# Pitfall Log

Project: bridgecrewio/checkov

Summary: Found 35 structured pitfall item(s), including 9 high/blocking item(s). Top priority: Installation risk - Installation risk requires verification.

## 1. Installation risk - Installation risk requires verification

- Severity: high
- Evidence strength: source_linked
- Finding: Project evidence flags an installation risk. Review the linked source before relying on this workflow.
- User impact: May increase setup, validation, or first-run risk for the user.
- Evidence: community_evidence:github | https://github.com/bridgecrewio/checkov/issues/7394

## 2. Installation risk - Installation risk requires verification

- Severity: high
- Evidence strength: source_linked
- Finding: Project evidence flags an installation risk. Review the linked source before relying on this workflow.
- User impact: May increase setup, validation, or first-run risk for the user.
- Evidence: community_evidence:github | https://github.com/bridgecrewio/checkov/issues/6645

## 3. Installation risk - Installation risk requires verification

- Severity: high
- Evidence strength: source_linked
- Finding: Project evidence flags an installation risk. Review the linked source before relying on this workflow.
- User impact: May increase setup, validation, or first-run risk for the user.
- Evidence: community_evidence:github | https://github.com/bridgecrewio/checkov/issues/6950

## 4. Configuration risk - Configuration risk requires verification

- Severity: high
- Evidence strength: source_linked
- Finding: Project evidence flags a configuration risk. Review the linked source before relying on this workflow.
- User impact: May increase setup, validation, or first-run risk for the user.
- Evidence: community_evidence:github | https://github.com/bridgecrewio/checkov/issues/7473

## 5. Security or permission risk - Security or permission risk requires verification

- Severity: high
- Evidence strength: source_linked
- Finding: Developers should check this security_permissions risk before relying on the project: Security: Multiple CVEs in Dependencies (urllib3, asteval, ply) - Checkov 3.2.517
- User impact: Developers may expose sensitive permissions or credentials: Security: Multiple CVEs in Dependencies (urllib3, asteval, ply) - Checkov 3.2.517
- Evidence: failure_mode_cluster:github_issue | https://github.com/bridgecrewio/checkov/issues/7504

## 6. Security or permission risk - Security or permission risk requires verification

- Severity: high
- Evidence strength: source_linked
- Finding: Project evidence flags a security or permission risk. Review the linked source before relying on this workflow.
- User impact: May increase setup, validation, or first-run risk for the user.
- Evidence: community_evidence:github | https://github.com/bridgecrewio/checkov/issues/7402

## 7. Security or permission risk - Security or permission risk requires verification

- Severity: high
- Evidence strength: source_linked
- Finding: Project evidence flags a security or permission risk. Review the linked source before relying on this workflow.
- User impact: May increase setup, validation, or first-run risk for the user.
- Evidence: community_evidence:github | https://github.com/bridgecrewio/checkov/issues/7396

## 8. Security or permission risk - Security or permission risk requires verification

- Severity: high
- Evidence strength: source_linked
- Finding: Project evidence flags a security or permission risk. Review the linked source before relying on this workflow.
- User impact: May increase setup, validation, or first-run risk for the user.
- Evidence: community_evidence:github | https://github.com/bridgecrewio/checkov/issues/7210

## 9. Security or permission risk - Security or permission risk requires verification

- Severity: high
- Evidence strength: source_linked
- Finding: Project evidence flags a security or permission risk. Review the linked source before relying on this workflow.
- User impact: May increase setup, validation, or first-run risk for the user.
- Evidence: community_evidence:github | https://github.com/bridgecrewio/checkov/issues/7504

## 10. Installation risk - Installation risk requires verification

- Severity: medium
- Evidence strength: source_linked
- Finding: Developers should check this installation risk before relying on the project: Discrepancy Between Homebrew vs pip Installations: CKV2 Checks Not Running with Homebrew
- User impact: Developers may fail before the first successful local run: Discrepancy Between Homebrew vs pip Installations: CKV2 Checks Not Running with Homebrew
- Evidence: failure_mode_cluster:github_issue | https://github.com/bridgecrewio/checkov/issues/6645

## 11. Installation risk - Installation risk requires verification

- Severity: medium
- Evidence strength: source_linked
- Finding: Developers should check this installation risk before relying on the project: feat(general): Add warnings when API-dependent parameters are used without API key
- User impact: Developers may fail before the first successful local run: feat(general): Add warnings when API-dependent parameters are used without API key
- Evidence: failure_mode_cluster:github_issue | https://github.com/bridgecrewio/checkov/issues/7379

