Host key verification failed #94

Open
infa-ddeore opened this issue Sep 6, 2022 · 10 comments

Comments

@infa-ddeore

Getting the below error in a GitHub action (image used: bridgecrew/checkov:2.1.192); what could be the reason?

checkov -d .  --check CKV_OCI_1 --check CKV_OCI_2 --check CKV_OCI_3 --check CKV_OCI_4 --check CKV_OCI_5 --check CKV_OCI_6 --check CKV_OCI_7 --check CKV_OCI_8 --check CKV_OCI_9 --check CKV_OCI_10 --check CKV_OCI_11 --check CKV_OCI_12 --check CKV_OCI_13 --check CKV_OCI_14 --check CKV_OCI_15 --check CKV_OCI_16 --check CKV_OCI_17 --check CKV_OCI_18 --check CKV_OCI_19 --check CKV_OCI_20 --check CKV_OCI_21 --check CKV_OCI_22   --quiet   --output github_failed_only  --download-external-modules true    --framework terraform  
Error: -06 16:53:55,934 [MainThread  ] [ERROR]  failed to get git::ssh://git@github.com/xxxx/yyyy?ref=master because of Cmd('git') failed due to: exit code(128)
  cmdline: git clone -v --depth=1 -b master ssh://git@github.com/xxxx/yyyy /github/workspace/.external_modules/git@github.com/xxxx/yyyy/master
  stderr: 'Cloning into '/github/workspace/.external_modules/git@github.com/xxxxx/yyyy/master'...
Host key verification failed.
fatal: Could not read from remote repository.

Please make sure you have the correct access rights
and the repository exists.
@Saarett

Saarett commented Sep 21, 2022

Hi @infa-ddeore
Sounds like an SSH problem not related to the repository
https://www.google.com/search?q=Host+key+verification+failed

@bmorrissirromb

bmorrissirromb commented Feb 10, 2023

I see the issue when downloading modules that are in the same organization as my current repo.

The only way I'm typically able to download those modules is by using a GitHub token. Regular SSH doesn't work super well for organizations.

There is a github_pat option, but that doesn't really work for me. My organization uses app tokens via machine-learning-apps/actions-app-token.

e.g. something invoked like this would be ideal:

    - name: Run Checkov Action
      uses: bridgecrewio/checkov-action@master
      with:
        app_token: ${{ steps.get_token.outputs.app_token }}

@JamesWoolfenden

JamesWoolfenden commented Feb 17, 2023

I don't think there's support for app_token in Checkov yet; if you request/contribute it (in the checkov repo) then it's trivial to update the action.

@cbugneac-nex

cbugneac-nex commented Aug 9, 2023

I'm having the same issue when downloading Terraform modules from another private repository using an SSH key (URL).

Terraform snippet:

...
module "kms_s3_" {
  source = "git::ssh://git@github.com/Org/modules-repo.git//modules/kms?ref=0.1.0"
...
}

I had to load the SSH key into ssh-agent, but the problem is that it's not passed by default into the checkov container:

GitHub action snippet:

      - name: Configure SSH key for Terraform modules
        uses: webfactory/ssh-agent@v0.8.0
        with:
          ssh-private-key: ${{ secrets.SSH_PRIVATE_KEY }}

      - name: Execute Checkov
        uses: bridgecrewio/checkov-action@690d0bd74b5fa92fa780ffcfda77865b514da913
        with:
          output_format: cli,sarif
          output_file_path: console,results.sarif
          config_file: .checkov.yml
          directory: ./path

A workaround, I guess, would be to pass the SSH_AUTH_SOCK environment variable into the container and mount the temporary ssh-agent socket file inside the container, e.g. /tmp/ssh-XXXXXXzV0yXD/agent.3007?

@ArneRiemann4711

Same problem as @cbugneac-nex reported. SSH key via ssh-agent does not work (Terraform is able to download the modules).

@Constantin07

I have tried this approach:

...
      - name: Configure SSH key for Terraform modules
        uses: webfactory/ssh-agent@v0.8.0
        with:
          ssh-private-key: ${{ secrets.TERRAFORM_MODULES_DEPLOY_KEY }}
          ssh-auth-sock: ${{ github.workspace }}/ssh-auth.sock

      - name: Copy .gitconfig and .ssh to workspace
        run: |
          cp -r ~/.gitconfig ~/.ssh ${{ github.workspace }}/
          sed -i 's|/home/runner|/github/workspace|g' ${{ github.workspace }}/.ssh/config

      - name: Run Checkov
        uses: bridgecrewio/checkov-action@v12
        env:
          SSH_AUTH_SOCK: /github/workspace/ssh-auth.sock
          GIT_CONFIG: /github/workspace/.gitconfig

but it still doesn't work. Some thoughts about discovered obstacles:

  • The checkov GH action runs in the container as the root user, so the SSH config file from the workspace directory is not picked up automatically; it needs to be in the /root directory, to which there is no access. https://linux.die.net/man/5/ssh_config. It seems there is no environment variable which allows overriding the location of the SSH config file.
  • The GH docker action, which the checkov action uses, doesn't allow mounting additional volumes from the host system (at least I haven't found a simple solution). Here is what's mapped by default:
-v "/var/run/docker.sock":"/var/run/docker.sock" \
-v "/home/runner/work/_temp/_github_home":"/github/home" \
-v "/home/runner/work/_temp/_github_workflow":"/github/workflow" \
-v "/home/runner/work/_temp/_runner_file_commands":"/github/file_commands" \
-v "/home/runner/work/terraform-components/terraform-components":"/github/workspace" \

Possible workaround which works:

jobs:
...
  checkov:
    runs-on: ubuntu-22.04
    steps:
      - name: Checkout source code
        uses: actions/checkout@v4

      - name: Install Python
        uses: actions/setup-python@v5
        with:
          python-version: 3.11
          cache: pip

      - name: Install Checkov
        run: pip install -r requirements.txt

      - name: Configure SSH key for Terraform components and modules
        uses: webfactory/ssh-agent@v0.9.0
        with:
          ssh-private-key: |
            ${{ secrets.TERRAFORM_MODULES_DEPLOY_KEY }}

      - name: Execute Checkov
        run: |
          checkov -d . \
          --config-file .checkov.yml \
          --output cli \
          --output-file-path console

requirements.txt

checkov==3.2.50
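The "Host key verification failed" message in this thread is the SSH client refusing a server whose key is not in any known_hosts it can read (the container runs as root with an empty /root/.ssh). The defensive fix is to pin verified host keys into a known_hosts file outside the home directory and point git at it through GIT_SSH_COMMAND, rather than turning StrictHostKeyChecking off. The following is an added example, not code from this thread or from Checkov; the sample key is constructed (it is not GitHub's real host key), the paths are placeholders, and the expected fingerprint would in practice come from the provider's published documentation.

```python
import base64
import hashlib
import shlex
import struct


def sha256_fingerprint(key_blob):
    """OpenSSH-style fingerprint: 'SHA256:' + unpadded base64 of the digest."""
    digest = hashlib.sha256(key_blob).digest()
    return "SHA256:" + base64.b64encode(digest).decode("ascii").rstrip("=")


def parse_known_hosts_line(line):
    """Return (host, keytype, blob); raise ValueError if malformed. The wire
    blob begins with the key type as an SSH string and must match the declared
    type, which catches a blob pasted next to the wrong type name."""
    parts = line.split()
    if len(parts) < 3:
        raise ValueError("expected '<host> <keytype> <base64-key>'")
    host, keytype, b64 = parts[0], parts[1], parts[2]
    blob = base64.b64decode(b64, validate=True)
    (n,) = struct.unpack(">I", blob[:4])
    if blob[4:4 + n] != keytype.encode("ascii"):
        raise ValueError("key type inside blob does not match declared type")
    return host, keytype, blob


def verify_known_hosts_line(line, expected_fps):
    """True only if the line parses and its fingerprint is in expected_fps."""
    try:
        _, _, blob = parse_known_hosts_line(line)
    except (ValueError, struct.error):
        return False
    return sha256_fingerprint(blob) in expected_fps


def build_git_env(known_hosts_path, identity_path):
    """Env that makes git's ssh use the pinned file, whatever $HOME is."""
    ssh = ["ssh", "-o", f"UserKnownHostsFile={known_hosts_path}",
           "-o", "StrictHostKeyChecking=yes", "-o", "IdentitiesOnly=yes",
           "-i", identity_path]
    return {"GIT_SSH_COMMAND": shlex.join(ssh)}


# Constructed sample key (NOT GitHub's real host key): ed25519 wire format is
# the string "ssh-ed25519" followed by a 32-byte string.
SAMPLE_BLOB = (struct.pack(">I", 11) + b"ssh-ed25519"
               + struct.pack(">I", 32) + bytes(range(32)))
SAMPLE_LINE = "github.com ssh-ed25519 " + base64.b64encode(SAMPLE_BLOB).decode()
SAMPLE_FINGERPRINT = sha256_fingerprint(SAMPLE_BLOB)
```

Only lines that pass verify_known_hosts_line should be written to the pinned file; the returned GIT_SSH_COMMAND can then be set as a step env var for the checkov run, which sidesteps the unreadable /root/.ssh entirely.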

@randrusiak

@Constantin07 I've tried to use your proposed workaround, but unfortunately it didn't work.
Do you have another idea how to resolve this issue?

@noizo

noizo commented Jun 26, 2024

With a slight modification for pipx, I was able to run it this way:

name: Run Checkov
on:
  pull_request:

jobs:
  checkov-job:
    runs-on: ubuntu-latest
    name: checkov-action
    steps:
      - name: Checkout repo
        uses: actions/checkout@master
        with:
          fetch-depth: 0

      - name: Install Checkov
        run: pipx install checkov

      - name: Configure SSH key for Terraform components and modules
        uses: webfactory/ssh-agent@v0.9.0
        with:
          ssh-private-key: |
            ${{ secrets.SSH_KEY }}

      - name: Execute Checkov
        run: |
          checkov -d . \
          --config-file ${{ github.workspace }}/.checkov.yml \
          --output cli \
          --output-file-path console

with this .checkov.yml in repo root

download-external-modules: true
directory: .
evaluate-variables: true
external-modules-download-path: .external_modules
secrets-history-timeout: 12h
secrets-scan-file-type: []
summary-position: top
skip-check: "CKV_TF_1,CKV_TF_2,CKV_AWS_144,CKV_AWS_18,CKV_AWS_21,CKV2_AWS_65"
framework: terraform

cc: @randrusiak

@Saarett

Saarett commented Jul 2, 2024

Putting aside checkov-action, how does it work for you using Checkov?

@randrusiak

@noizo I tried your proposed solution, but the result is the same.

2024-07-17 10:38:40,316 [MainThread  ] [WARNI]  failed to get git::git@github.com:xxx/xxx.git//modules/aws/rds?ref=dc8a7e49ed6ae77e6030d197fc3cce8608fcfe4b because of Cmd('git') failed due to: exit code(128)
  cmdline: git clone -v --no-checkout -- git@github.com:xxx/xxx.git /__w/.external_modules/modules/aws/rds/dc8a7e49ed6ae77e6030d197fc3cce8608fcfe4b
  stderr: 'Cloning into '/__w/.external_modules/modules/aws/rds/dc8a7e49ed6ae77e6030d197fc3cce8608fcfe4b'...
Host key verification failed.
fatal: Could not read from remote repository.
