Disable noisy custom policy

src/main/kotlin/com/bridgecrew/services/ResultsCacheService.kt

@@ -6,6 +6,7 @@ import com.bridgecrew.services.scan.CheckovScanService
 import com.bridgecrew.utils.CheckovUtils
 import com.intellij.openapi.components.Service
 import com.intellij.openapi.project.Project
+import org.jetbrains.rpc.LOG
 
 @Service
 class ResultsCacheService(val project: Project) {
@@ -46,9 +47,16 @@ class ResultsCacheService(val project: Project) {
     fun setCheckovResultsFromResultsList(results: List<CheckovResult>) {
         for (result in results) {
             val category: Category = mapCheckovCheckTypeToScanType(result.check_type, result.check_id)
-            val resource: String = getResource(result, category)
             val name: String = getResourceName(result, category)
                     ?: throw Exception("null name, category is ${category.name}, result is $result")
+
+            if (CheckovUtils.isCustomPolicy(category, result.check_id) && CheckovUtils.shouldIgnoreCustomPolicy(result.check_name)) {
+                LOG.debug("Custom policy $name should be ignored")
+                continue
+            }
+
+
+            val resource: String = getResource(result, category)
             val checkType = CheckType.valueOf(result.check_type.uppercase())
             val severity = if (result.severity != null) Severity.valueOf(result.severity.uppercase()) else Severity.UNKNOWN
             val description = if(!result.description.isNullOrEmpty()) result.description else result.short_description

src/main/kotlin/com/bridgecrew/services/checkovScanCommandsService/CheckovScanCommandsService.kt

@@ -12,7 +12,7 @@ abstract class CheckovScanCommandsService(val project: Project) {
 
     fun getExecCommandForSingleFile(filePath: String, outputFilePath: String): ArrayList<String> {
         val cmds = ArrayList<String>()
-        cmds.addAll(getCheckovRunningCommandByServiceType())
+        cmds.addAll(getCheckovRunningCommandByServiceType(outputFilePath))
         cmds.addAll(getCheckovCliArgsForExecCommand(outputFilePath))
 
         cmds.add("-f")
@@ -23,7 +23,7 @@ abstract class CheckovScanCommandsService(val project: Project) {
     fun getExecCommandsForRepositoryByFramework(framework: String, outputFilePath: String): ArrayList<String> {
 
         val baseCmds = ArrayList<String>()
-        baseCmds.addAll(getCheckovRunningCommandByServiceType())
+        baseCmds.addAll(getCheckovRunningCommandByServiceType(outputFilePath))
 
         baseCmds.add("-d")
         baseCmds.add(getDirectory())
@@ -47,8 +47,10 @@ abstract class CheckovScanCommandsService(val project: Project) {
                     "Please insert an Api Token to continue")
         }
 
-        return arrayListOf("-s", "--bc-api-key", apiToken, "--repo-id", gitRepo, "--quiet", "-o", "cli", "-o", "json",
+        val command = arrayListOf("-s", "--bc-api-key", apiToken, "--repo-id", gitRepo, "--quiet", "-o", "cli", "-o", "json",
                 "--output-file-path", "console,$outputFilePath")
+        command.addAll(getCertParams())
+        return command
     }
 
     private fun getExcludePathCommand(): ArrayList<String> {
@@ -72,7 +74,19 @@ abstract class CheckovScanCommandsService(val project: Project) {
         return StringUtils.removeEnd(excludePath, "/")
     }
 
-    abstract fun getCheckovRunningCommandByServiceType(): ArrayList<String>
+    private fun getCertParams(): ArrayList<String> {
+        val cmds = ArrayList<String>()
+        val certPath = settings?.certificate
+        if (!certPath.isNullOrEmpty()) {
+            cmds.add("--ca-certificate")
+            cmds.add(getCertPath())
+            return cmds
+        }
+        return cmds
+    }
+
+    abstract fun getCheckovRunningCommandByServiceType(outputFilePath: String): ArrayList<String>
     abstract fun getDirectory(): String
     abstract fun getFilePath(originalFilePath: String): String
+    abstract fun getCertPath(): String
 }

src/main/kotlin/com/bridgecrew/services/checkovScanCommandsService/DockerCheckovScanCommandsService.kt

