I wanted to run a Checkov analysis on Ansible roles I'm developing. Checkov reports some errors that shouldn't be reported if you take into account the value of the facts.
Here is a simple example on a simplified playbook:
- name: Test checkov
  hosts: localhost
  tasks:
    - name: Set BASE_URL
      ansible.builtin.set_fact:
        BASE_URL: "https://localhost:1234/myportal"
    - name: call myportal
      ansible.builtin.uri:
        url: "{{ BASE_URL }}/CsrfGuardServlet"
        method: POST
        status_code: 200
        return_content: true
        headers:
          FETCH-CSRF-TOKEN: 1
        body_format: form-urlencoded
        body:
          _action: submit
      register: csrf_response
      no_log: true
Checkov returns the following error:
$> checkov -f checkov_test.yaml --quiet --evaluate-variables True
ansible scan results:

Passed checks: 1, Failed checks: 1, Skipped checks: 0

Check: CKV2_ANSIBLE_1: "Ensure that HTTPS url is used with uri"
    FAILED for resource: tasks.ansible.builtin.uri.call myportal
    File: /checkov_test.yaml:9-22

         9 | - name: call myportal
        10 |   ansible.builtin.uri:
        11 |     url: "{{ BASE_URL }}/CsrfGuardServlet"
        12 |     method: POST
        13 |     status_code: 200
        14 |     return_content: true
        15 |     headers:
        16 |       FETCH-CSRF-TOKEN: 1
        17 |     body_format: form-urlencoded
        18 |     body:
        19 |       _action: submit
        20 |   register: csrf_response
Though clearly the url uses HTTPS.
Is there a way to tell checkov to take declared facts into account (whether through ansible.builtin.set_fact or with vars, as both lead to the same error)?
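As an added illustration (not part of the question or of checkov itself), here is the resolution step the question is asking for, written as a small standalone Python pre-check: it walks a play's vars and set_fact tasks in order and only flags uri tasks whose url, once the {{ }} references are expanded, is not HTTPS or cannot be resolved. The playbook is held as constructed parsed data, the extra "legacy call" and "unknown host" tasks are hypothetical, and only simple {{ NAME }} references with FQCN module names are handled.

```python
import re

# Constructed sample shaped like the question's playbook (parsed data, no YAML lib needed).
PLAYBOOK = [{
    "name": "Test checkov",
    "vars": {"LEGACY_URL": "http://legacy.internal"},
    "tasks": [
        {"name": "Set BASE_URL",
         "ansible.builtin.set_fact": {"BASE_URL": "https://localhost:1234/myportal"}},
        {"name": "call myportal",
         "ansible.builtin.uri": {"url": "{{ BASE_URL }}/CsrfGuardServlet", "method": "POST"}},
        {"name": "legacy call",  # hypothetical task: resolves to plain http
         "ansible.builtin.uri": {"url": "{{ LEGACY_URL }}/status"}},
        {"name": "unknown host",  # hypothetical task: variable never defined
         "ansible.builtin.uri": {"url": "{{ UNSET_URL }}/ping"}},
    ],
}]

TEMPLATE = re.compile(r"\{\{\s*(\w+)\s*\}\}")

def resolve(value, scope):
    """Expand {{ NAME }} references from scope; return None if any name is undefined."""
    missing = []
    def sub(match):
        name = match.group(1)
        if name not in scope:
            missing.append(name)
        return str(scope.get(name, match.group(0)))
    rendered = TEMPLATE.sub(sub, value)
    return None if missing else rendered

def check_uri_https(playbook):
    """Walk tasks in order, tracking play vars and set_fact values, and report
    each uri task whose resolved url is not https or cannot be resolved."""
    findings = []
    for play in playbook:
        scope = dict(play.get("vars", {}))
        for task in play.get("tasks", []):
            if "ansible.builtin.set_fact" in task:
                scope.update(task["ansible.builtin.set_fact"])  # visible to later tasks
            uri = task.get("ansible.builtin.uri")
            if uri is None:
                continue
            url = resolve(str(uri.get("url", "")), scope)
            if url is None:
                findings.append((task["name"], "url has an undefined variable"))
            elif not url.lower().startswith("https://"):
                findings.append((task["name"], "non-HTTPS url: " + url))
    return findings
```

With this, the "call myportal" task from the question passes because BASE_URL resolves to an https URL, while an undefined variable is reported separately rather than silently treated as non-HTTPS.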