This repository was archived by the owner on Oct 27, 2024. It is now read-only.

Storing the Checkov token in settings.json is insecure #129

@ryboe

Description

We currently have to pass the Checkov token by storing it in settings.json.

"checkov.token": "<REDACTED>"

This is not ideal for a few reasons:

  1. It contributes to secret sprawl (the settings.json file is one more file that needs to be protected).
  2. settings.json is globally readable on my Mac (644 permissions).
  3. The secret persists on the file system.
  4. The secret is readable in plaintext.
  5. If Settings Sync is enabled, the secret is copied to the cloud (in plaintext).

It would be better to have the option of pulling the secret from the BC_API_KEY env var. That would let us avoid storing the secret on the file system.

Thanks for making a great IaC scanner and thanks for considering this feature.
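The resolution order the issue asks for (environment variable first, settings.json only as a fallback), as an added example that is not part of the original issue and not the Checkov extension's own code. It assumes the `BC_API_KEY` variable name from the post, a hypothetical `checkov.token` value already read out of settings.json by the caller, and hypothetical function names; the redaction helper and the file-mode audit (points 2 and 4 above) are illustrative additions.

```typescript
import * as fs from "fs";

// Environment variable proposed in the issue.
const ENV_VAR = "BC_API_KEY";

type TokenOrigin = "env" | "settings" | "none";

interface ResolvedToken {
  token: string | undefined;
  origin: TokenOrigin;
  warnings: string[];
}

// Prefer the environment variable; fall back to the plaintext settings value.
// `settingsToken` is whatever the caller read from "checkov.token" (hypothetical
// plumbing, not the extension's real config API).
function resolveCheckovToken(
  env: Record<string, string | undefined>,
  settingsToken: string | undefined,
): ResolvedToken {
  const warnings: string[] = [];
  const fromEnv = env[ENV_VAR]?.trim();
  if (fromEnv) {
    if (settingsToken) {
      // Both present: the on-disk copy is redundant and should be removed.
      warnings.push(`ignoring "checkov.token" from settings.json because ${ENV_VAR} is set`);
    }
    return { token: fromEnv, origin: "env", warnings };
  }
  const fromSettings = settingsToken?.trim();
  if (fromSettings) {
    warnings.push(`"checkov.token" read from settings.json in plaintext; prefer ${ENV_VAR}`);
    return { token: fromSettings, origin: "settings", warnings };
  }
  return { token: undefined, origin: "none", warnings };
}

// Never log the raw token; keep only the last four characters for correlation.
function redactToken(token: string | undefined): string {
  if (!token) return "<unset>";
  if (token.length <= 4) return "****";
  return "*".repeat(token.length - 4) + token.slice(-4);
}

// Pure check on a POSIX mode word (st_mode), so it can be tested without a file.
function modeWarnings(mode: number, filePath: string): string[] {
  const warnings: string[] = [];
  const perms = (mode & 0o777).toString(8);
  if (mode & 0o004) {
    warnings.push(`${filePath} is world-readable (mode ${perms}); a stored token is exposed to every local user`);
  } else if (mode & 0o040) {
    warnings.push(`${filePath} is group-readable (mode ${perms})`);
  }
  return warnings;
}

// Audit the real settings file; a missing file means nothing is stored on disk.
function auditSettingsFile(filePath: string): string[] {
  try {
    return modeWarnings(fs.statSync(filePath).mode, filePath);
  } catch {
    return [];
  }
}

// Usage (as the extension might call it at activation):
//   const r = resolveCheckovToken(process.env, settingsToken);
//   console.log(`token ${redactToken(r.token)} from ${r.origin}`);
//   auditSettingsFile("/path/to/settings.json").forEach(w => console.warn(w));
```

Reading from the environment avoids points 1, 3, 4 and 5 in the list above in one go, since nothing is written to disk and there is nothing for Settings Sync to upload; the mode audit covers point 2 for users who keep the settings.json fallback.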
