Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

feat(general): Issue 6536 - example checkovignore file to skip specific Checkov checks with expiry dates on azure devops pipeline #6718

Open
wants to merge 5 commits into
base: main
Choose a base branch
from
Open

feat(general): Issue 6536 - example checkovignore file to skip specific Checkov checks with expiry dates on azure devops pipeline #6718

wants to merge 5 commits into from

Conversation

iheanacho-chukwu
Copy link

@iheanacho-chukwu iheanacho-chukwu commented Sep 12, 2024
edited
Loading

This PR request shows a working implementation of the .checkovignore file to skip specific Checkov checks with expiry dates as requested in the issue: #6536.

Description

This pull request implements a .checkovignore file for managing skip-checks in Checkov scans. The .checkovignore file holds rule IDs to skip, expiration dates for the skips, and optional reasons for skipping. This feature is similar to the .trivyignore file in Trivy and centralizes the handling of skip-checks, automating the removal of expired skips.

Main Changes:

  • A Python script (CHECKOV_IGNORE.py) was introduced to process the .checkovignore file, dynamically setting the --skip-check flag for Checkov runs in Azure DevOps pipelines.
  • Expiration dates are checked, and expired rule IDs are automatically excluded from being skipped.
  • Example integration into an Azure DevOps pipeline has been provided, demonstrating how to process the .checkovignore file and run Checkov with the appropriate skip-checks.

Benefits:

  • Centralized management of skipped checks in a YAML-based .checkovignore file.
  • Automated expiry handling, ensuring outdated skips are not used.
  • Optional documentation of reasons for skipping checks, aiding in reviews and audits.

Fixes #6536

New/Edited Policies

Description

This feature adds the ability to skip specific Checkov rules by specifying them in the .checkovignore file, along with an optional expiry date and reason for skipping. This feature is useful for development teams who want to manage skip-checks centrally and enforce the expiration of old skips.

Fix

The skip-checks can be defined in a .checkovignore YAML file. A Python script processes this file, filtering out expired checks, and dynamically sets the --skip-check parameter for Checkov commands in pipelines. By integrating this into a CI/CD pipeline (e.g., Azure DevOps), developers can manage their skip-checks in a more organized manner.

Checklist:

  • I have performed a self-review of my own code.
  • I have commented my code, particularly in hard-to-understand areas.
  • I have made corresponding changes to the documentation.
  • I have added tests that prove my feature, policy, or fix is effective and works.
  • New and existing tests pass locally with my changes.

@iheanacho-chukwu iheanacho-chukwu changed the title Issue 6536 - example checkovignore file to skips checks using azure devops feat(general): Issue 6536 - example checkovignore file to skip specific Checkov checks with expiry dates on azure devops pipeline Sep 13, 2024
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers
No reviews
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

Implementing a .checkovignore File to sets list of ruleID for Skip-Check with expiry Dates
1 participant
@iheanacho-chukwu