
Unable to Authenticate to Private Terraform Module Registry with Checkov #117

Open
isaacoluwade opened this issue Jul 23, 2024 · 1 comment


@isaacoluwade

I am encountering an issue with the Microsoft Security DevOps task (microsoftsecuritydevops@1) when trying to authenticate to our private Terraform module registry using Checkov. Although Checkov supports authentication via the "TF_REGISTRY_TOKEN" environment variable, this method does not seem to work within the microsoftsecuritydevops@1 task.

Could you please provide guidance on how to successfully authenticate to a private module registry while using Checkov in this context?

Thank you.

I have tried:
```yaml
- task: MicrosoftSecurityDevOps@1
  displayName: 'Checkov Policy Scanner'
  inputs:
    command: run
    policy: azuredevops
    tools: checkov
    break: true
    publish: true
    artifactName: CodeAnalysisLogs
  env:
    TF_REGISTRY_TOKEN: $(TF_REGISTRY_TOKEN)
    TF_HOST_NAME: $(TF_HOST_NAME)
    GDN_CHECKOV_FRAMEWORK: "terraform"
    GDN_CHECKOV_DOWNLOADEXTERNALMODULES: "true"
```

and also tried:
```yaml
- task: MicrosoftSecurityDevOps@1
  displayName: 'Checkov Policy Scanner'
  inputs:
    command: run
    policy: azuredevops
    tools: checkov
    break: true
    publish: true
    artifactName: CodeAnalysisLogs
  env:
    GDN_CHECKOV_TF_REGISTRY_TOKEN: $(TF_REGISTRY_TOKEN)
    GDN_CHECKOV_TF_HOST_NAME: $(TF_HOST_NAME)
    GDN_CHECKOV_FRAMEWORK: "terraform"
    GDN_CHECKOV_DOWNLOADEXTERNALMODULES: "true"
```

But nothing seems to work. If Checkov is replacing Terrascan as the default IaC code analysis tool for microsoftsecuritydevops@1, then this feature is extremely important.

Terrascan has the GDN_TERRASCAN_USETERRAFORMCACHE to authenticate using the terraform init cache for remote modules.

@t3hprofit

How are you referencing your external modules? Check out the InstallSSHKey@0 task. We run this prior to running the MSDO task. There are some decent tutorials on getting it to work around the internet. https://dev.to/pwd9000/connect-terraform-to-azure-devops-git-repos-over-ssh-163c#:~:text=When%20using%20an%20Azure%20DevOps%20pipeline%20to%20execute may be a good starting point.

You'll need to add the SSH keys to your pipeline library Secure files, and you'll also need some other variables for the knownHostsEntry and passphrase (if you set one).
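The ordering the comment above describes, as an added example that is not from the issue or the MSDO project: InstallSSHKey@0 runs first so that Checkov can clone git-hosted modules over SSH, and it only helps when module sources point at a git repository rather than a registry. The secure-file name, variable names and module source below are assumptions for illustration.

```yaml
# Added example, not from the issue. Assumed: the deploy key is uploaded as
# the secure file 'terraform-modules-deploy-key', and KNOWN_HOSTS_ENTRY,
# SSH_PUBLIC_KEY and SSH_PASSPHRASE are secret pipeline variables.
#
# Modules are then referenced from git over SSH, e.g. in Terraform:
#   source = "git::git@ssh.dev.azure.com:v3/<org>/<project>/<repo>//modules/network?ref=v1.2.0"
# Pin a tag or commit in ?ref= so the scanned module content is reproducible.
steps:
  - task: InstallSSHKey@0
    displayName: 'Install SSH deploy key for private Terraform modules'
    inputs:
      knownHostsEntry: $(KNOWN_HOSTS_ENTRY)   # known_hosts line for the git host; pins the server key
      sshPublicKey: $(SSH_PUBLIC_KEY)
      sshPassphrase: $(SSH_PASSPHRASE)        # omit if the key has no passphrase
      sshKeySecureFile: 'terraform-modules-deploy-key'  # Pipelines > Library > Secure files

  - task: MicrosoftSecurityDevOps@1
    displayName: 'Checkov Policy Scanner'
    inputs:
      command: run
      policy: azuredevops
      tools: checkov
      break: true
      publish: true
      artifactName: CodeAnalysisLogs
    env:
      GDN_CHECKOV_FRAMEWORK: "terraform"
      GDN_CHECKOV_DOWNLOADEXTERNALMODULES: "true"   # lets Checkov fetch the modules it scans
```

Prefer a read-only deploy key scoped to the module repositories over a personal SSH key, so the scanning agent cannot push to them.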
