Checkov Bug Report Default BC_LIC Skip Overrides Config File

Introduction

Hey guys! Today, we're diving deep into a tricky bug report about Checkov, specifically how the default skip check for BC_LIC is overriding the config file. This issue, reported by XargsUK, highlights a frustrating situation where users' custom skip-check directives in their .checkov.yaml file are being ignored. Let's break down the problem, explore the details, and discuss potential solutions. If you're wrestling with Checkov ignoring your configurations, you're in the right place!

Background

Checkov is a fantastic tool for static analysis of infrastructure as code (IaC) files, helping you catch misconfigurations and security vulnerabilities early in the development lifecycle. It supports various IaC formats like Terraform, Kubernetes, and more. One of its powerful features is the ability to skip certain checks that might not be relevant to your environment or that you intentionally want to bypass. This is typically done using the skip-check directive in a Checkov configuration file, usually named .checkov.yaml.

However, a persistent issue has emerged where Checkov's default behavior of skipping license compliance checks (BC_LIC) is overriding the user-defined skip-check configurations. This means that even if you've specified exactly which checks to skip in your .checkov.yaml file, the default BC_LIC skip remains in effect, potentially leading to unexpected behavior and confusion. Let's dive into the specifics of the bug report to understand the problem better.

The Bug Report

XargsUK reported a bug where the skip-check directive in their .checkov.yaml file was being ignored. The configuration file specified:

skip-check:
  - CKV_TF_1

This should have skipped the CKV_TF_1 check, but it didn't. Upon inspecting the debug logs, XargsUK found that Checkov was being run with the following option by default:

--skip-check BC_LIC*

This command-line option was overriding the configuration file, causing the CKV_TF_1 check to still be executed. This issue mirrors a previous report (bridgecrewio/checkov-vscode#125), indicating a recurring problem with how Checkov handles default skip checks and configuration file overrides.

XargsUK noted that while a fix was attempted in a previous release (#10), the issue persists. Even with an empty skip list in the UI, the --skip-check BC_LIC* flag is still forced, preventing the .checkov.yaml file's skip-check directive from being honored. This behavior is documented in the release notes for version 1.0.115, but it doesn't fully address the underlying problem.

Key Observations

  1. Default BC_LIC Skip: Checkov defaults to skipping license compliance checks (BC_LIC).
  2. Override Issue: The --skip-check BC_LIC* command-line option overrides the skip-check directive in the .checkov.yaml file.
  3. Confusion: This behavior is not immediately obvious to users and can lead to confusion and frustration.
  4. Persistence: The issue persists even after attempts to fix it in previous releases.

Technical Details

To give you guys a clearer picture, here are the technical details from the bug report:

  • Python Version: 3.13.5
  • Checkov Installation Method: pip
  • CheckovPrismaless Version: 1.0.119
  • VSCode Version: 1.102.2
  • Operating System: Windows 11

These details help pinpoint the environment in which the bug was encountered, which is crucial for troubleshooting and fixing the issue. The fact that it's happening on Windows 11 with the latest versions of CheckovPrismaless and VSCode suggests a general problem rather than an isolated incident.

Why This Matters

So, why is this bug such a big deal? Well, consistency and predictability are key when you're dealing with security and compliance tools. If Checkov ignores your configuration file, you can't be sure that it's behaving the way you expect. This can lead to:

  • False Negatives: Important checks might be skipped unintentionally, leaving security vulnerabilities undetected.
  • False Positives: Checks that you intended to skip might still run, creating unnecessary noise and wasting your time.
  • Configuration Drift: Your intended configuration diverges from the actual behavior of Checkov, making it harder to manage and maintain your infrastructure as code.

In short, this bug undermines the reliability and trustworthiness of Checkov, which is the last thing you want from a security tool.

Steps to Reproduce

Here’s how you can reproduce the bug and see it in action:

  1. Create a .checkov.yaml file: In your project directory, create a file named .checkov.yaml.

  2. Add a skip-check directive: In the .checkov.yaml file, add the following content:

    skip-check:
      - CKV_TF_1

    This tells Checkov to skip the CKV_TF_1 check.

  3. Run Checkov: Execute Checkov in your project directory. You'll notice that even though you've specified CKV_TF_1 to be skipped, it is still executed, because the default --skip-check BC_LIC* option takes precedence over the skip list from the file.

By following these steps, you can verify that the skip-check directive in your configuration file is being ignored, confirming the bug.
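To make the precedence problem concrete, here is a small model of the two ways a tool can combine a config-file skip list with a forced command-line skip list. This is an added illustration written for this article, not Checkov's or the CheckovPrismaless extension's own code; it assumes the .checkov.yaml list has already been parsed, treats the BC_LIC* pattern as a shell-style glob (an assumption about how the wildcard is interpreted), and uses a constructed list of check IDs as the scan input.

```python
"""Model of how a forced --skip-check flag can clobber a config-file skip list.

Added illustration, not Checkov's source. It compares two precedence rules:
"override" (the command-line list replaces the file's list, which is what the
bug report observes) and "merge" (both lists are honoured, which is what the
user expects).
"""
from fnmatch import fnmatch

# Constructed sample: the skip-check list from the report's .checkov.yaml,
# already parsed (a real run would load it with a YAML parser).
CONFIG_FILE_SKIPS = ["CKV_TF_1"]

# Constructed sample: the option the report found injected by default.
FORCED_CLI_SKIPS = ["BC_LIC*"]

# Constructed sample of check IDs a scan might evaluate.
CANDIDATE_CHECKS = ["CKV_TF_1", "CKV_AWS_18", "BC_LIC_1", "BC_LIC_2"]


def effective_skips(file_skips, cli_skips, merge):
    """Return the skip patterns that are actually in force.

    merge=False models the reported behaviour: anything carried on the
    command line replaces the file's list outright, so the user's entries
    vanish as soon as a default is forced on the CLI.
    merge=True models the expected behaviour: both sources are honoured.
    """
    if cli_skips and not merge:
        return list(cli_skips)
    return list(file_skips) + list(cli_skips)


def is_skipped(check_id, skip_patterns):
    """Glob match (assumed semantics) so that 'BC_LIC*' covers BC_LIC_1, BC_LIC_2, ..."""
    return any(fnmatch(check_id, pattern) for pattern in skip_patterns)


def checks_to_run(candidates, file_skips, cli_skips, merge):
    """Check IDs that would still execute under the chosen precedence rule."""
    patterns = effective_skips(file_skips, cli_skips, merge)
    return [c for c in candidates if not is_skipped(c, patterns)]


def lost_skips(file_skips, cli_skips, merge):
    """Config-file entries that end up silently ignored.

    Comparing your .checkov.yaml against the --skip-check values visible in a
    debug log is the practical way to detect this in a real run.
    """
    patterns = effective_skips(file_skips, cli_skips, merge)
    return [s for s in file_skips if s not in patterns]


if __name__ == "__main__":
    for merge in (False, True):
        label = "merge" if merge else "override"
        print(label, "runs:", checks_to_run(CANDIDATE_CHECKS, CONFIG_FILE_SKIPS, FORCED_CLI_SKIPS, merge))
        print(label, "lost:", lost_skips(CONFIG_FILE_SKIPS, FORCED_CLI_SKIPS, merge))
```

Under the "override" rule CKV_TF_1 is still run and shows up as a lost skip, which is exactly the symptom in the report; under the "merge" rule both the user's entry and the BC_LIC* default are honoured. The useful habit this suggests is to diff the skip list you wrote against the --skip-check arguments that actually appear in the debug log, rather than trusting the config file alone.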

Proposed Solution

XargsUK suggests a straightforward solution: completely remove the default BC_LIC skip. This makes sense for several reasons:

  • Clarity: It's not immediately obvious that the BC_LIC skip is there by default.
  • Flexibility: Removing the default skip allows users to have full control over which checks are skipped via the config file.
  • Consistency: It ensures that the skip-check directive in the .checkov.yaml file is honored, as expected.

By removing the default BC_LIC skip, Checkov would behave more predictably and align with user expectations. This change would also simplify the configuration process and reduce the potential for confusion.

Further Discussion

This bug highlights the importance of clear defaults and configuration precedence in software tools. When a tool has default settings that override user-defined configurations, it can lead to unexpected behavior and frustration. In Checkov's case, the default BC_LIC skip, while potentially helpful in some scenarios, is causing more harm than good by interfering with the skip-check directive.

It's also worth considering alternative approaches to managing license compliance checks. Instead of skipping them by default, Checkov could provide a clearer way to enable or disable them, perhaps through a dedicated configuration option. This would give users more control over their security scans and avoid the confusion caused by the current behavior.

Conclusion

In conclusion, the bug report from XargsUK sheds light on a significant issue in Checkov where the default skip check for BC_LIC overrides the configuration file's skip-check directive. This behavior can lead to unexpected results and undermine the reliability of Checkov. The proposed solution of removing the default BC_LIC skip seems like a reasonable step towards resolving the issue and improving the user experience.

Keep an eye on future Checkov releases for updates on this issue. In the meantime, if you're encountering this bug, you might need to work around it by explicitly including the checks you want to run in your configuration or by using command-line options to override the default skip. Let's hope the Checkov team addresses this soon so we can all have a smoother IaC scanning experience!
