Provide a way to ignore specific resources

[schnipseljagd]

Hello!

To make this more useful it would be good to have a way to ignore specific resources for a check.

E.g. the check that a security-group shouldn't allow ingress from 0.0.0.0 is generally really useful and I want it to continue to check all security groups but the one resource that allows internet traffic to my web-service it should ignore.

[aureq]

@schnipseljagd do you have any suggestions on how this could work? Would it be based on the resource name? tags perhaps (though not all resources support tags)?

[ZacHigi]

@aureq I think tags would be a good way to handle this. We have some tag-based exception policies for cloud resources, and the process of getting a tag to use has its own internal procedures and reviews, but assuming an engineer gets one it's as simple as putting the tag on the excepted resources.

From the purposes of the scanning tool's generic capability, it allows us to exclude findings based on the presence of a specific tag, and that would be nice to extend that to policy-as-code in a systemic way.

As it stands to achieve this, it seems like we'd take any rules trigger that we have an exception tag for, disable them, and replace them with a custom rule that has the same message, but with the extra logic to not invalidate if the tag is present.

[aureq]

@ZacHigi This is interesting! How do you handle situations where a resource doesn't support tags but needs to be excluded?

[ZacHigi]

@ZacHigi This is interesting! How do you handle situations where a resource doesn't support tags but needs to be excluded?

It's never come up. The finding having enough mitigations to warrant an exception tag is rare, and resources that don't support tags are also rare.

I suppose if it did, I'd start looking to add the resource name itself to some kind of allow list, but that starts getting very specific as we generally lean into Pulumi's auto-naming strategy.