@@ -8,8 +8,9 @@ import org.apache.commons.io.FilenameUtils
 class DockerCheckovScanCommandsService(project: Project) : CheckovScanCommandsService(project) {
 
     private val image = "bridgecrew/checkov"
-    private val volumeDirectory = "checkovScan"
-    override fun getCheckovRunningCommandByServiceType(): ArrayList<String> {
+    private val volumeDirectory = FilenameUtils.separatorsToUnix(project.basePath)
+    private val volumeCertPath = "/usr/lib/ssl/cert.pem"
+    override fun getCheckovRunningCommandByServiceType(outputFilePath: String): ArrayList<String> {
         val pluginVersion =
                 PluginManagerCore.getPlugin(PluginId.getId("com.github.bridgecrewio.checkov"))?.version ?: "UNKNOWN"
 
@@ -20,11 +21,14 @@ class DockerCheckovScanCommandsService(project: Project) : CheckovScanCommandsSe
             dockerCommand.addAll(arrayListOf("--env", "PRISMA_API_URL=${prismaUrl}"))
         }
 
-        if (certPath?.isNotEmpty() == true) {
-            var volumeCaFile = "$certPath:/usr/lib/ssl/cert.pem"
-            dockerCommand.addAll(arrayListOf("--volume", volumeCaFile, "--env", "SSL_CERT_FILE=/usr/lib/ssl/cert.pem", "--env", "REQUESTS_CA_BUNDLE=/usr/lib/ssl/cert.pem"))
+        if (!certPath.isNullOrEmpty()) {
+            var volumeCaFile = "$certPath:$volumeCertPath"
+            dockerCommand.addAll(arrayListOf("--volume", volumeCaFile))
         }
-        val volumeDir = "${FilenameUtils.separatorsToUnix(project.basePath!!)}:/${volumeDirectory}"
+
+        dockerCommand.addAll(arrayListOf("--volume", "$outputFilePath:$outputFilePath"))
+
+        val volumeDir = "${FilenameUtils.separatorsToUnix(project.basePath)}:/${volumeDirectory}"
         dockerCommand.addAll(arrayListOf("--volume", volumeDir, image))
         return dockerCommand
 
@@ -37,4 +41,8 @@ class DockerCheckovScanCommandsService(project: Project) : CheckovScanCommandsSe
     override fun getFilePath(originalFilePath: String): String {
         return originalFilePath.replace(project.basePath!!, volumeDirectory)
     }
+
+    override fun getCertPath(): String {
+        return volumeCertPath
+    }
 }

src/main/kotlin/com/bridgecrew/services/checkovScanCommandsService/InstalledCheckovScanCommandsService.kt

@@ -6,7 +6,7 @@ import com.intellij.openapi.project.Project
 import org.apache.commons.io.FilenameUtils
 
 class InstalledCheckovScanCommandsService(project: Project) : CheckovScanCommandsService(project) {
-    override fun getCheckovRunningCommandByServiceType(): ArrayList<String> {
+    override fun getCheckovRunningCommandByServiceType(outputFilePath: String): ArrayList<String> {
         return arrayListOf(project.service<CliService>().checkovPath)
     }
 
