bridgecrewio / checkov

Prevent cloud misconfigurations and find vulnerabilities during build-time in infrastructure as code, container images and open source packages with Checkov by Bridgecrew.
https://www.checkov.io/
Apache License 2.0

checkov skip does not work for CKV2_AZURE_206 #6414

Closed anjum-sajjad closed 3 weeks ago

anjum-sajjad commented 3 weeks ago

Describe the issue

checkov:skip=CKV2_AZURE_206

This command to skip the check for 206 does not work.

Examples

Have added this inside the relevant resource block for storage account as a single command. Checkov does not see it. Also tested as a double skip within a resource block where one command already works; Checkov still doesn't see it.

Lastly, I added the skip command inside the security checkov scan.yml file and it doesn't read it in there either. Have tested with another skip command and that works fine when added to the checkov scan.yml file.

Either way, CKV2_AZURE_206 is not being picked up to skip.

Version: 3.2.127

Additional Info:

TF Resource code below:

    resource "azurerm_storage_account" "this" {
      # checkov:skip=CKV2_AZURE_1: Not needed for this deployment
      name                = var.name
      resource_group_name = var.resource_group_name
      location            = var.location
      account_tier        = var.account_tier
      # checkov:skip=CKV2_AZURE_206: not needed
      account_replication_type  = var.account_replication_type
      account_kind              = var.account_kind
      enable_https_traffic_only = var.enable_https_traffic_only
      is_hns_enabled            = var.is_hns_enabled
      min_tls_version           = "TLS1_2"
      access_tier               = var.access_tier
      tags                      = var.tags_all

      public_network_access_enabled   = false //var.public_access_enabled
      allow_nested_items_to_be_public = false
      shared_access_key_enabled       = false

      sas_policy {
        expiration_period = "90.00:00:00"
        expiration_action = "Log"
      }

      network_rules {
        default_action             = "Deny"
        bypass                     = ["AzureServices"]
        virtual_network_subnet_ids = var.allowed_subnet_ids
        ip_rules                   = var.allowed_ip_ranges
      }
      queue_properties {
        logging {
          delete                = true
          read                  = true
          write                 = true
          version               = "1.0"
          retention_policy_days = 30
        }
      }

      // Add this block to enable soft delete
      blob_properties {
        delete_retention_policy {
          days = 30 // Number of days for soft delete retention
        }
      }
    }

**The checkov command used inside the scan.yml file is below:**

    checkov -d ./ --framework terraform --skip-check CKV2_AZURE_206

Output showing the error after the code is committed and the checkov scan is done:

    Check: CKV_AZURE_206: "Ensure that Storage Accounts use replication"
        FAILED for resource: module.aml_sa.azurerm_storage_account.this
        File: \modules\storage_account\main.tf:1-47
        Calling File: \main.tf:198-212
        Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/azure-policies/azure-general-policies/azr-general-206

    1  | resource "azurerm_storage_account" "this" {
    2  |   # checkov:skip=CKV2_AZURE_1: Not needed for this deployment
    3  |   name                = var.name
    4  |   resource_group_name = var.resource_group_name
    5  |   location            = var.location
    6  |   account_tier        = var.account_tier
    7  |   # checkov:skip=CKV2_AZURE_206: not needed
    8  |   account_replication_type  = var.account_replication_type
    9  |   account_kind              = var.account_kind
    10 |   enable_https_traffic_only = var.enable_https_traffic_only
    11 |   is_hns_enabled            = var.is_hns_enabled
    12 |   min_tls_version           = "TLS1_2"
    13 |   access_tier               = var.access_tier
    14 |   tags                      = var.tags_all
    15 | 
    16 |   public_network_access_enabled   = false //var.public_access_enabled
    17 |   allow_nested_items_to_be_public = false
    18 |   shared_access_key_enabled       = false
    19 | 
    20 |   sas_policy {
    21 |     expiration_period = "90.00:00:00"
    22 |     expiration_action = "Log"
    23 |   }
    24 | 
    25 |   network_rules {
    26 |     default_action             = "Deny"
    27 |     bypass                     = ["AzureServices"]
    28 |     virtual_network_subnet_ids = var.allowed_subnet_ids
    29 |     ip_rules                   = var.allowed_ip_ranges
    30 |   }
    31 |   queue_properties {
    32 |     logging {
    33 |       delete                = true
    34 |       read                  = true
    35 |       write                 = true
    36 |       version               = "1.0"
    37 |       retention_policy_days = 30
    38 |     }
    39 |   }
    40 | 
    41 |   // Add this block to enable soft delete 
    42 |   blob_properties {
    43 |     delete_retention_policy {
    44 |       days = 30 // Number of days for soft delete retention 
    45 |     }
    46 |   }
    47 | }

maxamel commented 3 weeks ago

Seems that you're skipping CKV2_AZURE_206 but the check is CKV_AZURE_206. Checkov does not have different skip logic for different checks.
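A small lint that catches exactly this mix-up, added here as an example and not code from checkov or from anyone in this thread: it collects the IDs written in `checkov:skip` comments, compares them with the check IDs checkov actually reported for the scan, and for every skip that matched nothing suggests reported IDs that differ only in the CKV/CKV2 prefix. The regexes, the `_family` helper and the two sample inputs are all assumptions constructed for the example, not checkov's own API.

```python
import re
from typing import Dict, List, Set

# Inline suppression comments, e.g. "# checkov:skip=CKV_AZURE_206: reason".
SKIP_RE = re.compile(r"checkov:skip=(?P<check_id>[A-Z0-9_]+)")
# "Check: <ID>:" header lines in checkov's CLI output (passed, failed or skipped).
RESULT_RE = re.compile(r"^Check:\s+(?P<check_id>[A-Z0-9_]+):", re.MULTILINE)

def _family(check_id: str) -> str:
    # Collapse the digit after CKV so CKV2_AZURE_206 and CKV_AZURE_206 compare equal.
    return re.sub(r"^CKV\d*_", "CKV_", check_id)

def skip_ids_in_file(hcl_text: str) -> Set[str]:
    """Every check ID referenced by a checkov:skip comment in the file."""
    return {m.group("check_id") for m in SKIP_RE.finditer(hcl_text)}

def reported_check_ids(checkov_output: str) -> Set[str]:
    """Every check ID in the scan output. Run checkov without --quiet or
    --compact, otherwise SKIPPED results are not printed and cannot be matched."""
    return {m.group("check_id") for m in RESULT_RE.finditer(checkov_output)}

def find_mismatched_skips(hcl_text: str, checkov_output: str) -> Dict[str, List[str]]:
    """Map each skip ID that matches no reported check to the reported IDs that
    differ only in the CKV/CKV2 prefix, i.e. the likely intended check."""
    reported = reported_check_ids(checkov_output)
    by_family: Dict[str, List[str]] = {}
    for cid in reported:
        by_family.setdefault(_family(cid), []).append(cid)
    return {skip: sorted(by_family.get(_family(skip), []))
            for skip in skip_ids_in_file(hcl_text) - reported}

# Constructed sample input, cut down from the resource and output in this issue.
SAMPLE_TF = """\
resource "azurerm_storage_account" "this" {
  # checkov:skip=CKV2_AZURE_1: Not needed for this deployment
  name = var.name
  # checkov:skip=CKV2_AZURE_206: not needed
  account_replication_type = var.account_replication_type
}
"""
SAMPLE_OUTPUT = """\
Check: CKV2_AZURE_1: "(title omitted in this constructed sample)"
\tSKIPPED for resource: azurerm_storage_account.this
Check: CKV_AZURE_206: "Ensure that Storage Accounts use replication"
\tFAILED for resource: module.aml_sa.azurerm_storage_account.this
"""

if __name__ == "__main__":
    for skip, hints in find_mismatched_skips(SAMPLE_TF, SAMPLE_OUTPUT).items():
        print(f"skip {skip} matched no reported check; did you mean {hints}?")
```

The same comparison applies to IDs passed on the command line with `--skip-check`, as in the scan.yml above: an ID that never appears in the output as SKIPPED has suppressed nothing.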

anjum-sajjad commented 3 weeks ago

Thanks for pointing that out, this has fixed the issue.