Passing a null value to the config_file makes the action freeze #173

Open
samtarplee opened this issue Apr 26, 2024 · 0 comments

Comments

@samtarplee

Passing a null value to the config_file makes the checkov action freeze

I was trying to add a toggle switch to a workflow using this action, to allow users to specify if they want to provide a config file or not, but if I set the value to null, the command-line arguments in the log indicate that no config has been passed, and the action starts to run, but it freezes a few seconds later, and causes the workflow to never complete.

I know this isn't necessarily a bug, as I'm trying to use the config file input in a way that's not intended, but it would be a good feature if it could handle a null gracefully, so that the config file, and other inputs, could be optional inside a composite action.

example step:

- name: Run checkov against Terraform
  id: checkov
  uses: bridgecrewio/checkov-action@v12
  with:
    directory: ${{ inputs.path }}
    output_format: cli,sarif
    output_file_path: console,results.sarif
    download_external_modules: false
    github_pat: ${{ inputs.github_token }}
    log_level: DEBUG
    config_file: ${{ inputs.checkov_config_file != null && inputs.checkov_config_file || null }}

log entry:


running checkov on directory: xxxxxxxxxxx
checkov -d xxxxxxxxxx    --quiet         --output cli --output sarif --output-file-path console,results.sarif  

debug log entry:

Docker run command

/usr/bin/docker run --name ghcriobridgecrewiocheckov3274_f6859b --label 116ecf --workdir /github/workspace --rm -e "SSH_AUTH_SOCK" -e "SSH_AGENT_PID" -e "TERRAFORM_CLI_PATH" -e "AWS_DEFAULT_REGION" -e "AWS_REGION" -e "AWS_ACCESS_KEY_ID" -e "AWS_SECRET_ACCESS_KEY" -e "AWS_SESSION_TOKEN" -e "TF_VAR_deployment_role_name" -e "GITHUB_OVERRIDE_URL" -e "INPUT_DIRECTORY" -e "INPUT_OUTPUT_FORMAT" -e "INPUT_OUTPUT_FILE_PATH" -e "INPUT_DOWNLOAD_EXTERNAL_MODULES" -e "INPUT_GITHUB_PAT" -e "INPUT_LOG_LEVEL" -e "INPUT_CONFIG_FILE" -e "INPUT_FILE" -e "INPUT_CHECK" -e "INPUT_SKIP_CHECK" -e "INPUT_COMPACT" -e "INPUT_QUIET" -e "INPUT_API-KEY" -e "INPUT_OUTPUT_BC_IDS" -e "INPUT_USE_ENFORCEMENT_RULES" -e "INPUT_SKIP_RESULTS_UPLOAD" -e "INPUT_SOFT_FAIL" -e "INPUT_FRAMEWORK" -e "INPUT_SKIP_FRAMEWORK" -e "INPUT_EXTERNAL_CHECKS_DIRS" -e "INPUT_EXTERNAL_CHECKS_REPOS" -e "INPUT_ENABLE_SECRETS_SCAN_ALL_FILES" -e "INPUT_BASELINE" -e "INPUT_SOFT_FAIL_ON" -e "INPUT_HARD_FAIL_ON" -e "INPUT_CONTAINER_USER" -e "INPUT_DOCKER_IMAGE" -e "INPUT_DOCKERFILE_PATH" -e "INPUT_VAR_FILE" -e "INPUT_TFC_TOKEN" -e "INPUT_TF_REGISTRY_TOKEN" -e "INPUT_CKV_VALIDATE_SECRETS" -e "INPUT_VCS_BASE_URL" -e "INPUT_VCS_USERNAME" -e "INPUT_VCS_TOKEN" -e "INPUT_BITBUCKET_TOKEN" -e "INPUT_BITBUCKET_APP_PASSWORD" -e "INPUT_BITBUCKET_USERNAME" -e "INPUT_REPO_ROOT_FOR_PLAN_ENRICHMENT" -e "INPUT_POLICY_METADATA_FILTER" -e "INPUT_SKIP_PATH" -e "INPUT_SKIP_CVE_PACKAGE" -e "INPUT_SKIP_DOWNLOAD" -e "INPUT_PRISMA-API-URL" -e "API_KEY_VARIABLE" -e "GITHUB_PAT" -e "TFC_TOKEN" -e "TF_REGISTRY_TOKEN" -e "VCS_USERNAME" -e "VCS_BASE_URL" -e "VCS_TOKEN" -e "BITBUCKET_TOKEN" -e "BITBUCKET_USERNAME" -e "BITBUCKET_APP_PASSWORD" -e "PRISMA_API_URL" -e "CKV_VALIDATE_SECRETS" -e "HOME" -e "GITHUB_JOB" -e "GITHUB_REF" -e "GITHUB_SHA" -e "GITHUB_REPOSITORY" -e "GITHUB_REPOSITORY_OWNER" -e "GITHUB_REPOSITORY_OWNER_ID" -e "GITHUB_RUN_ID" -e "GITHUB_RUN_NUMBER" -e "GITHUB_RETENTION_DAYS" -e "GITHUB_RUN_ATTEMPT" -e "GITHUB_REPOSITORY_ID" -e "GITHUB_ACTOR_ID" -e "GITHUB_ACTOR" -e "GITHUB_TRIGGERING_ACTOR" -e "GITHUB_WORKFLOW" -e "GITHUB_HEAD_REF" -e "GITHUB_BASE_REF" -e "GITHUB_EVENT_NAME" -e "GITHUB_SERVER_URL" -e "GITHUB_API_URL" -e "GITHUB_GRAPHQL_URL" -e "GITHUB_REF_NAME" -e "GITHUB_REF_PROTECTED" -e "GITHUB_REF_TYPE" -e "GITHUB_WORKFLOW_REF" -e "GITHUB_WORKFLOW_SHA" -e "GITHUB_WORKSPACE" -e "GITHUB_ACTION" -e "GITHUB_EVENT_PATH" -e "GITHUB_ACTION_REPOSITORY" -e "GITHUB_ACTION_REF" -e "GITHUB_PATH" -e "GITHUB_ENV" -e "GITHUB_STEP_SUMMARY" -e "GITHUB_STATE" -e "GITHUB_OUTPUT" -e "GITHUB_ACTION_PATH" -e "RUNNER_OS" -e "RUNNER_ARCH" -e "RUNNER_NAME" -e "RUNNER_ENVIRONMENT" -e "RUNNER_TOOL_CACHE" -e "RUNNER_TEMP" -e "RUNNER_WORKSPACE" -e "ACTIONS_RUNTIME_URL" -e "ACTIONS_RUNTIME_TOKEN" -e "ACTIONS_CACHE_URL" -e "ACTIONS_ID_TOKEN_REQUEST_URL" -e "ACTIONS_ID_TOKEN_REQUEST_TOKEN" -e "ACTIONS_RESULTS_URL" -e GITHUB_ACTIONS=true -e CI=true -v "/var/run/docker.sock":"/var/run/docker.sock" -v "/home/runner/work/_temp/_github_home":"/github/home" -v "/home/runner/work/_temp/_github_workflow":"/github/workflow" -v "/home/runner/work/_temp/_runner_file_commands":"/github/file_commands" -v "/home/runner/work/xxxx/xxxx":"/github/workspace" ghcr.io/bridgecrewio/checkov:3.2.74 "" "xxxx" "" "" "" "" "" "" "" "" "" "" "" "" "cli,sarif" "console,results.sarif" "false" "" "DEBUG" "" "" "" "" "" "" "" "" "" "" "" "" "--user 0"

running checkov on directory:xxxxxxxxxxxxxx
checkov -d xxxxxxxxxxx     --output cli --output sarif --output-file-path console,results.sarif      


The whole log entry is several thousand lines, so I won't paste it all here, but the final logs are:


2024-04-26 13:06:02,409 [ThreadPoolEx] [INFO ] cant parse policy str to object, Expecting value: line 1 column 1 (char 0)
2024-04-26 13:06:02,410 [ThreadPoolEx] [INFO ] cant parse policy str to object, Expecting value: line 1 column 1 (char 0)
2024-04-26 13:06:02,410 [ThreadPoolEx] [INFO ] cant parse policy str to object, Expecting value: line 1 column 1 (char 0)
2024-04-26 13:06:02,410 [ThreadPoolEx] [INFO ] cant parse policy str to object, Expecting value: line 1 column 1 (char 0)
2024-04-26 13:06:02,411 [ThreadPoolEx] [INFO ] cant parse policy str to object, Expecting value: line 1 column 1 (char 0)
2024-04-26 13:06:02,411 [ThreadPoolEx] [INFO ] cant parse policy str to object, Expecting value: line 1 column 1 (char 0)
2024-04-26 13:06:02,412 [ThreadPoolEx] [INFO ] cant parse policy str to object, Expecting value: line 1 column 1 (char 0)
2024-04-26 13:06:02,412 [ThreadPoolEx] [INFO ] cant parse policy str to object, Expecting value: line 1 column 1 (char 0)
2024-04-26 13:06:02,417 [MainThread ] [DEBUG] skip_severity = None, explicit_skip = [], regex_match = False, suppressed_policies: []
2024-04-26 13:06:02,417 [MainThread ] [DEBUG] bc_check_id = BC_AWS_IAM_75, include_all_checkov_policies = True, is_external = False, explicit_run: []
2024-04-26 13:06:02,417 [MainThread ] [DEBUG] should_run_check CKV2_AWS_56: True
2024-04-26 13:06:02,417 [MainThread ] [DEBUG] skip_severity = None, explicit_skip = [], regex_match = False, suppressed_policies: []
2024-04-26 13:06:02,417 [MainThread ] [DEBUG] bc_check_id = BC_AWS_IAM_75, include_all_checkov_policies = True, is_external = False, explicit_run: []
2024-04-26 13:06:02,417 [MainThread ] [DEBUG] should_run_check CKV2_AWS_56: True
2024-04-26 13:06:02,417 [MainThread ] [DEBUG] skip_severity = None, explicit_skip = [], regex_match = False, suppressed_policies: []
2024-04-26 13:06:02,418 [MainThread ] [DEBUG] bc_check_id = BC_AWS_IAM_75, include_all_checkov_policies = True, is_external = False, explicit_run: []
2024-04-26 13:06:02,418 [MainThread ] [DEBUG] should_run_check CKV2_AWS_56: True
2024-04-26 13:06:02,418 [MainThread ] [DEBUG] skip_severity = None, explicit_skip = [], regex_match = False, suppressed_policies: []
2024-04-26 13:06:02,418 [MainThread ] [DEBUG] bc_check_id = BC_AWS_IAM_75, include_all_checkov_policies = True, is_external = False, explicit_run: []
2024-04-26 13:06:02,418 [MainThread ] [DEBUG] should_run_check CKV2_AWS_56: True
2024-04-26 13:06:02,418 [MainThread ] [DEBUG] skip_severity = None, explicit_skip = [], regex_match = False, suppressed_policies: []
2024-04-26 13:06:02,418 [MainThread ] [DEBUG] bc_check_id = BC_AWS_LOGGING_29, include_all_checkov_policies = True, is_external = False, explicit_run: []
2024-04-26 13:06:02,418 [MainThread ] [DEBUG] should_run_check CKV2_AWS_4: True
2024-04-26 13:06:02,418 [MainThread ] [DEBUG] skip_severity = None, explicit_skip = [], regex_match = False, suppressed_policies: []
2024-04-26 13:06:02,418 [MainThread ] [DEBUG] bc_check_id = BC_AWS_GENERAL_190, include_all_checkov_policies = True, is_external = False, explicit_run: []
2024-04-26 13:06:02,418 [MainThread ] [DEBUG] should_run_check CKV2_AWS_53: True
2024-04-26 13:06:02,418 [MainThread ] [DEBUG] skip_severity = None, explicit_skip = [], regex_match = False, suppressed_policies: []
2024-04-26 13:06:02,418 [MainThread ] [DEBUG] bc_check_id = BC_AWS_NETWORKING_59, include_all_checkov_policies = True, is_external = False, explicit_run: []
2024-04-26 13:06:02,418 [MainThread ] [DEBUG] should_run_check CKV2_AWS_29: True
2024-04-26 13:06:02,418 [MainThread ] [DEBUG] skip_severity = None, explicit_skip = [], regex_match = False, suppressed_policies: []
2024-04-26 13:06:02,418 [MainThread ] [DEBUG] bc_check_id = BC_AWS_GENERAL_189, include_all_checkov_policies = True, is_external = False, explicit_run: []
2024-04-26 13:06:02,418 [MainThread ] [DEBUG] should_run_check CKV2_AWS_51: True
2024-04-26 13:06:02,418 [MainThread ] [DEBUG] skip_severity = None, explicit_skip = [], regex_match = False, suppressed_policies: []
2024-04-26 13:06:02,418 [MainThread ] [DEBUG] bc_check_id = BC_AWS_IAM_73, include_all_checkov_policies = True, is_external = False, explicit_run: []
2024-04-26 13:06:02,418 [MainThread ] [DEBUG] should_run_check CKV2_AWS_40: True
2024-04-26 13:06:02,418 [MainThread ] [DEBUG] skip_severity = None, explicit_skip = [], regex_match = False, suppressed_policies: []
2024-04-26 13:06:02,418 [MainThread ] [DEBUG] bc_check_id = BC_AWS_IAM_73, include_all_checkov_policies = True, is_external = False, explicit_run: []
2024-04-26 13:06:02,418 [MainThread ] [DEBUG] should_run_check CKV2_AWS_40: True
2024-04-26 13:06:02,418 [MainThread ] [DEBUG] skip_severity = None, explicit_skip = [], regex_match = False, suppressed_policies: []
2024-04-26 13:06:02,418 [MainThread ] [DEBUG] bc_check_id = BC_AWS_IAM_73, include_all_checkov_policies = True, is_external = False, explicit_run: []
2024-04-26 13:06:02,418 [MainThread ] [DEBUG] should_run_check CKV2_AWS_40: True
2024-04-26 13:06:02,419 [MainThread ] [DEBUG] skip_severity = None, explicit_skip = [], regex_match = False, suppressed_policies: []
2024-04-26 13:06:02,419 [MainThread ] [DEBUG] bc_check_id = BC_AWS_IAM_73, include_all_checkov_policies = True, is_external = False, explicit_run: []
2024-04-26 13:06:02,419 [MainThread ] [DEBUG] should_run_check CKV2_AWS_40: True
2024-04-26 13:06:02,419 [MainThread ] [DEBUG] skip_severity = None, explicit_skip = [], regex_match = False, suppressed_policies: []
2024-04-26 13:06:02,419 [MainThread ] [DEBUG] bc_check_id = BC_AWS_IAM_73, include_all_checkov_policies = True, is_external = False, explicit_run: []
2024-04-26 13:06:02,419 [MainThread ] [DEBUG] should_run_check CKV2_AWS_40: True
2024-04-26 13:06:02,419 [MainThread ] [DEBUG] skip_severity = None, explicit_skip = [], regex_match = False, suppressed_policies: []
2024-04-26 13:06:02,419 [MainThread ] [DEBUG] bc_check_id = BC_AWS_IAM_73, include_all_checkov_policies = True, is_external = False, explicit_run: []
2024-04-26 13:06:02,419 [MainThread ] [DEBUG] should_run_check CKV2_AWS_40: True
2024-04-26 13:06:02,419 [MainThread ] [DEBUG] skip_severity = None, explicit_skip = [], regex_match = False, suppressed_policies: []
2024-04-26 13:06:02,419 [MainThread ] [DEBUG] bc_check_id = BC_AWS_IAM_73, include_all_checkov_policies = True, is_external = False, explicit_run: []
2024-04-26 13:06:02,419 [MainThread ] [DEBUG] should_run_check CKV2_AWS_40: True
2024-04-26 13:06:02,419 [MainThread ] [DEBUG] skip_severity = None, explicit_skip = [], regex_match = False, suppressed_policies: []
2024-04-26 13:06:02,419 [MainThread ] [DEBUG] bc_check_id = BC_AWS_IAM_73, include_all_checkov_policies = True, is_external = False, explicit_run: []
2024-04-26 13:06:02,419 [MainThread ] [DEBUG] should_run_check CKV2_AWS_40: True
2024-04-26 13:06:02,419 [MainThread ] [DEBUG] skip_severity = None, explicit_skip = [], regex_match = False, suppressed_policies: []
2024-04-26 13:06:02,419 [MainThread ] [DEBUG] bc_check_id = BC_AWS_IAM_73, include_all_checkov_policies = True, is_external = False, explicit_run: []
2024-04-26 13:06:02,419 [MainThread ] [DEBUG] should_run_check CKV2_AWS_40: True
2024-04-26 13:06:02,419 [MainThread ] [DEBUG] skip_severity = None, explicit_skip = [], regex_match = False, suppressed_policies: []
2024-04-26 13:06:02,419 [MainThread ] [DEBUG] bc_check_id = BC_AWS_IAM_73, include_all_checkov_policies = True, is_external = False, explicit_run: []
2024-04-26 13:06:02,419 [MainThread ] [DEBUG] should_run_check CKV2_AWS_40: True
2024-04-26 13:06:02,419 [MainThread ] [DEBUG] Secret was not saved in CKV2_AWS_56, can't omit
2024-04-26 13:06:02,420 [MainThread ] [DEBUG] Secret was not saved in CKV2_AWS_56, can't omit
2024-04-26 13:06:02,420 [MainThread ] [DEBUG] Secret was not saved in CKV2_AWS_56, can't omit
2024-04-26 13:06:02,420 [MainThread ] [DEBUG] Secret was not saved in CKV2_AWS_56, can't omit
2024-04-26 13:06:02,420 [MainThread ] [DEBUG] Secret was not saved in CKV2_AWS_4, can't omit
2024-04-26 13:06:02,420 [MainThread ] [DEBUG] Secret was not saved in CKV2_AWS_53, can't omit
2024-04-26 13:06:02,420 [MainThread ] [DEBUG] Secret was not saved in CKV2_AWS_29, can't omit
2024-04-26 13:06:02,420 [MainThread ] [DEBUG] Secret was not saved in CKV2_AWS_51, can't omit
2024-04-26 13:06:02,420 [MainThread ] [DEBUG] Secret was not saved in CKV2_AWS_40, can't omit
2024-04-26 13:06:02,420 [MainThread ] [DEBUG] Secret was not saved in CKV2_AWS_40, can't omit
2024-04-26 13:06:02,421 [MainThread ] [DEBUG] Secret was not saved in CKV2_AWS_40, can't omit
2024-04-26 13:06:02,421 [MainThread ] [DEBUG] Secret was not saved in CKV2_AWS_40, can't omit
2024-04-26 13:06:02,421 [MainThread ] [DEBUG] Secret was not saved in CKV2_AWS_40, can't omit
2024-04-26 13:06:02,421 [MainThread ] [DEBUG] Secret was not saved in CKV2_AWS_40, can't omit
2024-04-26 13:06:02,421 [MainThread ] [DEBUG] Secret was not saved in CKV2_AWS_40, can't omit
2024-04-26 13:06:02,421 [MainThread ] [DEBUG] Secret was not saved in CKV2_AWS_40, can't omit
2024-04-26 13:06:02,421 [MainThread ] [DEBUG] Secret was not saved in CKV2_AWS_40, can't omit
2024-04-26 13:06:02,421 [MainThread ] [DEBUG] Secret was not saved in CKV2_AWS_40, can't omit

It stalled on that last line for a long time, and I had to cancel the workflow in the end.
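One way to get the optional-config toggle the report describes without ever passing a null into `config_file`, as an added example that is not part of the original issue or of the checkov-action project: a composite action that branches with `if:` on whether the input is empty, so the branch that runs without a config file never sets the `config_file` key at all. The input names (`path`, `github_token`, `checkov_config_file`) follow the reporter's step and are assumptions for illustration; nothing here changes how the action itself treats a null input.

```yaml
# Added example, not code from the original issue or from checkov-action.
# A composite action with an optional checkov config file: instead of
# evaluating an expression to null inside `with:`, each branch is a separate
# step guarded by `if:`, and the "no config" branch omits `config_file`.
name: Run checkov against Terraform
description: Scan a Terraform directory with checkov, with an optional config file

inputs:
  path:                        # assumed input name
    description: Directory to scan
    required: true
  github_token:                # assumed input name
    description: Token checkov uses when fetching external modules
    required: false
    default: ''
  checkov_config_file:         # assumed input name; empty string means "no config file"
    description: Optional path to a checkov config file; leave empty to run without one
    required: false
    default: ''

runs:
  using: composite
  steps:
    # Runs only when a config file path was supplied.
    - name: Run checkov with config file
      id: checkov_with_config
      if: ${{ inputs.checkov_config_file != '' }}
      uses: bridgecrewio/checkov-action@v12
      with:
        directory: ${{ inputs.path }}
        config_file: ${{ inputs.checkov_config_file }}
        output_format: cli,sarif
        output_file_path: console,results.sarif
        download_external_modules: false
        github_pat: ${{ inputs.github_token }}

    # Runs only when no config file was supplied; `config_file` is not set here.
    - name: Run checkov without config file
      id: checkov_without_config
      if: ${{ inputs.checkov_config_file == '' }}
      uses: bridgecrewio/checkov-action@v12
      with:
        directory: ${{ inputs.path }}
        output_format: cli,sarif
        output_file_path: console,results.sarif
        download_external_modules: false
        github_pat: ${{ inputs.github_token }}
```

A step whose `if:` evaluates to false is skipped, so in neither branch does `config_file` receive an empty or null value; the cost is the duplicated `with:` block. In the workflow that calls this action, a `timeout-minutes:` on the calling job step (supported at `jobs.<job_id>.steps[*]`) bounds how long a hung scan can hold the run, so a required status check fails after a known interval instead of waiting until someone cancels it by hand.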
