This repository has been archived by the owner on Oct 27, 2024. It is now read-only.

.checkov.yaml skip-checks being overridden by hard-coded BC_LIC* skip #125

Open
cringdahl opened this issue Mar 1, 2023 · 0 comments

@cringdahl

Problem

Version: 2.3.53
Framework: terraform

When --skip-check BC_LIC* is hard-coded into checkovRunner.ts, it overrides any skip-check params in .checkov.yaml. This can be verified by running the docker command used by the plugin with and without the BC_LIC* skip check, with LOG_LEVEL=DEBUG set, and looking at the resulting .checkov.yaml.

Workaround (but bad)

The workaround is to add inline skip comments, which do work, but that's added maintenance and makes the configuration file redundant.

Reproduce

docker run --rm --tty --name SOME_NAME --env LOG_LEVEL=DEBUG --env BC_SOURCE=vscode --env BC_SOURCE_VERSION=1.0.93 -v "/PATH_TO_CODE_WITH_CONFIG:/checkovScan" -v "/PATH_TO_CODE_WITH_CONFIG/.checkov.yaml:/checkovConfig/.checkov.yaml" -w /checkovScan bridgecrew/checkov:2.3.53 --config-file "/checkovConfig/.checkov.yaml" -f "SCANNED_FILE" -s --bc-api-key SOME_KEY --repo-id REPO_ID --skip-check BC_LIC*

vs

docker run --rm --tty --name SOME_NAME --env LOG_LEVEL=DEBUG --env BC_SOURCE=vscode --env BC_SOURCE_VERSION=1.0.93 -v "/PATH_TO_CODE_WITH_CONFIG:/checkovScan" -v "/PATH_TO_CODE_WITH_CONFIG/.checkov.yaml:/checkovConfig/.checkov.yaml" -w /checkovScan bridgecrew/checkov:2.3.53 --config-file "/checkovConfig/.checkov.yaml" -f "SCANNED_FILE" -s --bc-api-key SOME_KEY --repo-id REPO_ID
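The issue above is verified by comparing the skip-check list in the source .checkov.yaml with the effective config that checkov writes under LOG_LEVEL=DEBUG. The following is an added example, not code from the issue, the plugin or checkov: a small checker that reports config skip-checks missing from the effective config. It assumes both files are simple block-style YAML (the hand-written parser below stands in for PyYAML) and uses constructed sample configs.

```python
# Added illustration (not checkov's or the plugin's code): detect skip-check
# entries from the repo's .checkov.yaml that are absent from the effective
# config, i.e. entries replaced rather than merged by a CLI --skip-check.
import re
from typing import List

# Constructed sample: the repo's own .checkov.yaml
SOURCE_CONFIG = """\
framework:
  - terraform
skip-check:
  - CKV_AWS_1
  - CKV_AWS_2
"""

# Constructed sample: effective config seen in the debug output when the
# plugin appends --skip-check BC_LIC* (config entries replaced, not merged).
EFFECTIVE_CONFIG_OVERRIDDEN = """\
framework:
  - terraform
skip-check:
  - BC_LIC*
"""


def skip_checks(yaml_text: str) -> List[str]:
    """Return the items of the top-level `skip-check:` list.

    Minimal line-based parser (assumption: indented block-style list,
    no nested maps) so the example runs without PyYAML."""
    items, in_list = [], False
    for line in yaml_text.splitlines():
        if re.match(r"^skip-check:\s*$", line):
            in_list = True
            continue
        if in_list:
            m = re.match(r"^\s+-\s*(\S+)", line)
            if m:
                items.append(m.group(1))
            else:
                in_list = False  # list ended at the next top-level key
    return items


def dropped_skip_checks(source: str, effective: str) -> List[str]:
    """Config skip-checks that did not survive into the effective config."""
    got = set(skip_checks(effective))
    return [c for c in skip_checks(source) if c not in got]


if __name__ == "__main__":
    print("dropped:", dropped_skip_checks(SOURCE_CONFIG, EFFECTIVE_CONFIG_OVERRIDDEN))
```

A non-empty result means the config file's skip list is being silently discarded, so findings suppressed there will reappear until the CLI and config lists are merged.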
