
Skipping CKV2_GHA_1 is not honoured #6216

Open
AttilaT opened this issue Apr 26, 2024 · 7 comments
Labels
contribution requested This is a great feature idea, but we will need a contribution to get it added to Checkov. skips

Comments

@AttilaT

AttilaT commented Apr 26, 2024

Describe the issue
The inline skip CKV2_GHA_1 is not honoured.

Examples
When scanning the YAML file below:

name: Default
#checkov:skip=CKV2_GHA_1:Please ignore
permissions: write-all
on:
  workflow_dispatch:
  push:
    branches:
      - main

jobs:
  short-run:
    name: short-run
    runs-on: ${{ vars.LINUX_RUNNER }}
    steps:
      - name: Validate repo
        shell: bash
        run: echo "Hello!"

Version (please complete the following information):

  • Checkov is running on release v3.2.74
@AttilaT AttilaT added the skips label Apr 26, 2024
@naveednawazkhan
Contributor

naveednawazkhan commented Apr 26, 2024

Hi @AttilaT, thank you for reaching out. skip_check should come under steps. Please see the following example:

Example:

on: [push]
jobs:
  checkov-job:
    runs-on: ubuntu-latest
    name: checkov-action
    steps:
      - name: Checkout repo
        uses: actions/checkout@master

      - name: Run Checkov action
        id: checkov
        uses: bridgecrewio/checkov-action@master
        with:
          directory: example/
          file: example/tfplan.json # optional: provide the path for resource to be scanned. This will override the directory if both are provided.
          check: CKV_AWS_1 # optional: run only a specific check_id. can be comma separated list
          skip_check: CKV_AWS_2 # optional: skip a specific check_id. can be comma separated list
          quiet: true # optional: display only failed checks
          soft_fail: true # optional: do not return an error code if there are failed checks
          framework: terraform # optional: run only on a specific infrastructure {cloudformation,terraform,kubernetes,all}
          skip_framework: terraform # optional: skip a specific infrastructure {cloudformation,terraform,kubernetes,all}
          skip_cve_package: CVE_2019_8331 # optional: skip a specific CVE package in SCA scans, can be comma separated list
          output_format: sarif # optional: the output format, one of: cli, json, junitxml, github_failed_only, or sarif. Default: sarif
          output_file_path: reports/results.sarif # folder and name of results file
          output_bc_ids: true # optional: output Bridgecrew platform IDs instead of checkov IDs
          download_external_modules: true # optional: download external terraform modules from public git repositories and terraform registry
          repo_root_for_plan_enrichment: example/ #optional: Directory containing the hcl code used to generate a given terraform plan file. Use together with `file`
          var_file: ./testdir/gocd.yaml # optional: variable files to load in addition to the default files. Currently only supported for source Terraform and Helm chart scans.
          log_level: DEBUG # optional: set log level. Default WARNING
          config_file: path/this_file
          baseline: cloudformation/.checkov.baseline # optional: Path to a generated baseline file. Will only report results not in the baseline.
          container_user: 1000 # optional: Define what UID and / or what GID to run the container under to prevent permission issues
          use_enforcement_rules: true # optional - use enforcement rule configs from the platform


@AttilaT
Author

AttilaT commented Apr 29, 2024

It's not a viable solution as that will skip it for all the files being scanned while I only need it for one.

Is it selective as to when the inline skip works and when it does not? If yes, is there any documentation on it?

@naveednawazkhan
Contributor

@AttilaT
Copy link
Author

AttilaT commented Apr 30, 2024

Please allow me to reiterate, as the doc is not helping.

I'm scanning a GitHub workflow YAML file that contains at top level permissions: write-all, which is flagged by the checkov scanner, and right above it the skip #checkov:skip=CKV2_GHA_1:Please ignore.

This skip doesn't seem to be working.

There are multiple files and only one specific is allowed to use permissions: write-all at top level.

@naveednawazkhan
Contributor

Thanks for the details. After internal discussions, we concluded it was a feature request. Feel free to contribute to it.

@tsmithv11 tsmithv11 added the contribution requested This is a great feature idea, but we will need a contribution to get it added to Checkov. label May 9, 2024
@AttilaT
Author

AttilaT commented May 9, 2024

Could you share some details as to what would need changing?
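As an added illustration of the behaviour this issue asks for (example code written here, not Checkov's own implementation): a minimal checker that flags a top-level `permissions: write-all` in a workflow file and honours a file-level `#checkov:skip=CKV2_GHA_1:<reason>` comment, so the suppression is scoped to that one file rather than to the whole scan. The function and type names are hypothetical, and the sample workflow is constructed from the one in the issue.

```python
import re
from typing import NamedTuple, Optional, List, Dict

# Inline skip comment, as used in the issue: "#checkov:skip=CKV2_GHA_1:Please ignore"
SKIP_RE = re.compile(r"^\s*#\s*checkov:skip=([A-Za-z0-9_]+)(?::(.*))?\s*$")
# Unindented "permissions:" key, i.e. the workflow's top-level permissions only.
TOP_PERMISSIONS_RE = re.compile(r"^permissions:\s*(\S+)\s*$")
CHECK_ID = "CKV2_GHA_1"  # Checkov's "top-level permissions must not be write-all" check

class Finding(NamedTuple):
    check_id: str
    line: int            # 1-based line of the offending key
    suppressed: bool     # True when a matching skip comment exists in the file
    reason: Optional[str]

def collect_skips(lines: List[str]) -> Dict[str, str]:
    """Map check id -> justification for every skip comment in this file."""
    skips: Dict[str, str] = {}
    for text in lines:
        m = SKIP_RE.match(text)
        if m:
            skips[m.group(1)] = (m.group(2) or "").strip()
    return skips

def check_top_level_permissions(workflow_text: str) -> List[Finding]:
    """Report top-level 'permissions: write-all', marking it suppressed if the
    file carries a skip comment for CHECK_ID (anywhere in the file)."""
    lines = workflow_text.splitlines()
    skips = collect_skips(lines)
    findings = []
    for n, text in enumerate(lines, 1):
        m = TOP_PERMISSIONS_RE.match(text)
        if m and m.group(1).strip("'\"") == "write-all":
            findings.append(Finding(CHECK_ID, n, CHECK_ID in skips, skips.get(CHECK_ID)))
    return findings

def has_unsuppressed(findings: List[Finding]) -> bool:
    """True if any finding still fails, i.e. the scan should exit non-zero."""
    return any(not f.suppressed for f in findings)

# Constructed sample: the workflow from the issue, trimmed to the relevant keys.
WORKFLOW_WITH_SKIP = """\
name: Default
#checkov:skip=CKV2_GHA_1:Please ignore
permissions: write-all
on:
  workflow_dispatch:
jobs:
  short-run:
    runs-on: ubuntu-latest
    steps:
      - run: echo "Hello!"
"""
```

Running `check_top_level_permissions(WORKFLOW_WITH_SKIP)` yields one finding on line 3 marked suppressed with reason "Please ignore"; removing the skip comment makes the same finding fail.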

Development

No branches or pull requests

3 participants