Version
v2.0.1

Current Behavior
I attempted to use this Action alongside Checkov, which outputs a SARIF report in a workflow. When doing so, suppressed results showed under the Results section and under the Suppressed section.
Below is a finding which was under both sections, despite being a suppressed finding:

JSON Selector: $.runs[0].results[0]

Expected Behavior
If a finding is suppressed, it should not show under the Results section, but should show under the Suppressed section in the comment.

Steps to Reproduce
.github/workflow/checkov.yml

Additional Information
I noticed that when a finding in Checkov is suppressed, it changes the level from error to warning. Potentially creating the addition of a minimum level threshold would prevent results which are suppressed from showing under the Results section, and configuration for a minimum level threshold under the Suppressed section. For example:

I understand that this is likely due to the implementation of SARIF report generation from Checkov.

Note that also in the SARIF is $.runs[0].tool.driver.rules, which are actually the results which are populated under the Results section in the comment. Here are the contents of $.runs[0].tool.driver.rules[0] as an example:

{
  "id": "CKV_AWS_356",
  "name": "Ensure no IAM policies documents allow \"*\" as a statement's resource for restrictable actions",
  "shortDescription": {
    "text": "Ensure no IAM policies documents allow \"*\" as a statement's resource for restrictable actions"
  },
  "fullDescription": {
    "text": "Ensure no IAM policies documents allow \"*\" as a statement's resource for restrictable actions"
  },
  "help": {
    "text": "Ensure no IAM policies documents allow \"*\" as a statement's resource for restrictable actions\nResource: module.eks_cluster.aws_iam_policy_document.ecr"
  },
  "defaultConfiguration": {
    "level": "error"
  },
  "helpUri": "https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/bc-aws-356"
}
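The partitioning the issue asks for, as an added example that is neither the Action's code nor Checkov's: it splits a SARIF run into the Results and Suppressed sections using the SARIF 2.1.0 suppressions property rather than the level, and applies a separate minimum-level threshold to each section. The sample run is constructed here in the shape of Checkov's output (a suppressed finding downgraded to warning plus live findings); the exact form of Checkov's suppression entry is an assumption.

```python
# SARIF 2.1.0 severity ordering used for the minimum-level thresholds the issue proposes.
LEVEL_RANK = {"none": 0, "note": 1, "warning": 2, "error": 3}

def effective_level(result, rules_by_id):
    """Resolve level as SARIF 2.1.0 does: explicit level wins; non-"fail" kinds are
    "none"; else the rule's defaultConfiguration.level (see the CKV_AWS_356 rule object),
    else "warning"."""
    if "level" in result:
        return result["level"]
    if result.get("kind", "fail") != "fail":
        return "none"
    rule = rules_by_id.get(result.get("ruleId"), {})
    return rule.get("defaultConfiguration", {}).get("level", "warning")

def is_suppressed(result):
    """A result is suppressed when result.suppressions holds an entry whose status is
    absent or "accepted"; "underReview" and "rejected" suppressions are not in effect."""
    return any(s.get("status", "accepted") == "accepted"
               for s in result.get("suppressions", []))

def partition_run(run, min_level="warning", min_suppressed_level="note"):
    """Split one run into (Results, Suppressed) message lists. A suppressed finding never
    reaches Results whatever its level; each section applies its own threshold."""
    rules = run.get("tool", {}).get("driver", {}).get("rules", [])
    rules_by_id = {r["id"]: r for r in rules}
    active, suppressed = [], []
    for result in run.get("results", []):
        level = effective_level(result, rules_by_id)
        if is_suppressed(result):
            if LEVEL_RANK[level] >= LEVEL_RANK[min_suppressed_level]:
                suppressed.append(result["message"]["text"])
        elif LEVEL_RANK[level] >= LEVEL_RANK[min_level]:
            active.append(result["message"]["text"])
    return active, suppressed

# Constructed sample run in the shape of Checkov's SARIF output (the exact suppression
# entry is an assumption): the suppressed finding is downgraded to "warning" and carries a
# suppression, the second is a live error, the third inherits "error" from its rule.
SAMPLE_RUN = {
    "tool": {"driver": {"rules": [
        {"id": "CKV_AWS_356", "defaultConfiguration": {"level": "error"}}]}},
    "results": [
        {"ruleId": "CKV_AWS_356", "level": "warning", "message": {"text": "suppressed finding"},
         "suppressions": [{"kind": "external", "justification": "accepted risk"}]},
        {"ruleId": "CKV_AWS_356", "level": "error", "message": {"text": "live finding"}},
        {"ruleId": "CKV_AWS_356", "message": {"text": "level inherited from rule"}},
    ],
}

if __name__ == "__main__":
    print(partition_run(SAMPLE_RUN))
```

With the defaults the suppressed warning lands only in the Suppressed list; raising min_suppressed_level to error hides it there too without ever letting it into Results.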