Monorepo support #22

Open

Assignees

Labels

opened

on Dec 19, 2020

Would adding support for autodiscovery of terraform projects within a monrepo root or subdirectory be possible? Currently I've got 3 or 4 projects where I have to write several hundreds lines of yaml to manually add each project (also remembering to update yaml when a new project is added).

added

self-assigned this

Author

I'm basically looking for something that includes directories/files to check. Maybe an excludes would be easier to implement at least then things can run a bit faster and dependencies/libs aren't being scanned recursively.

On Mon, Feb 8, 2021 at 5:36 PM Matt Johnson ***@***.***> wrote: Hi Ben, Would something like the following allow you to just get the failed checks section of the json without a new flag? checkov -o json -f terraform/aws/ec2.tf | jq .results.failed_checks checkov -o json -f terraform/aws/ec2.tf | jq .results.failed_checks > just_failed.json — You are receiving this because you authored the thread. Reply to this email directly, view it on GitHub <#22 (comment)>, or unsubscribe <https://github.com/notifications/unsubscribe-auth/AAB4XFKYHTRTQD2N5VM2KDTS6B7RHANCNFSM4VB4PVVQ> .

Contributor

Hello @btilford

I think we may be able to satisfy what you're after as-is. I'm not sure about excluding dirs yet. But checkout below:

I use this action configuration to run a recursive checkov scan only in the 'modules' directory. By specifying 'framework: terraform' I am only running terraform scans.

      - name: Run Checkov action
        id: checkov
        uses: bridgecrewio/checkov-action@master
        with:
          directory: modules/
          quiet: false
          soft_fail: false
          framework: terraform
          output_format: cli

Will this do what you want? You could do things like use several blocks if you want to choose different specific dirs and subdirs to scan.

Did not test, but directory: dir1/ -d dir2/ -d dir3/ might do the trick to scan selected set of directories.

While we're at it, can we enable Checkov GH actions to take multiple directories?

Edit: Alternative could be to run Checkov multiple times by changing directory variable from matrix which is dynamically built based on extracted changed directories in the repository. Similar to: https://tomasvotruba.com/blog/2020/11/16/how-to-make-dynamic-matrix-in-github-actions/

@alen-z I'm using .checkov.yaml to work around more options than the GitHub Action supports, such as a list of directories to skip using skip-path.

Here is my working template that I use in this and other repos:

https://github.com/HariSekhon/Templates/blob/master/.checkov.yaml

mentioned this

fix(general): Allow specifying files in a github actions config file checkov#6813

to join this conversation on GitHub. Already have an account? Sign in to comment

Metadata

Assignees

metahertz

Labels

Type

No type

Projects

No projects

Milestone

No milestone

Relationships

None yet

Development

fix(general): Allow specifying files in a github actions config filebridgecrewio/checkov

Participants