--check and --skip-check lists defined in files

To further illustrate the point I was trying to make, I established a very simple/checkov-compatible initial data contract for exceptions, such as:

[{
  "policyId": "CKV_AWS_62",
  "comment": "Spike testing suppression",
  "resourceType": "aws_iam_policy",
  "resourceName": "iac_poc"
}]

Now we just need a mechanism (currently) to get those suppressions in-line (although my preference would lean towards a new mechanism where skips could be passed automatically to the filter where they’re utilized). However, the current model can be processed by a shell script such as:

#!/usr/bin/env bash

grep_result=$(grep --exclude=process_exceptions.sh --exclude-dir=.git --exclude-dir=.terraform -r ".*checkov:skip=.*" .)

if [ $? -eq 1 ]; then
  echo "Phew, nobody messes with checkov."
else
  echo "Uh oh, someone is already trying to get by checkov."
  exit 1
fi

exceptions=$(cat exceptions.json | jq -r '.[] | @base64')

for exception in $exceptions; do
  _jq() {
    echo ${exception} | base64 --decode | jq -r ${1}
  }
  policyId=$(_jq '.policyId')
  comment=$(_jq '.comment')
  resourceType=$(_jq '.resourceType')
  resourceName=$(_jq '.resourceName')
  insert="#checkov:skip=$policyId:$comment"
  match='(^resource[ \t]*\"'"$resourceType"'\"[ \t]*\"'"$resourceName"'\".*$)'

  if [ "$(uname)" == "Darwin" ]; then
    LC_ALL=C find . -type f -not -path '*/\.*' -exec sed -i '' -E "s/$match/\1\n$insert/i" {} +
  else
    LC_ALL=C find . -type f -not -path '*/\.*' -exec sed -r "s/$match/\1\n$insert/i" {} +
  fi
done

This would need to be paired with a CLI flag to disable in-line suppressions (for audits sake an enterprise needs to track such security exceptions to established policy, things like approvals, requestor, requested date, expiration, last update, etc). I feel like the data retrieval on the JSON can be handled outside of checkov, and that checkov itself would not need all of this data, since it is purely doing the exception handling, but it would need a way to be passed in as a JSON blob or file.

Note: this is just a preliminary analysis, something such as moduleName might also be necessary in the JSON to help distinguish between similar named resources at different levels, etc.

@tronxd do those let you specify which resources/modules to skip the check for?

@larryboymi you can use the --framework / --skip-framework flags for restrictions on specific IaC type(s). The --check flag restricts specific checks on specific resource types, so tweaking it to scan only specific resource types is feasible. Explicit resource types granularity is not supported yet, but that’s a great idea. @schosterbarak WDYT?