Open tberreis opened 5 months ago
The flag name was always misleading, it is more like an ignore-check flag. It will never be checked and therefore you won't find it in a report.
Hi @gruebel, Thank you for your reply.
As documented in Reviewing Scan Results, the counter increases when adding a # checkov:skip
to the code directly, and I don't understand why this is handled differently in the code than adding the same exclude as a parameter. In my opinion the meaning is exactly the same: suppress any warning for that specific rule.
This should be reworked or at least documented. Maybe it's a good idea to rename the parameter and deprecate the old one?
You can also fine-tune which checks run or do not run for the overall scan using the --check and --skip-check flags. You can use these flags to specify check IDs (or wildcards) and / or check severities (if using the platform integration). Any skipped check will simply not run at all and will not appear in the output.
Thank you for pointing me in the right direction. With this discussion in mind, it makes sense to me now, but as you already mentioned, the implementation of the parameter is a bit misleading.
Would it be possible to use this issue as a feature request to either rename the parameter or to make it possible to include the skipped checks in the overall report? It could be an optional configuration flag or the like, so as not to break the current usage. Or should I rather create a new issue for the desired behavior while being as descriptive as possible?
In my use case I have lots of CI/CD pipelines which consume these skips via a GitLab CI/CD variable, and it would be great for the end users to see that, and how many, rules have been skipped.
Tagging @tsmithv11 for visibility
Describe the issue
As documented here, we are able to skip checks by using the parameter '--skip-check SKIP_CHECK'. This works as expected, but it seems these skips are not included in the overall report.
The corresponding line of code when building the report here seems never to be reached when the check is skipped.
Examples
Terraform file to be checked
Output when checking everything
Output when skipping all checks matching 'CKV2*'
The scan result for both examples shows 0 skipped checks, which is misleading, at least in my opinion:
Passed checks: 7, Failed checks: 8, Skipped checks: 0
Passed checks: 6, Failed checks: 3, Skipped checks: 0
Adding a single line of logging to the function add_record like
logging.info(record.check_result)
I can see only those checks which succeeded or failed:
Version (please complete the following information):
Additional context
-/-
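The thread above establishes that checkov counts only inline `# checkov:skip` suppressions as "Skipped checks", while checks excluded with `--skip-check` never run and leave no trace in the report. Until the tool itself surfaces them, a pipeline can recover the number by diffing a baseline run (no `--skip-check`) against the filtered run. The script below is an added example and is not code from checkov or from the issue author. It assumes the layout written by `checkov -o json` (a dict, or a list of dicts for several frameworks, each with `results.passed_checks`, `failed_checks` and `skipped_checks` whose entries carry `check_id` and `resource`) and assumes `--skip-check` wildcards behave like shell globs; both are assumptions, and the two embedded reports are constructed to match the counts quoted in the issue, not real scan output.

```python
"""Count the checks a checkov run dropped via --skip-check (added example, not checkov code).

Assumed report layout: the one written by `checkov -o json`. The sample reports
below are constructed to reproduce the issue's counts (7/8/0 and 6/3/0).
"""
import fnmatch
import json
from typing import Dict, Iterable, List, Optional, Set, Tuple

Record = Tuple[str, str]  # (check_id, resource)


def _rec(check_id: str, result: str, resource: str = "aws_s3_bucket.example") -> dict:
    """One constructed result record in the shape checkov emits (assumption)."""
    return {"check_id": check_id, "resource": resource, "check_result": {"result": result}}


def _report(passed: list, failed: list, skipped: Optional[list] = None) -> dict:
    skipped = skipped or []
    return {
        "check_type": "terraform",
        "results": {"passed_checks": passed, "failed_checks": failed,
                    "skipped_checks": skipped, "parsing_errors": []},
        "summary": {"passed": len(passed), "failed": len(failed), "skipped": len(skipped)},
    }


# Constructed baseline run (no --skip-check): 7 passed, 8 failed, 0 skipped.
FULL_REPORT = _report(
    passed=[_rec(f"CKV_AWS_{i}", "PASSED") for i in range(1, 7)] + [_rec("CKV2_AWS_1", "PASSED")],
    failed=[_rec(f"CKV_AWS_{i}", "FAILED") for i in range(7, 10)]
    + [_rec(f"CKV2_AWS_{i}", "FAILED") for i in range(2, 7)],
)
# Constructed run of the same file with `--skip-check CKV2*`: the CKV2 records are simply absent.
FILTERED_REPORT = _report(
    passed=[_rec(f"CKV_AWS_{i}", "PASSED") for i in range(1, 7)],
    failed=[_rec(f"CKV_AWS_{i}", "FAILED") for i in range(7, 10)],
)


def load_report(path: str):
    """Read a `checkov -o json` file (dict, or list of dicts for several frameworks)."""
    with open(path, encoding="utf-8") as fh:
        return json.load(fh)


def _records(report) -> Dict[str, Set[Record]]:
    """Flatten one or more framework reports into {bucket: {(check_id, resource)}}."""
    buckets: Dict[str, Set[Record]] = {
        "passed_checks": set(), "failed_checks": set(), "skipped_checks": set()}
    for framework in (report if isinstance(report, list) else [report]):
        results = framework.get("results", {})
        for bucket in buckets:
            for rec in results.get(bucket, []):
                buckets[bucket].add((rec["check_id"], rec["resource"]))
    return buckets


def matches_skip(check_id: str, skip_patterns: Iterable[str]) -> bool:
    """True when check_id is covered by a --skip-check entry.
    Assumption: wildcards behave like shell globs, so CKV2* covers CKV2_AWS_1."""
    return any(fnmatch.fnmatchcase(check_id, pat) for pat in skip_patterns)


def summarize(full_report, filtered_report, skip_patterns: Iterable[str]) -> dict:
    """Compare a baseline and a --skip-check run; attribute vanished records to the flag."""
    patterns: List[str] = list(skip_patterns)
    full, filtered = _records(full_report), _records(filtered_report)
    seen_full: Set[Record] = set().union(*full.values())
    seen_filtered: Set[Record] = set().union(*filtered.values())
    removed = seen_full - seen_filtered
    by_flag = {r for r in removed if matches_skip(r[0], patterns)}
    return {
        "passed": len(filtered["passed_checks"]),
        "failed": len(filtered["failed_checks"]),
        "skipped_inline": len(filtered["skipped_checks"]),
        "skipped_by_flag": len(by_flag),
        "skipped_check_ids": sorted({cid for cid, _ in by_flag}),
        # Records that vanished but match no pattern: the input changed, not the flag.
        "unexplained": sorted(removed - by_flag),
    }


def render(summary: dict, skip_patterns: Iterable[str]) -> str:
    """One line in the style of checkov's own summary, with the flag skips added."""
    return (f"Passed checks: {summary['passed']}, Failed checks: {summary['failed']}, "
            f"Skipped checks: {summary['skipped_inline']} (inline), "
            f"{summary['skipped_by_flag']} (via --skip-check {' '.join(skip_patterns)})")


if __name__ == "__main__":
    print(render(summarize(FULL_REPORT, FILTERED_REPORT, ["CKV2*"]), ["CKV2*"]))
```

In a pipeline this means two `checkov -o json` invocations (one without `--skip-check`, one with the GitLab variable expanded) and a `summarize(load_report(...), load_report(...), skip_list)` call. The `unexplained` list is the sanity check: any record that disappeared without matching the skip list was lost for another reason and should fail the job rather than be reported as a skip.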