bridgecrewio / checkov

Prevent cloud misconfigurations and find vulnerabilities during build-time in infrastructure as code, container images and open source packages with Checkov by Bridgecrew.
https://www.checkov.io/
Apache License 2.0
7.02k stars 1.1k forks

Allow k8s skip check annotations in pod template metadata #6469

Open treber-muckrack opened 3 months ago

treber-muckrack commented 3 months ago

Describe the issue: Currently the get_skipped_checks function in kubernetes_utils is only looking at the top level metadata for a given entity - metadata.annotations (https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/kubernetes_utils.py#L78). It would be great if checkov could check for the skip check annotations deeper than this, ideally inside pod template metadata - spec.template.metadata.annotations.

Examples: Some projects like Grafana Pyroscope (as a quick example) only allow annotations in this section, and not in the top level statefulset metadata (ex: https://github.com/grafana/pyroscope/blob/main/operations/pyroscope/helm/pyroscope/templates/deployments-statefulsets.yaml#L31). Currently adding skip-check annotations here doesn't have any impact when Checkov runs, they're ignored.

Version (please complete the following information):
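The behaviour the issue asks for, as an added illustration that is not Checkov's own code: a standalone lookup that collects skip annotations from both the top-level metadata and the pod template metadata of a parsed manifest. It assumes the documented `checkov.io/skipN: CHECK_ID=comment` annotation format; the `ANNOTATION_PATHS` tuple, the `source` field on each result, and the "top-level wins on duplicate check IDs" rule are design choices of this example, and the StatefulSet below is a constructed dict (what `yaml.safe_load` would return for a small manifest), not the Pyroscope chart.

```python
import re
from typing import Any, Optional

# Checkov's documented skip annotation keys look like checkov.io/skip1, checkov.io/skip2, ...
SKIP_KEY_RE = re.compile(r"^checkov\.io/skip\d+$")

# Assumption for this example: annotations are honoured at the top-level metadata
# (what the issue says Checkov reads today) and at the pod template metadata
# (what the issue asks for). Order matters: earlier paths win on duplicate IDs.
ANNOTATION_PATHS = (
    ("metadata", "annotations"),
    ("spec", "template", "metadata", "annotations"),
)


def _dig(obj: Any, path: tuple) -> Optional[Any]:
    """Walk nested dicts along `path`; return None if any step is missing or not a dict."""
    for key in path:
        if not isinstance(obj, dict):
            return None
        obj = obj.get(key)
    return obj


def parse_skip_value(value: Any) -> dict:
    """Split 'CKV_K8S_8=reason' into an id and a suppression comment.

    A bare 'CKV_K8S_8' (no '=') is accepted with a default comment so that a
    missing justification is visible in the output rather than silently dropped.
    """
    check_id, _, comment = str(value).partition("=")
    return {
        "id": check_id.strip(),
        "suppress_comment": comment.strip() or "No comment provided",
    }


def get_skipped_checks(entity: dict) -> list:
    """Return skip entries found at every path in ANNOTATION_PATHS.

    Each entry carries the annotation path it came from so a reviewer can see
    whether a suppression lives on the workload or inside its pod template.
    """
    skipped = []
    seen_ids = set()
    for path in ANNOTATION_PATHS:
        annotations = _dig(entity, path)
        if not isinstance(annotations, dict):
            continue  # e.g. a ConfigMap has no spec.template
        for key, value in annotations.items():
            if not SKIP_KEY_RE.match(str(key)):
                continue  # unrelated annotation such as prometheus.io/scrape
            entry = parse_skip_value(value)
            if not entry["id"] or entry["id"] in seen_ids:
                continue  # empty value or the same check already skipped higher up
            seen_ids.add(entry["id"])
            entry["source"] = ".".join(path)
            skipped.append(entry)
    return skipped


# Constructed sample manifest (already parsed from YAML into a dict).
STATEFULSET = {
    "apiVersion": "apps/v1",
    "kind": "StatefulSet",
    "metadata": {
        "name": "example-db",
        "annotations": {"checkov.io/skip1": "CKV_K8S_8=liveness probe is provided by a sidecar"},
    },
    "spec": {
        "template": {
            "metadata": {
                "annotations": {
                    "prometheus.io/scrape": "true",
                    "checkov.io/skip1": "CKV_K8S_9=readiness probe is provided by a sidecar",
                    "checkov.io/skip2": "CKV_K8S_8=duplicate of the top-level skip",
                }
            },
            "spec": {"containers": [{"name": "db", "image": "example/db:1.0"}]},
        }
    },
}

# Constructed resource with no pod template at all.
CONFIGMAP = {
    "apiVersion": "v1",
    "kind": "ConfigMap",
    "metadata": {"name": "settings", "annotations": {"checkov.io/skip1": "CKV_K8S_21"}},
    "data": {"key": "value"},
}

if __name__ == "__main__":
    for entry in get_skipped_checks(STATEFULSET):
        print(f"{entry['id']:<12} from {entry['source']}: {entry['suppress_comment']}")
```

Running it lists CKV_K8S_8 from `metadata.annotations` and CKV_K8S_9 from `spec.template.metadata.annotations`; the duplicate CKV_K8S_8 inside the template is dropped in favour of the top-level declaration, which keeps the existing top-level behaviour authoritative when both places disagree.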

Saarett commented 3 months ago

Hi @treber-muckrack , thank you for the idea. I’ll leave this issue open to see if there are more requests for it. Of course, a contribution would be welcome :)