@@ -17,4 +17,8 @@ class InstalledCheckovScanCommandsService(project: Project) : CheckovScanCommand
     override fun getFilePath(originalFilePath: String): String {
         return FilenameUtils.separatorsToSystem(originalFilePath)
     }
+
+    override fun getCertPath(): String {
+        return settings?.certificate!!
+    }
 }

src/main/kotlin/com/bridgecrew/services/scan/CheckovScanService.kt

@@ -56,7 +56,7 @@ class CheckovScanService: Disposable {
             val generalCommandLine = generateCheckovCommand(execCommand)
 
             val processHandler: ProcessHandler = OSProcessHandler.Silent(generalCommandLine)
-            val scanTask = ScanTask.FileScanTask(project, "Checkov scanning file $filePath", filePath, processHandler, checkovResultFile)
+            val scanTask = ScanTask.FileScanTask(project, "Prisma Cloud is scanning your file $filePath", filePath, processHandler, checkovResultFile)
             singleFileCurrentScans[filePath] = scanTask
 
             ApplicationManager.getApplication().executeOnPooledThread {
@@ -102,7 +102,7 @@ class CheckovScanService: Disposable {
                     val processHandler: ProcessHandler = OSProcessHandler.Silent(generateCheckovCommand(execCommand))
 
 
-                    val scanTask = ScanTask.FrameworkScanTask(project, "Checkov scanning repository by framework $framework", framework, processHandler, checkovResultFile)
+                    val scanTask = ScanTask.FrameworkScanTask(project, "Prisma Cloud is scanning your repository by framework $framework", framework, processHandler, checkovResultFile)
                     fullScanTasks.add(scanTask)
                     project.service<AnalyticsService>().fullScanByFrameworkStarted(framework)
 
@@ -151,19 +151,13 @@ class CheckovScanService: Disposable {
         val pluginVersion = PluginManagerCore.getPlugin(PluginId.getId("com.github.bridgecrewio.checkov"))?.version
                 ?: "UNKNOWN"
         val prismaUrl = settings?.prismaURL
-        val certPath = settings?.certificate
 
         val generalCommandLine = GeneralCommandLine(execCommand)
         generalCommandLine.charset = Charset.forName("UTF-8")
         generalCommandLine.environment["BC_SOURCE_VERSION"] = pluginVersion
         generalCommandLine.environment["BC_SOURCE"] = "jetbrains"
         generalCommandLine.environment["LOG_LEVEL"] = "DEBUG"
 
-        if (certPath?.isNotEmpty() == true) {
-            generalCommandLine.environment["SSL_CERT_FILE"] = certPath
-            generalCommandLine.environment["REQUESTS_CA_BUNDLE"] = certPath
-        }
-
         if (!prismaUrl.isNullOrEmpty()) {
             generalCommandLine.environment["PRISMA_API_URL"] = prismaUrl
         }
@@ -175,26 +169,13 @@ class CheckovScanService: Disposable {
         val execCommand = if(scanSourceType == ScanSourceType.FILE)
             selectedCheckovScanner!!.getExecCommandForSingleFile(scanningSource, checkovResultFilePath) else
                 selectedCheckovScanner!!.getExecCommandsForRepositoryByFramework(scanningSource, checkovResultFilePath)
-        execCommand.addAll(getCertParams())
-
 
         val maskedCommand = replaceApiToken(execCommand.joinToString(" "))
         LOG.info("Running command with service ${selectedCheckovScanner!!.javaClass}: $maskedCommand")
 
         return execCommand
     }
 
-    private fun getCertParams(): ArrayList<String> {
-        val cmds = ArrayList<String>()
-        val certPath = settings?.certificate
-        if (!certPath.isNullOrEmpty()) {
-            cmds.add("-ca")
-            cmds.add(certPath)
-            return cmds
-        }
-        return cmds
-    }
-
     private fun replaceApiToken(command: String): String {
         val apiToknIndex = command.indexOf("--bc-api-key")
         return if (apiToknIndex >= 0) {

