Skip to content

Checkov and SAST Broken on Windows #8

Description

@bpetty-interlace

Error

When scanning a random docker compose yml to test the MCP, I get:

● Aikido scan completed — no issues found in #################.

  Note: two scanner engines had execution errors on this system:
  - SAST (Opengrep): failed to load rules (unknown taint_intrafile field —
  tool/rule version mismatch)                                                 

  • IaC (Checkov): binary not found at expected path

  The secrets scan ran clean. To get full IaC coverage on the compose file
  (which is where Checkov would flag things like exposed debug ports, missing
   read-only volumes, etc.), the Aikido MCP install needs Checkov available
  and Opengrep rules updated. Want me to look into fixing the setup?

System

Windows

Resolution

The taint_intrafile field was added to opengrep in v1.17.0 (April 2025).     The MCP hardcodes opengrep v1.10.0 in its download URLs. Aikido's            opengrep-rules repo (which the MCP pulls from their API) uses the newer schema.

The MCP resolves Checkov at: %LOCALAPPDATA%\aikido-mcp\checkov\checkov.exe
NOTE: (see @aikidosec/mcp code: path.join(i, "checkov.exe"))
The actual binary on a Windows system is at: %LOCALAPPDATA%\aikido-mcp\checkov\dist\checkov.exe

The Checkov Windows release zip (v3.2.395) extracts with a dist prefix. The MCP extractor doesn't flatten/handle this, so the executable ends up one directory deeper than the lookup expects.

Metadata

Metadata

Assignees

No one assigned

    Labels

    No labels
    No labels

    Type

    No type

    Fields

    No fields configured for issues without a type.

    Projects

    No projects

    Milestone

    No milestone

    Relationships

    None yet

    Development

    No branches or pull requests

    Issue actions