
Trying to run Checkov (for IaC validation) via Azure DevOps YAML pipelines, for ARM template files stored in Azure DevOps version control. The code below:

trigger: none

pool:
  vmImage: ubuntu-latest

stages:
  - stage: 'runCheckov'
    displayName: 'Checkov - Scan ARM files'
    jobs:
      - job: 'RunCheckov'
        displayName: 'Checkov solution'
        steps:
          - bash: |
              docker pull bridgecrew/checkov
            workingDirectory: $(System.DefaultWorkingDirectory)
            displayName: 'Pull bridgecrew/checkov image'

          - bash: |
              docker run \
                --volume $(pwd):/scripts bridgecrew/checkov \
                --directory /scripts \
                --output junitxml \
                --soft-fail > $(pwd)/CheckovReport.xml
            workingDirectory: $(System.DefaultWorkingDirectory)
            displayName: 'Run checkov'

          - task: PublishTestResults@2
            inputs:
              testRunTitle: 'Checkov run results'
              failTaskOnFailedTests: false
              testResultsFormat: 'JUnit'
              testResultsFiles: 'CheckovReport.xml'
              searchFolder: '$(System.DefaultWorkingDirectory)'
              mergeTestResults: false
              publishRunAttachments: true
            displayName: 'Publish Test results'

The problem: how to change the path/folder of ARM templates to scan. Now it scans all ARM templates found under my whole repo1, regardless of what directory value I set.

Also, how to scan PR files committed to a custom branch during PR review, so it would trigger the build but the build would scan only those files in the custom branch. I know how to set up the build trigger via DevOps repository settings, but again, how do I ensure the build pipeline uses/scans the particular PR commit files, not the whole repo1 (and master branch)?

NewUser

1 Answer


I recommend you use the Docker image bridgecrew/checkov to set up a container job to run the Checkov scan. The container job will run all the tasks of the job inside the Docker container started from this image.

In the container job, you can check out the source repository into the container, then use a script task (such as a Bash task) to run the related Checkov CLI to do the file scan. On the script task, you can use the 'workingDirectory' option to specify the path/folder in which the command lines run. Normally, the command lines will only act on files which are in the specified directory and its subdirectories.

If you want to scan only the files in a specific branch in the job, you can clone/check out the specific branch into the working directory of the job in the container, then, as mentioned above, use the related Checkov CLI to scan files under the specified directory.

[UPDATE]

In the pipeline job, you can try to call the Azure DevOps REST API "Commits - Get Changes" to get all the changed files and folders for the particular commit.

Then use the Checkov CLI with the parameter --directory (-d) or --file (-f) to scan the specified file or folder.

Bright Ran-MSFT
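As an added example (not part of the answer above or of Checkov itself), a Python script sketching the [UPDATE] approach: it parses a "Commits - Get Changes" response, keeps only template files that still exist after the commit, and builds one checkov command with a -f per file instead of scanning the whole mounted checkout. The sample API response is constructed; the organisation/project/repository names, the Bearer-token call with $(System.AccessToken) and the /scripts mount path from the question are assumptions.

```python
"""Scan only the files touched by one commit: parse Get Changes, then build a checkov command."""
import json
import shlex
import urllib.request

# Constructed sample of a "Commits - Get Changes" response body (not a real API reply).
SAMPLE_CHANGES = json.dumps({"changes": [
    {"item": {"gitObjectType": "blob", "path": "/arm/storage.json"}, "changeType": "edit"},
    {"item": {"gitObjectType": "blob", "path": "/arm/old-vnet.json"}, "changeType": "delete"},
    {"item": {"gitObjectType": "tree", "path": "/arm/modules"}, "changeType": "add"},
    {"item": {"gitObjectType": "blob", "path": "/docs/README.md"}, "changeType": "add"},
    {"item": {"gitObjectType": "blob", "path": "/arm/modules/kv.json"}, "changeType": "add"},
]})


def changes_url(org, project, repo, commit, api_version="7.1"):
    """URL of the Commits - Get Changes endpoint for one commit (e.g. $(Build.SourceVersion); assumption)."""
    return (f"https://dev.azure.com/{org}/{project}/_apis/git/repositories/"
            f"{repo}/commits/{commit}/changes?api-version={api_version}")


def fetch_changes(url, token):
    """Call the API with the pipeline's access token (assumed helper; needs network, not run here)."""
    req = urllib.request.Request(url, headers={"Authorization": f"Bearer {token}"})
    with urllib.request.urlopen(req, timeout=30) as resp:
        return resp.read().decode()


def select_scan_targets(changes_body, suffixes=(".json",)):
    """Return repo-relative paths of template files that still exist after the commit."""
    targets = []
    for change in json.loads(changes_body).get("changes", []):
        item = change.get("item", {})
        if item.get("gitObjectType") != "blob":   # folders: nothing to pass to -f
            continue
        if change.get("changeType") == "delete":  # removed files cannot be scanned
            continue
        path = item.get("path", "")
        if path.endswith(suffixes):
            targets.append(path.lstrip("/"))
    return sorted(targets)


def build_checkov_command(targets, mount="/scripts"):
    """One checkov call with a -f per changed file. With '--volume $(pwd):/scripts --directory /scripts'
    the whole checkout is always scanned; per-file -f arguments limit the scan to the commit's files."""
    if not targets:
        return None
    args = ["checkov", "--framework", "arm", "--output", "junitxml", "--soft-fail"]
    for target in targets:
        args += ["-f", f"{mount}/{target}"]
    return shlex.join(args)
```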