Skip to content

fix(scanners): do not embed literal quotes in checkov/bandit exclusion args#350

Merged
rafaelpereyra merged 1 commit into
awslabs:mainfrom
jtblack-aws:bugfix/scanner-skip-path-exclude-quoting
Jul 6, 2026
Merged

fix(scanners): do not embed literal quotes in checkov/bandit exclusion args#350
rafaelpereyra merged 1 commit into
awslabs:mainfrom
jtblack-aws:bugfix/scanner-skip-path-exclude-quoting

Conversation

@jtblack-aws

Copy link
Copy Markdown
Contributor

Issue #, 349

Description of changes:

The built-in checkov and bandit scanner plugins construct their --skip-path / --exclude CLI arguments as single-string tokens with literal double-quote characters wrapped around the value. ASH invokes scanners via subprocess with the default shell=False, so the " characters end up inside the argv value rather than being interpreted as shell quoting. The downstream tools then treat the quotes as part of the pattern — checkov compiles a regex that requires a literal " character in the file path, so no real path matches and exclusions silently fail.

The failure is silent: scanners exit 0, no warning is emitted, and the only observable symptom is that path exclusions don't appear to take effect. Both built-in KNOWN_IGNORE_PATHS and any user-configured skip_path / excluded_paths entries are affected.

Affected versions: Tested v3.2.1 and v3.5.2, although likely present in older versions.

See the linked issue for the full reproducer.

Fix

Remove the embedded quotes from the three affected f-strings. The values are passed as argv via subprocess, so no shell-level quoting is needed — the argument delimiter is the argv boundary.

  • automated_security_helper/plugin_modules/ash_builtin/scanners/checkov_scanner.py:
    two occurrences (the KNOWN_IGNORE_PATHS loop and the user skip_path loop).
  • automated_security_helper/plugin_modules/ash_builtin/scanners/bandit_scanner.py:
    one occurrence (the single --exclude token).

Tests

Two new unit-test files under tests/unit/plugin_modules/ash_builtin/:

  • test_checkov_scanner_skip_path_quoting.py:

    • test_process_config_options_skip_path_arguments_contain_no_literal_quotes — asserts no emitted --skip-path= ToolExtraArg.key contains a literal " character.
    • test_process_config_options_skip_path_values_are_verbatim — parametrized over five filesystem-safe paths; asserts each emitted token equals exactly --skip-path={path}.
  • test_bandit_scanner_exclude_quoting.py:

    • test_process_config_options_exclude_argument_contains_no_literal_quotes — asserts no emitted --exclude= ToolExtraArg.key contains a literal " character.
    • test_process_config_options_exclude_argument_value_is_well_formed — asserts the comma-joined --exclude= value splits into the expected list of glob entries (mirroring the source-code Path(...).joinpath(...) construction so the test stays correct under any future Path-normalization changes).

Also updated a stale comment in tests/integration/scanners/test_bandit_scanner.py::test_process_config_options_exclusions
that documented the buggy quoted form as if it were intentional. The assertion itself is quote-agnostic and is unchanged.

Verification

  • New regression tests fail on the unfixed code and pass after the fix.
  • Full unit + scanner integration suite (uv run pytest --run-integration tests/unit/ tests/integration/scanners/ -v --no-cov) shows the same pre-existing 5 failures as before the fix (unrelated env / mock signature drift); zero new failures.
  • uv run ruff check and uv run ruff format --check clean on all five touched files.
  • End-to-end: installed locally via uv tool install --from . automated-security-helper --force, ran against a project with a
    cdk.out/ directory and scanners.checkov.options.skip_path: "cdk.out". Verified scan properly excluded cdk.out.

By submitting this pull request, I confirm that you can use, modify, copy, and redistribute this contribution, under the terms of your choice.

@jtblack-aws jtblack-aws requested a review from a team as a code owner May 15, 2026 21:21
@jtblack-aws jtblack-aws force-pushed the bugfix/scanner-skip-path-exclude-quoting branch from e7c5cc5 to dba27ca Compare June 19, 2026 20:54
…n args

ASH builds checkov --skip-path and bandit --exclude args as
single-string f'--flag="{value}"' tokens. Because subprocess is
called with shell=False, the quote characters end up inside the argv
value, and downstream tools treat them as part of the pattern,
silently disabling all path exclusions.

Drop the quote wrap from the three affected f-strings and add unit
regression tests asserting no emitted token contains a literal '"'.

Fixes awslabs#349
@jtblack-aws jtblack-aws force-pushed the bugfix/scanner-skip-path-exclude-quoting branch from dba27ca to 0f8c896 Compare July 6, 2026 18:14
@rafaelpereyra rafaelpereyra merged commit aa92a92 into awslabs:main Jul 6, 2026
232 of 234 checks passed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

2 participants