an example.

Issue Analytics

  • State: closed
  • Created 3 years ago
  • Reactions: 3
  • Comments: 14 (12 by maintainers)

Top GitHub Comments

KevinHock commented, Apr 27, 2021 (3 reactions)

Alrighty, can confirm this works now! 🥳 ⚡ 🍰

import io
from contextlib import redirect_stdout
from checkov.main import run as run_checkov

f = io.StringIO()
with redirect_stdout(f):
    run_checkov(argv=[
        '-f',
        'some_example.tf',
        '--output',
        'json',
    ])

print(f'heyo, f is {f.getvalue()}')

is a sample.

Thanks for playing everyone.

jtaylor100 commented, Mar 12, 2022 (1 reaction)

To add to the above, if anybody is running checkov more than once in a given python context, you’ll need to reload the checkov.main module before each run since it has some global state.

e.g.

import io
from contextlib import redirect_stdout
import checkov.main
from importlib import reload

# first run
f = io.StringIO()
with redirect_stdout(f):
    checkov.main.run(argv=[
        '-f',
        'some_example.tf',
        '--output',
        'json',
    ])

print(f'for the first run, f is {f.getvalue()}')

# second run
reload(checkov.main) # NOTE: reload the module before subsequent runs
f = io.StringIO()
with redirect_stdout(f):
    checkov.main.run(argv=[
        '-f',
        'another_example.tf',
        '--output',
        'json',
    ])

print(f'for the second run, f is {f.getvalue()}')
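
Added example, not part of the thread or of checkov's own code: a wrapper for the in-process call pattern shown in the comments above that captures stdout, survives a sys.exit() from the entry point, and parses the JSON into a list of failed check ids. The entry point here is a constructed stand-in (fake_scanner_run), and the report layout (results.failed_checks[].check_id, one dict or a list of dicts) is an assumption about the JSON output.

```python
import io
import json
from contextlib import redirect_stdout


def run_cli_captured(entry, argv):
    """Call an argv-accepting CLI entry point in-process; return (exit_code, reports)."""
    buf = io.StringIO()
    try:
        with redirect_stdout(buf):
            code = entry(argv=list(argv))
    except SystemExit as exc:  # CLI code often ends via sys.exit()
        code = exc.code
    code = 0 if code is None else code
    text = buf.getvalue().strip()
    if not text:
        return code, []
    try:
        parsed = json.loads(text)
    except json.JSONDecodeError as exc:
        raise ValueError(f"scanner did not emit JSON: {text[:80]!r}") from exc
    # Assumption: a single report is a dict, several reports arrive as a list.
    return code, parsed if isinstance(parsed, list) else [parsed]


def failed_check_ids(reports):
    """Sorted check ids from each report's results.failed_checks (assumed shape)."""
    checks = (c for r in reports for c in r.get("results", {}).get("failed_checks", []))
    return sorted(c["check_id"] for c in checks)


def fake_scanner_run(argv):
    """Constructed stand-in for an entry point such as checkov.main.run."""
    if "--help" in argv:
        print("usage: scanner -f FILE --output json")
        raise SystemExit(0)
    report = {  # constructed sample, not real scanner output
        "check_type": "terraform",
        "results": {"failed_checks": [{"check_id": "EXAMPLE_2"}, {"check_id": "EXAMPLE_1"}]},
    }
    print(json.dumps(report))
    return 1


if __name__ == "__main__":
    code, reports = run_cli_captured(fake_scanner_run, ["-f", "some_example.tf", "--output", "json"])
    print(code, failed_check_ids(reports))
```

Raising on non-JSON output keeps a usage message or a traceback from being read as "no findings" when the result gates a pipeline.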