## 12. Installation risk - Installation risk requires verification

- Severity: medium
- Evidence strength: source_linked
- Finding: Developers should check this installation risk before relying on the project: update Python module packaging
- User impact: Developers may fail before the first successful local run: update Python module packaging
- Evidence: failure_mode_cluster:github_issue | https://github.com/bridgecrewio/checkov/issues/6950

## 13. Configuration risk - Configuration risk requires verification

- Severity: medium
- Evidence strength: source_linked
- Finding: Developers should check this configuration risk before relying on the project: Bicep: Missing parser support for `extension` keyword
- User impact: Developers may misconfigure credentials, environment, or host setup: Bicep: Missing parser support for `extension` keyword
- Evidence: failure_mode_cluster:github_issue | https://github.com/bridgecrewio/checkov/issues/7364

## 14. Configuration risk - Configuration risk requires verification

- Severity: medium
- Evidence strength: source_linked
- Finding: Developers should check this configuration risk before relying on the project: CKV_AWS_86 only validates v1 logging, not v2
- User impact: Developers may misconfigure credentials, environment, or host setup: CKV_AWS_86 only validates v1 logging, not v2
- Evidence: failure_mode_cluster:github_issue | https://github.com/bridgecrewio/checkov/issues/7385

## 15. Configuration risk - Configuration risk requires verification

- Severity: medium
- Evidence strength: source_linked
- Finding: Developers should check this configuration risk before relying on the project: CKV_GCP_123 triggers even if remove_default_node_pool is set
- User impact: Developers may misconfigure credentials, environment, or host setup: CKV_GCP_123 triggers even if remove_default_node_pool is set
- Evidence: failure_mode_cluster:github_issue | https://github.com/bridgecrewio/checkov/issues/7406

## 16. Configuration risk - Configuration risk requires verification

- Severity: medium
- Evidence strength: source_linked
- Finding: Developers should check this configuration risk before relying on the project: CKV_GCP_93 false positive when using multi-key configuration
- User impact: Developers may misconfigure credentials, environment, or host setup: CKV_GCP_93 false positive when using multi-key configuration
- Evidence: failure_mode_cluster:github_issue | https://github.com/bridgecrewio/checkov/issues/7402

## 17. Configuration risk - Configuration risk requires verification

- Severity: medium
- Evidence strength: source_linked
- Finding: Developers should check this configuration risk before relying on the project: GCS Bucket Logging Checks with Undetermined Value
- User impact: Developers may misconfigure credentials, environment, or host setup: GCS Bucket Logging Checks with Undetermined Value
- Evidence: failure_mode_cluster:github_issue | https://github.com/bridgecrewio/checkov/issues/7473

## 18. Configuration risk - Configuration risk requires verification

- Severity: medium
- Evidence strength: source_linked
- Finding: Project evidence flags a configuration risk. Review the linked source before relying on this workflow.
- User impact: May increase setup, validation, or first-run risk for the user.
- Evidence: community_evidence:github | https://github.com/bridgecrewio/checkov/issues/7406

## 19. Capability evidence risk - Capability evidence risk requires verification

- Severity: medium
- Evidence strength: source_linked
- Finding: README/documentation is current enough for a first validation pass.
- User impact: May increase setup, validation, or first-run risk for the user.
- Evidence: capability.assumptions | https://github.com/bridgecrewio/checkov

## 20. Runtime risk - Runtime risk requires verification

- Severity: medium
- Evidence strength: source_linked
- Finding: Project evidence flags a runtime risk. Review the linked source before relying on this workflow.
- User impact: May increase setup, validation, or first-run risk for the user.
- Evidence: packet_text.keyword_scan | https://github.com/bridgecrewio/checkov

## 21. Maintenance risk - Maintenance risk requires verification

- Severity: medium
- Evidence strength: source_linked
- Finding: Project evidence flags a maintenance risk. Review the linked source before relying on this workflow.
- User impact: May increase setup, validation, or first-run risk for the user.
- Evidence: evidence.maintainer_signals | https://github.com/bridgecrewio/checkov

## 22. Security or permission risk - Security or permission risk requires verification

- Severity: medium
- Evidence strength: source_linked
- Finding: no_demo
- User impact: May increase setup, validation, or first-run risk for the user.
- Evidence: downstream_validation.risk_items | https://github.com/bridgecrewio/checkov

## 23. Security or permission risk - Security or permission risk requires verification

- Severity: medium
- Evidence strength: source_linked
- Finding: no_demo
- User impact: May increase setup, validation, or first-run risk for the user.
- Evidence: risks.scoring_risks | https://github.com/bridgecrewio/checkov

