checkov-vscode
checkov-vscode copied to clipboard
bridgecrewio
.checkov.yaml skip-checks being overridden by hard-coded BC_LIC* skip
Problem
Version: 2.3.53 Framework: terraform
When --skip-check BC_LIC* is hard-coded into checkovRunner.ts, it overrides any skip-check params in .checkov.yaml. This can be verified by running the docker command used by the plugin with and without the BC_LIC* skip check, with LOG_LEVEL=DEBUG set, and looking at the resulting .checkov.yaml.
Workaround (but bad)
The workaround is to add inline skip comments, which do work, but that's added maintenance and makes the configuration file redundant.
Reproduce
docker run --rm --tty --name SOME_NAME --env LOG_LEVEL=DEBUG --env BC_SOURCE=vscode --env BC_SOURCE_VERSION=1.0.93 -v "/PATH_TO_CODE_WITH_CONFIG:/checkovScan" -v "/PATH_TO_CODE_WITH_CONFIG/.checkov.yaml:/checkovConfig/.checkov.yaml" -w /checkovScan bridgecrew/checkov:2.3.53 --config-file "/checkovConfig/.checkov.yaml" -f "SCANNED_FILE" -s --bc-api-key SOME_KEY --repo-id REPO_ID --skip-check BC_LIC*
vs
docker run --rm --tty --name SOME_NAME --env LOG_LEVEL=DEBUG --env BC_SOURCE=vscode --env BC_SOURCE_VERSION=1.0.93 -v "/PATH_TO_CODE_WITH_CONFIG:/checkovScan" -v "/PATH_TO_CODE_WITH_CONFIG/.checkov.yaml:/checkovConfig/.checkov.yaml" -w /checkovScan bridgecrew/checkov:2.3.53 --config-file "/checkovConfig/.checkov.yaml" -f "SCANNED_FILE" -s --bc-api-key SOME_KEY --repo-id REPO_ID
