bridgecrewio · lirshindalman · Jan 1, 2025 · Dec 24, 2024 · Dec 24, 2024 · Dec 24, 2024
diff --git a/checkov/common/goget/github/get_git.py b/checkov/common/goget/github/get_git.py
@@ -5,6 +5,7 @@
 import shutil
 
 from checkov.common.goget.base_getter import BaseGetter
+from checkov.common.proxy.proxy_client import get_proxy_envs
 from checkov.common.resource_code_logger_filter import add_resource_code_filter_to_logger
 from checkov.common.util.contextmanagers import temp_environ
 
@@ -82,16 +83,17 @@ def do_get(self) -> str:
 
     def _clone(self, git_url: str, clone_dir: str) -> None:
         self.logger.debug(f"cloning {self.url if '@' not in self.url else self.url.split('@')[1]} to {clone_dir}")
+        proxy_env = get_proxy_envs()
         with temp_environ(GIT_TERMINAL_PROMPT="0"):  # disables user prompts originating from GIT
             if self.branch:
-                Repo.clone_from(git_url, clone_dir, branch=self.branch, depth=1)  # depth=1 for shallow clone
+                Repo.clone_from(git_url, clone_dir, branch=self.branch, depth=1, env=proxy_env)  # depth=1 for shallow clone
             elif self.commit_id:  # no commit id support for branch
-                repo = Repo.clone_from(git_url, clone_dir, no_checkout=True)  # need to be a full git clone
+                repo = Repo.clone_from(git_url, clone_dir, no_checkout=True, env=proxy_env)  # need to be a full git clone
                 repo.git.checkout(self.commit_id)
             elif self.tag:
-                Repo.clone_from(git_url, clone_dir, depth=1, b=self.tag)
+                Repo.clone_from(git_url, clone_dir, depth=1, b=self.tag, env=proxy_env)
             else:
-                Repo.clone_from(git_url, clone_dir, depth=1)
+                Repo.clone_from(git_url, clone_dir, depth=1, env=proxy_env)
 
     # Split source url into Git url and subdirectory path e.g. test.com/repo//repo/subpath becomes 'test.com/repo', '/repo/subpath')
     # Also see reference implementation @ go-getter https://github.com/hashicorp/go-getter/blob/main/source.go

diff --git a/checkov/common/proxy/__init__.py b/checkov/common/proxy/__init__.py
diff --git a/.../terraform/module_loading/proxy_client.py → checkov/common/proxy/proxy_client.py b/.../terraform/module_loading/proxy_client.py → checkov/common/proxy/proxy_client.py
@@ -1,5 +1,5 @@
 import os
-from typing import Any
+from typing import Any, Mapping
 
 import requests
 
@@ -31,3 +31,13 @@ def send_request(self, request: requests.Request) -> requests.Response:
 def call_http_request_with_proxy(request: requests.Request) -> Any:
     proxy_client = ProxyClient()
     return proxy_client.send_request(request=request)
+
+
+def get_proxy_envs() -> Mapping[str, str] | None:
+    if os.getenv('PROXY_URL'):
+        proxy_env = os.environ.copy()
+        proxy_env["GIT_SSL_CAINFO"] = os.getenv('PROXY_CA_PATH')  # Path to the CA cert
+        proxy_env["http_proxy"] = os.getenv('PROXY_URL')  # Proxy URL
+        proxy_env["https_proxy"] = os.getenv('PROXY_URL')  # HTTPS Proxy URL (if needed)
+        return proxy_env
+    return None
diff --git a/checkov/terraform/module_loading/loaders/registry_loader.py b/checkov/terraform/module_loading/loaders/registry_loader.py
@@ -19,7 +19,7 @@
     order_versions_in_descending_order,
     get_version_constraints
 )
-from checkov.terraform.module_loading.proxy_client import call_http_request_with_proxy
+from checkov.common.proxy.proxy_client import call_http_request_with_proxy
 
 if TYPE_CHECKING:
     from checkov.terraform.module_loading.module_params import ModuleParams