Skip to content
This repository has been archived by the owner on Oct 27, 2024. It is now read-only.

Storing the Checkov token in settings.json is insecure #129

Open
ryboe opened this issue Apr 17, 2023 · 1 comment
Open

Storing the Checkov token in settings.json is insecure #129

ryboe opened this issue Apr 17, 2023 · 1 comment

Comments

@ryboe
Copy link

ryboe commented Apr 17, 2023
edited
Loading

We currently have to pass the Checkov token by storing it in settings.json.

"checkov.token": "<REDACTED>"

This is not ideal for a few of reasons:

  1. It contributes to secret sprawl (settings.json file is one more file that needs to be protected)
  2. settings.json is globally readable on my Mac (644 permissions)
  3. The secret persists on the file system.
  4. The secret is readable in plaintext.
  5. If Settings Sync is enabled, the secret is copied to the cloud (in plaintext).

It would be better to have the option of pulling the secret from the BC_API_KEY env var. That would let us avoid storing the secret on the file system.

Thanks for making a great IaC scanner and thanks for considering this feature.
@ryboe
Copy link
Author

ryboe commented Apr 17, 2023
edited
Loading

UPDATE: I just discovered that you can use env vars in settings.json.

"checkov.token": "${env:BC_API_KEY}"

This seems to work. Maybe the docs should encourage setting the key this way?

UPDATE 2: This isn't working for me.

@ryboe ryboe closed this as completed Apr 17, 2023
@ryboe ryboe reopened this Apr 21, 2023
@ryboe ryboe changed the title Storing the Checkov token in settings.json is not ideal Storing the Checkov token in settings.json is insecure Apr 22, 2023
Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
1 participant
@ryboe