src/main/kotlin/com/bridgecrew/services/scan/FullScanState.kt

@@ -146,14 +146,10 @@ class FullScanStateService(val project: Project) {
         val totalErrors = project.service<ResultsCacheService>().checkovResults.size
         var message = "Checkov has detected $totalErrors configuration errors in your project.\n" +
                 "Check out the tool window to analyze your code.\n" +
-                "${DESIRED_NUMBER_OF_FRAMEWORK_FOR_FULL_SCAN} frameworks were scanned:\n" +
-                "Scans for frameworks ${frameworkScansFinishedWithErrors.keys} were finished with errors.\n" +
-                "Please check the log files in:\n" +
-                "[${frameworkScansFinishedWithErrors.map { (framework, scanResults) -> "$framework:\n" +
-                        "log file - ${scanResults.debugOutput.path}\n" +
-                        "checkov result - ${scanResults.checkovResult.path}\n" }}]\n" +
-                "${invalidFilesSize}} files were detected as invalid:\n" +
-                "No errors have been detected for frameworks $frameworkScansFinishedWithNoVulnerabilities :)\n"
+                "${DESIRED_NUMBER_OF_FRAMEWORK_FOR_FULL_SCAN} frameworks were scanned.\n" +
+                generateErrorMessageForFullScanSummary() +
+                generateInvalidFileSizeMessageForFullScanSummary() +
+                generateNoErrorsMessageForFullScanSummary()
 
         if (unscannedFrameworks.isNotEmpty()) {
             message += "Frameworks $unscannedFrameworks were not scanned because they are probably not installed.\n"
@@ -163,7 +159,34 @@ class FullScanStateService(val project: Project) {
         CheckovNotificationBalloon.showNotification(project,
                 message,
                 NotificationType.INFORMATION)
+    }
+
+    private fun generateErrorMessageForFullScanSummary(): String {
+        if (frameworkScansFinishedWithErrors.isEmpty()) {
+            return ""
+        }
+
+        return "Scans for frameworks ${frameworkScansFinishedWithErrors.keys} were finished with errors.\n" +
+                "Please check the log files in:\n" +
+                "[${frameworkScansFinishedWithErrors.map { (framework, scanResults) -> "$framework:\n" +
+                        "log file - ${scanResults.debugOutput.path}\n" +
+                        "checkov result - ${scanResults.checkovResult.path}\n" }}]\n"
+    }
+
+    private fun generateInvalidFileSizeMessageForFullScanSummary(): String {
+        if (invalidFilesSize == 0) {
+            return ""
+        }
+
+        return "${invalidFilesSize}} files were detected as invalid\n"
+    }
+
+    private fun generateNoErrorsMessageForFullScanSummary(): String {
+        if (frameworkScansFinishedWithNoVulnerabilities.isEmpty()) {
+            return ""
+        }
 
+        return "No errors have been detected for frameworks $frameworkScansFinishedWithNoVulnerabilities :)\n"
     }
 
     fun wereAllFrameworksFinished(): Boolean {

src/main/kotlin/com/bridgecrew/ui/CheckovSettingsPanel.kt

@@ -17,7 +17,7 @@ class CheckovSettingsPanel(project: Project): JPanel() {
 
         layout = GridLayoutManager(3, 1, Insets(0, 0, 0, 0), -1, -1)
 
-        add(JLabel("Checkov Plugin would scan your infrastructure as code files."), createGridRowCol(0,0, GridConstraints.ANCHOR_CENTER))
+        add(JLabel("Prisma Cloud Plugin would scan your infrastructure as code files."), createGridRowCol(0,0, GridConstraints.ANCHOR_CENTER))
         add(JLabel("Please configure a valid Prisma token in order to use this Plugin"), createGridRowCol(1,0, GridConstraints.ANCHOR_CENTER))
         val settingsButton = JButton("Open Settings")
 

