bump to image version 3.2.4 is causing failures #162

Closed
igitcode opened this issue Feb 1, 2024 · 20 comments

@igitcode

igitcode commented Feb 1, 2024

All our pipelines started throwing this error this morning, which have all been after the bump to image version 3.2.4

2024-02-01 17:36:11,719 [MainThread  ] [WARNI]  Failed to get the checkov mappings and guidelines from None/bridgecrew/api/v2/guidelines. Skips using BC_* IDs will not work.
Traceback (most recent call last):
  File "/usr/local/lib/python3.11/site-packages/urllib3/connection.py", line 203, in _new_conn
    sock = connection.create_connection(
           ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/usr/local/lib/python3.11/site-packages/urllib3/util/connection.py", line 60, in create_connection
    for res in socket.getaddrinfo(host, port, family, socket.SOCK_STREAM):
               ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/usr/local/lib/python3.11/socket.py", line 962, in getaddrinfo
    for res in _socket.getaddrinfo(host, port, family, type, proto, flags):
               ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
socket.gaierror: [Errno -2] Name or service not known

The above exception was the direct cause of the following exception:

Traceback (most recent call last):
  File "/usr/local/lib/python3.11/site-packages/urllib3/connectionpool.py", line 791, in urlopen
    response = self._make_request(
               ^^^^^^^^^^^^^^^^^^^
  File "/usr/local/lib/python3.11/site-packages/urllib3/connectionpool.py", line 497, in _make_request
    conn.request(
  File "/usr/local/lib/python3.11/site-packages/urllib3/connection.py", line 395, in request
    self.endheaders()
  File "/usr/local/lib/python3.11/http/client.py", line 1289, in endheaders
    self._send_output(message_body, encode_chunked=encode_chunked)
  File "/usr/local/lib/python3.11/http/client.py", line 1048, in _send_output
    self.send(msg)
  File "/usr/local/lib/python3.11/http/client.py", line 986, in send
    self.connect()
  File "/usr/local/lib/python3.11/site-packages/urllib3/connection.py", line 243, in connect
    self.sock = self._new_conn()
                ^^^^^^^^^^^^^^^^
  File "/usr/local/lib/python3.11/site-packages/urllib3/connection.py", line 210, in _new_conn
    raise NameResolutionError(self.host, self, e) from e
urllib3.exceptions.NameResolutionError: <urllib3.connection.HTTPConnection object at 0x7ff4874e1510>: Failed to resolve 'none' ([Errno -2] Name or service not known)

The above exception was the direct cause of the following exception:

Traceback (most recent call last):
  File "/usr/local/lib/python3.11/site-packages/checkov/common/bridgecrew/platform_integration.py", line 1162, in get_public_run_config
    request = self.http.request("GET", self.guidelines_api_url, headers=headers)  # type:ignore[no-untyped-call]
              ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/usr/local/lib/python3.11/site-packages/urllib3/_request_methods.py", line 110, in request
    return self.request_encode_url(
           ^^^^^^^^^^^^^^^^^^^^^^^^
  File "/usr/local/lib/python3.11/site-packages/urllib3/_request_methods.py", line 143, in request_encode_url
    return self.urlopen(method, url, **extra_kw)
           ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/usr/local/lib/python3.11/site-packages/urllib3/poolmanager.py", line 443, in urlopen
    response = conn.urlopen(method, u.request_uri, **kw)
               ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/usr/local/lib/python3.11/site-packages/urllib3/connectionpool.py", line 875, in urlopen
    return self.urlopen(
           ^^^^^^^^^^^^^
  File "/usr/local/lib/python3.11/site-packages/urllib3/connectionpool.py", line 875, in urlopen
    return self.urlopen(
           ^^^^^^^^^^^^^
  File "/usr/local/lib/python3.11/site-packages/urllib3/connectionpool.py", line 875, in urlopen
    return self.urlopen(
           ^^^^^^^^^^^^^
  File "/usr/local/lib/python3.11/site-packages/urllib3/connectionpool.py", line 845, in urlopen
    retries = retries.increment(
              ^^^^^^^^^^^^^^^^^^
  File "/usr/local/lib/python3.11/site-packages/urllib3/util/retry.py", line 515, in increment
    raise MaxRetryError(_pool, url, reason) from reason  # type: ignore[arg-type]
    ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
urllib3.exceptions.MaxRetryError: HTTPConnectionPool(host='none', port=80): Max retries exceeded with url: /bridgecrew/api/v2/guidelines (Caused by NameResolutionError("<urllib3.connection.HTTPConnection object at 0x7ff4874e1510>: Failed to resolve 'none' ([Errno -2] Name or service not known)"))

@tsmithv11
Contributor

Hi @igitcode, are you using a Bridgecrew API Key or is this without any API key?

@igitcode
Author

igitcode commented Feb 2, 2024

No API key. Have now seen this same issue across 2 customer environments. For now we've changed from using @master to using previous release tag @v12.2655.0.

@Saarett
Contributor

Saarett commented Feb 4, 2024

Hi @igitcode , any special configuration, environment variables, flags we should consider for the investigation? Currently we fail to reproduce it 🙏

@ppawlowski
Contributor

ppawlowski commented Feb 5, 2024

I am getting exactly the same error while scanning my helm chart. Action invocation is quite simple:

      - name: Scan chart with checkov
        uses: bridgecrewio/checkov-action@v12
        with:
          directory: ${{ github.workspace }}/helm
          var_file: ${{ github.workspace }}/helm/ci/default-values.yaml
          framework: helm
          output_format: cli,sarif
          output_file_path: console,results.sarif
          soft_fail: true

@igitcode
Author

igitcode commented Feb 5, 2024

My config looks like this. We are passing in different skip_check ID's between 2 customers, but otherwise the config is the same between the two.

      - name: Checkov
        id: checkov
        uses: bridgecrewio/checkov-action@master
        with:
          directory: ${{ inputs.working-directory }}
          framework: terraform
          skip_check: ${{ inputs.checkov-ignore }} # skip a specific check_id. can be comma separated list
          quiet: true # display only failed checks
          soft_fail: false # do not return an error code if there are failed checks
          output_format: github_failed_only
          download_external_modules: false

both projects are using GitHub hosted runners. Not sure if this would make any difference.

@Saarett
Contributor

Saarett commented Feb 5, 2024

Thank you. We will prioritize it internally. If you are Prisma Cloud customers, feel free to contact your Customer Success representatives to increase the priority of this issue.

@ppawlowski
Contributor

v12.2655.0

I can confirm that switching the action to this version makes it work again.

@JohnARauchwarter

Experiencing same using below GH Action step. Curious part of the error seems to be url resolution:

...from None/bridgecrew/api/v2/guidelines.
...
urllib3.exceptions.NameResolutionError: <urllib3.connection.HTTPConnection object at 0x7f7eea62d010>: Failed to resolve 'none' ([Errno -2] Name or service not known)

GH Action Step:

name: Scan GitHub Actions
continue-on-error: true
uses: bridgecrewio/checkov-action@v12
with:
  framework: github_actions
  directory: ./.github
  compact: false
  quiet: false
  log_level: WARNING      # optional: set log level. Default WARNING; [WARNING, DEBUG]
  output_format: cli,sarif
  output_file_path: console,checkov_github_actions.sarif

runtime checkov-action

Run bridgecrewio/checkov-action@v12
with:
  framework: github_actions
  directory: ./.github
  compact: false
  quiet: false
  log_level: WARNING
  output_format: cli,sarif
  output_file_path: console,checkov_github_actions.sarif
  container_user: 0
/usr/bin/docker run --name ghcriobridgecrewiocheckov3219_c5eb17 --label d87c77 --workdir /github/workspace --rm -e "INPUT_FRAMEWORK" -e "INPUT_DIRECTORY" -e "INPUT_COMPACT" -e "INPUT_QUIET" -e "INPUT_LOG_LEVEL" -e "INPUT_OUTPUT_FORMAT" -e "INPUT_OUTPUT_FILE_PATH" -e "INPUT_FILE" -e "INPUT_CHECK" -e "INPUT_SKIP_CHECK" -e "INPUT_API-KEY" -e "INPUT_OUTPUT_BC_IDS" -e "INPUT_USE_ENFORCEMENT_RULES" -e "INPUT_SKIP_RESULTS_UPLOAD" -e "INPUT_SOFT_FAIL" -e "INPUT_SKIP_FRAMEWORK" -e "INPUT_EXTERNAL_CHECKS_DIRS" -e "INPUT_EXTERNAL_CHECKS_REPOS" -e "INPUT_DOWNLOAD_EXTERNAL_MODULES" -e "INPUT_ENABLE_SECRETS_SCAN_ALL_FILES" -e "INPUT_CONFIG_FILE" -e "INPUT_BASELINE" -e "INPUT_SOFT_FAIL_ON" -e "INPUT_HARD_FAIL_ON" -e "INPUT_CONTAINER_USER" -e "INPUT_DOCKER_IMAGE" -e "INPUT_DOCKERFILE_PATH" -e "INPUT_VAR_FILE" -e "INPUT_GITHUB_PAT" -e "INPUT_TFC_TOKEN" -e "INPUT_TF_REGISTRY_TOKEN" -e "INPUT_VCS_BASE_URL" -e "INPUT_VCS_USERNAME" -e "INPUT_VCS_TOKEN" -e "INPUT_BITBUCKET_TOKEN" -e "INPUT_BITBUCKET_APP_PASSWORD" -e "INPUT_BITBUCKET_USERNAME" -e "INPUT_REPO_ROOT_FOR_PLAN_ENRICHMENT" -e "INPUT_POLICY_METADATA_FILTER" -e "INPUT_SKIP_PATH" -e "INPUT_SKIP_CVE_PACKAGE" -e "INPUT_SKIP_DOWNLOAD" -e "INPUT_PRISMA-API-URL" -e "API_KEY_VARIABLE" -e "GITHUB_PAT" -e "TFC_TOKEN" -e "TF_REGISTRY_TOKEN" -e "VCS_USERNAME" -e "VCS_BASE_URL" -e "VCS_TOKEN" -e "BITBUCKET_TOKEN" -e "BITBUCKET_USERNAME" -e "BITBUCKET_APP_PASSWORD" -e "PRISMA_API_URL" -e "HOME" -e "GITHUB_JOB" -e "GITHUB_REF" -e "GITHUB_SHA" -e "GITHUB_REPOSITORY" -e "GITHUB_REPOSITORY_OWNER" -e "GITHUB_REPOSITORY_OWNER_ID" -e "GITHUB_RUN_ID" -e "GITHUB_RUN_NUMBER" -e "GITHUB_RETENTION_DAYS" -e "GITHUB_RUN_ATTEMPT" -e "GITHUB_REPOSITORY_ID" -e "GITHUB_ACTOR_ID" -e "GITHUB_ACTOR" -e "GITHUB_TRIGGERING_ACTOR" -e "GITHUB_WORKFLOW" -e "GITHUB_HEAD_REF" -e "GITHUB_BASE_REF" -e "GITHUB_EVENT_NAME" -e "GITHUB_SERVER_URL" -e "GITHUB_API_URL" -e "GITHUB_GRAPHQL_URL" -e "GITHUB_REF_NAME" -e "GITHUB_REF_PROTECTED" -e "GITHUB_REF_TYPE" -e 
"GITHUB_WORKFLOW_REF" -e "GITHUB_WORKFLOW_SHA" -e "GITHUB_WORKSPACE" -e "GITHUB_ACTION" -e "GITHUB_EVENT_PATH" -e "GITHUB_ACTION_REPOSITORY" -e "GITHUB_ACTION_REF" -e "GITHUB_PATH" -e "GITHUB_ENV" -e "GITHUB_STEP_SUMMARY" -e "GITHUB_STATE" -e "GITHUB_OUTPUT" -e "RUNNER_OS" -e "RUNNER_ARCH" -e "RUNNER_NAME" -e "RUNNER_ENVIRONMENT" -e "RUNNER_TOOL_CACHE" -e "RUNNER_TEMP" -e "RUNNER_WORKSPACE" -e "ACTIONS_RUNTIME_URL" -e "ACTIONS_RUNTIME_TOKEN" -e "ACTIONS_CACHE_URL" -e "ACTIONS_ID_TOKEN_REQUEST_URL" -e "ACTIONS_ID_TOKEN_REQUEST_TOKEN" -e "ACTIONS_RESULTS_URL" -e GITHUB_ACTIONS=true -e CI=true -v "/var/run/docker.sock":"/var/run/docker.sock" -v "/home/runner/work/_temp/_github_home":"/github/home" -v "/home/runner/work/_temp/_github_workflow":"/github/workflow" -v "/home/runner/work/_temp/_runner_file_commands":"/github/file_commands" -v "/home/runner/work/isrm-a205150_infra/isrm-a205150_infra":"/github/workspace" ghcr.io/bridgecrewio/checkov:3.2.19  "" "./.github" "" "" "false" "false" "" "" "" "" "github_actions" "" "" "" "cli,sarif" "console,checkov_github_actions.sarif" "" "" "WARNING" "" "" "" "" "" "" "" "" "" "" "" "" "--user 0"
BC_FROM_BRANCH=240206-checkov_scan_refinement
BC_TO_BRANCH=develop
...
running checkov on directory: ./.github
checkov -d ./.github             --output cli --output sarif --output-file-path console,checkov_github_actions.sarif      --framework github_actions       
2024-02-08 15:54:11,923 [MainThread  ] [WARNI]  Failed to get the checkov mappings and guidelines from None/bridgecrew/api/v2/guidelines. Skips using BC_* IDs will not work.

@igitcode
Author

igitcode commented Feb 8, 2024

I feel that some may not notice it's happening as it doesn't cause the GH workflow to fail.

@JohnARauchwarter

JohnARauchwarter commented Feb 8, 2024

so if it is the transition from 3.2.3(Jan 31) to 3.2.4(Feb1) perhaps this issue should be attached to the checkov repo, specifically this commit

I searched the checkov-action and checkov repos for 'v2/guidelines' and the only file I came back with was

checkov/checkov/common/bridgecrew/platform_integration.py
216,56: self.guidelines_api_url = f"{self.api_url}/api/v2/guidelines"

In the above commit, on line 116, removed from the definition value "self.bc_api_url" was the default 'https://www.bridgecrew.cloud'. So it is now only populated if the OS has BC_API_URL set.

It seems the idea was to have this value blank so that on line 203 "def setup_api_urls(self) -> None:" would automagically set "api_url" to 'https://api0.prismacloud.io' however, somewhere in logic it appears "bc_api_url" is being set to the string "None"
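
Added example (not part of the comment above and not checkov's code): how an unset base URL formatted into an f-string produces the literal `None/bridgecrew/api/v2/guidelines` seen in the log, next to a guard that treats empty and "None" values as unset and only accepts an absolute https base. The function names and the precedence of `PRISMA_API_URL` over `BC_API_URL` are assumptions; the variable names, path and default host are the ones quoted in this thread.

```python
from urllib.parse import urlsplit

DEFAULT_API_URL = "https://api0.prismacloud.io"    # default host named in the thread
GUIDELINES_PATH = "/bridgecrew/api/v2/guidelines"  # path shown in the log
UNSET_VALUES = {"", "none", "null"}                # values to treat as "not configured"


def naive_guidelines_url(env):
    """Bug pattern: a missing value is formatted straight into the URL."""
    base = env.get("BC_API_URL")  # None when the variable is not set
    return f"{base}{GUIDELINES_PATH}"


def resolve_api_base(env):
    """Return the first usable base URL; '', 'None' and 'null' count as unset.

    Assumption: PRISMA_API_URL takes precedence over BC_API_URL.
    """
    for name in ("PRISMA_API_URL", "BC_API_URL"):
        raw = (env.get(name) or "").strip()
        if raw.lower() not in UNSET_VALUES:
            return raw.rstrip("/")
    return DEFAULT_API_URL


def guidelines_url(env):
    """Build the endpoint, refusing anything that is not https://host[...]."""
    base = resolve_api_base(env)
    parts = urlsplit(base)
    if parts.scheme != "https" or not parts.hostname:
        # Fail loudly instead of sending the request to whatever the
        # HTTP client makes of a scheme-less string.
        raise ValueError(f"refusing API base URL {base!r}: expected https://host")
    return f"{base}{GUIDELINES_PATH}"


if __name__ == "__main__":
    print(naive_guidelines_url({}))              # the URL from the warning
    print(guidelines_url({}))                    # falls back to the default
    print(guidelines_url({"BC_API_URL": "None"}))
```
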

@igitcode
Author

igitcode commented Feb 9, 2024

In a third customer environment the same issue was reported, on latest version 3.2.19.
The Checkov action still reported violations it found, but also accompanied by the same stack trace.

@tsmithv11
Contributor

Thanks, folks. We will investigate the issue and get this resolved.

@omryMen

omryMen commented Feb 29, 2024

@igitcode
we did some modifications in the code so it will fix it.
can you try a newer version to see if it works for you ?
should be from 3.2.28 forward

@igitcode
Author

igitcode commented Mar 6, 2024

@omryMen Still seeing the issue on 3.2.32

@omryMen

omryMen commented Mar 10, 2024

@igitcode can you add the new log you're seeing
also see the version of checkov-action..
see @ppawlowski 's comment which he mentioned it's already working

@igitcode
Author

igitcode commented Mar 11, 2024

we're pulling master version in our workflow:
Screenshot 2024-03-11 at 10 17 59 AM

Showing version 3.2.32 being pulled when workflow runs:
Screenshot 2024-03-11 at 10 18 12 AM

Error message:

2024-03-07 16:57:03,375 [MainThread  ] [WARNI]  Failed to get the checkov mappings and guidelines from None/bridgecrew/api/v2/guidelines. Skips using BC_* IDs will not work.
Traceback (most recent call last):
  File "/usr/local/lib/python3.11/site-packages/urllib3/connection.py", line 203, in _new_conn
    sock = connection.create_connection(
           ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/usr/local/lib/python3.11/site-packages/urllib3/util/connection.py", line 60, in create_connection
    for res in socket.getaddrinfo(host, port, family, socket.SOCK_STREAM):
               ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/usr/local/lib/python3.11/socket.py", line 962, in getaddrinfo
    for res in _socket.getaddrinfo(host, port, family, type, proto, flags):
               ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
socket.gaierror: [Errno -2] Name or service not known

The above exception was the direct cause of the following exception:

Traceback (most recent call last):
  File "/usr/local/lib/python3.11/site-packages/urllib3/connectionpool.py", line 791, in urlopen
    response = self._make_request(
               ^^^^^^^^^^^^^^^^^^^
  File "/usr/local/lib/python3.11/site-packages/urllib3/connectionpool.py", line 497, in _make_request
    conn.request(
  File "/usr/local/lib/python3.11/site-packages/urllib3/connection.py", line 395, in request
    self.endheaders()
  File "/usr/local/lib/python3.11/http/client.py", line 1293, in endheaders
    self._send_output(message_body, encode_chunked=encode_chunked)
  File "/usr/local/lib/python3.11/http/client.py", line 1052, in _send_output
    self.send(msg)
  File "/usr/local/lib/python3.11/http/client.py", line 990, in send
    self.connect()
  File "/usr/local/lib/python3.11/site-packages/urllib3/connection.py", line 243, in connect
    self.sock = self._new_conn()
                ^^^^^^^^^^^^^^^^
  File "/usr/local/lib/python3.11/site-packages/urllib3/connection.py", line 210, in _new_conn
    raise NameResolutionError(self.host, self, e) from e
urllib3.exceptions.NameResolutionError: <urllib3.connection.HTTPConnection object at 0x7bef5ac20110>: Failed to resolve 'none' ([Errno -2] Name or service not known)

The above exception was the direct cause of the following exception:

Traceback (most recent call last):
  File "/usr/local/lib/python3.11/site-packages/checkov/common/bridgecrew/platform_integration.py", line 1179, in get_public_run_config
    request = self.http.request("GET", self.guidelines_api_url, headers=headers)  # type:ignore[no-untyped-call]
              ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/usr/local/lib/python3.11/site-packages/urllib3/_request_methods.py", line 110, in request
    return self.request_encode_url(
           ^^^^^^^^^^^^^^^^^^^^^^^^
  File "/usr/local/lib/python3.11/site-packages/urllib3/_request_methods.py", line 143, in request_encode_url
    return self.urlopen(method, url, **extra_kw)
           ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/usr/local/lib/python3.11/site-packages/urllib3/poolmanager.py", line 443, in urlopen
    response = conn.urlopen(method, u.request_uri, **kw)
               ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/usr/local/lib/python3.11/site-packages/urllib3/connectionpool.py", line 875, in urlopen
    return self.urlopen(
           ^^^^^^^^^^^^^
  File "/usr/local/lib/python3.11/site-packages/urllib3/connectionpool.py", line 875, in urlopen
    return self.urlopen(
           ^^^^^^^^^^^^^
  File "/usr/local/lib/python3.11/site-packages/urllib3/connectionpool.py", line 875, in urlopen
    return self.urlopen(
           ^^^^^^^^^^^^^
  File "/usr/local/lib/python3.11/site-packages/urllib3/connectionpool.py", line 845, in urlopen
    retries = retries.increment(
              ^^^^^^^^^^^^^^^^^^
  File "/usr/local/lib/python3.11/site-packages/urllib3/util/retry.py", line 515, in increment
    raise MaxRetryError(_pool, url, reason) from reason  # type: ignore[arg-type]
    ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
urllib3.exceptions.MaxRetryError: HTTPConnectionPool(host='none', port=80): Max retries exceeded with url: /bridgecrew/api/v2/guidelines (Caused by NameResolutionError("<urllib3.connection.HTTPConnection object at 0x7bef5ac20110>: Failed to resolve 'none' ([Errno -2] Name or service not known)"))

@omryMen

omryMen commented Mar 12, 2024

@igitcode
I was able to reproduce it and solve it.
checkov version 3.2.36 solves the issue

@igitcode
Author

confirmed this is no longer happening as of 3.2.36

@askkhan84

askkhan84 commented Apr 23, 2024

We are facing this issue when using a custom SSL certificate. Is there a way to pass the custom SSL cert or ignore warning?

10:53AM INF running checkov on directory: . id=checkov
10:53AM INF checkov -d .             --output cli --output sarif --output-file-path results.sarif             
10:54AM INF 2024-04-23 00:54:01,118 [MainThread  ] [WARNI]  Failed to get the checkov mappings and guidelines from https://api0.prismacloud.io/bridgecrew/api/v2/guidelines. Skips using BC_* IDs will not work. id=checkov
10:54AM INF Traceback (most recent call last): id=checkov
10:54AM INF   File "/usr/local/lib/python3.11/site-packages/urllib3/connectionpool.py", line 468, in _make_request id=checkov
10:54AM INF     self._validate_conn(conn) id=checkov
10:54AM INF   File "/usr/local/lib/python3.11/site-packages/urllib3/connectionpool.py", line 1097, in _validate_conn id=checkov
10:54AM INF     conn.connect() id=checkov
10:54AM INF   File "/usr/local/lib/python3.11/site-packages/urllib3/connection.py", line 642, in connect id=checkov
10:54AM INF     sock_and_verified = _ssl_wrap_socket_and_match_hostname( id=checkov
10:54AM INF                         ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ id=checkov
10:54AM INF   File "/usr/local/lib/python3.11/site-packages/urllib3/connection.py", line 783, in _ssl_wrap_socket_and_match_hostname id=checkov
10:54AM INF     ssl_sock = ssl_wrap_socket( id=checkov
10:54AM INF                ^^^^^^^^^^^^^^^^ id=checkov
10:54AM INF   File "/usr/local/lib/python3.11/site-packages/urllib3/util/ssl_.py", line 471, in ssl_wrap_socket id=checkov
10:54AM INF     ssl_sock = _ssl_wrap_socket_impl(sock, context, tls_in_tls, server_hostname) id=checkov
10:54AM INF                ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ id=checkov
10:54AM INF   File "/usr/local/lib/python3.11/site-packages/urllib3/util/ssl_.py", line 515, in _ssl_wrap_socket_impl id=checkov
10:54AM INF     return ssl_context.wrap_socket(sock, server_hostname=server_hostname) id=checkov
10:54AM INF            ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ id=checkov
10:54AM INF   File "/usr/local/lib/python3.11/ssl.py", line 517, in wrap_socket id=checkov
10:54AM INF     return self.sslsocket_class._create( id=checkov
10:54AM INF            ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ id=checkov
10:54AM INF   File "/usr/local/lib/python3.11/ssl.py", line 1104, in _create id=checkov
10:54AM INF     self.do_handshake() id=checkov
10:54AM INF   File "/usr/local/lib/python3.11/ssl.py", line 1382, in do_handshake id=checkov
10:54AM INF     self._sslobj.do_handshake() id=checkov
10:54AM INF ssl.SSLCertVerificationError: [SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed: self-signed certificate in certificate chain (_ssl.c:1006) id=checkov
10:54AM INF During handling of the above exception, another exception occurred: id=checkov
10:54AM INF Traceback (most recent call last): id=checkov
10:54AM INF   File "/usr/local/lib/python3.11/site-packages/urllib3/connectionpool.py", line 791, in urlopen id=checkov
10:54AM INF     response = self._make_request( id=checkov
10:54AM INF                ^^^^^^^^^^^^^^^^^^^ id=checkov
10:54AM INF   File "/usr/local/lib/python3.11/site-packages/urllib3/connectionpool.py", line 492, in _make_request id=checkov
10:54AM INF     raise new_e id=checkov
10:54AM INF urllib3.exceptions.SSLError: [SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed: self-signed certificate in certificate chain (_ssl.c:1006) id=checkov
10:54AM INF The above exception was the direct cause of the following exception: id=checkov
10:54AM INF Traceback (most recent call last): id=checkov
10:54AM INF   File "/usr/local/lib/python3.11/site-packages/checkov/common/bridgecrew/platform_integration.py", line 1250, in get_public_run_config id=checkov
10:54AM INF     request = self.http.request("GET", self.guidelines_api_url, headers=headers)  # type:ignore[no-untyped-call] id=checkov
10:54AM INF               ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ id=checkov
10:54AM INF   File "/usr/local/lib/python3.11/site-packages/urllib3/_request_methods.py", line 110, in request id=checkov
10:54AM INF     return self.request_encode_url( id=checkov
10:54AM INF            ^^^^^^^^^^^^^^^^^^^^^^^^ id=checkov
10:54AM INF   File "/usr/local/lib/python3.11/site-packages/urllib3/_request_methods.py", line 143, in request_encode_url id=checkov
10:54AM INF     return self.urlopen(method, url, **extra_kw) id=checkov
10:54AM INF            ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ id=checkov
10:54AM INF   File "/usr/local/lib/python3.11/site-packages/urllib3/poolmanager.py", line 443, in urlopen id=checkov
10:54AM INF     response = conn.urlopen(method, u.request_uri, **kw) id=checkov
10:54AM INF                ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ id=checkov
10:54AM INF   File "/usr/local/lib/python3.11/site-packages/urllib3/connectionpool.py", line 875, in urlopen id=checkov
10:54AM INF     return self.urlopen( id=checkov
10:54AM INF            ^^^^^^^^^^^^^ id=checkov
10:54AM INF   File "/usr/local/lib/python3.11/site-packages/urllib3/connectionpool.py", line 875, in urlopen id=checkov
10:54AM INF     return self.urlopen( id=checkov
10:54AM INF            ^^^^^^^^^^^^^ id=checkov
10:54AM INF   File "/usr/local/lib/python3.11/site-packages/urllib3/connectionpool.py", line 875, in urlopen id=checkov
10:54AM INF     return self.urlopen( id=checkov
10:54AM INF            ^^^^^^^^^^^^^ id=checkov
10:54AM INF   File "/usr/local/lib/python3.11/site-packages/urllib3/connectionpool.py", line 845, in urlopen id=checkov
10:54AM INF     retries = retries.increment( id=checkov
10:54AM INF               ^^^^^^^^^^^^^^^^^^ id=checkov
10:54AM INF   File "/usr/local/lib/python3.11/site-packages/urllib3/util/retry.py", line 515, in increment id=checkov
10:54AM INF     raise MaxRetryError(_pool, url, reason) from reason  # type: ignore[arg-type] id=checkov
10:54AM INF     ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ id=checkov
10:54AM INF urllib3.exceptions.MaxRetryError: HTTPSConnectionPool(host='api0.prismacloud.io', port=443): Max retries exceeded with url: /bridgecrew/api/v2/guidelines (Caused by SSLError(SSLCertVerificationError(1, '[SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed: self-signed certificate in certificate chain (_ssl.c:1006)'))) id=checkov

@SteveVaknin

@askkhan84 The issue is you have a self-signed certificate in certificate chain which fails the cert verification.

You can pass a custom CA certificate that signs the certificate (I had a similar issue while using vpn and needed to pass my organization CA cert).
The argument is --ca-certificate <path_to_CA_cert>.
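
Added example (not from any participant in this thread and not part of checkov): since the guidelines warning does not fail the workflow while BC_* skips stop working, a post-scan step can triage the captured log and return a non-zero exit code. The function names and cause labels are assumptions; the sample log is abridged from the logs quoted in this thread.

```python
import re

# Warning text as it appears in the logs quoted in this thread.
WARNING_RE = re.compile(
    r"Failed to get the checkov mappings and guidelines from (?P<url>\S+)\. Skips"
)

# Remediations stated in the thread, keyed by the cause labels assigned below.
HINTS = {
    "api_url_unset": "base URL was empty; the thread reports this fixed in checkov 3.2.36",
    "tls_verification": "pass the signing CA with --ca-certificate <path_to_CA_cert>",
    "name_resolution": "the API host did not resolve from the runner",
    "unknown": "inspect the traceback that follows the warning",
}

# Abridged sample built from the two kinds of log shown in the thread.
SAMPLE_LOG = """\
2024-02-01 17:36:11,719 [MainThread  ] [WARNI]  Failed to get the checkov mappings and guidelines from None/bridgecrew/api/v2/guidelines. Skips using BC_* IDs will not work.
urllib3.exceptions.NameResolutionError: Failed to resolve 'none' ([Errno -2] Name or service not known)
10:54AM INF 2024-04-23 00:54:01,118 [MainThread  ] [WARNI]  Failed to get the checkov mappings and guidelines from https://api0.prismacloud.io/bridgecrew/api/v2/guidelines. Skips using BC_* IDs will not work. id=checkov
10:54AM INF ssl.SSLCertVerificationError: [SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed: self-signed certificate in certificate chain (_ssl.c:1006) id=checkov
"""


def triage(log_text):
    """Return one finding per guidelines-fetch warning, with a likely cause."""
    findings = []
    current = None
    for line in log_text.splitlines():
        hit = WARNING_RE.search(line)
        if hit:
            url = hit.group("url")
            absolute = url.lower().startswith(("http://", "https://"))
            # A scheme-less URL such as "None/..." means the base was never set.
            current = {"url": url, "cause": "unknown" if absolute else "api_url_unset"}
            findings.append(current)
        elif current is not None and current["cause"] == "unknown":
            # Refine the cause from the traceback lines that follow the warning.
            if "CERTIFICATE_VERIFY_FAILED" in line:
                current["cause"] = "tls_verification"
            elif "NameResolutionError" in line:
                current["cause"] = "name_resolution"
    return findings


def exit_code(findings):
    """Non-zero when the guidelines fetch failed, so the job stops passing silently."""
    return 1 if findings else 0


if __name__ == "__main__":
    results = triage(SAMPLE_LOG)
    for finding in results:
        print(f"{finding['cause']}: {finding['url']} -> {HINTS[finding['cause']]}")
    raise SystemExit(exit_code(results))
```
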
