CKV_TF_2 doesn't validate against version field #6307
Comments
Seeing the same. The examples in the PR explicitly put the tf_registry example as an expected failure, and the check is only looking at the URL for a version ref. This check appears to be overly opinionated.
Agree. The code is good when
Thanks. The issue is not necessarily whether What is the point of this check, if the first thing to do in our pipelines is to disable it globally?
I'll put up an issue and PR that reworks CKV_TF_2. It's just wrong. As an example, here is my code. Please share how CKV_TF_2 provides any value other than being a false negative.
I understand that using a reference tag hash as in CKV_TF_1 is a better security approach. However, since specifying a version or using a reference are equally secure in practice, CKV_TF_2 should support both methods.
@tsmithv11 I feel like this makes the checks less secure in practice, because now most of us are just going to skip this check altogether. The version field is pretty widely accepted.
There are exactly two checks in CKV_TF. Both are part of tsmithv11’s personal crusade against registries and SemVer in general with no regard to the obvious problem of someone being able to convince others to use the unmerged commit hash in their branch with malicious code from your repository, which Taylor calls “more secure”, or regard for the very concept of controlled releases and being able to determine if the commit you are on is the latest. When you challenge either of the checks, the issue is closed, untouched. It’s grown tiresome. All of the Terraform specific checks are disabled for us because they require an alternate reality to exist to comply with them, and we use other tools instead for Terraform compliance. Taylor is going to personally destroy checkov use for Terraform if something doesn’t change soon. @hulquest I hope you are successful. I’d prefer not to have to migrate to another tool.
Describe the issue
CKV_TF_2 doesn't validate against the version field. In Terraform, when referencing a module, in addition to `source` it is possible to also specify `version`. This is specifically useful when using Terraform registries.
Examples
Version (please complete the following information):
Additional context
CKV_TF_2 was introduced by #6213
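As an added illustration (my own hypothetical code, not checkov's CKV_TF_2 implementation and not code from this thread), here is a pinning check in Python that accepts either a `?ref=` query on a git source or a `version` argument on a registry source, which is the behaviour the issue and comments ask for. The function names and the sample module blocks are invented for the example.

```python
import re
from typing import Dict, List, Optional, Tuple
from urllib.parse import parse_qs

# Registry form: [host/]namespace/name/provider, e.g. terraform-aws-modules/vpc/aws
REGISTRY_SOURCE = re.compile(r"^(?:[\w.-]+/)?[\w-]+/[\w-]+/[\w-]+$")


def source_kind(source: str) -> str:
    """Classify a module source as local, git, registry or other (hypothetical helper)."""
    if source.startswith(("./", "../", "/")):
        return "local"
    if source.startswith(("git::", "git@", "github.com/", "bitbucket.org/")) or ".git" in source:
        return "git"
    if REGISTRY_SOURCE.match(source):
        return "registry"
    return "other"


def git_ref(source: str) -> Optional[str]:
    """Return the ``ref`` query parameter of a git-style source, or None if absent."""
    _, _, query = source.partition("?")
    return parse_qs(query).get("ref", [None])[0]


def is_pinned(source: str, version: Optional[str] = None) -> Tuple[bool, str]:
    """Return (pinned, reason). A local path has nothing to pin and passes."""
    kind = source_kind(source)
    if kind == "local":
        return True, "local path"
    if kind == "git":
        ref = git_ref(source)
        return ref is not None, f"git ref={ref!r}"
    if kind == "registry":
        # What the issue asks for: a version argument counts as a pin for registry
        # modules. Caveat: a range such as ">= 5.0" still floats; an exact version does not.
        return bool(version), f"registry version={version!r}"
    return False, f"unrecognised source {source!r}"


def unpinned_modules(modules: Dict[str, Dict[str, str]]) -> List[str]:
    """Names of module blocks failing the check; input is {label: {source, version?}}."""
    return [label for label, args in modules.items()
            if not is_pinned(args["source"], args.get("version"))[0]]


# Constructed sample module blocks (not from the issue), keyed by block label.
SAMPLE_MODULES = {
    "vpc_registry": {"source": "terraform-aws-modules/vpc/aws", "version": "5.1.0"},
    "vpc_floating": {"source": "terraform-aws-modules/vpc/aws"},
    "net_git": {"source": "git::https://github.com/acme/tf-net.git?ref=v1.2.0"},
    "net_unref": {"source": "github.com/acme/tf-net"},
    "local_mod": {"source": "./modules/iam"},
}
```

Running `unpinned_modules(SAMPLE_MODULES)` flags only `vpc_floating` and `net_unref`; the registry module with a `version` passes, which is the gap the issue describes in the current check.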