src/main/kotlin/com/bridgecrew/ui/CheckovToolWindowDescriptionPanel.kt

@@ -10,6 +10,7 @@ import com.intellij.openapi.util.IconLoader
 import com.intellij.ui.ScrollPaneFactory
 import com.intellij.uiDesigner.core.GridConstraints
 import com.intellij.uiDesigner.core.GridLayoutManager
+import com.intellij.util.ui.JBUI
 import icons.CheckovIcons
 import java.awt.BorderLayout
 import java.awt.Dimension
@@ -62,10 +63,9 @@ class CheckovToolWindowDescriptionPanel(val project: Project) : SimpleToolWindow
     fun initializationDescription(): JPanel {
         descriptionPanel = JPanel()
         descriptionPanel.layout = GridLayoutManager(2, 1, Insets(0, 0, 0, 0), -1, -1)
-        val imagePanel = JPanel()
-        imagePanel.add(JLabel(IconLoader.getIcon("/icons/checkov_m.svg")), createGridRowCol(0,0,GridConstraints.ANCHOR_NORTHEAST))
+        val imagePanel = createImagePanel()
         val scanningPanel = JPanel()
-        scanningPanel.add(JLabel("Checkov is being initialized"),  createGridRowCol(1,0,GridConstraints.ANCHOR_NORTH))
+        scanningPanel.add(JLabel("Prisma Cloud is being initialized"),  createGridRowCol(1,0, GridConstraints.ANCHOR_NORTH))
         descriptionPanel.add(imagePanel, createGridRowCol(0,0,GridConstraints.ANCHOR_NORTHEAST))
         descriptionPanel.add(scanningPanel, createGridRowCol(1,0,GridConstraints.ANCHOR_NORTH))
         return descriptionPanel
@@ -74,12 +74,11 @@ class CheckovToolWindowDescriptionPanel(val project: Project) : SimpleToolWindow
     fun preScanDescription(): JPanel {
         descriptionPanel = JPanel()
         descriptionPanel.layout = GridLayoutManager(2, 1, Insets(0, 0, 0, 0), -1, -1)
-        val imagePanel = JPanel()
-        imagePanel.add(JLabel(IconLoader.getIcon("/icons/checkov_m.svg")), createGridRowCol(0,0,GridConstraints.ANCHOR_NORTHEAST))
+        val imagePanel = createImagePanel()
         val scanningPanel = JPanel()
         scanningPanel.layout = GridLayoutManager(2, 1, Insets(0, 0, 0, 0), -1, -1)
-        scanningPanel.add(JLabel("Checkov is ready to run."),  createGridRowCol(0,0,GridConstraints.ANCHOR_NORTH))
-        scanningPanel.add(JLabel("Scanning would start automatically once an IaC file is opened or saved"), createGridRowCol(1,0,GridConstraints.ANCHOR_NORTH))
+        scanningPanel.add(JLabel("Prisma Cloud is ready to run."),  createGridRowCol(0,0,GridConstraints.ANCHOR_NORTH))
+        scanningPanel.add(JLabel("Scanning would start automatically once a file is opened or saved"), createGridRowCol(1,0,GridConstraints.ANCHOR_NORTH))
         descriptionPanel.add(imagePanel, createGridRowCol(0,0,GridConstraints.ANCHOR_NORTHEAST))
         descriptionPanel.add(scanningPanel, createGridRowCol(1,0,GridConstraints.ANCHOR_NORTH))
         return descriptionPanel
@@ -88,8 +87,7 @@ class CheckovToolWindowDescriptionPanel(val project: Project) : SimpleToolWindow
     fun configurationDescription(): JPanel {
         descriptionPanel = JPanel()
         descriptionPanel.layout = GridLayoutManager(2, 1, Insets(0, 0, 0, 0), -1, -1)
-        val imagePanel = JPanel()
-        imagePanel.add(JLabel(IconLoader.getIcon("/icons/checkov_m.svg")))
+        val imagePanel = createImagePanel()
         val configPanel = JPanel()
         configPanel.add(CheckovSettingsPanel(project), GridConstraints.ANCHOR_CENTER)
         descriptionPanel.add(imagePanel, createGridRowCol(0,0,GridConstraints.ANCHOR_NORTHEAST))
@@ -100,8 +98,7 @@ class CheckovToolWindowDescriptionPanel(val project: Project) : SimpleToolWindow
     fun duringScanDescription(description: String): JPanel {
         descriptionPanel = JPanel()
         descriptionPanel.layout = GridLayoutManager(2, 1, Insets(0, 0, 0, 0), -1, -1)
-        val imagePanel = JPanel()
-        imagePanel.add(JLabel(IconLoader.getIcon("/icons/checkov_m.svg")), createGridRowCol(0,0,GridConstraints.ANCHOR_NORTHEAST))
+        val imagePanel = createImagePanel()
         val scanningPanel = JPanel()
         scanningPanel.add(JLabel(description), GridConstraints.ANCHOR_CENTER)
         descriptionPanel.add(imagePanel, createGridRowCol(0,0,GridConstraints.ANCHOR_NORTHEAST))
@@ -112,8 +109,7 @@ class CheckovToolWindowDescriptionPanel(val project: Project) : SimpleToolWindow
     fun failedScanDescription(): JPanel {
         descriptionPanel = JPanel()
         descriptionPanel.layout = GridLayoutManager(2, 1, Insets(0, 0, 0, 0), -1, -1)
-        val imagePanel = JPanel()
-        imagePanel.add(JLabel(IconLoader.getIcon("/icons/checkov_m.svg")), createGridRowCol(0,0,GridConstraints.ANCHOR_NORTHEAST))
+        val imagePanel = createImagePanel()
         val scanningPanel = JPanel()
         scanningPanel.add(JLabel("Scan failed to run, please check the logs for further action"), GridConstraints.ANCHOR_CENTER)
         descriptionPanel.add(imagePanel, createGridRowCol(0,0,GridConstraints.ANCHOR_NORTHEAST))
@@ -137,4 +133,13 @@ class CheckovToolWindowDescriptionPanel(val project: Project) : SimpleToolWindow
         )
     }
 
