Baseline should be invalidated for a resource the moment it changes
Describe the issue
When I have a project with a generated baseline, I'd like to have the baseline-skip dropped when I change a baseline-skipped resource. This is to encourage clean-as-you-go practices, to clean up previously skipped vulns when you introduce any change on the resource.
Examples
Let's say I have a resource.tf with a resource resource.insecure.default, which contains some bad stuff. I generate a baseline for it that makes it ignore all the existing vulns. When I then change resource.insecure.default in some way, I want all previously skipped vulns to no longer be skipped, even if I didn't change anything related to the vuln.
Version (please complete the following information):
- Checkov Version 3.1.26
Hey @audunmo
I understand what you want, but that was not the intended use case of baseline. Also, what does it mean for you when someone changes something? Formatting the file? Adding tags? Renaming referenced blocks, like resources or variables?
@gruebel yeah ideally I'd like it to run on change to the source code, as any time a dev is making changes there I'd like to surface the previously skipped violations. That way, we can push a clean-as-you-code approach to fixing policy violations. Just makes it easier for teams to stomach the large initial list of findings, and gives a sustainable way of resolving them over time.
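To make the requested behaviour concrete, here is an added example (not Checkov's code and not something the project ships) of how a baseline entry could be tied to the content of the resource it suppresses. It follows the layout of Checkov's baseline JSON (a "failed_checks" list of files, each with "findings" of resource plus check_ids) and adds a hypothetical "fingerprint" key, a hash of the resource block body. When the fingerprint no longer matches, the skip is dropped and the old findings surface again. The Terraform snippets, the `insecure` resource type and the CKV_PLACEHOLDER check IDs are constructed for this example; the whitespace normalisation is one possible answer to the "does formatting count as a change?" question above.

```python
"""Added example: baseline skips that expire when the covered resource changes.

Checkov's real baseline carries no per-resource fingerprint; the "fingerprint"
key is a hypothetical extension used here only to illustrate the request.
All sample Terraform, resource names and check IDs are constructed.
"""
import hashlib
import json
import re

# Constructed sample: a resource.tf with two resources.
RESOURCE_TF_V1 = '''
resource "insecure" "default" {
  acl = "public-read"
  tags = {
    env = "dev"
  }
}

resource "insecure" "other" {
  acl = "private"
}
'''

# The same file after a developer touched insecure.default (added a tag only).
RESOURCE_TF_V2 = RESOURCE_TF_V1.replace('env = "dev"', 'env = "dev"\n    team = "blue"')

BLOCK_RE = re.compile(r'resource\s+"([^"]+)"\s+"([^"]+)"\s*\{')


def extract_resources(hcl: str) -> dict:
    """Return {"type.name": body} for each top-level resource block (simple brace matching)."""
    out = {}
    for m in BLOCK_RE.finditer(hcl):
        depth, i = 1, m.end()
        while i < len(hcl) and depth:
            depth += {"{": 1, "}": -1}.get(hcl[i], 0)
            i += 1
        out[f"{m.group(1)}.{m.group(2)}"] = hcl[m.end():i - 1]
    return out


def fingerprint(body: str) -> str:
    """Hash the block body with whitespace collapsed, so pure reformatting keeps the skip."""
    canonical = " ".join(body.split())
    return hashlib.sha256(canonical.encode()).hexdigest()


def create_baseline(hcl: str, findings: dict, path: str = "/resource.tf") -> dict:
    """Build a baseline in Checkov's layout plus the hypothetical fingerprint per finding."""
    resources = extract_resources(hcl)
    return {"failed_checks": [{
        "file": path,
        "findings": [
            {"resource": r, "check_ids": sorted(ids), "fingerprint": fingerprint(resources[r])}
            for r, ids in findings.items() if r in resources
        ],
    }]}


def prune_stale(baseline: dict, hcl: str) -> tuple:
    """Drop findings whose resource changed or vanished; return (new_baseline, dropped_resources)."""
    resources = extract_resources(hcl)
    kept, dropped = [], []
    for entry in baseline["failed_checks"]:
        fresh = []
        for finding in entry["findings"]:
            body = resources.get(finding["resource"])
            if body is not None and fingerprint(body) == finding["fingerprint"]:
                fresh.append(finding)
            else:
                dropped.append(finding["resource"])  # skip expires: findings surface again
        kept.append({**entry, "findings": fresh})
    return {"failed_checks": kept}, dropped


if __name__ == "__main__":
    baseline = create_baseline(RESOURCE_TF_V1, {
        "insecure.default": ["CKV_PLACEHOLDER_1"],
        "insecure.other": ["CKV_PLACEHOLDER_2"],
    })
    updated, expired = prune_stale(baseline, RESOURCE_TF_V2)
    print("expired skips:", expired)
    print(json.dumps(updated, indent=2))
```

Running the script against the second version of the file reports `insecure.default` as expired while `insecure.other` keeps its skip; re-indenting the file without touching any values expires nothing, because the fingerprint is computed over whitespace-normalised text. A stricter policy (any byte change invalidates) is the same code with the normalisation removed.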
Thanks for contributing to Checkov! We've automatically marked this issue as stale to keep our issues list tidy, because it has not had any activity for 6 months. It will be closed in 14 days if no further activity occurs. Commenting on this issue will remove the stale tag. If you want to talk through the issue or help us understand the priority and context, feel free to add a comment or join us in the Checkov slack channel at codifiedsecurity.slack.com Thanks!