bridgecrewio / checkov

Prevent cloud misconfigurations and find vulnerabilities during build-time in infrastructure as code, container images and open source packages with Checkov by Bridgecrew.
https://www.checkov.io/
Apache License 2.0

Incremental baseline #6858

Open asaf92-legit opened 1 week ago

asaf92-legit commented 1 week ago

Describe the feature

Allow the creation of a baseline from a scan that uses a baseline, without ignoring the failed checks in the baseline in the newly created baseline file. Currently we can use --baseline and --create-baseline together, but running a scan using the new baseline will show the previously omitted findings.

Examples

Currently it prints `Created a checkov baseline file at /path/to/.checkov.baseline` followed by `Baseline analysis report using ./.checkov.baseline - only new failed checks with respect to the baseline are reported.` Running another checkov scan with --baseline .checkov.baseline will lead to the older findings from the original baseline being reported.

I suggest adding an option to end up with a new .checkov.baseline file that has the findings from both scans. The motivation is that we want to avoid running checkov twice (once to get the filtered findings, and once to create a combined baseline).
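As an added example (not part of this issue or of the checkov project), a small script that merges an existing baseline with the file --create-baseline writes from a scan run with --baseline, producing the combined baseline the request asks for from a single scan. It assumes the baseline JSON layout (failed_checks, each with a file and findings carrying resource and check_ids); the sample baselines are constructed.

```python
import json

# Constructed sample baselines in the layout checkov writes to .checkov.baseline
# (assumed here; the page does not show the file format).
OLD_BASELINE = {
    "failed_checks": [
        {"file": "/main.tf", "findings": [
            {"resource": "aws_s3_bucket.logs", "check_ids": ["CKV_AWS_18", "CKV_AWS_21"]},
        ]},
    ]
}
# What --create-baseline writes from a scan run with --baseline: only the new findings.
NEW_BASELINE = {
    "failed_checks": [
        {"file": "/main.tf", "findings": [
            {"resource": "aws_s3_bucket.logs", "check_ids": ["CKV_AWS_145"]},
            {"resource": "aws_s3_bucket.data", "check_ids": ["CKV_AWS_18"]},
        ]},
        {"file": "/iam.tf", "findings": [
            {"resource": "aws_iam_policy.admin", "check_ids": ["CKV_AWS_1"]},
        ]},
    ]
}

def merge_baselines(old: dict, new: dict) -> dict:
    """Union of two baselines: per file, per resource, sorted and deduplicated check ids."""
    merged: dict = {}
    for baseline in (old, new):
        for entry in baseline.get("failed_checks", []):
            per_file = merged.setdefault(entry["file"], {})
            for finding in entry.get("findings", []):
                per_file.setdefault(finding["resource"], set()).update(finding["check_ids"])
    # Deterministic output so the merged file diffs cleanly under version control.
    return {"failed_checks": [
        {"file": path, "findings": [{"resource": res, "check_ids": sorted(ids)}
                                    for res, ids in sorted(resources.items())]}
        for path, resources in sorted(merged.items())
    ]}

def merge_baseline_files(old_path: str, new_path: str, out_path: str) -> dict:
    """Merge two baseline files on disk and write the union to out_path."""
    with open(old_path) as f_old, open(new_path) as f_new:
        merged = merge_baselines(json.load(f_old), json.load(f_new))
    with open(out_path, "w") as f_out:
        json.dump(merged, f_out, indent=4)
    return merged

if __name__ == "__main__":
    print(json.dumps(merge_baselines(OLD_BASELINE, NEW_BASELINE), indent=2))
```

Merging is idempotent, so re-running it over an already combined baseline leaves the file unchanged.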