search

bridgecrewio / checkov

Prevent cloud misconfigurations and find vulnerabilities during build-time in infrastructure as code, container images and open source packages with Checkov by Bridgecrew.
https://www.checkov.io/
Apache License 2.0
6.84k stars 1.09k forks source link

Skiping CKV2_GHA_1 is not honoured #6216

Open AttilaT opened 4 months ago

AttilaT commented 4 months ago

Describe the issue The inline skip CKV2_GHA_1 is not honoured.

Examples When scanning the below yaml file

name: Default
#checkov:skip=CKV2_GHA_1:Please ignore
permissions: write-all
on:
  workflow_dispatch:
  push:
    branches:
      - main

jobs:
  short-run:
    name: short-run
    runs-on: ${{ vars.LINUX_RUNNER }}
    steps:
      - name: Validate repo
        shell: bash
        run: echo "Hello!"

Version (please complete the following information):

naveednawazkhan commented 4 months ago

Hi @AttilaT thank you for reaching out. skip_check should come under steps. Please the following example:

Example:

on: [push]
jobs:
  checkov-job:
    runs-on: ubuntu-latest
    name: checkov-action
    steps:
      - name: Checkout repo
        uses: actions/checkout@master

      - name: Run Checkov action
        id: checkov
        uses: bridgecrewio/checkov-action@master
        with:
          directory: example/
          file: example/tfplan.json # optional: provide the path for resource to be scanned. This will override the directory if both are provided.
          check: CKV_AWS_1 # optional: run only a specific check_id. can be comma separated list
          skip_check: CKV_AWS_2 # optional: skip a specific check_id. can be comma separated list
          quiet: true # optional: display only failed checks
          soft_fail: true # optional: do not return an error code if there are failed checks
          framework: terraform # optional: run only on a specific infrastructure {cloudformation,terraform,kubernetes,all}
          skip_framework: terraform # optional: skip a specific infrastructure {cloudformation,terraform,kubernetes,all}
          skip_cve_package: CVE_2019_8331 # optional: skip a specific CVE package in SCA scans, can be comma separated list
          output_format: sarif # optional: the output format, one of: cli, json, junitxml, github_failed_only, or sarif. Default: sarif
          output_file_path: reports/results.sarif # folder and name of results file
          output_bc_ids: true # optional: output Bridgecrew platform IDs instead of checkov IDs
          download_external_modules: true # optional: download external terraform modules from public git repositories and terraform registry
          repo_root_for_plan_enrichment: example/ #optional: Directory containing the hcl code used to generate a given terraform plan file. Use together with `file`
          var_file: ./testdir/gocd.yaml # optional: variable files to load in addition to the default files. Currently only supported for source Terraform and Helm chart scans.
          log_level: DEBUG # optional: set log level. Default WARNING
          config_file: path/this_file
          baseline: cloudformation/.checkov.baseline # optional: Path to a generated baseline file. Will only report results not in the baseline.
          container_user: 1000 # optional: Define what UID and / or what GID to run the container under to prevent permission issues
          use_enforcement_rules: true # optional - use enforcement rule configs from the platform
naveednawazkhan commented 4 months ago

Hi @AttilaT thank you for reaching out. skip_check should come under steps. Please the following example:

Example:

`on: [push] jobs: checkov-job: runs-on: ubuntu-latest name: checkov-action steps:

AttilaT commented 4 months ago

It's not a viable solution as that will skip it for all the files being scanned while I only need it for one.

Is it selective when the inline skip works and when not, if yes is there any documentation on it?

naveednawazkhan commented 4 months ago

Please follow this doc.

https://www.checkov.io/2.Basics/Suppressing%20and%20Skipping%20Policies.html

AttilaT commented 4 months ago

Please allow me to re-iterate as the doc is not helping.

I'm scanning a Github workflow yaml file that contains at top level permissions: write-all which is flagged by checkov scanner, and right above it the skip #checkov:skip=CKV2_GHA_1:Please ignore.

This skip doesn't seem to be working.

There are multiple files and only one specific is allowed to use permissions: write-all at top level.

naveednawazkhan commented 3 months ago

Thanks for the details. After internal discussions, we concluded it was a feature request. Feel free to contribute to it.

AttilaT commented 3 months ago

Could you share some details to what would need changing?