feat(general): Change behavior where if a config file is missing, run the scan as if there was no config file (bridgecrewio#6926)

* Initial commit

* fix mock issue

* fix for windows

* Moving to env var

* fix flake8

* Update CLI Command Reference.md

* Add other variables

Author: tsmithv11

checkov/common/util/env_vars_config.py

@@ -83,6 +83,7 @@ def __init__(self) -> None:
         self.PROXY_URL = os.getenv('PROXY_URL', None)
         self.PROXY_HEADER_VALUE = os.getenv('PROXY_HEADER_VALUE', None)
         self.PROXY_HEADER_KEY = os.getenv('PROXY_HEADER_VALUE', None)
+        self.ENABLE_CONFIG_FILE_VALIDATION = convert_str_to_bool(os.getenv("ENABLE_CONFIG_FILE_VALIDATION", False))
 
 
 env_vars_config = EnvVarsConfig()

checkov/main.py

@@ -58,6 +58,7 @@
 from checkov.common.util.ext_argument_parser import ExtArgumentParser, flatten_csv
 from checkov.common.util.runner_dependency_handler import RunnerDependencyHandler
 from checkov.common.util.type_forcers import convert_str_to_bool
+from checkov.common.util.env_vars_config import env_vars_config
 from checkov.contributor_metrics import report_contributor_metrics
 from checkov.dockerfile.runner import Runner as dockerfile_runner
 from checkov.docs_generator import print_checks
@@ -163,7 +164,7 @@ def _parse_mask_to_resource_attributes_to_omit(self) -> None:
         self.config.mask = resource_attributes_to_omit
 
     def parse_config(self, argv: list[str] = sys.argv[1:]) -> None:
-        """Parses the user defined config via CLI flags"""
+        """Parses the user-defined config via CLI flags and handles missing config-file"""
 
         default_config_paths = get_default_config_paths(sys.argv[1:])
         self.parser = ExtArgumentParser(
@@ -175,6 +176,15 @@ def parse_config(self, argv: list[str] = sys.argv[1:]) -> None:
         self.parser.add_parser_args()
         argcomplete.autocomplete(self.parser)
 
+        # Pre-validate the config-file argument
+        if env_vars_config.ENABLE_CONFIG_FILE_VALIDATION:
+            for i, arg in enumerate(argv):
+                if arg == "--config-file" and i + 1 < len(argv):
+                    config_path = Path(argv[i + 1])
+                    if not config_path.is_file():
+                        logger.debug(f"The config file at '{config_path}' does not exist. Running without a config file.")
+                        argv[i + 1] = ""  # Clear the non-existent file from arguments
+
         self.config = self.parser.parse_args(argv)
         self.normalize_config()
 

docs/2.Basics/CLI Command Reference.md

@@ -78,3 +78,6 @@ nav_order: 2
 | `EVAL_TF_PLAN_AFTER_UNKNOWN` | Experimental feature to leverage the after_unknown section of plan files to determine if the check should pass or fail. | `False` |
 | `CHECKOV_EXPERIMENTAL_TERRAFORM_MANAGED_MODULES` | Experimental feature to leverage the local cache of modules rather than downloading them. Requires terraform init before using. | `False` |
 | `GITHUB_PAT`, `BITBUCKET_TOKEN`, `TF_REGISTRY_TOKEN`, `TF_HOST_NAME`, `VCS_BASE_URL`, `VCS_USERNAME`, `VCS_TOKEN` | See [Scanning Private Terraform Modules](https://www.checkov.io/7.Scan%20Examples/Terraform.html) for more details. |
+| `ENABLE_CONFIG_FILE_VALIDATION` | If the conf-file explicitly set using the `--config-file` command does not exist, skip rather than throw an error (default) | `False` |
+| `CHECKOV_MAX_IAC_FILE_SIZE` | Set the max size for CloudFormation file scans. | `50_000_000` or 50MB |
+| `CHECKOV_MAX_FILE_SIZE` | Set the max file size for Secrets scans. | `5000000` or 5MB |

integration_tests/test_checkov_config.py

@@ -1,6 +1,11 @@
 import json
 import os
 import unittest
+from unittest import mock
+from checkov.common.logger_streams import LoggerStreams
+from checkov.logging_init import log_stream, erase_log_stream
+from checkov.main import Checkov
+from checkov.common.util.env_vars_config import env_vars_config
 
 current_dir = os.path.dirname(os.path.realpath(__file__))
 
@@ -29,6 +34,43 @@ def test_terragoat_report(self):
                 data["results"]["failed_checks"][0]["guideline"], "expecting a guideline for checks."
             )
 
+    def setUp(self):
+        erase_log_stream()  # Clear any existing logs before each test
+        self.logger_streams = LoggerStreams()
+        self.stream_name = "test_stream"
+        self.logger_streams.add_stream(self.stream_name, log_stream)
+
+    def tearDown(self):
+        erase_log_stream()  # Ensure logs are cleared after each test
+
+    def get_logged_messages(self):
+        return self.logger_streams.get_streams().get(self.stream_name).getvalue()
+
+    def test_missing_config_file(self):
+        """Test when the provided config-file does not exist."""
+        env_vars_config.ENABLE_CONFIG_FILE_VALIDATION = True
+        config_path = os.path.join('path', 'to', 'missing', 'config.yaml')
+        argv = ["--config-file", config_path]
+
+        with mock.patch("pathlib.Path.is_file", return_value=False):
+            checkov_instance = Checkov(argv=argv)
+            checkov_instance.parse_config()
+
+        logged_messages = self.get_logged_messages()
+        expected_message = f"The config file at '{config_path}' does not exist. Running without a config file."
+        self.assertIn(expected_message, logged_messages)
+
+    def test_no_config_file_argument(self):
+        """Test when no --config-file argument is provided."""
+        env_vars_config.ENABLE_CONFIG_FILE_VALIDATION = True
+        argv = []
+
+        checkov_instance = Checkov(argv=argv)
+        checkov_instance.parse_config()
+
+        logged_messages = self.get_logged_messages()
+        self.assertNotIn("does not exist", logged_messages)
+
 
 if __name__ == "__main__":
     unittest.main()