Skiping CKV2_GHA_1 is not honoured

[AttilaT]

Describe the issue The inline skip CKV2_GHA_1 is not honoured.

Examples When scanning the below yaml file

name: Default
#checkov:skip=CKV2_GHA_1:Please ignore
permissions: write-all
on:
  workflow_dispatch:
  push:
    branches:
      - main

jobs:
  short-run:
    name: short-run
    runs-on: ${{ vars.LINUX_RUNNER }}
    steps:
      - name: Validate repo
        shell: bash
        run: echo "Hello!"

Version (please complete the following information):

• Checkov is running of release v3.2.74

[naveednawazkhan]

Hi @AttilaT thank you for reaching out. skip_check should come under steps. Please the following example:

Example:

on: [push]
jobs:
  checkov-job:
    runs-on: ubuntu-latest
    name: checkov-action
    steps:
      - name: Checkout repo
        uses: actions/checkout@master

      - name: Run Checkov action
        id: checkov
        uses: bridgecrewio/checkov-action@master
        with:
          directory: example/
          file: example/tfplan.json # optional: provide the path for resource to be scanned. This will override the directory if both are provided.
          check: CKV_AWS_1 # optional: run only a specific check_id. can be comma separated list
          skip_check: CKV_AWS_2 # optional: skip a specific check_id. can be comma separated list
          quiet: true # optional: display only failed checks
          soft_fail: true # optional: do not return an error code if there are failed checks
          framework: terraform # optional: run only on a specific infrastructure {cloudformation,terraform,kubernetes,all}
          skip_framework: terraform # optional: skip a specific infrastructure {cloudformation,terraform,kubernetes,all}
          skip_cve_package: CVE_2019_8331 # optional: skip a specific CVE package in SCA scans, can be comma separated list
          output_format: sarif # optional: the output format, one of: cli, json, junitxml, github_failed_only, or sarif. Default: sarif
          output_file_path: reports/results.sarif # folder and name of results file
          output_bc_ids: true # optional: output Bridgecrew platform IDs instead of checkov IDs
          download_external_modules: true # optional: download external terraform modules from public git repositories and terraform registry
          repo_root_for_plan_enrichment: example/ #optional: Directory containing the hcl code used to generate a given terraform plan file. Use together with `file`
          var_file: ./testdir/gocd.yaml # optional: variable files to load in addition to the default files. Currently only supported for source Terraform and Helm chart scans.
          log_level: DEBUG # optional: set log level. Default WARNING
          config_file: path/this_file
          baseline: cloudformation/.checkov.baseline # optional: Path to a generated baseline file. Will only report results not in the baseline.
          container_user: 1000 # optional: Define what UID and / or what GID to run the container under to prevent permission issues
          use_enforcement_rules: true # optional - use enforcement rule configs from the platform

[naveednawazkhan]

Hi @AttilaT thank you for reaching out. skip_check should come under steps. Please the following example:

Example:

`on: [push] jobs: checkov-job: runs-on: ubuntu-latest name: checkov-action steps:

• name: Checkout repo uses: actions/checkout@master

• name: Run Checkov action id: checkov uses: bridgecrewio/checkov-action@master with: directory: example/ file: example/tfplan.json # optional: provide the path for resource to be scanned. This will override the directory if both are provided. check: CKV_AWS_1 # optional: run only a specific check_id. can be comma separated list skip_check: CKV_AWS_2 # optional: skip a specific check_id. can be comma separated list quiet: true # optional: display only failed checks soft_fail: true # optional: do not return an error code if there are failed checks framework: terraform # optional: run only on a specific infrastructure {cloudformation,terraform,kubernetes,all} skip_framework: terraform # optional: skip a specific infrastructure {cloudformation,terraform,kubernetes,all} skip_cve_package: CVE_2019_8331 # optional: skip a specific CVE package in SCA scans, can be comma separated list output_format: sarif # optional: the output format, one of: cli, json, junitxml, github_failed_only, or sarif. Default: sarif output_file_path: reports/results.sarif # folder and name of results file output_bc_ids: true # optional: output Bridgecrew platform IDs instead of checkov IDs download_external_modules: true # optional: download external terraform modules from public git repositories and terraform registry repo_root_for_plan_enrichment: example/ #optional: Directory containing the hcl code used to generate a given terraform plan file. Use together with file var_file: ./testdir/gocd.yaml # optional: variable files to load in addition to the default files. Currently only supported for source Terraform and Helm chart scans. log_level: DEBUG # optional: set log level. Default WARNING config_file: path/this_file baseline: cloudformation/.checkov.baseline # optional: Path to a generated baseline file. Will only report results not in the baseline. container_user: 1000 # optional: Define what UID and / or what GID to run the container under to prevent permission issues use_enforcement_rules: true # optional - use enforcement rule configs from the platform `

[AttilaT]

It's not a viable solution as that will skip it for all the files being scanned while I only need it for one.

Is it selective when the inline skip works and when not, if yes is there any documentation on it?

[naveednawazkhan]

Please follow this doc.

https://www.checkov.io/2.Basics/Suppressing%20and%20Skipping%20Policies.html

[AttilaT]

Please allow me to re-iterate as the doc is not helping.

I'm scanning a Github workflow yaml file that contains at top level permissions: write-all which is flagged by checkov scanner, and right above it the skip #checkov:skip=CKV2_GHA_1:Please ignore.

This skip doesn't seem to be working.

There are multiple files and only one specific is allowed to use permissions: write-all at top level.

[naveednawazkhan]

Thanks for the details. After internal discussions, we concluded it was a feature request. Feel free to contribute to it.

[AttilaT]

Could you share some details to what would need changing?

[james-garriss]

Verified that this bug still exists today.