checkov
Skipping CKV2_GHA_1 is not honoured
Describe the issue

The inline skip `CKV2_GHA_1` is not honoured.

Examples

When scanning the below yaml file:

```yaml
name: Default
#checkov:skip=CKV2_GHA_1:Please ignore
permissions: write-all
on:
  workflow_dispatch:
  push:
    branches:
      - main
jobs:
  short-run:
    name: short-run
    runs-on: ${{ vars.LINUX_RUNNER }}
    steps:
      - name: Validate repo
        shell: bash
        run: echo "Hello!"
```

Version (please complete the following information):

- Checkov is running on release v3.2.74
Hi @AttilaT thank you for reaching out. skip_check should come under steps. Please see the following example:

Example:

```yaml
on: [push]
jobs:
  checkov-job:
    runs-on: ubuntu-latest
    name: checkov-action
    steps:
      - name: Checkout repo
        uses: actions/checkout@master
      - name: Run Checkov action
        id: checkov
        uses: bridgecrewio/checkov-action@master
        with:
          directory: example/
          file: example/tfplan.json # optional: provide the path for resource to be scanned. This will override the directory if both are provided.
          check: CKV_AWS_1 # optional: run only a specific check_id. can be comma separated list
          skip_check: CKV_AWS_2 # optional: skip a specific check_id. can be comma separated list
          quiet: true # optional: display only failed checks
          soft_fail: true # optional: do not return an error code if there are failed checks
          framework: terraform # optional: run only on a specific infrastructure {cloudformation,terraform,kubernetes,all}
          skip_framework: terraform # optional: skip a specific infrastructure {cloudformation,terraform,kubernetes,all}
          skip_cve_package: CVE_2019_8331 # optional: skip a specific CVE package in SCA scans, can be comma separated list
          output_format: sarif # optional: the output format, one of: cli, json, junitxml, github_failed_only, or sarif. Default: sarif
          output_file_path: reports/results.sarif # folder and name of results file
          output_bc_ids: true # optional: output Bridgecrew platform IDs instead of checkov IDs
          download_external_modules: true # optional: download external terraform modules from public git repositories and terraform registry
          repo_root_for_plan_enrichment: example/ # optional: Directory containing the hcl code used to generate a given terraform plan file. Use together with `file`
          var_file: ./testdir/gocd.yaml # optional: variable files to load in addition to the default files. Currently only supported for source Terraform and Helm chart scans.
          log_level: DEBUG # optional: set log level. Default WARNING
          config_file: path/this_file
          baseline: cloudformation/.checkov.baseline # optional: Path to a generated baseline file. Will only report results not in the baseline.
          container_user: 1000 # optional: Define what UID and / or what GID to run the container under to prevent permission issues
          use_enforcement_rules: true # optional - use enforcement rule configs from the platform
```
It's not a viable solution, as that will skip it for all the files being scanned, while I only need it for one.

Is it selective when the inline skip works and when it does not? If yes, is there any documentation on it?
Please follow this doc.
https://www.checkov.io/2.Basics/Suppressing%20and%20Skipping%20Policies.html
Please allow me to reiterate, as the doc is not helping.

I'm scanning a GitHub workflow yaml file that contains at top level `permissions: write-all`, which is flagged by the checkov scanner, and right above it the skip `#checkov:skip=CKV2_GHA_1:Please ignore`. This skip doesn't seem to be working.

There are multiple files and only one specific one is allowed to use `permissions: write-all` at top level.
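To make the two suppression scopes discussed in this thread concrete, here is an added illustration that is not checkov's implementation and not code posted by anyone above. It performs a line-based scan for the condition the reporter describes (an unindented `permissions: write-all` in a workflow file), honours a `#checkov:skip=<CHECK_ID>:<comment>` directive placed directly above the flagged key, and contrasts that per-file behaviour with a file-wide skip list standing in for the action's `skip_check` input. The workflow texts are constructed samples, and the check ID `CKV2_GHA_1` is taken from the issue title; how checkov itself attaches inline comments to YAML nodes is not shown here.

```python
"""Constructed illustration of inline vs. file-wide suppression for CKV2_GHA_1.

Not checkov's code: a line-based scan that flags a top-level ``permissions: write-all``
in a GitHub Actions workflow, honours a ``#checkov:skip=<CHECK_ID>:<comment>`` directive
directly above the flagged key, and models a file-wide skip list (like ``skip_check``).
"""
import re
from dataclasses import dataclass
from typing import Iterable, List, Optional

CHECK_ID = "CKV2_GHA_1"  # check ID from the issue title (top-level write-all permissions)

# Inline suppression syntax as used in the thread: #checkov:skip=CKV2_GHA_1:Please ignore
SKIP_RE = re.compile(r"^\s*#\s*checkov:skip=(?P<check>[A-Za-z0-9_]+)(?::(?P<comment>.*))?$")
# Unindented (top-level) permissions key whose scalar value is write-all
WRITE_ALL_RE = re.compile(r"^permissions:\s*write-all\s*(#.*)?$")


@dataclass
class Finding:
    check_id: str
    line_no: int            # 1-based line of the offending key
    suppressed: bool
    reason: Optional[str]   # suppression comment or skip source, None if reported


def inline_skip_comment(lines: List[str], idx: int, check_id: str) -> Optional[str]:
    """Return the skip comment for check_id if a skip directive sits directly above lines[idx]."""
    j = idx - 1
    while j >= 0:
        stripped = lines[j].strip()
        if not stripped:
            j -= 1            # tolerate blank lines between the comment block and the key
            continue
        m = SKIP_RE.match(stripped)
        if not m:
            break             # any non-skip line ends the comment block attached to the key
        if m.group("check") == check_id:
            return (m.group("comment") or "").strip()
        j -= 1               # a skip for a different check; keep looking upward
    return None


def evaluate(workflow_text: str, global_skips: Iterable[str] = ()) -> List[Finding]:
    """Scan one workflow file and return CKV2_GHA_1 findings with their suppression status."""
    skips = set(global_skips)
    lines = workflow_text.splitlines()
    findings: List[Finding] = []
    for idx, line in enumerate(lines):
        if not WRITE_ALL_RE.match(line):
            continue          # indented (job-level) permissions are out of scope for this check
        reason = inline_skip_comment(lines, idx, CHECK_ID)
        if reason is not None:
            findings.append(Finding(CHECK_ID, idx + 1, True, reason))
        elif CHECK_ID in skips:
            findings.append(Finding(CHECK_ID, idx + 1, True, "skipped in every file via skip_check"))
        else:
            findings.append(Finding(CHECK_ID, idx + 1, False, None))
    return findings


def summarize(workflow_text: str, global_skips: Iterable[str] = ()) -> tuple:
    """Return (reported, suppressed) counts for one file."""
    findings = evaluate(workflow_text, global_skips)
    reported = sum(1 for f in findings if not f.suppressed)
    return reported, len(findings) - reported


# Constructed sample workflows (not files from the reporter's repository)
WORKFLOW_WITH_SKIP = """\
name: Default
#checkov:skip=CKV2_GHA_1:Please ignore
permissions: write-all
on:
  push:
    branches: [main]
jobs:
  short-run:
    runs-on: ubuntu-latest
    steps:
      - run: echo "Hello!"
"""
WORKFLOW_NO_SKIP = WORKFLOW_WITH_SKIP.replace("#checkov:skip=CKV2_GHA_1:Please ignore\n", "")
WORKFLOW_READ_ONLY = WORKFLOW_NO_SKIP.replace("permissions: write-all", "permissions: read-all")

if __name__ == "__main__":
    samples = [("inline skip", WORKFLOW_WITH_SKIP), ("no skip", WORKFLOW_NO_SKIP),
               ("read-all", WORKFLOW_READ_ONLY)]
    for name, text in samples:
        for f in evaluate(text):
            status = f"suppressed ({f.reason})" if f.suppressed else "FAILED"
            print(f"{name}: {f.check_id} line {f.line_no}: {status}")
    # A file-wide skip_check silences the check in the file that has no inline skip too,
    # which is exactly the over-broad effect the reporter wants to avoid.
    print("skip_check applied to the 'no skip' file:", summarize(WORKFLOW_NO_SKIP, {CHECK_ID}))
```

Run as a script, it reports the unsuppressed file and shows the suppressed one with its comment; the last line shows that the file-wide skip removes the finding from every file, whereas the inline directive only affects the file it sits in.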
Thanks for the details. After internal discussions, we concluded it was a feature request. Feel free to contribute to it.
Could you share some details to what would need changing?