## 24. Security or permission risk - Security or permission risk requires verification

- Severity: medium
- Evidence strength: source_linked
- Finding: Project evidence flags a security or permission risk. Review the linked source before relying on this workflow.
- User impact: May increase setup, validation, or first-run risk for the user.
- Evidence: community_evidence:github | https://github.com/bridgecrewio/checkov/issues/7364

## 25. Security or permission risk - Security or permission risk requires verification

- Severity: medium
- Evidence strength: source_linked
- Finding: Project evidence flags a security or permission risk. Review the linked source before relying on this workflow.
- User impact: May increase setup, validation, or first-run risk for the user.
- Evidence: community_evidence:github | https://github.com/bridgecrewio/checkov/issues/7385

## 26. Security or permission risk - Security or permission risk requires verification

- Severity: medium
- Evidence strength: source_linked
- Finding: Project evidence flags a security or permission risk. Review the linked source before relying on this workflow.
- User impact: May increase setup, validation, or first-run risk for the user.
- Evidence: community_evidence:github | https://github.com/bridgecrewio/checkov/issues/7379

## 27. Capability evidence risk - Capability evidence risk requires verification

- Severity: low
- Evidence strength: source_linked
- Finding: Developers should check this capability risk before relying on the project: Bicep / ARM support expectations are misleading for real-world Azure usage
- User impact: Developers may hit a documented source-backed failure mode: Bicep / ARM support expectations are misleading for real-world Azure usage
- Evidence: failure_mode_cluster:github_issue | https://github.com/bridgecrewio/checkov/issues/7394

## 28. Capability evidence risk - Capability evidence risk requires verification

- Severity: low
- Evidence strength: source_linked
- Finding: Developers should check this capability risk before relying on the project: Expose variables from terraform plan
- User impact: Developers may hit a documented source-backed failure mode: Expose variables from terraform plan
- Evidence: failure_mode_cluster:github_issue | https://github.com/bridgecrewio/checkov/issues/7396

## 29. Capability evidence risk - Capability evidence risk requires verification

- Severity: low
- Evidence strength: source_linked
- Finding: Developers should check this capability risk before relying on the project: Kubernetes manifests with ${VAR} placeholders are silently skipped
- User impact: Developers may hit a documented source-backed failure mode: Kubernetes manifests with ${VAR} placeholders are silently skipped
- Evidence: failure_mode_cluster:github_issue | https://github.com/bridgecrewio/checkov/issues/7210

## 30. Maintenance risk - Maintenance risk requires verification

- Severity: low
- Evidence strength: source_linked
- Finding: issue_or_pr_quality=unknown
- User impact: May increase setup, validation, or first-run risk for the user.
- Evidence: evidence.maintainer_signals | https://github.com/bridgecrewio/checkov

## 31. Maintenance risk - Maintenance risk requires verification

- Severity: low
- Evidence strength: source_linked
- Finding: release_recency=unknown
- User impact: May increase setup, validation, or first-run risk for the user.
- Evidence: evidence.maintainer_signals | https://github.com/bridgecrewio/checkov

## 32. Maintenance risk - Maintenance risk requires verification

- Severity: low
- Evidence strength: source_linked
- Finding: Developers should check this maintenance risk before relying on the project: 3.2.533
- User impact: Upgrade or migration may change expected behavior: 3.2.533
- Evidence: failure_mode_cluster:github_release | https://github.com/bridgecrewio/checkov/releases/tag/3.2.533

## 33. Maintenance risk - Maintenance risk requires verification

- Severity: low
- Evidence strength: source_linked
- Finding: Developers should check this maintenance risk before relying on the project: 3.2.534
- User impact: Upgrade or migration may change expected behavior: 3.2.534
- Evidence: failure_mode_cluster:github_release | https://github.com/bridgecrewio/checkov/releases/tag/3.2.534

## 34. Maintenance risk - Maintenance risk requires verification

- Severity: low
- Evidence strength: source_linked
- Finding: Developers should check this maintenance risk before relying on the project: 3.3.0
- User impact: Upgrade or migration may change expected behavior: 3.3.0
- Evidence: failure_mode_cluster:github_release | https://github.com/bridgecrewio/checkov/releases/tag/3.3.0

## 35. Maintenance risk - Maintenance risk requires verification

- Severity: low
- Evidence strength: source_linked
- Finding: Developers should check this maintenance risk before relying on the project: 3.3.1
- User impact: Upgrade or migration may change expected behavior: 3.3.1
- Evidence: failure_mode_cluster:github_release | https://github.com/bridgecrewio/checkov/releases/tag/3.3.1
