checkov

Maintained by Bridgecrew.io

Checkov is a static code analysis tool for infrastructure-as-code.

It scans cloud infrastructure provisioned using Terraform, Terraform plan, Cloudformation, AWS SAM, Kubernetes, Dockerfile, Serverless or ARM Templates and detects security and compliance misconfigurations using graph-based scanning.

Checkov also powers Bridgecrew, the developer-first platform that codifies and streamlines cloud security throughout the development lifecycle. Bridgecrew identifies, fixes, and prevents misconfigurations in cloud resources and infrastructure-as-code files.

Features

  • Over 1000 built-in policies cover security and compliance best practices for AWS, Azure and Google Cloud.
  • Scans Terraform, Terraform Plan, CloudFormation, AWS SAM, Kubernetes, Dockerfile, Serverless framework and ARM template files.
  • Supports Context-awareness policies based on in-memory graph-based scanning.
  • Supports Python format for attribute policies and YAML format for both attribute and composite policies.
  • Detects AWS credentials in EC2 Userdata, Lambda environment variables and Terraform providers.
  • Identifies secrets using regular expressions, keywords, and entropy based detection.
  • Evaluates Terraform Provider settings to regulate the creation, management, and updates of IaaS, PaaS or SaaS managed through Terraform.
  • Policies support evaluation of variables to their optional default value.
  • Supports in-line suppression of accepted risks or false-positives to reduce recurring scan failures. Also supports global skip from using CLI.
  • Output currently available as CLI, CycloneDX, JSON, JUnit XML and github markdown and link to remediation guides.

Screenshots

Scan results in CLI

[screenshot: scan results in CLI]

Scheduled scan result in Jenkins

[screenshot: scheduled scan result in Jenkins]

Getting started

Requirements

  • Python >= 3.7 (Data classes are available for Python 3.7+)
  • Terraform >= 0.12

Installation

pip3 install checkov

Installation on Alpine:

pip3 install --upgrade pip && pip3 install --upgrade setuptools
pip3 install checkov

Installation on Ubuntu 18.04 LTS:

Ubuntu 18.04 ships with Python 3.6. Install Python 3.7 from the deadsnakes PPA:

sudo apt update
sudo apt install software-properties-common
sudo add-apt-repository ppa:deadsnakes/ppa
sudo apt install python3.7
sudo apt install python3-pip
sudo python3.7 -m pip install -U checkov  # installs or upgrades checkov

Or using Homebrew (macOS only):

brew install checkov

Or, if checkov is already installed via Homebrew, upgrade it with:

brew upgrade checkov

Enabling bash autocomplete

source <(register-python-argcomplete checkov)

Upgrade

If you installed checkov with pip3:

pip3 install -U checkov

Configure an input folder or file

checkov --directory /user/path/to/iac/code

Or a specific file or files

checkov --file /user/tf/example.tf

Or

checkov -f /user/cloudformation/example1.yml -f /user/cloudformation/example2.yml

Or a Terraform plan file in JSON format:

terraform init
terraform plan -out tf.plan
terraform show -json tf.plan > tf.json
checkov -f tf.json

Note: the tf.json file written by terraform show is a single line, so checkov reports every finding at line number 0:

Check: CKV_AWS_21: "Ensure all data stored in the S3 bucket have versioning enabled"
	FAILED for resource: aws_s3_bucket.customer
	File: /tf/tf.json:0-0
	Guide: https://docs.bridgecrew.io/docs/s3_16-enable-versioning

If jq is installed, you can pretty-print the JSON so that findings map to meaningful line numbers:

terraform show -json tf.plan | jq '.' > tf.json

The scan result is then much more readable:

checkov -f tf.json
Check: CKV_AWS_21: "Ensure all data stored in the S3 bucket have versioning enabled"
	FAILED for resource: aws_s3_bucket.customer
	File: /tf/tf1.json:224-268
	Guide: https://docs.bridgecrew.io/docs/s3_16-enable-versioning

		225 |               "values": {
		226 |                 "acceleration_status": "",
		227 |                 "acl": "private",
		228 |                 "arn": "arn:aws:s3:::mybucket",

Alternatively, specify the repo root of the hcl files used to generate the plan file, using the --repo-root-for-plan-enrichment flag, to enrich the output with the appropriate file path, line numbers, and codeblock of the resource(s). An added benefit is that check suppressions will be handled accordingly.

checkov -f tf.json --repo-root-for-plan-enrichment /user/path/to/iac/code

Scan result sample (CLI)

Passed Checks: 1, Failed Checks: 1, Suppressed Checks: 0
Check: "Ensure all data stored in the S3 bucket is securely encrypted at rest"
/main.tf:
	 Passed for resource: aws_s3_bucket.template_bucket 
Check: "Ensure all data stored in the S3 bucket is securely encrypted at rest"
/../regionStack/main.tf:
	 Failed for resource: aws_s3_bucket.sls_deployment_bucket_name       

Start using Checkov by reading the Getting Started page.

Using Docker

docker pull bridgecrew/checkov
docker run --tty --volume /user/tf:/tf bridgecrew/checkov --directory /tf

Note: with Python 3.6 (the default version in Ubuntu 18.04) checkov will not run and fails with the error message ModuleNotFoundError: No module named 'dataclasses'. In that case, use the Docker image instead.

Note that there are certain cases where redirecting docker run --tty output to a file - for example, if you want to save the Checkov JUnit output to a file - will cause extra control characters to be printed. This can break file parsing. If you encounter this, remove the --tty flag.

Running or skipping checks

Using command line flags you can specify to run only named checks (allow list) or run all checks except those listed (deny list).

List available checks:

checkov --list 

Allow only 2 checks to run:

checkov --directory . --check CKV_AWS_20,CKV_AWS_57

Run all checks except 1 specified:

checkov -d . --skip-check CKV_AWS_20

Run all checks except checks with specified patterns:

checkov -d . --skip-check CKV_AWS*

For Kubernetes workloads, you can also use allow/deny namespaces. For example, do not report any results for the kube-system namespace:

checkov -d . --skip-check kube-system

Suppressing/Ignoring a check

Like any static-analysis tool it is limited by its analysis scope. For example, if a resource is managed manually, or using subsequent configuration management tooling, suppression can be inserted as a simple code annotation.

Suppression comment format

To skip a check on a given Terraform definition block or CloudFormation resource, apply the following comment pattern inside its scope:

checkov:skip=<check_id>:<suppression_comment>

  • <check_id> is one of the [available check scanners](docs/5.Policy Index/all.md)
  • <suppression_comment> is an optional suppression reason to be included in the output

Example

The following comment skips the CKV_AWS_20 check on the resource identified by foo-bucket, where the scan checks whether an AWS S3 bucket is private. In the example, the bucket is configured with public read access; adding the suppression comment makes the check report SKIPPED for this resource instead of FAILED.

resource "aws_s3_bucket" "foo-bucket" {
  region        = var.region
  #checkov:skip=CKV_AWS_20:The bucket is a public static content host
  bucket        = local.bucket_name
  force_destroy = true
  acl           = "public-read"
}

The output would now contain a SKIPPED check result entry:

...
...
Check: "S3 Bucket has an ACL defined which allows public access."
	SKIPPED for resource: aws_s3_bucket.foo-bucket
	Suppress comment: The bucket is a public static content host
	File: /example_skip_acl.tf:1-25
	
...

To skip multiple checks, add each as a new line.

  #checkov:skip=CKV2_AWS_6
  #checkov:skip=CKV_AWS_20:The bucket is a public static content host

To suppress checks in Kubernetes manifests, annotations are used with the following format: checkov.io/skip#: <check_id>=<suppression_comment>

For example:

apiVersion: v1
kind: Pod
metadata:
  name: mypod
  annotations:
    checkov.io/skip1: CKV_K8S_20=I don't care about Privilege Escalation :-O
    checkov.io/skip2: CKV_K8S_14
    checkov.io/skip3: CKV_K8S_11=I have not set CPU limits as I want BestEffort QoS
spec:
  containers:
...
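The two mechanisms above decide whether a given check produces a result at all: the --check / --skip-check lists from "Running or skipping checks" select which checks run, and the in-code suppressions turn a FAILED result into SKIPPED. The following is an added example, not Checkov's own implementation, that puts both into working code: an allow/deny decision with glob-style patterns such as CKV_AWS* (fnmatch semantics are an assumption), a parser for #checkov:skip= comments that attributes each suppression to its enclosing Terraform resource block, and a reader for checkov.io/skip<N> annotations from a Kubernetes manifest. The Terraform source and annotation map are constructed inputs mirroring the README's examples.

```python
"""
Added example, not Checkov's own code: allow/deny check selection plus
in-code suppression parsing for Terraform comments and Kubernetes annotations.
Assumptions: --check/--skip-check patterns use fnmatch semantics; the
suppression comment is optional in both formats.
"""
import re
from fnmatch import fnmatchcase
from typing import Dict, Iterable, List, NamedTuple, Optional


class Suppression(NamedTuple):
    check_id: str
    comment: Optional[str]


def check_runs(check_id: str, allow: Iterable[str] = (), deny: Iterable[str] = ()) -> bool:
    """--check (allow list) restricts only when non-empty; --skip-check removes matches."""
    allow, deny = list(allow), list(deny)
    if allow and not any(fnmatchcase(check_id, p) for p in allow):
        return False
    return not any(fnmatchcase(check_id, p) for p in deny)


# '#checkov:skip=<check_id>[:<comment>]' anywhere on a comment line.
_TF_SKIP = re.compile(r"#\s*checkov:skip=(?P<id>[A-Za-z0-9_]+)(?::(?P<comment>.*))?")
# Start of a resource block: resource "<type>" "<name>" {
_TF_BLOCK = re.compile(r'^\s*resource\s+"(?P<type>[^"]+)"\s+"(?P<name>[^"]+)"\s*\{')


def terraform_suppressions(source: str) -> Dict[str, List[Suppression]]:
    """Map '<type>.<name>' to the suppressions found inside that resource block.

    Block extent is tracked by brace depth; braces inside quoted strings are not
    special-cased, which is sufficient for comment-style suppressions.
    """
    result: Dict[str, List[Suppression]] = {}
    current: Optional[str] = None
    depth = 0
    for line in source.splitlines():
        if current is None:
            m = _TF_BLOCK.match(line)
            if not m:
                continue
            current = f"{m['type']}.{m['name']}"
            result[current] = []
            depth = 0
        m = _TF_SKIP.search(line)
        if m:
            comment = (m["comment"] or "").strip() or None
            result[current].append(Suppression(m["id"], comment))
        depth += line.count("{") - line.count("}")
        if depth <= 0:
            current = None
    return result


_K8S_SKIP = re.compile(r"^checkov\.io/skip(?P<n>\d+)$")


def k8s_suppressions(annotations: Dict[str, str]) -> List[Suppression]:
    """Read 'checkov.io/skip<N>: <check_id>[=<comment>]' annotations, ordered by N."""
    found = []
    for key, value in annotations.items():
        m = _K8S_SKIP.match(key)
        if not m:
            continue
        check_id, _, comment = value.partition("=")
        found.append((int(m["n"]), Suppression(check_id.strip(), comment.strip() or None)))
    return [s for _, s in sorted(found)]


def find_suppression(check_id: str, suppressions: Iterable[Suppression]) -> Optional[Suppression]:
    """The suppression that applies to check_id, or None if the check is not skipped."""
    return next((s for s in suppressions if s.check_id == check_id), None)


# Constructed sample inputs mirroring the README's examples.
SAMPLE_TF = '''
resource "aws_s3_bucket" "foo-bucket" {
  region        = var.region
  #checkov:skip=CKV2_AWS_6
  #checkov:skip=CKV_AWS_20:The bucket is a public static content host
  bucket        = local.bucket_name
  force_destroy = true
  acl           = "public-read"
}

resource "aws_s3_bucket" "other" {
  bucket = "other"
  versioning {
    enabled = true
  }
}
'''
SAMPLE_ANNOTATIONS = {
    "checkov.io/skip1": "CKV_K8S_20=I don't care about Privilege Escalation :-O",
    "checkov.io/skip2": "CKV_K8S_14",
    "checkov.io/skip3": "CKV_K8S_11=I have not set CPU limits as I want BestEffort QoS",
    "app.kubernetes.io/name": "mypod",
}

if __name__ == "__main__":
    for address, sups in terraform_suppressions(SAMPLE_TF).items():
        print(address, [s.check_id for s in sups])
    print([s.check_id for s in k8s_suppressions(SAMPLE_ANNOTATIONS)])
    print("CKV_AWS_20 runs with --skip-check CKV_AWS*:", check_runs("CKV_AWS_20", deny=["CKV_AWS*"]))
```

A suppression only affects the resource whose block contains the comment, which is why the parser attributes each directive to the enclosing block rather than to the file; a skip placed outside any resource block is ignored here, as it would produce no SKIPPED entry for a specific resource.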

Logging

For detailed logging to stdout, set the environment variable LOG_LEVEL to DEBUG.

Default is LOG_LEVEL=WARNING.

Skipping directories

To skip files or directories, use the argument --skip-path, which can be specified multiple times. This argument accepts regular expressions for paths relative to the current working directory. You can use it to skip entire directories and / or specific files.

By default, all directories named node_modules, .terraform and .serverless are skipped, as are any files or directories whose name begins with a dot. To stop skipping dot-prefixed directories, set the IGNORE_HIDDEN_DIRECTORY_ENV environment variable to false: export IGNORE_HIDDEN_DIRECTORY_ENV=false

You can override the default set of directories to skip by setting the environment variable CKV_IGNORED_DIRECTORIES. Note that if you want to preserve this list and add to it, you must include these values. For example, CKV_IGNORED_DIRECTORIES=mynewdir will skip only that directory, but not the others mentioned above. This variable is legacy functionality; we recommend using the --skip-file flag.
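The interaction between the default skip list, the hidden-directory toggle, the CKV_IGNORED_DIRECTORIES override and --skip-path patterns is easy to get wrong, in particular the fact that the override replaces the defaults rather than extending them. The following added example (not Checkov's own code) applies those rules to a constructed list of relative paths; it assumes --skip-path patterns are matched with re.search against the '/'-separated path relative to the working directory and that CKV_IGNORED_DIRECTORIES is a comma-separated list.

```python
"""
Added example, not Checkov's own code: path filtering following the skip rules
described above.  Assumptions: --skip-path patterns are applied with re.search
to '/'-separated paths relative to the working directory; CKV_IGNORED_DIRECTORIES
is comma-separated.
"""
import os
import re
from typing import Iterable, List, Mapping, Optional

DEFAULT_IGNORED_DIRS = ("node_modules", ".terraform", ".serverless")


def ignored_dir_names(env: Optional[Mapping[str, str]] = None) -> List[str]:
    """CKV_IGNORED_DIRECTORIES replaces the default list; it does not extend it."""
    env = os.environ if env is None else env
    override = env.get("CKV_IGNORED_DIRECTORIES")
    if override:
        return [name.strip() for name in override.split(",") if name.strip()]
    return list(DEFAULT_IGNORED_DIRS)


def hidden_entries_skipped(env: Optional[Mapping[str, str]] = None) -> bool:
    """Dot-prefixed files and directories are skipped unless the variable is 'false'."""
    env = os.environ if env is None else env
    return env.get("IGNORE_HIDDEN_DIRECTORY_ENV", "true").strip().lower() != "false"


def should_skip(rel_path: str, skip_patterns: Iterable[str] = (),
                env: Optional[Mapping[str, str]] = None) -> bool:
    """rel_path is relative to the working directory and uses '/' as separator."""
    names = set(ignored_dir_names(env))
    skip_hidden = hidden_entries_skipped(env)
    for part in rel_path.split("/"):
        if part in names:
            return True
        if skip_hidden and part.startswith(".") and part not in (".", ".."):
            return True
    return any(re.search(pattern, rel_path) for pattern in skip_patterns)


def filter_paths(paths: Iterable[str], skip_patterns: Iterable[str] = (),
                 env: Optional[Mapping[str, str]] = None) -> List[str]:
    """Paths that survive the skip rules, in input order."""
    patterns = list(skip_patterns)
    return [p for p in paths if not should_skip(p, patterns, env)]


# Constructed sample tree, as a scanner walking the working directory would see it.
SAMPLE_PATHS = [
    "main.tf",
    "modules/vpc/main.tf",
    "node_modules/pkg/main.tf",
    ".terraform/modules/remote/main.tf",
    ".hidden/secret.tf",
    "examples/demo/main.tf",
    "test/fixtures/bad.tf",
]

if __name__ == "__main__":
    print("defaults + --skip-path ^examples/:", filter_paths(SAMPLE_PATHS, ["^examples/"], env={}))
    print("hidden dirs kept:", filter_paths(SAMPLE_PATHS, env={"IGNORE_HIDDEN_DIRECTORY_ENV": "false"}))
    print("override replaces defaults:", filter_paths(SAMPLE_PATHS, env={"CKV_IGNORED_DIRECTORIES": "examples"}))
```

Passing an explicit env mapping rather than reading os.environ keeps the function testable; the third call shows the gotcha named above, where setting CKV_IGNORED_DIRECTORIES=examples brings node_modules back into the scan.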

VSCODE Extension

To use checkov from within VS Code, try the Checkov extension available on the VS Code marketplace.

Configuration using a config file

Checkov can be configured using a YAML configuration file. By default, checkov looks for a .checkov.yaml or .checkov.yml file in the following places in order of precedence:

  • Directory against which checkov is run. (--directory)
  • Current working directory where checkov is called.
  • User's home directory.

Attention: it is best practice to load the checkov configuration file from a trusted source authored by a verified identity, since the file determines which files are scanned, which check ids run and which custom checks are loaded.

Users can also pass in the path to a config file via the command line. In this case, the other config files will be ignored. For example:

checkov --config-file path/to/config.yaml

Users can also create a config file using the --create-config command, which takes the current command line args and writes them out to a given path. For example:

checkov --compact --directory test-dir --docker-image sample-image --dockerfile-path Dockerfile --download-external-modules True --external-checks-dir sample-dir --no-guide --quiet --repo-id bridgecrew/sample-repo --skip-check CKV_DOCKER_3,CKV_DOCKER_2 --skip-fixes --skip-framework dockerfile secrets --skip-suppressions --soft-fail --branch develop --check CKV_DOCKER_1 --create-config /Users/sample/config.yml

Will create a config.yaml file which looks like this:

branch: develop
check:
  - CKV_DOCKER_1
compact: true
directory:
  - test-dir
docker-image: sample-image
dockerfile-path: Dockerfile
download-external-modules: true 
evaluate-variables: true 
external-checks-dir: 
  - sample-dir 
external-modules-download-path: .external_modules 
framework:
  - all 
no-guide: true 
output: cli 
quiet: true 
repo-id: bridgecrew/sample-repo 
skip-check: 
  - CKV_DOCKER_3 
  - CKV_DOCKER_2 
skip-fixes: true 
skip-framework:
  - dockerfile
  - secrets
skip-suppressions: true 
soft-fail: true

Users can also use the --show-config flag to view all the args and settings and where they came from i.e. commandline, config file, environment variable or default. For example:

checkov --show-config

Will display:

Command Line Args:   --show-config
Environment Variables:
  BC_API_KEY:        your-api-key
Config File (/Users/sample/.checkov.yml):
  soft-fail:         False
  branch:            master
  skip-check:        ['CKV_DOCKER_3', 'CKV_DOCKER_2']
Defaults:
  --output:          cli
  --framework:       ['all']
  --download-external-modules:False
  --external-modules-download-path:.external_modules
  --evaluate-variables:True
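The lookup order above has a security consequence worth making concrete: a .checkov.yaml committed inside the directory being scanned takes precedence over the operator's own file in their home directory, so whoever controls the scanned tree can also choose which checks run. The following added example (not Checkov's own loader) resolves the config file in that order, flags a config that lives inside the scanned tree, and merges settings while recording each value's source the way --show-config reports it. The layout is built in a temporary directory; the precedence command line > environment > config file > defaults is an assumption taken from the --show-config listing order.

```python
"""
Added example, not Checkov's own loader: config-file resolution in the documented
precedence order, a check for a config inside the scanned tree, and a layered
settings merge with provenance.  Layer precedence (command line > environment >
config file > defaults) is assumed from the --show-config listing order.
"""
import tempfile
from pathlib import Path
from typing import Dict, Mapping, Optional, Tuple

CONFIG_NAMES = (".checkov.yaml", ".checkov.yml")
DEFAULTS: Dict[str, object] = {"output": "cli", "framework": ["all"], "soft-fail": False}


def find_config_file(scan_dir: Path, cwd: Path, home: Path) -> Optional[Tuple[Path, str]]:
    """First existing config file in precedence order, with a label for where it was found."""
    for label, base in (("directory", scan_dir), ("cwd", cwd), ("home", home)):
        for name in CONFIG_NAMES:
            candidate = base / name
            if candidate.is_file():
                return candidate, label
    return None


def config_inside_scanned_tree(config_path: Path, scan_dir: Path) -> bool:
    """True when the chosen config is part of the code being scanned, so whoever can
    commit to that tree can also change which checks run and which custom checks load."""
    try:
        config_path.resolve().relative_to(scan_dir.resolve())
        return True
    except ValueError:
        return False


def effective_settings(cli: Mapping[str, object], env: Mapping[str, object],
                       config: Mapping[str, object]) -> Dict[str, Tuple[object, str]]:
    """Merge the four layers; each key maps to (value, source)."""
    merged: Dict[str, Tuple[object, str]] = {k: (v, "default") for k, v in DEFAULTS.items()}
    for source, layer in (("config file", config), ("environment", env), ("command line", cli)):
        for key, value in layer.items():
            merged[key] = (value, source)
    return merged


def demo() -> Dict[str, object]:
    """Constructed layout: one config in the user's home, another committed inside the repo."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        home, scan_dir, cwd = root / "home", root / "repo", root / "elsewhere"
        for d in (home, scan_dir, cwd):
            d.mkdir()
        (home / ".checkov.yml").write_text("soft-fail: false\n")
        (scan_dir / ".checkov.yaml").write_text("skip-check:\n  - CKV_AWS_20\nsoft-fail: true\n")
        path, label = find_config_file(scan_dir, cwd, home)
        return {"label": label, "name": path.name,
                "inside_scanned_tree": config_inside_scanned_tree(path, scan_dir)}


if __name__ == "__main__":
    print(demo())
    layered = effective_settings({"directory": ["."]}, {}, {"soft-fail": True})
    for key, (value, source) in layered.items():
        print(f"{key}: {value!r} ({source})")
```

In a pipeline that scans third-party or pull-request code, passing --config-file with an operator-controlled path is the simple way to avoid the "directory" hit in the first place, since the README states that an explicit path makes the other config files be ignored.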

Contributing

Contributions are welcome!

Start by reviewing the contribution guidelines. After that, take a look at a good first issue.

Looking to contribute new checks? Learn how to write a new check (AKA policy) here.

Disclaimer

checkov does not save, publish or share with anyone any identifiable customer information.
No identifiable customer information is used to query Bridgecrew's publicly accessible guides. checkov uses Bridgecrew's API to enrich the results with links to remediation guides. To skip this API call use the flag --no-guide.

Support

Bridgecrew builds and maintains Checkov to make policy-as-code simple and accessible.

Start with our Documentation for quick tutorials and examples.

If you need direct support you can contact us at [email protected].

Comments
  • Checkov return empty result

    Checkov return empty result

    Describe the bug checkov checks its own version and terminates unexpectedly.

    $ checkov -f main.tf
    
           _               _
       ___| |__   ___  ___| | _______   __
      / __| '_ \ / _ \/ __| |/ / _ \ \ / /
     | (__| | | |  __/ (__|   < (_) \ V /
      \___|_| |_|\___|\___|_|\_\___/ \_/
    
    By bridgecrew.io | version: 1.0.690
    Update available 1.0.690 → 1.0.694
    Run pip3 install -U checkov to update
    

    To Reproduce 2020-01-11_15:01 CET:

    brew install checkov
    Updating Homebrew...
    ==> Downloading https://homebrew.bintray.com/bottles/checkov-1.0.690.catalina.bottle.tar.gz
    Already downloaded: /Users/petersa/Library/Caches/Homebrew/downloads/524348eefae3d4068a02df846d0547b103a3bbae2c2b5abcfd4b0e11fc5a5be8--checkov-1.0.690.catalina.bottle.tar.gz
    ==> Pouring checkov-1.0.690.catalina.bottle.tar.gz
    🍺  /usr/local/Cellar/checkov/1.0.690: 2,650 files, 66.8MB
    
    $ checkov -f main.tf
    

    Desktop (please complete the following information):

    • OS: mac os x catalina
    triage 
    opened by peddyspg 21
  • Check: CKV_AWS_35:

    Check: CKV_AWS_35: "Ensure CloudTrail logs are encrypted at rest using KMS CMKs" for terraform plan if kms_key_id is a reference to kms resource

    Describe the bug I used this example https://github.com/cloudposse/terraform-aws-cloudtrail/tree/master/examples/complete to test the CloudTrail KMS encryption check. Experiencing the same issue reported at #799: scanning terraform files is working fine, it reports SUCCESS for the KMS CMKs check, but terraform plan scanning fails:

    Check: CKV_AWS_35: "Ensure CloudTrail logs are encrypted at rest using KMS CMKs"
    	FAILED for resource: aws_cloudtrail.default
    	File: /tf-formatted.json:132-150
    	Guide: https://docs.bridgecrew.io/docs/logging_7
    
    		133 |               "values": {
    		134 |                 "cloud_watch_logs_group_arn": "",
    		135 |                 "cloud_watch_logs_role_arn": "",
    		136 |                 "enable_log_file_validation": true,
    		137 |                 "enable_logging": true,
    		138 |                 "event_selector": [],
    		139 |                 "include_global_service_events": false,
    		140 |                 "insight_selector": [],
    		141 |                 "is_multi_region_trail": false,
    		142 |                 "is_organization_trail": false,
    		143 |                 "name": "eg-test-cloudtrail-test",
    		144 |                 "s3_key_prefix": null,
    		145 |                 "sns_topic_name": null,
    		146 |                 "tags": {
    		147 |                   "Name": "eg-test-cloudtrail-test",
    		148 |                   "Namespace": "eg",
    		149 |                   "Stage": "test"
    		150 |                 }
    
    
    

    Desktop (please complete the following information):

    • OS: MacOS
    • Checkov Version 1.0.711

    Additional context Attached failed terraform plan in json kms-key-reference.txt

    work in progress stale terraform languages 
    opened by ismailyenigul 20
  • Add enrichment + check suppression support for plan file scans

    Add enrichment + check suppression support for plan file scans

    By submitting this pull request, I confirm that my contribution is made under the terms of the Apache 2.0 license.

    This PR introduces the --repo_root_for_plan_enrichment flag which, when used in conjunction with -f on a plan file, will enrich the reports with the appropriate filepath, line numbers, and codeblock of the hcl code that generated the plan file.

    This flag should be passed a repo root of wherever the hcl files live.

    When not set (which it isn't by default), the functionality for scanning a plan file continues as normal.

    checkov -f ~/Development/tf-test/planfile.json --repo-root-for-plan-enrichment ~/Development/tf-test

    opened by ac-square 19
  • Very slow terraform scan on medium sized repository

    Very slow terraform scan on medium sized repository

    Describe the bug

    I've just tried checkov on a medium sized repository that contains ~70 modules and around 20 Terraform workspaces. Running checkov against the entire repository takes about 1 hour and 50 minutes on current gen desktop CPU. In contrast something like tfsec only takes in the order of ~20s for the same code. My understanding is that both tools are primarily busy evaluating the logic of the Terraform code (substituting variables, instantiating modules, ...) and applying each rule set is the cheaper part of the execution. Correct me if I am wrong.

    cloc says the following about my Terraform folder:

    $ cloc terraform/
    
    github.com/AlDanial/cloc v 1.88  T=2.25 s (416.3 files/s, 35823.6 lines/s)
    -------------------------------------------------------------------------------
    Language                     files          blank        comment           code
    -------------------------------------------------------------------------------
    HCL                            709          12897           5047          50407
    …
    -------------------------------------------------------------------------------
    SUM:                           935          14249           5268          60935
    -------------------------------------------------------------------------------
    

    Running checkov against individual modules takes somewhere between a ~5 to 30s which is totally fine when looking at their complexity.

    Having done some light profiling of the application it appears as if the (costly?) parsing of each HCL block in the Terraform files is done over and over again for each instance of a module.

    I slapped some @lru_cache(max_size=1024) annotation on to the parse_var_blocks function which resulted in a 13% reduction of execution time. Increasing the cache size to an unbounded limit had more influence on the performance but not to the point where the runtime is anywhere near what I would feel comfortable with in CI.

    Anything going from here seems to require more knowledge about the code base.

    commit a4606b31d29a1f5d4f392032ebc6e75f0d7ae0a2
    Author: Andreas Rammhold <[email protected]>
    Date:   Fri Mar 19 17:09:20 2021 +0100
    
        Cache calls to find_var_blocks
        
        While using checkov on a larger terraform repository the runtime on all
        the files was about 1 hour and 50 minutes. As that large repository is
        not a good test case I trimmed it down to a smaller part of the repo
        that only took about 12.736s ± 0.153s seconds before this change and with this
        change is at 11.196s ± 0.195s which is a nice ~13% speedup in runtime.
    
    diff --git a/checkov/terraform/parser_utils.py b/checkov/terraform/parser_utils.py
    index b672c24e..50be5e27 100644
    --- a/checkov/terraform/parser_utils.py
    +++ b/checkov/terraform/parser_utils.py
    @@ -4,6 +4,8 @@ from dataclasses import dataclass
     from enum import Enum, IntEnum
     from typing import Any, Dict, List, Optional
     
    +from functools import lru_cache
    +
     import hcl2
     
     
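    Review bot: `from functools import lru_cache` is a standard-library import and belongs in the existing stdlib group (before `from typing import Any, Dict, List, Optional`), not in its own group separated by blank lines below it; as placed, an isort run would move it, and the lint job proposed elsewhere in this tracker would then flag the file.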
    @@ -48,6 +50,7 @@ class ParserMode(Enum):
             return str(self.value)
     
     
    +@lru_cache(maxsize=1024)
     def find_var_blocks(value: str) -> List[VarBlockMatch]:
         """
         Find and return all the var blocks within a given string. Order is important and may contain portions of
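    Review bot: `find_var_blocks` returns a `List[VarBlockMatch]`, so under `@lru_cache(maxsize=1024)` every caller passing the same string receives the same list object, and any caller that mutates the result (append, pop, in-place sort) silently corrupts the cached value for all later calls; return a tuple from the cached function and convert at the call site, or keep the cache on a private helper and return `list(_find_var_blocks_cached(value))`. The cache also requires `value` to be hashable, which holds for `str` but would raise `TypeError` if a caller ever passed a list or dict, so the docstring should state that `value` must be a string.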
    
    

    Profile results after applying the above caching patch:

    Profile results before applying the above caching patch:

    Looking at the output of strace -e openat bin/checkov .... I can see that checkov is reading some files as often as four times within one run.

    To Reproduce Steps to reproduce the behavior:

    1. Checkout a larger terraform repository
    2. run checkov against the directory
    3. wait

    Expected behavior I would expect a runtime in the order of seconds or minutes but not tens of minutes or almost two hours.

    Desktop (please complete the following information):

    • OS: Linux, using checkov docker container and a local python interpreter on NixOS during profiling/testing.
    • Checkov Version: 36d065755da53b59ab8371bbe349c9cb3ce526ff
    opened by andir 19
  • --check and --skip-check lists defined in files

    --check and --skip-check lists defined in files

    Is your feature request related to a problem? Please describe. We have a need to either define multiple skip checks or multiple checks. Would be great if we could load them from a file and not define explicitly in the cli param

    Describe the solution you'd like --skip-check-list /path/to/file --check-list /path/to/file

    stale skips 
    opened by jglapa 18
  • Support AWS provider version 4.0.0

    Support AWS provider version 4.0.0

    Describe the issue The latest AWS provider version 4.0.0 introduces multiple breaking changes, especially regarding the aws_s3_bucket resource

    Examples The following snippet is based on version 4.0.0 and will make the following checks fail

    • aws-s3-enable-bucket-encryption
    • aws-s3-enable-versioning
    • aws-s3-encryption-customer-key
    resource "aws_s3_bucket" "example" {
      bucket = "example"
    }
    
    resource "aws_s3_bucket_acl" "example" {
      bucket = aws_s3_bucket.example.id
      acl    = "private"
    }
    
    resource "aws_s3_bucket_server_side_encryption_configuration" "example" {
      bucket = aws_s3_bucket.example.id
    
      rule {
        apply_server_side_encryption_by_default {
          kms_master_key_id = aws_kms_key.example.arn
          sse_algorithm     = "aws:kms"
        }
      }
    }
    
    resource "aws_s3_bucket_versioning" "example" {
      bucket = aws_s3_bucket.example.id
    
      versioning_configuration {
        status = "Enabled"
      }
    }
    
    resource "aws_kms_key" "example" {
      description         = "example"
      enable_key_rotation = true
      multi_region        = false
    }
    

    Version (please complete the following information):

    • Checkov Version 2.0.823 (probably more versions)

    Additional context See the migration guide.

    checks terraform 
    opened by HorizonNet 17
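The README's "terraform plan file" section and this issue describe the same check from two angles: a plan-JSON scan has to find versioning either in the bucket's own inline versioning block (pre-4.0 providers) or in a separate aws_s3_bucket_versioning resource (provider 4.x) that is linked to the bucket only by reference. The following added example is not Checkov's own check code; it implements the behaviour CKV_AWS_21 describes over a constructed, trimmed plan document, joining the 4.x versioning resource back to its bucket through the references recorded in the plan's configuration section. Module resources in planned_values are walked, but references inside module calls are not followed.

```python
"""
Added example, not Checkov's own check: bucket versioning check over Terraform
plan JSON, supporting both the inline `versioning` block and the provider 4.x
`aws_s3_bucket_versioning` resource.  The plan document is constructed.
"""
import json
from typing import Dict, Iterator, List, Set, Tuple

SAMPLE_PLAN = json.dumps({
    "planned_values": {"root_module": {
        "resources": [
            {"address": "aws_s3_bucket.legacy", "type": "aws_s3_bucket",
             "values": {"bucket": "legacy", "versioning": [{"enabled": True}]}},
            {"address": "aws_s3_bucket.example", "type": "aws_s3_bucket",
             "values": {"bucket": "example"}},
            {"address": "aws_s3_bucket_versioning.example", "type": "aws_s3_bucket_versioning",
             "values": {"versioning_configuration": [{"status": "Enabled"}]}},
            {"address": "aws_s3_bucket.unversioned", "type": "aws_s3_bucket",
             "values": {"bucket": "unversioned", "versioning": [{"enabled": False}]}},
        ],
        "child_modules": [{"address": "module.logs", "resources": [
            {"address": "module.logs.aws_s3_bucket.logs", "type": "aws_s3_bucket",
             "values": {"bucket": "logs"}},
        ]}],
    }},
    "configuration": {"root_module": {"resources": [
        {"address": "aws_s3_bucket_versioning.example", "type": "aws_s3_bucket_versioning",
         "expressions": {"bucket": {"references": ["aws_s3_bucket.example.id", "aws_s3_bucket.example"]}}},
    ]}},
})


def iter_resources(module: Dict) -> Iterator[Dict]:
    """Yield resources of a planned_values module and, recursively, of its child modules."""
    yield from module.get("resources", [])
    for child in module.get("child_modules", []):
        yield from iter_resources(child)


def enabled_versioning_resources(plan: Dict) -> Set[str]:
    """Addresses of aws_s3_bucket_versioning resources planned with status Enabled."""
    enabled: Set[str] = set()
    for res in iter_resources(plan["planned_values"]["root_module"]):
        if res.get("type") != "aws_s3_bucket_versioning":
            continue
        cfg = res.get("values", {}).get("versioning_configuration") or [{}]
        if cfg[0].get("status") == "Enabled":
            enabled.add(res["address"])
    return enabled


def buckets_versioned_by_reference(plan: Dict) -> Set[str]:
    """Bucket addresses that an enabled aws_s3_bucket_versioning resource points at."""
    enabled = enabled_versioning_resources(plan)
    linked: Set[str] = set()
    for res in plan.get("configuration", {}).get("root_module", {}).get("resources", []):
        if res.get("address") not in enabled:
            continue
        refs = res.get("expressions", {}).get("bucket", {}).get("references", [])
        for ref in refs:
            parts = ref.split(".")  # "aws_s3_bucket.example.id" -> type, name, attribute
            if len(parts) >= 2 and parts[0] == "aws_s3_bucket":
                linked.add(".".join(parts[:2]))
    return linked


def check_bucket_versioning(plan_json: str) -> List[Tuple[str, str]]:
    """Return (address, 'PASSED' or 'FAILED') for every aws_s3_bucket in the plan."""
    plan = json.loads(plan_json)
    linked = buckets_versioned_by_reference(plan)
    results: List[Tuple[str, str]] = []
    for res in iter_resources(plan["planned_values"]["root_module"]):
        if res.get("type") != "aws_s3_bucket":
            continue
        inline = res.get("values", {}).get("versioning") or [{}]
        passed = bool(inline[0].get("enabled")) or res["address"] in linked
        results.append((res["address"], "PASSED" if passed else "FAILED"))
    return results


if __name__ == "__main__":
    for address, outcome in check_bucket_versioning(SAMPLE_PLAN):
        print(f"{outcome:6} versioning enabled: {address}")
```

The join through configuration references is the part a plain attribute check cannot do, and it is why a 4.x layout fails under a check that only inspects the aws_s3_bucket resource's own values.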
  • Add PoC Parliament integration check

    Add PoC Parliament integration check

    So @schosterbarak, I wanted to check your thoughts on this, because I dynamically modified the .name attribute, 🤔 , and I wasn't sure if this broke expectations for other users/you.

    If you approve of my methods, then I'll add a test for this PR.

    By submitting this pull request, I confirm that my contribution is made under the terms of the Apache 2.0 license.

    opened by KevinHock 15
  • Checkov don't work with custom checks when -f option is given

    Checkov don't work with custom checks when -f option is given

    Describe the bug When I work with the -d flag and point it at terraform files, everything works like a charm, in accordance with the documentation. But because we all know that some things are being generated using modules in Terraform (a lot!) - modules hide underneath resources details - that's why we often need to provide a full plan (in JSON format) as input for Checkov (instead of static files). As soon as I'm switching to the -f flag and point to my JSON plan, I cannot force Checkov to trigger my custom checks.

    I have been trying with local policy (--external-checks-dir) so as with remote one (--external-checks-git). Both YAML and JSON type. There is no error message, just a blank welcome record with Checkov

    As soon as I go back to the -d flag it works.

    To Reproduce Steps to reproduce the behavior:

    • checkov -f plan.json --check CUSTOM_AWS_1 --external-checks-git ....git
    • checkov -f plan.json --check CUSTOM_AWS_1 --external-checks-dir my-policies/

    Expected behavior Run my custom checks against the plan file.

    Screenshots obraz

    Desktop (please complete the following information):

    • OS: Mac 10.15.7
    • Checkov Version 2.0.181
    opened by michal-adamkiewicz 14
  • Have checkov be callable from Python

    Have checkov be callable from Python

    Right now

    Currently if you want to call checkov from Python, I think I have to do subprocess.check_output, which is hacky.

    Right now in main.py, we call

    https://github.com/bridgecrewio/checkov/blob/a6ce482f7ba82adaa2e08cc59c3f18b6872f2702/checkov/main.py#L29

    which implicitly pulls args from sys.argv

    The proposal

    Change def main to do something like:

    import sys

    def main(argv=sys.argv[1:]):
        if len(sys.argv) == 1:  # pragma: no cover
            sys.argv.append('--help')

        args = parse_args(argv)


    would do the trick.

    I've also written code like the following

    import sys


    def parse_args(argv):
        ...
        return parser.parse_args(
            argv or ['--help']
        )


    def main(argv=sys.argv[1:]):
        args = parse_args(argv)
        ...


    etc.   See detect-secrets main.py as an example.

    enhancement work in progress 
    opened by KevinHock 14
  • Since today 23.6.22 after 10:30CET publish test results does not work anymore in azure pipelines

    Since today 23.6.22 after 10:30CET publish test results does not work anymore in azure pipelines

    Describe the issue This line appears suddenly. No change from our side. Using latest checkov container.

    ##[warning]Failed to read /home/vsts/work/1/s/CheckovReport/Checkov-Report.xml. Error : Data at the root level is invalid. Line 2, position 1..
    
    ##[debug]PublishTestResults.OverrideExeFlow=undefined
    ##[debug]OS type: Linux
    ##[debug]TestManagement.Server.UsePublishTestResultsLibInAgent is on
    ##[debug]Object of TestLogStore created.
    Result Attachments will be stored in LogStore
    ##[debug]Object of TestResultsPublisher created.
    ##[debug]Object of TestLogStore created.
    Run Attachments will be stored in LogStore
    ##[debug]Object of TestRunPublisher created.
    ##[debug]Object of TestLogStore created.
    ##[debug]Object of JUnitResultParser created.
    ##[debug]Entering ParseTestResultFiles
    ##[debug]runContext.ReleaseURI is null
    ##[debug]runContext.ReleaseEnvironmentUri is null
    ##[debug]Reading test results from file '/home/vsts/work/1/s/CheckovReport/Checkov-Report.xml'.
    ##[warning]Failed to read /home/vsts/work/1/s/CheckovReport/Checkov-Report.xml. Error : Data at the root level is invalid. Line 2, position 1..
    ##[debug]Leaving ParseTestResultFiles
    ##[debug]Processed: ##vso[results.publish type=JUnit;mergeResults=false;runTitle=Checkov Scan;publishRunAttachments=true;resultFiles=/home/vsts/work/1/s/CheckovReport/Checkov-Report.xml;failTaskOnFailedTests=false;testRunSystem=VSTS - PTR;]
    ##[debug]task result: Succeeded
    ##[debug]Processed: ##vso[task.complete result=Succeeded;]
    ##[debug]Release.ReleaseUri=undefined
    ##[debug]Release.ReleaseId=undefined
    ##[debug]Build.BuildUri=vstfs:///Build/Build/29918
    ##[debug]Build.Buildid=29918
    ##[debug]Uploading build level attachements individually
    ##[debug]runContext.ReleaseURI is null
    ##[debug]runContext.ReleaseEnvironmentUri is null
    ##[debug]Entering PublishToNewTestRunPerTestResultFileAsync
    ##[debug]Leaving PublishToNewTestRunPerTestResultFileAsync
    ##[debug]Processed: ##vso[telemetry.publish area=TestExecution;feature=PublishTestResultsTask]{"builduri":"vstfs:///Build/Build/29918","buildid":"29918","osType":"Linux","testRunner":"JUnit","failTaskOnFailedTests":"false","mergeResultsUserPreference":"false","testResultsFilesCount":1,"dotnetVersion":"6.0.301","subFeature":"publishTestResultsTaskConsolidatedCiEvent"}
    Async Command Start: Publish test results
    ##[debug]Total build level attachments: 0.
    ##[debug]TestManagement.PTR.CalculateTestRunSummary is on
    ##[debug]RESOURCE_URIS:
    ##[debug]Setting task variable METADATA_c49e0f02-4dd1-4e4b-8920-2742e06dfde8: {"name":"8db11c57-980a-4ef8-b275-14abf7190ec9","resourceUris":[],"metadata":{"description":"","relatedUrls":[{"url":"https://dev.azure.com/SulzerChemtech/chemtech/_build/results?buildId=29918","label":"pipeline-url"}],"humanReadableName":"Test Results from Publish Test Results utility","serializedPayload":"{\"testId\":\"PublishTestResults\",\"testTool\":\"JUnit\",\"testResultAttestation\":{\"total\":0,\"failed\":0,\"passed\":0,\"skipped\":0},\"testDurationSeconds\":0.0,\"testPassPercentage\":\"0\",\"relatedUrls\":[{\"url\":\"https://dev.azure.com/SulzerChemtech/chemtech/_build/results?buildId=29918\",\"label\":\"pipeline-url\"}]}"}}
    ##[debug]TestManagement.Agent.PTR.EnableFlakyCheck is on
    ##[debug]TestManagement.Server.TriggerCoverageMergeJob is on
    ##[debug]Exception in Method:Data at the root level is invalid. Line 2, position 1.
    Async Command End: Publish test results
    Finishing: Publish Checkov Quality Analysis Result
    

    Examples This is our checkov Template:

    ---
    parameters:
      - name: workingDirectory
        type: string
        default: $(System.DefaultWorkingDirectory)
      - name: azRegion
        type: string
        default: $(azRegion)
      - name: tfStorageRg
        type: string
        default: rg-tf-stor
      - name: tfStorageAccName
        type: string
        default: stacctf$(Build.Repository.Name)
      - name: tfSourceBranchName
        type: string
        default: $(srcBranchName)
      - name: tfPrevPRId
        type: string
        default: $(prevPrId)
      - name: env
        type: string
        default: $(env)
      - name: outputFileName
        type: string
        default: Checkov-Report.xml
    
    steps:
      - task: Bash@3
        displayName: Run Checkov Quality Analysis
        inputs:
          targetType: "inline"
          script: |
            mkdir ${{ parameters.workingDirectory }}/CheckovReport
            docker run --tty --volume ${{ parameters.workingDirectory }}:/scan --workdir /scan bridgecrew/checkov:latest --directory /scan --output junitxml > ${{ parameters.workingDirectory }}/CheckovReport/${{ parameters.outputFileName }}
    
            # Remove the last two lines because the report is wrongly formatted
            sed -i '$d' ${{ parameters.workingDirectory }}/CheckovReport/${{ parameters.outputFileName }}
            sed -i '$d' ${{ parameters.workingDirectory }}/CheckovReport/${{ parameters.outputFileName }}
    
      - task: PublishTestResults@2
        displayName: Publish Checkov Quality Analysis Result
        condition: succeededOrFailed()
        inputs:
          testResultsFormat: "JUnit"
          testResultsFiles: "**/*.xml"
          searchFolder: "${{ parameters.workingDirectory }}/CheckovReport"
          mergeTestResults: false
          testRunTitle: Checkov Scan
          failTaskOnFailedTest: true
          publishRunAttachments: true
    

    Version (please complete the following information):

    • Checkov Version latest docker image

    Additional context

    From what I see of your push activity to Docker Hub and our pipelines, I can correlate that this must be somewhere in between the push from 2.0.1230 to 2.1, which was 7h ago. Anyway, our pipeline last worked at 10:12am CET. At 10:45am CET the checkov task failed. You pushed 2.1 at 10:34am, which broke the pipelines.

    checks 
    opened by slzmruepp 13
  • ci: Add lint job; apply black, isort

    ci: Add lint job; apply black, isort

    An initial set of checks for #1007.

    This PR adds:

    This PR is large, but basically, all the changes are automatic via pre-commit run --all-files command.

    There is room to improve code readability while keeping black satisfied, but I think those improvements could be made as people work on those areas.

    By submitting this pull request, I confirm that my contribution is made under the terms of the Apache 2.0 license.

    opened by antonblr 13
  • feat(dockerfile): Add check for unsafe curl usages

    feat(dockerfile): Add check for unsafe curl usages

    By submitting this pull request, I confirm that my contribution is made under the terms of the Apache 2.0 license.

    Description

    Add a check to detect unsafe usages of curl in dockerfiles. The check will identify usages of curl -k or curl --insecure.

    New/Edited policies

    CKV2_DOCKER_2

    Description

    Using the specified command line options disables SSL certificate validation.

    https://curl.se/docs/manpage.html#-k

    Fix

    Remove the option, and possibly use --cacert or --capath to specify additional certificates if needed.

    Checklist:

    • [x] My code follows the style guidelines of this project
    • [x] I have performed a self-review of my own code
    • [x] I have commented my code, particularly in hard-to-understand areas
    • [ ] I have made corresponding changes to the documentation
    • [x] I have added tests that prove my feature, policy, or fix is effective and works
    • [x] New and existing tests pass locally with my changes
    • [ ] Any dependent changes have been merged and published in downstream modules
    fast-lane 
    opened by james-otten-pan 0
  • Improve handling of missing dependencies for helm and kustomize

    Improve handling of missing dependencies for helm and kustomize

    Describe the issue

    If you run with --framework helm, you get an INFO log message that the framework was skipped, and that's it.

    It would be better if this message was more visible and, if that is the only framework being run, checkov exited with an error or warning instead of trying to continue.

    Additional context

    Add any other context about the problem here.

    outputs 
    opened by mikeurbanski1 0
  • docs(general): fix links in contributing docs

    docs(general): fix links in contributing docs

    By submitting this pull request, I confirm that my contribution is made under the terms of the Apache 2.0 license.

    Description

    Updating a few links in the docs that were pointing to master to now point at the main branch.

    Checklist:

    • [x] My code follows the style guidelines of this project
    • [x] I have performed a self-review of my own code
    • [ ] I have commented my code, particularly in hard-to-understand areas
    • [x] I have made corresponding changes to the documentation
    • [ ] I have added tests that prove my feature, policy, or fix is effective and works
    • [ ] New and existing tests pass locally with my changes
    • [ ] Any dependent changes have been merged and published in downstream modules
    opened by james-otten-pan 0
  • fix(general): set newer jsonschema dependency bound- solves #2227

    fix(general): set newer jsonschema dependency bound- solves #2227

    By submitting this pull request, I confirm that my contribution is made under the terms of the Apache 2.0 license.

    Description

    Please include a summary of the change and which issue is fixed. Please also include relevant motivation and context. List any dependencies that are required for this change.

    Fixes # (issue)

    New/Edited policies (Delete if not relevant)

    Description

    Include a description of what makes it a violation and any relevant external links.

    Fix

    How does someone fix the issue in code and/or in runtime?

    Checklist:

    • [ ] My code follows the style guidelines of this project
    • [ ] I have performed a self-review of my own code
    • [ ] I have commented my code, particularly in hard-to-understand areas
    • [ ] I have made corresponding changes to the documentation
    • [ ] I have added tests that prove my feature, policy, or fix is effective and works
    • [ ] New and existing tests pass locally with my changes
    • [ ] Any dependent changes have been merged and published in downstream modules
    opened by JamesWoolfenden 0
  • update-locale triggers CKV_DOCKER_5

    update-locale triggers CKV_DOCKER_5

    Describe the issue

    CKV_DOCKER_5 (Ensure update instructions are not use alone in the Dockerfile) fails on anything that has update in it. From reading the source, it seems that CKV_DOCKER_5 is geared towards apt-get update and apt-get install which, from the code, are cancelling each other out so the update_cnt variable remains 0. I have other update commands like update-locale. I'm not sure if it's part of the issue in my Dockerfile that I need to deal with, or if I could just ignore the failure message.

    Examples

    RUN sed -i -e 's/# en_US.UTF-8 UTF-8/en_US.UTF-8 UTF-8/' /etc/locale.gen && \
      dpkg-reconfigure --frontend noninteractive locales && \
      update-locale LANG=en_US.UTF-8
    

    Version (please complete the following information):

    • Checkov Version 2.2.229
    checks 
    opened by kates 0
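The two Dockerfile checks discussed above, the `curl -k` / `curl --insecure` detection proposed in the CKV2_DOCKER_2 pull request and the "update without install in the same layer" rule behind the CKV_DOCKER_5 report, share one piece of work: splitting each RUN instruction into simple shell commands before looking at options. The block below is an added, stand-alone illustration of both, not Checkov's own implementation and not code from either thread; the check ids `CURL_INSECURE` and `UPDATE_ALONE`, the helper names, and the package-manager tables are this example's assumptions. It treats `-K` (a curl config file) and `update-locale` as clean, walks short-option clusters such as `-fsSLk`, handles exec-form `RUN ["curl", ...]`, and relies on Python 3.8+ `shlex` behaviour for `punctuation_chars` with `whitespace_split`. The sample Dockerfile is constructed for the example and uses the reserved `example.invalid` name.

```python
import json
import os
import re
import shlex

SEPARATORS = {"&&", "||", ";", "|", "&"}       # shell control operators
SHORT_K = re.compile(r"-[A-Za-z]*k[A-Za-z]*")   # -k, -sSLk, -fsSk; not -K
# Hypothetical tables for this example: (manager, subcommand) pairs.
PKG_UPDATE = {("apt-get", "update"), ("apt", "update"), ("apk", "update")}
PKG_INSTALL = {("apt-get", "install"), ("apt", "install"), ("apk", "add")}


def run_instructions(text):
    """Yield (line_number, arguments) per RUN, joining backslash continuations."""
    lines, i = text.splitlines(), 0
    while i < len(lines):
        line, start = lines[i].strip(), i + 1
        if line and not line.startswith("#"):
            while line.endswith("\\") and i + 1 < len(lines):
                i += 1
                line = line[:-1] + " " + lines[i].strip()
            parts = line.split(None, 1)
            if parts[0].upper() == "RUN" and len(parts) == 2:
                yield start, parts[1]
        i += 1


def simple_commands(args):
    """Split RUN arguments into simple commands (lists of tokens)."""
    if args.lstrip().startswith("["):           # exec form: JSON array, no shell
        return [json.loads(args)]
    lexer = shlex.shlex(args, posix=True, punctuation_chars=True)
    lexer.whitespace_split = True               # URLs and paths stay one token
    commands = [[]]
    for tok in lexer:
        if tok in SEPARATORS:
            commands.append([])                 # start the next simple command
        else:
            commands[-1].append(tok)
    return [c for c in commands if c]


def command_name(tokens):
    """(basename of the command word, its arguments), skipping VAR=value prefixes."""
    while tokens and re.fullmatch(r"[A-Za-z_]\w*=.*", tokens[0]):
        tokens = tokens[1:]
    return (os.path.basename(tokens[0]), tokens[1:]) if tokens else (None, [])


def curl_insecure(tokens):
    """curl invoked with --insecure or a -k inside a short-option cluster."""
    name, args = command_name(tokens)
    if name != "curl":
        return False
    for tok in args:
        if tok == "--":                         # curl: end of options
            return False
        if tok == "--insecure" or (tok[:2] != "--" and SHORT_K.fullmatch(tok)):
            return True
    return False


def update_without_install(commands):
    """Package index refreshed but nothing installed in the same RUN layer.
    Only exact (manager, subcommand) pairs count, so update-locale is ignored."""
    seen = set()
    for cmd in commands:
        name, args = command_name(cmd)
        sub = next((a for a in args if not a.startswith("-")), None)
        if name and sub:
            seen.add((name, sub))
    return bool(seen & PKG_UPDATE) and not (seen & PKG_INSTALL)


def scan_dockerfile(text):
    """Return findings as (check_id, line_number, command) tuples."""
    findings = []
    for line_no, args in run_instructions(text):
        commands = simple_commands(args)
        findings += [("CURL_INSECURE", line_no, " ".join(c)) for c in commands if curl_insecure(c)]
        if update_without_install(commands):
            findings.append(("UPDATE_ALONE", line_no, " ".join(commands[0])))
    return findings


# Constructed sample input for this example (not from either thread).
SAMPLE_DOCKERFILE = """\
FROM debian:bookworm-slim
RUN apt-get update && apt-get install -y curl \\
    && curl -fsSLk https://example.invalid/install.sh | sh
RUN curl --insecure -o /tmp/x.tgz https://example.invalid/x.tgz
RUN curl -K /etc/curlrc --cacert /etc/ssl/internal-ca.pem https://example.invalid/
RUN ["curl", "-k", "https://example.invalid/"]
RUN apt-get update
RUN sed -i -e 's/# en_US.UTF-8 UTF-8/en_US.UTF-8 UTF-8/' /etc/locale.gen && \\
    dpkg-reconfigure --frontend noninteractive locales && \\
    update-locale LANG=en_US.UTF-8
"""
```

Running `scan_dockerfile(SAMPLE_DOCKERFILE)` reports the `-fsSLk`, `--insecure` and exec-form `-k` invocations plus the lone `apt-get update`, and nothing for the `-K`/`--cacert` line or the locale RUN taken from the CKV_DOCKER_5 report. Splitting on control operators first is what keeps `apt-get update && apt-get install` in one layer from being reported while still catching a curl buried after a pipe.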
  • feat(secrets): Call secrets verify API

    feat(secrets): Call secrets verify API

    By submitting this pull request, I confirm that my contribution is made under the terms of the Apache 2.0 license.

    Description

    • calling secrets verifier api
    • adding status to the record and printing it

    Please include a summary of the change and which issue is fixed. Please also include relevant motivation and context. List any dependencies that are required for this change.

    Fixes # (issue)

    New/Edited policies (Delete if not relevant)

    Description

    Include a description of what makes it a violation and any relevant external links.

    Fix

    How does someone fix the issue in code and/or in runtime?

    Checklist:

    • [x] My code follows the style guidelines of this project
    • [x] I have performed a self-review of my own code
    • [x] I have commented my code, particularly in hard-to-understand areas
    • [ ] I have made corresponding changes to the documentation
    • [x] I have added tests that prove my feature, policy, or fix is effective and works
    • [x] New and existing tests pass locally with my changes
    • [ ] Any dependent changes have been merged and published in downstream modules
    opened by Eliran-Turgeman 0
Releases(2.2.230)
  • 2.2.230(Jan 3, 2023)

  • 2.2.229(Jan 1, 2023)

    Feature

    • gha: add support for gha existing graph - #4175
    • secrets: change secretsCoordinator to dict format - #4169
    • terraform: added aws_ssoadmin_managed_policy_attachment resource to CKV_AWS_274 - #4173

    Bug Fix

    • general: add link to BaseGraphRegistry checks - #4177
    • general: change CODE_LINK_BASE from master to main - #4178
    • kubernetes: remove unneeded context check - #4171
    • kustomize: fixed kustomize abs_file_path - #4159
    • terraform: out of range error by checking if list is empty - #4176
    Source code(tar.gz)
    Source code(zip)
  • 2.2.220(Dec 29, 2022)

  • 2.2.217(Dec 28, 2022)

    Feature

    • general: Make code blocks for json check results focused on the relevant part - #4130
    • openapi: Add v2 openAPI new checks - #4112
    • terraform: new azure storage checks - #4021

    Bug Fix

    • github: Handle entity configurations of type list - #4160
    • sca: Fix extra space in output of dependencies - #4162
    Source code(tar.gz)
    Source code(zip)
  • 2.2.212(Dec 27, 2022)

    Feature

    • azure: Add check - azure keyvalut public network access - #4155

    Bug Fix

    • terraform: fix edge-case in CKV_AZURE_183 check - #4154
    • terraform: fix graph checks nested modules - #4157
    • terraform: fix or connection graph checks nested modules - #4158
    Source code(tar.gz)
    Source code(zip)
  • 2.2.207(Dec 26, 2022)

    Feature

    • kubernetes: Support graph edges for nested (related) Pod resources. - #4100
    • secrets: Keep original secrets data in runtime for further validation - #4144
    • secrets: Keep original secrets data in runtime for further validation - #4149

    Bug Fix

    • general: fix excluded paths for path with special characters - #4152
    • terraform: add test path to exclude-patterns - #4150
    • terraform: fix edge-case in CKV_AZURE_37 check - #4153
    • terraform: fix getting graph entity config in terraform runner - #4146
    • terraform: remove redundant nested definitions - #4147
    Source code(tar.gz)
    Source code(zip)
  • 2.2.201(Dec 25, 2022)

  • 2.2.199(Dec 22, 2022)

    Feature

    • gha: support on directive in workflow files - #4125
    • sca: run old package scanning for IDE scan - #4133
    • secrets: expose maximum 6 characters of secret values - #4140

    Bug Fix

    • circleci: add resource to ir - #4135
    • general: Reformat PR template - #4139
    • kubernetes: move Kubernetes context error message - #4132
    • terraform: add aws_transfer_server to CKV2_AWS_5 check - #4137
    • terraform: Add some more supported keys to bigquery public acl check ignore list to avoid false positive - #3969
    • terraform: fix azure network address invalid value - #4131
    Source code(tar.gz)
    Source code(zip)
  • 2.2.191(Dec 21, 2022)

    Feature

    • general: add the stack trace to the error message when caught by main.py - #4121
    • sca: add GCP Terraform resources for Image Referencer - #4094
    • sca: protecting checkov with try/catch wrapping - #4104

    Bug Fix

    • kubernetes: removed obsolete error logging - #4126
    • terraform: fix azure dns invalid ip - #4128
    Source code(tar.gz)
    Source code(zip)
  • 2.2.186(Dec 20, 2022)

    Feature

    • general: move the jsonpath try/catch up a level to catch more errors - #3911
    • sca: returning exit code 2 in case of error for downloading twistcli - #4105

    Bug Fix

    • dockerfile: adjust the file abs path for Dockerfile graph results - #4118
    • openapi: fix an open API CKV_OPENAPI_6 check - #4109
    • sca: fixing integration tests - #4117
    • terraform_plan: use abs path for repo_root_for_plan_enrichment - #4115
    • terraform: CKV2_AZURE_21 changed blob access type to private - #3898
    • terraform: fix support for getting module-referenced resources context - #4110

    Platform

    • terraform: add previous get_tf_definition_key function - #4114
    Source code(tar.gz)
    Source code(zip)
  • 2.2.180(Dec 19, 2022)

    Feature

    • general: Use --no-fail-on-crash to gracefully exit commit_repository and setup_bridgecrew_credentials - #4099
    • terraform_plan: add check details to TF plan scan results - #4091
    • terraform: new azurerm checks - App config - #3988
    • terraform: Omit values from graph checks - #4076

    Bug Fix

    • general: change env var name for no-fail-on-crash flag - #4107
    • github: Fix GHA IR resource names in case of 2 identical images - #4108
    • terraform: azurerm storage defaults - fix for storage case #3516 - #4083
    • terraform: fix nested module resources ids in the report - #4098
    Source code(tar.gz)
    Source code(zip)
  • 2.2.172(Dec 18, 2022)

    Feature

    • general: Add no-fail-on-crash flag - #4097
    • gha: add fix for gha graphs and UT - #4084
    • kubernetes: inject k8s FF flags to instance instead of constructor - #4096

    Bug Fix

    • terraform: add a method for get the entity definition path from the entity itself - #4095
    • terraform: add address attribute to all scanned terraform blocks - #4074
    Source code(tar.gz)
    Source code(zip)
  • 2.2.168(Dec 15, 2022)

    Feature

    • kubernetes: Add kubernetes YAML checks to checkov packaging - #4073
    • kubernetes: move whorf to dedicated repo - #4062
    • terraform_plan: add Image Referencer for Terraform plan files - #4063
    • terraform: add CKV NCP rules about AutoScalingGroup, Load Balancer - #3821
    • terraform: add CKV NCP rules about Nat Gateways and Route - #3854
    • terraform: combine tf plan and tf graphs for nested modules - #4066
    • terraform: More azurerm checks for terraform - #3970

    Bug Fix

    • openapi: Fix in PathSchemeDefineHTTP opeAPI check - #4079
    • terraform: CKV_AZURE_43 add new test case - #4082
    Source code(tar.gz)
    Source code(zip)
  • 2.2.158(Dec 14, 2022)

  • 2.2.155(Dec 13, 2022)

    Feature

    • github: more CIS checks- part2 - #4017
    • kubernetes: added CKV2_K8S_EXAMPLE_1 only in tests as an example for k8s graph check for pod which is publicly accessible - #4060
    • kubernetes: added deployment name to pod resource id - #4040
    • sca: fix root packages fixed version - #4070

    Bug Fix

    • sca: invoke packaging.Version instead of parse - #4065
    • secrets: fix error when secret is None - #4071
    • terraform: checkov fix as resource container_group modified - #4061
    • terraform: fixed unexpected data for IAMPublicActionsPolicy - #4067
    • terraform: fixed unexpected data for MonitorLogProfileRetentionDays - #4068

    Platform

    • general: Apply licensing from platform - #3961
    Source code(tar.gz)
    Source code(zip)
  • 2.2.148(Dec 12, 2022)

    Feature

    • gha: Add gha graph infra - #4058
    • gha: add infra for gha graphs - #4052
    • sca: fixed dependencies default value - #4056
    • sca: added indirect cves fix versions - #4023
    • secrets: Inject secrets omitter to runner registry - #4054
    • terraform_plan: support jsonpath queries in AWS IAM policy strings for Terraform plan - #4033
    • terraform: Extend secret attributes to omit mapping - #4028
    • terraform: tf plan combine graphs pass params - #4051

    Bug Fix

    • terraform: add missing resource aws_route53_resolver_endpoint #3968 - #3995
    • terraform: fix getting local dest module path - #4055
    • terraform: Fix some errors in Dynamic Blocks rendering - #4050
    Source code(tar.gz)
    Source code(zip)
  • 2.2.139(Dec 11, 2022)

    Feature

    • graph: Added not_within attribute solver for graph checks - #4041
    • kubernetes: Add CKV2_K8S_2 graph check for potential privilege escalation in nodes/proxy or pods/exec with create permissions - #4034
    • kubernetes: Add CKV2_K8S_3 no impersonate permissions for ServiceAccount/Node - #4037
    • kubernetes: Added CKV2_K8S_4 check to not allow modifying of services/status - #4038
    • kubernetes: Added CKV2_K8S_5 check that no service account or node can read all secrets - #4042
    • secrets: Accepting json reports from bucket in secrets_omitter - #4039
    • terraform: add CKV NCP rules about Route Table Association - #3856

    Bug Fix

    • kubernetes: Corrected list format for yaml files in new k8s graph check tests - #4035
    • secrets: custom secret add support for value str and not only list - #4024
    • terraform: Fix in dot separator in the dynamic argument - #4036
    Source code(tar.gz)
    Source code(zip)
  • 2.2.130(Dec 8, 2022)

    Feature

    • general: Apply policy-level suppressions as skipped checks - #4020
    • github: Add 3 CIS checks: 1.1.3, 1.1.8, 1.1.10 - #4003
    • kubernetes: Added CKV2_K8S_1 to ensure RoleBinding do not allow privilege escalation to a ServiceAccount/Node - #4004
    • secrets: Omit secrets from reports based on secrets reports - #3991
    • secrets: Omit secrets from reports based on secrets reports - #4015

    Bug Fix

    • github: remove secrets from schema example - #4019
    • terraform: fix resource block address - #4018
    Source code(tar.gz)
    Source code(zip)
  • 2.2.124(Dec 7, 2022)

    Feature

    • sca: change sca packages output to include dependencies structure - #3957
    • secrets: Adding check length for secret - #3985
    • terraform: nested modules support in graph - #3935

    Bug Fix

    • circleci: fix executors in resource_id - #4008
    • secrets: Bump detect secrets version - #3997
    • terraform: Fix an issue in dynamic blocks - #4006
    • terraform: fix CKV_AWS_283 check - #4005
    • terraform: Fix CKV_AZURE_168 check - #4000
    • terraform: Fix some issues in dynamic blocks flow - #4002
    • terraform: Fix TF checks crashes - #3992
    Source code(tar.gz)
    Source code(zip)
  • 2.2.116(Dec 6, 2022)

    Feature

    • general: Report failed attempts at reporting contributor metrics - #3984
    • kubernetes: create simple resources id for pods; allow enabling k8s graph features using env vars - #3975
    • terraform: check for insecure protocols - #3958
    • terraform: Check resource-based policies for public access - #3989
    • terraform: Dynamic Blocks support for loop in for_each attribute - #3982
    • terraform: new aks checks for Azure - #3951

    Bug Fix

    • dockerfile: fix Dockerfile inline skip handling - #3976
    • secrets: fix_Record_code_block_secrets - #3987
    • terraform: azurerm kusto cluster encryption - wrong attribute tested for - #3972
    Source code(tar.gz)
    Source code(zip)
  • 2.2.114(Dec 4, 2022)

    Feature

    • terraform: add CKV NCP rules about ncloud access control group rule - #3860

    Bug Fix

    • secrets: fix Issue with 'NoneType' error in the custom detectors load_detectors - #3973

    Platform

    • terraform: remove redundant exc_info for module without source - #3974
    Source code(tar.gz)
    Source code(zip)
  • 2.2.112(Dec 1, 2022)

    Feature

    • dockerfile: add graph to Dockerfile - #3948
    • terraform: add CKV NCP rules about access control group Inbound rule. - #3859
    • terraform: Implement relative file path standard for tf plan file runs - #3918

    Bug Fix

    • general: fix doc links on windows - #3959
    • secrets: Fix omitting of secrets that are json encoded - #3964
    • terraform_plan: Fix k8s checks edgecases for terraform plan - #3966
    • terraform: OCI Security Group Control Problem - #3933

    Platform

    • secrets: remove the use of enable_secret_scan_all_files for custom secrets - #3954

    Documentation

    • terraform: update Terraform modules docs - #3965
    Source code(tar.gz)
    Source code(zip)
  • 2.2.106(Nov 30, 2022)

  • 2.2.105(Nov 29, 2022)

    Feature

    • terraform: add CKV NCP rules about Load Balancer Listener Using HTTPS - #3858
    • terraform: add CKV NCP rules about server instance and public IP - #3857
    • terraform: azurerm ACR check for retention policy - #3927
    Source code(tar.gz)
    Source code(zip)
  • 2.2.99(Nov 27, 2022)

    Feature

    • github: add CIS checks part 1. Most of the 1.1.x - #3937
    • terraform: Azure ACR Enable Image Quarantine - #3925
    • terraform: Azure use signed image in ACR - #3923

    Bug Fix

    • bicep: ignore unresolvable properties for Bicep storage account checks - #3946
    • gha: added test for step with no step name - #3945
    Source code(tar.gz)
    Source code(zip)
  • 2.2.86(Nov 23, 2022)

  • 2.2.84(Nov 22, 2022)

  • 2.2.80(Nov 21, 2022)

  • 2.2.78(Nov 20, 2022)

  • 2.2.75(Nov 17, 2022)

Owner
Bridgecrew
Secure public cloud infrastructure