kustomize checks can only be skipped with invalid YAML #6900

Open
ChrisSamo632 opened this issue Dec 10, 2024 · 1 comment

Describe the issue

Checkov fails to skip kustomize framework issues when annotations are added to the kustomization.yaml file unless those annotations are added using invalid YAML.

  • valid YAML, checkov skip ignored (i.e. checkov test fails):
metadata:
  annotations:
    checkov.io/skip1: CKV_K8S_14=using latest Image Tag for local development is easiest
  • invalid YAML (annotation not indented so annotations is not a valid YAML Object), checkov skip accepted (i.e. checkov test passes):
metadata:
  annotations:
  checkov.io/skip1: CKV_K8S_14=using latest Image Tag for local development is easiest

Examples

Given a kustomization.yaml like

resources:
  - ../../base

images:
  - name: api
    newName: api
    newTag: latest

metadata:
  annotations:
    checkov.io/skip1: CKV_K8S_14=using latest Image Tag for local development is easiest

The checkov test fails. Breaking the YAML and un-indenting the checkov.io/skip1 annotation allows the checkov test to pass.

Version (please complete the following information):

  • Checkov Version: 3.2.330

ChrisSamo632 commented Dec 10, 2024

Also, the invalid YAML then cannot be used through kubectl apply -k ., as it cannot be parsed correctly.
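The two variants from the issue, run through a generic YAML parser, as an added example (not part of the issue and not Checkov's code): it reports where each `checkov.io/skip` key lands in the parsed document, so a CI step can flag skips that sit outside `metadata.annotations`. It assumes PyYAML is installed; `locate_skips` and the sample strings are constructed for illustration.

```python
import yaml  # PyYAML, assumed installed (not part of the standard library)

SKIP_PREFIX = "checkov.io/skip"
EXPECTED_PARENT = ("metadata", "annotations")

# Constructed from the kustomization.yaml quoted in the issue.
HEAD = """\
resources:
  - ../../base
images:
  - name: api
    newName: api
    newTag: latest
metadata:
  annotations:
"""
SKIP = "checkov.io/skip1: CKV_K8S_14=using latest Image Tag for local development is easiest\n"
NESTED = HEAD + "    " + SKIP      # annotation indented under annotations
UNINDENTED = HEAD + "  " + SKIP    # annotation at the same level as annotations


def locate_skips(text):
    """Return (nested, misplaced): lists of (path, check_id, reason) tuples."""
    nested, misplaced = [], []

    def walk(node, path):
        if isinstance(node, dict):
            for key, value in node.items():
                here = path + (str(key),)
                if str(key).startswith(SKIP_PREFIX):
                    check_id, _, reason = str(value).partition("=")
                    bucket = nested if path == EXPECTED_PARENT else misplaced
                    bucket.append((here, check_id, reason))
                walk(value, here)
        elif isinstance(node, list):
            for index, item in enumerate(node):
                walk(item, path + (str(index),))

    walk(yaml.safe_load(text), ())
    return nested, misplaced


if __name__ == "__main__":
    for name, text in (("nested", NESTED), ("un-indented", UNINDENTED)):
        ok, misplaced = locate_skips(text)
        print(f"{name}: under metadata.annotations={ok} misplaced={misplaced}")
```

In the un-indented variant the parser leaves `annotations` empty and attaches the skip key directly to `metadata`, which is why the function reports it as misplaced.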
