Host key verification failed #94
Hi @infa-ddeore

I see the issue when downloading modules that are in the same organization as my current repo. The only way I'm typically able to download those modules is by using a GitHub token. Regular SSH doesn't work super well for organizations. There is a github_pat option, but that doesn't really work for me. My organization uses app tokens; e.g. something invoked like this would be ideal:

```yaml
- name: Run Checkov Action
  uses: bridgecrewio/checkov-action@master
  with:
    app_token: ${{ steps.get_token.outputs.app_token }}
```
I don't think there's support for app_token in checkov yet; if you request/contribute it (in the checkov repo) then it's trivial to update the action.
I'm having the same issue when downloading Terraform modules from another private repository using an SSH key (URL). Terraform snippet:

```hcl
...
module "kms_s3_" {
  source = "git::ssh://git@github.com/Org/modules-repo.git//modules/kms?ref=0.1.0"
  ...
}
```

I had to load the SSH key in the GitHub Action; snippet:

```yaml
- name: Configure SSH key for Terraform modules
  uses: webfactory/ssh-agent@v0.8.0
  with:
    ssh-private-key: ${{ secrets.SSH_PRIVATE_KEY }}
- name: Execute Checkov
  uses: bridgecrewio/checkov-action@690d0bd74b5fa92fa780ffcfda77865b514da913
  with:
    output_format: cli,sarif
    output_file_path: console,results.sarif
    config_file: .checkov.yml
    directory: ./path
```

A workaround I guess would be to pass the
Same problem as @cbugneac-nex reported. SSH key via ssh-agent does not work (Terraform is able to download the modules).
I have tried this approach:

```yaml
...
- name: Configure SSH key for Terraform modules
  uses: webfactory/ssh-agent@v0.8.0
  with:
    ssh-private-key: ${{ secrets.TERRAFORM_MODULES_DEPLOY_KEY }}
    ssh-auth-sock: ${{ github.workspace }}/ssh-auth.sock
- name: Copy .gitconfig and .ssh to workspace
  run: |
    cp -r ~/.gitconfig ~/.ssh ${{ github.workspace }}/
    sed -i 's|/home/runner|/github/workspace|g' ${{ github.workspace }}/.ssh/config
- name: Run Checkov
  uses: bridgecrewio/checkov-action@v12
  env:
    SSH_AUTH_SOCK: /github/workspace/ssh-auth.sock
    GIT_CONFIG: /github/workspace/.gitconfig
```

but it still doesn't work. Some thoughts about discovered obstacles:

Possible workaround which works:

```yaml
jobs:
  ...
  checkov:
    runs-on: ubuntu-22.04
    steps:
      - name: Checkout source code
        uses: actions/checkout@v4
      - name: Install Python
        uses: actions/setup-python@v5
        with:
          python-version: 3.11
          cache: pip
      - name: Install Checkov
        run: pip install -r requirements.txt
      - name: Configure SSH key for Terraform components and modules
        uses: webfactory/ssh-agent@v0.9.0
        with:
          ssh-private-key: |
            ${{ secrets.TERRAFORM_MODULES_DEPLOY_KEY }}
      - name: Execute Checkov
        run: |
          checkov -d . \
            --config-file .checkov.yml \
            --output cli \
            --output-file-path console
```

requirements.txt
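An added pre-flight check (example code, not from this thread and not part of checkov) for the two things `git` needs inside the checkov container before a `git::ssh://` module fetch can work: a reachable agent socket and a `known_hosts` entry for the host, which is what the `Host key verification failed` message is about. It understands both plain and hashed (`|1|salt|hmac`) `known_hosts` lines; the sample file and its key blobs are constructed placeholders, not real host keys.

```python
import base64
import hashlib
import hmac
import os
import stat

def hash_host(host: str, salt: bytes) -> str:
    # '|1|<b64 salt>|<b64 HMAC-SHA1(salt, host)>' is what ssh writes with HashKnownHosts=yes
    digest = hmac.new(salt, host.encode(), hashlib.sha1).digest()
    return "|1|%s|%s" % (base64.b64encode(salt).decode(), base64.b64encode(digest).decode())

def _hashed_match(field: str, host: str) -> bool:
    parts = field.split("|")  # ['', '1', salt_b64, hash_b64]
    if len(parts) != 4 or parts[1] != "1":
        return False
    salt, want = base64.b64decode(parts[2]), base64.b64decode(parts[3])
    got = hmac.new(salt, host.encode(), hashlib.sha1).digest()
    return hmac.compare_digest(got, want)

def known_hosts_has(host: str, known_hosts_text: str) -> bool:
    """True if a plain or hashed known_hosts line names host (or [host]:22)."""
    for line in known_hosts_text.splitlines():
        fields = line.split()
        if len(fields) < 3 or fields[0].startswith(("#", "@")):  # blank/comment/@marker lines
            continue
        for pattern in fields[0].split(","):  # first field: comma-separated host patterns
            if pattern.startswith("|1|"):
                if _hashed_match(pattern, host):
                    return True
            elif pattern in (host, "[%s]:22" % host):
                return True
    return False

def ssh_preflight(host: str, known_hosts_text: str, auth_sock: str = "") -> list:
    """Why a git+ssh module fetch would fail from this environment; empty list means OK."""
    problems = []
    if not auth_sock:
        problems.append("SSH_AUTH_SOCK is not set; agent-held keys are unreachable")
    elif not (os.path.exists(auth_sock) and stat.S_ISSOCK(os.stat(auth_sock).st_mode)):
        problems.append("SSH_AUTH_SOCK=%s is not a socket in this filesystem" % auth_sock)
    if not known_hosts_has(host, known_hosts_text):
        problems.append("no known_hosts entry for %s: ssh will say 'Host key verification failed'" % host)
    return problems

# Constructed sample known_hosts (placeholder key blobs, not real host keys).
SAMPLE_KNOWN_HOSTS = "\n".join([
    "gitlab.example.com ssh-ed25519 AAAAPLACEHOLDERKEY1",
    hash_host("github.com", b"0123456789abcdef0123") + " ssh-ed25519 AAAAPLACEHOLDERKEY2",
])
```

Run it with the `SSH_AUTH_SOCK` value and the `known_hosts` file the container actually sees (for the copy step above that is `/github/workspace/.ssh/known_hosts`), not the runner's own `~/.ssh`.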
@Constantin07 I've tried to use your proposed workaround, but unfortunately it didn't work.
With slight modification for pipx, I was able to run it this way:

```yaml
name: Run Checkov
on:
  pull_request:
jobs:
  checkov-job:
    runs-on: ubuntu-latest
    name: checkov-action
    steps:
      - name: Checkout repo
        uses: actions/checkout@master
        with:
          fetch-depth: 0
      - name: Install Checkov
        run: pipx install checkov
      - name: Configure SSH key for Terraform components and modules
        uses: webfactory/ssh-agent@v0.9.0
        with:
          ssh-private-key: |
            ${{ secrets.SSH_KEY }}
      - name: Execute Checkov
        run: |
          checkov -d . \
            --config-file ${{ github.workspace }}/.checkov.yml \
            --output cli \
            --output-file-path console
```

with this config file:

```yaml
download-external-modules: true
directory: .
evaluate-variables: true
external-modules-download-path: .external_modules
secrets-history-timeout: 12h
secrets-scan-file-type: []
summary-position: top
skip-check: "CKV_TF_1,CKV_TF_2,CKV_AWS_144,CKV_AWS_18,CKV_AWS_21,CKV2_AWS_65"
framework: terraform
```

cc: @randrusiak
Putting aside checkov-action, how does it work for you using Checkov?
@noizo I tried your proposed solution, but the result is the same.
Getting the below error in the GitHub Action (image used: bridgecrew/checkov:2.1.192); what could be the reason?