
exclude a family of checks: --skip-checks-prefix


Is your feature request related to a problem? Please describe.
It is useful for CI tools to run checks on specific families of checks, and exclude the default rules, or rules, matching the prefix. This is separate from the existing check_id exclusion, or the inline “nosec” feature.

Describe the solution you’d like
A flag similar to --skip-checks-prefix. Input is a prefix string. Checkov will skip/disable checks that match the prefix “$prefix-*” and exclude them from reports.

Describe alternatives you’ve considered
I’ve considered filtering the output of the scan results in my CI tooling. I would prefer if an individual GHAction or CircleCI orb failed the build right from checkov, rather than maintain a second step in my CI tools.

Additional context
For example, we have an internal set of controls related to Trust Service Criteria and other internal controls. It would be helpful to run checkov ONLY against the TSC_* or ACME_CNTRL_* rules, which would “Fail” the scans invoked by the compliance/sec-ops teams.

Issue Analytics

  • State: closed
  • Created 3 years ago
  • Comments: 5 (3 by maintainers)

Top GitHub Comments

1 reaction
schosterbarak commented, Sep 21, 2021

can you please open a new issue? @vangundy-jason-pfg

1 reaction
vangundy-jason-pfg commented, Sep 21, 2021

https://github.com/bridgecrewio/checkov/pull/750 does not seem to be working as expected. For a simple recreation I have a file with an aws secret in it. The following fails appropriately:

checkov --file iac/CKV_SECRET_2.json


       _               _
   ___| |__   ___  ___| | _______   __
  / __| '_ \ / _ \/ __| |/ / _ \ \ / /
 | (__| | | |  __/ (__|   < (_) \ V /
  \___|_| |_|\___|\___|_|\_\___/ \_/

By bridgecrew.io | version: 2.0.430

secrets scan results:

Passed checks: 0, Failed checks: 1, Skipped checks: 0

Check: CKV_SECRET_2: "AWS Access Key"
        FAILED for resource: 25910f981e85ca04baf359199dd0bd4a3ae738b6
        File: /iac/CKV_SECRET_2.json:6-7
        Guide: https://docs.bridgecrew.io/docs/git_secrets_2

                6 |         "Any": "AKIAIOSFODNN7EXAMPLE"

But then the following wildcard attempt to skip this check does not work (i.e. it still runs and fails):

checkov --file iac/CKV_SECRET_2.json --skip-check 'CKV_SECRET*'


       _               _
   ___| |__   ___  ___| | _______   __
  / __| '_ \ / _ \/ __| |/ / _ \ \ / /
 | (__| | | |  __/ (__|   < (_) \ V /
  \___|_| |_|\___|\___|_|\_\___/ \_/

By bridgecrew.io | version: 2.0.430

secrets scan results:

Passed checks: 0, Failed checks: 1, Skipped checks: 0

Check: CKV_SECRET_2: "AWS Access Key"
        FAILED for resource: 25910f981e85ca04baf359199dd0bd4a3ae738b6
        File: /iac/CKV_SECRET_2.json:6-7
        Guide: https://docs.bridgecrew.io/docs/git_secrets_2

                6 |         "Any": "AKIAIOSFODNN7EXAMPLE"

Would it be best to file this as a new / separate issue @metahertz ?
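The filtering semantics the issue asks for (run only a family of checks, or skip every check under a prefix) and the glob form the comment above tried with --skip-check can both be expressed as a small selection step over check IDs. The following is an added illustration written for this page, not checkov's own code: the function names, the `skip_prefixes` parameter and the `SAMPLE_CHECK_IDS` list are assumptions, and the `TSC_*` / `ACME_CNTRL_*` IDs are constructed stand-ins for the internal controls the issue mentions.

```python
"""Prefix / wildcard selection of check IDs.

Added example only: this is not checkov's implementation of --skip-check, and
the --skip-checks-prefix behaviour modelled by `skip_prefixes` is the proposal
from the issue, not a shipped flag.
"""
import fnmatch
from typing import Iterable, List, Optional, Sequence, Tuple

# Constructed sample: CKV_* IDs are in the style of checkov's built-in checks,
# TSC_* and ACME_CNTRL_* stand in for the internal controls the issue describes.
SAMPLE_CHECK_IDS = [
    "CKV_SECRET_2",
    "CKV_AWS_20",
    "CKV_K8S_8",
    "TSC_CC6_1",
    "ACME_CNTRL_004",
]

_WILDCARD_CHARS = "*?["


def matches_pattern(check_id: str, pattern: str) -> bool:
    """True if check_id equals pattern, or matches it as a case-sensitive glob.

    'CKV_SECRET_2' is an exact-ID pattern; 'CKV_SECRET*' is a glob, i.e. the
    form passed to --skip-check in the comment above.
    """
    if any(c in pattern for c in _WILDCARD_CHARS):
        return fnmatch.fnmatchcase(check_id, pattern)
    return check_id == pattern


def matches_prefix(check_id: str, prefix: str) -> bool:
    """True if check_id starts with prefix ('TSC_' matches 'TSC_CC6_1')."""
    return check_id.startswith(prefix)


def select_checks(
    check_ids: Iterable[str],
    run_only: Optional[Sequence[str]] = None,
    skip: Optional[Sequence[str]] = None,
    skip_prefixes: Optional[Sequence[str]] = None,
) -> Tuple[List[str], List[str]]:
    """Split check_ids into (to_run, skipped), preserving input order.

    run_only      : exact IDs or globs; when given, only matching checks run
                    (the "ONLY TSC_* or ACME_CNTRL_*" case from the issue).
    skip          : exact IDs or globs removed from the run.
    skip_prefixes : plain prefixes removed from the run (the proposed flag).
    A skip always wins over run_only, so a skipped check is never reintroduced
    by a broader allow pattern.
    """
    run_only = list(run_only or [])
    skip = list(skip or [])
    skip_prefixes = list(skip_prefixes or [])
    to_run: List[str] = []
    skipped: List[str] = []
    for cid in check_ids:
        allowed = not run_only or any(matches_pattern(cid, p) for p in run_only)
        blocked = any(matches_pattern(cid, p) for p in skip) or any(
            matches_prefix(cid, p) for p in skip_prefixes
        )
        (to_run if allowed and not blocked else skipped).append(cid)
    return to_run, skipped


if __name__ == "__main__":
    # Glob skip, as attempted in the comment above.
    print(select_checks(SAMPLE_CHECK_IDS, skip=["CKV_SECRET*"]))
    # Run only the internal control families, as the issue requests.
    print(select_checks(SAMPLE_CHECK_IDS, run_only=["TSC_*", "ACME_CNTRL_*"]))
    # Prefix skip, the proposed --skip-checks-prefix shape.
    print(select_checks(SAMPLE_CHECK_IDS, skip_prefixes=["CKV_"]))
```

The split into an allow list and a block list matters for CI: a `run_only` family restricts what can fail the build, while a `skip` or prefix never widens it, so a misspelled or overly broad pattern can only reduce coverage rather than silently re-enable a check that was meant to stay off. Keeping the skipped IDs in the return value lets the CI step report what was excluded instead of hiding it.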