+    private fun createImagePanel(): JPanel {
+        val imagePanel = JPanel()
+        imagePanel.layout = GridLayoutManager(2, 2, JBUI.emptyInsets(), -1, -1)
+        imagePanel.add(JLabel(IconLoader.getIcon("/icons/plugin_large_icon.svg")), createGridRowCol(0,0, GridConstraints.ANCHOR_CENTER))
+        imagePanel.add(JLabel("Prisma Cloud"), createGridRowCol(1,0, GridConstraints.ANCHOR_NORTHEAST))
+        imagePanel.add(JLabel("  "), createGridRowCol(0,1, GridConstraints.ANCHOR_NORTHEAST))
+        return imagePanel
+    }
+
 }

src/main/kotlin/com/bridgecrew/utils/CheckovUtils.kt

@@ -19,7 +19,15 @@ class CheckovUtils {
     companion object {
         private val LOG = logger<CheckovUtils>()
         fun isCustomPolicy(result: BaseCheckovResult): Boolean {
-            return (result.category == Category.IAC || result.category == Category.SECRETS) && !result.id.startsWith("CKV")
+            return isCustomPolicy(result.category, result.id)
+        }
+
+        fun isCustomPolicy(category: Category, id: String): Boolean {
+            return (category == Category.IAC || category == Category.SECRETS) && !id.startsWith("CKV")
+        }
+
+        fun shouldIgnoreCustomPolicy(policyName: String): Boolean {
+            return CUSTOM_POLICIES_TO_BE_IGNORED.contains(policyName.lowercase())
         }
 
         fun extractFailedChecksAndParsingErrorsFromCheckovResult(rawResult: String, scanningSource: String): CheckovResultExtractionData {

src/main/kotlin/com/bridgecrew/utils/Constants.kt

@@ -47,3 +47,5 @@ val SUPPRESSION_BUTTON_ALLOWED_FILE_TYPES: Set<FileType> = setOf(
         FileType.YAML,
         FileType.TERRAFORM
 )
+
+val CUSTOM_POLICIES_TO_BE_IGNORED = listOf<String>("yaml policy  secrets", "alapaka", "Copy of S3 bucket MFA Delete is not enabled")