
feat: add bridgecrewio/checkov #20226

Merged

Conversation

@florianmutter florianmutter commented Feb 22, 2024

bridgecrewio/checkov: Prevent cloud misconfigurations and find vulnerabilities during build-time in infrastructure as code, container images and open source packages with Checkov by Bridgecrew

$ aqua g -i bridgecrewio/checkov

How to confirm if this package works well

Reviewers aren't necessarily familiar with this package, so please describe how to confirm if this package works well.
Please confirm if this package works well yourself as much as possible.

Command and output

$ checkov --version
3.2.23

Reference

[bridgecrewio/checkov](https://github.com/bridgecrewio/checkov): Prevent cloud misconfigurations and find vulnerabilities during build-time in infrastructure as code, container images and open source packages with Checkov by Bridgecrew
@florianmutter florianmutter marked this pull request as draft February 22, 2024 12:19
@florianmutter florianmutter marked this pull request as ready for review February 22, 2024 12:20
suzuki-shunsuke commented Feb 22, 2024

Did you run cmdx bridgecrewio/checkov?
If so, I think version_overrides should be set. 🤔

e.g.

version_constraint: "false"
version_overrides:
  - version_constraint: semver("<= 0.10.16")
    no_asset: true
  - version_constraint: "true"

Ah, I see. This repository has a lot of GitHub Releases (1,823).
By default, the command cmdx s checks all releases, so it takes a long time if the repository has a lot of GitHub Releases.
Perhaps it would cause GitHub API rate limiting issues.
Maybe we need to give up checking all versions and specify the -limit option.

e.g.

cmdx s -limit 200 bridgecrewio/checkov
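
For concreteness, here is the shape of a registry entry that applies the version_overrides idea sketched above. This is an added illustration written for this page, not the registry.yaml merged in this PR: the asset name pattern and the dist/checkov file path are inferred from the aqua install path quoted later in the thread, the arm64 asset naming is assumed to follow the same pattern, and the "<= 0.10.16" boundary is the illustrative value from the comment above, not a verified cutoff.

```yaml
# Added example for this page, not the registry file merged in this PR.
# Assumptions: asset names follow checkov_<os>_<arch>_<version>.zip with the
# binary at dist/checkov (inferred from the aqua install path quoted in the
# thread); arm64 naming is assumed unchanged; the "<= 0.10.16" boundary is
# illustrative only.
packages:
  - type: github_release
    repo_owner: bridgecrewio
    repo_name: checkov
    description: Prevent cloud misconfigurations and find vulnerabilities during build-time in infrastructure as code, container images and open source packages with Checkov by Bridgecrew
    # checkov tags carry no leading "v", so {{.Version}} is used directly.
    asset: checkov_{{.OS}}_{{.Arch}}_{{.Version}}.zip
    format: zip
    files:
      - name: checkov
        src: dist/checkov
    # aqua's GOARCH value is "amd64"; the upstream asset spells it X86_64.
    replacements:
      amd64: X86_64
    supported_envs:
      - darwin
      - linux
    # "false" means the default block never matches on its own; aqua walks
    # version_overrides top to bottom and uses the first constraint that
    # matches the requested version.
    version_constraint: "false"
    version_overrides:
      # Old releases that shipped no binary assets: mark them uninstallable
      # instead of letting aqua fail on a missing download.
      - version_constraint: semver("<= 0.10.16")
        no_asset: true
      # Everything newer uses the default asset layout above.
      - version_constraint: "true"
```

From a project's aqua.yaml the package is then pinned as `bridgecrewio/checkov@3.2.23` against a fixed registry ref (the thread says this package shipped in aqua-registry v4.140.0). Pinning both the tool version and the registry ref means a later upstream release with a different asset layout, or a later registry change, cannot alter what gets installed without an explicit, reviewable config change.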

@suzuki-shunsuke suzuki-shunsuke added the enhancement New feature or request label Feb 22, 2024
@suzuki-shunsuke suzuki-shunsuke added this to the v4.139.1 milestone Feb 22, 2024
@florianmutter (Contributor, Author)
I did run it, and it created rules for old releases. Since this is a new package, I thought it was OK if we start by only supporting the latest version and future versions. I removed the rules and old versions.

@suzuki-shunsuke (Member)
> Since this is a new package I thought it is ok if we start by only supporting the latest version and future versions.

I don't think so.
Even if the package is new, users should be able to use old versions too.

@florianmutter (Contributor, Author)
👍 I will try to update the PR to include the version_constraint

@florianmutter (Contributor, Author)
Created the config again with version constraints for older versions

suzuki-shunsuke commented Feb 22, 2024

LGTM. Thank you!

BTW, I'm not familiar with checkov, but checkov seems to be very slow.
It takes over 9 seconds just to show the version with the -v option.

And brew install checkov installs a slightly old version.

$ time /opt/homebrew/bin/checkov -v
3.2.20
/opt/homebrew/bin/checkov -v  2.67s user 0.59s system 36% cpu 9.015 total
$ time /Users/shunsukesuzuki/.local/share/aquaproj-aqua/pkgs/github_release/github.com/bridgecrewio/checkov/3.2.23/checkov_darwin_X86_64_3.2.23.zip/dist/checkov -v
3.2.23
 -v  3.00s user 2.81s system 19% cpu 29.465 total

This has nothing to do with aqua, so I don't care about it, but this is a little interesting.

@suzuki-shunsuke suzuki-shunsuke merged commit 247d96b into aquaproj:main Feb 22, 2024
16 checks passed
@suzuki-shunsuke (Member)
v4.140.0 is out 🎉
https://github.com/aquaproj/aqua-registry/releases/tag/v4.140.0
