bridgecrewio / bridgecrew-action Goto Github PK


This GitHub Action runs Bridgecrew against infrastructure-as-code, open source packages, container images, and CI/CD configurations to identify misconfigurations, vulnerabilities, and license compliance issues.

Home Page: https://bridgecrew.io/

License: MIT License

Topics: static-analysis, github actions, github-actions, bridgecrew, marketplace, compliance, devsecops, scanning, security

bridgecrew-action's People

Contributors

actions-user, danielvincenzi, giladmark, gruebel, guy-suli, jameswoolfenden, kartikp10, maxamel, mikeurbanski1, nimrodkor, rajlearner17, rotemavni, schosterbarak, shunkakinoki, tsmithv11, yuvalyacoby

bridgecrew-action's Issues

Action passes with errors when soft_fail false

Using this action as configured below, the checks pass even though errors are detected. Soft-fail is not configured, and no rules are skipped.


---
name: Run Bridgecrew
on:
  push:
    branches-ignore:
      - 'master'

jobs:
  build:
    name: Check chopd3b IaC rules
    runs-on: ubuntu-latest
    steps:
      # Checks-out your repository under $GITHUB_WORKSPACE, so your job can access it
      - name: Checkout codebase
        uses: actions/checkout@v2

      - name: Run Bridgecrew
        id: Bridgecrew
        uses: bridgecrewio/bridgecrew-action@master
        with:
          api-key: ${{ secrets.BRIDGECREW_API_KEY }}

Option to specify check severity

There is an option to check individual checks via their identifiers.
It would also be good if you could select the checks by their severity.

For example only "--check HIGH" as in https://github.com/bridgecrewio/checkov with "checkov -d . --check MEDIUM".

My current config is:

- name: Run Checkov action
  id: checkov
  uses: bridgecrewio/checkov-action@master
  with:
    directory: .
    quiet: true
    soft_fail: false
    framework: all
    output_format: sarif
    download_external_modules: true
    log_level: WARNING
    check: LOW # Results in - no checks applied

Warning: No files were found with the provided path: results.sarif. No artifacts will be uploaded.

Just a heads up - lots of folks are experiencing failures (us included) when trying to use the github action for bridgecrew. https://github.com/mikeurbanski1/azure-tf/actions/runs/661611939 as an example.

This is an output from one of my repos:

Run actions/upload-artifact@v2
  with:
    name: SARIF results
    path: results.sarif
    if-no-files-found: warn
Warning: No files were found with the provided path: results.sarif. No artifacts will be uploaded.
1s
Run github/codeql-action/upload-sarif@v1
Error: Path does not exist: results.sarif
Error: Path does not exist: results.sarif
    at getSarifFilePaths (/tmp/github-runner/_actions/github/codeql-action/v1/lib/upload-lib.js:144:15)
    at Object.uploadFromActions (/tmp/github-runner/_actions/github/codeql-action/v1/lib/upload-lib.js:132:30)
    at run (/tmp/github-runner/_actions/github/codeql-action/v1/lib/upload-sarif-action.js:49:46)
    at async runWrapper (/tmp/github-runner/_actions/github/codeql-action/v1/lib/upload-sarif-action.js:63:9)

I used the file from here

Request to add skip_suppressions parameter

Though the --skip-suppressions flag can be used via the CLI, this feature is not available in bridgecrew-action. This may be a vulnerability issue, as any developer can use a checkov suppression comment and skip the policy check.

`download_external_modules` and `log_level` are not allowable inputs

The documentation suggests I can increase logging level by setting log_level: DEBUG, but when I do so, I get informed that:

Warning: Unexpected input(s) 'log_level', valid inputs are ['entryPoint', 'args', 'directory', 'check', 'skip_check', 'quiet', 'api-key', 'soft_fail', 'external_checks_dir', 'output_format']

I believe this is also a problem with download_external_modules.

unable to download the modules for scanning purpose on bridgecrew

Hi Team,

Hope you are doing well.

We are using Bridgecrew scanning for scanning our infrastructure service. For some reason we are unable to download the module, due to which the scanning is incomplete. Please help in fixing the same.

Here is the error for the same

2023-02-07 06:17:53,753 [MainThread ] [WARNI] Failed to download module from the location

Bridgecrew Action - Docker Pull Rate Limit

We are seeing

Error response from daemon: toomanyrequests: You have reached your pull rate limit. You may increase the limit by authenticating and upgrading: docker.com/increase-rate-limit
  Warning: Docker pull failed with exit code 1, back off 3.146 seconds before retry.

How do we set the Action to only pull from an internal repo?

We've had to fully pull Bridgecrew from our actions until then.

Request to add parameter to enrich output

Currently we can enable a terraform_plan scan using bridgecrew-action by including terraform plan output that's been exported as a JSON file in the directory being scanned. It would be great if we could enrich this output with the appropriate file path, line numbers, and codeblock of the resource(s) like we do with checkov cli using the --repo-root-for-plan-enrichment parameter. Can we get this added as a parameter to this action?

documentation flags

The instructions in the README state that 'soft-fail', 'skip-check', 'external-checks-dir' are parameters. They are not.

The correct values for the gha action:

valid inputs are ['entryPoint', 'args', 'directory', 'check', 'skip_check', 'quiet', 'api-key', 'soft_fail', 'external_checks_dir', 'output_format']

cli is passing master branch

I noticed that the action is specifying the branch as master; GitHub now uses 'main' as the default branch for new repos.
Is there a way to specify the branch as a param in the action?

bridgecrew --bc-api-key XXXXXXXXX-XXX-XXXXX --branch master --repo-id

Authentication error with latest changes

What was working previously now gives me the following error:

Error: -04 16:04:54,526 [MainThread  ] [ERROR]  Received an error response during authentication
Error: -04 16:04:54,527 [MainThread  ] [ERROR]  An error occurred setting up the Bridgecrew platform integration. Please check your API token and try again.
Error: -04 16:04:54,527 [MainThread  ] [ERROR]  Please try setting the environment variable LOG_LEVEL=DEBUG and re-running the command, and provide the output to support

Can you please create releases for this action so that we can pin to specific versions in our code?
