
Beginning around 11:30am ET on 11/21/2022, our CI pipelines started failing due to a Checkov update/upgrade notice with an input prompt (see output below).

Is there a command line option to skip this check from bridgecrew?

$ checkov
       _               _              
   ___| |__   ___  ___| | _______   __
  / __| '_ \ / _ \/ __| |/ / _ \ \ / /
 | (__| | | |  __/ (__|   < (_) \ V / 
  \___|_| |_|\___|\___|_|\_\___/ \_/  
                                      
By bridgecrew.io | version: 2.1.244 
Update available 2.1.244 -> 2.2.80
Run pip3 install -U checkov to update 
Would you like to “level up” your Checkov powers for free?  The upgrade includes: 
• Command line docker Image scanning
• Software Composition Analysis
• Centralized policy management
• Free bridgecrew.cloud account with API access
• Auto-fix remediation suggestions
• Enabling of VS Code Plugin
• Dashboard visualisation of Checkov scans
• Integration with GitHub for:
    ◦   Automated Pull Request scanning
    ◦   Auto remediation PR generation
• Integration with up to 100 cloud resources for:
    ◦   Automated cloud resource checks
    ◦   Resource drift detection
and much more...
It's easy and only takes 2 minutes. We can do it right now!
To Level-up, press 'y'... 
Level up? (y/n): Traceback (most recent call last):
  File "/usr/bin/checkov", line 9, in <module>
    sys.exit(run())
  File "/usr/lib/python3.10/site-packages/checkov/main.py", line 368, in run
    bc_integration.onboarding()
  File "/usr/lib/python3.10/site-packages/checkov/common/bridgecrew/platform_integration.py", line 696, in onboarding
    reply = self._input_levelup_results()
  File "/usr/lib/python3.10/site-packages/checkov/common/bridgecrew/platform_integration.py", line 860, in _input_levelup_results
    result = str(input('Level up? (y/n): ')).lower().strip()  # nosec
EOFError: EOF when reading a line
Uploading artifacts for failed job
00:01
Uploading artifacts...
WARNING: plan.json: no matching files              
ERROR: No files to upload                     

I did try to update the version using pip but the old version is still being used. This is a separate issue, and at this point my focus is on avoiding the update check entirely.

bash-5.1# checkov --version
2.1.244
bash-5.1# pip3 install -U checkov
... (Lots of output)
bash-5.1# checkov --version
2.1.244

This is my .checkov.yaml file:

compact: true
quiet: true
skip-download: false
download-external-modules: true
directory:
 - ./
skip-check:
 - CKV_AWS_18  
 - CKV_AWS_50  
 - CKV_AWS_115 
 - CKV_AWS_116
 - CKV_AWS_117 
 - CKV_AWS_158 
 - CKV_AWS_173 
 - CKV_OPENAPI_4  # some APIs are public
 - CKV_OPENAPI_5  # some APIs are public
 - LOW 



You're only getting this output because you're calling checkov without any command line parameters. It's been like this for about a year, maybe even more.

James Woolfenden
  • I’m using the checkov config file instead of command line parameters. The crux of my question is what command line or config file parameter I can use to skip that upgrade check. – Dominic O'Connor Nov 24 '22 at 20:11
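The traceback in the question shows checkov blocking on a plain `input()` call, which raises `EOFError` as soon as stdin is closed, as it is on a CI runner. The following is an added illustration (not checkov's code, and not part of any answer above) of the guard a CLI tool needs before showing such a prompt: skip it when stdin is not a TTY or when `CI` is set, and fall back to a default instead of crashing if EOF arrives anyway. `ScriptedStdin`, `is_interactive` and `ask_levelup` are constructed names for this example.

```python
import io
import os
import sys

PROMPT = "Level up? (y/n): "   # the question seen in the traceback

class ScriptedStdin(io.StringIO):
    """Constructed stand-in for stdin; `tty` controls what isatty() reports."""
    def __init__(self, text: str, tty: bool):
        super().__init__(text)
        self._tty = tty
    def isatty(self) -> bool:
        return self._tty

def is_interactive(stream, env) -> bool:
    """True only when blocking on a keyboard prompt is safe.

    CI runners have no TTY on stdin and usually export CI=true, so
    either signal marks the session as non-interactive.
    """
    if str(env.get("CI", "")).lower() in ("1", "true", "yes"):
        return False
    return stream.isatty()

def ask_levelup(stream=None, env=None, default=False) -> bool:
    """Ask the level-up question without ever aborting a pipeline.

    Non-interactive sessions get `default` with no prompt at all. If a
    prompt is shown but stdin is closed (the EOF in the traceback), the
    same default is returned instead of an uncaught EOFError.
    """
    stream = sys.stdin if stream is None else stream
    env = os.environ if env is None else env
    if not is_interactive(stream, env):
        return default
    sys.stdout.write(PROMPT)
    sys.stdout.flush()
    try:
        line = stream.readline()   # input() would raise EOFError here
    except EOFError:
        return default
    if line == "":                  # readline() signals EOF with ''
        return default
    return line.strip().lower() == "y"

if __name__ == "__main__":
    print("level up:", ask_levelup())
```

Run in a terminal it prompts; piped into a pipeline step it silently returns the default, which is the behaviour the failing job needed.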

If anyone else runs into this, I fixed it by explicitly passing the config-file flag on the command line:

checkov --config-file .checkov.yaml

It's still unclear to me why the pipelines started failing when we were using a pre-built Docker image to run our jobs.


I did try to update the version using pip but the old version is still being used

Version 2.1.244 was released on Oct 2nd, so it isn't from today. I second James' suggestion to use parameters - it will avoid this prompt altogether. I'd also check what is missing from your machine's deps, as it seems the latest checkov cannot be installed. I highly recommend using checkov's docker directly if you're not in the mood to debug this, too!

  • The release date of Version 2.1.244 isn't relevant. Our pipelines worked at 10:30am and stopped working at 11am. We're using a yaml file rather than command line parameters. – Dominic O'Connor Nov 28 '22 at 21:54