checkov icon indicating copy to clipboard operation
checkov copied to clipboard

Published 20 hours ago verified publisher icon bridgecrewio

Only scan changed files

Open lukelloydagi opened this issue 1 year ago • 2 comments

Question Is it possible to have checkov only scan files that have changed (git diff)?

Currently using checkov as part of MegaLinter and while other linters are only scanning the changed files as part of a PR checkov is scanning the entire git repo.

lukelloydagi avatar Oct 16 '24 08:10 lukelloydagi

yeah, this is possible for example via pre-commit, but you can also achieve it on your own by passing the file paths to the -f flag, like here https://github.com/bridgecrewio/checkov/blob/f177b202e32c2bf7d28ff00b34bc5d4062a7f13f/.pre-commit-hooks.yaml#L29-L35

gruebel avatar Oct 16 '24 09:10 gruebel

Can that be done via the config file? Do you have a list of config file options and what they do? I only found the below doc on config file usage but it doesn't give options and what the options do 🤷‍♂️ https://github.com/bridgecrewio/checkov#configuration-using-a-config-file

lukelloydagi avatar Oct 16 '24 09:10 lukelloydagi

@lukelloydagi scanning per file can be configured via the config-file. Any flag can be added to the file like you can see under Will create a config.yaml file which looks like this:. For multiple files, you can list them in the config-file like this:

file:
  - terragoat/terraform/aws/ec2.tf
  - terragoat/terraform/aws/s3.tf

So I imagine if you wanted to do this in a pipeline, you'd have to dynamically update the file with the list of files that were changed. Note this will impact things like variable rendering.

tsmithv11 avatar Nov 03 '24 23:11 tsmithv11