feat(general): Issue 6536 - example checkovignore file to skip specific Checkov checks with expiry dates on azure devops pipeline

checkovignore/.checkovignore

@@ -0,0 +1,8 @@
+# listed ruleIDs will be ignored from the scan results, if expiry date is in the future
+ignore:
+  - id: "CKV_AZURE_35"
+    expiry: "2025-07-09"
+    created: "2024-07-09"
+  - id: "CKV_AZURE_43"
+    expiry: "2025-07-09"
+    created: "2024-07-09"

checkovignore/checkov_ignore.py

@@ -0,0 +1,37 @@
+import yaml
+from datetime import datetime
+
+def is_expired(expiry_date):
+    current_date = datetime.now().date()
+    expiry_date = datetime.strptime(expiry_date, "%Y-%m-%d").date()
+    return current_date > expiry_date
+
+try:
+    # Load the YAML content from the file
+    with open('.checkovignore', 'r') as file:
+        data = yaml.safe_load(file)
+
+    # Extract the 'id' values from the ignore list that are not expired
+    ids = [rule['id'] for rule in data['ignore'] if not is_expired(rule['expiry'])]
+
+    if ids:
+        # Join the ids into a comma-separated string
+        skip_checks = ','.join(ids)
+    else:
+        skip_checks = "null"
+
+    # Get the total number of ids
+    total_ids = len(ids)
+
+    # Print the results in a way that can be captured by the shell script
+    print(f"SKIP_CHECKS: {skip_checks}")
+    print(f"TOTAL_SKIPPED: {total_ids}")
+
+    # Set the pipeline variable for other tasks
+    print(f"##vso[task.setvariable variable=SKIP_CHECKS]{skip_checks}")
+
+except FileNotFoundError:
+    # Handle the case where the file is not found
+    skip_checks = "null"
+    print("[INFO], Checkov ignore file not found, assign SKIP_CHECKS as null, for error handling when running checkov scan...")
+    print(f"##vso[task.setvariable variable=SKIP_CHECKS]{skip_checks}")

tests/azure_pipelines/examples/azure-pipelines-checkov-ignore.yml

@@ -0,0 +1,46 @@
+variables: 
+  templateFile: '$(Build.Repository.LocalPath)/tests/bicep/examples/checkovignore.bicep'
+  templateFileDir: '$(Build.Repository.LocalPath)/tests/bicep/examples'
+  iacReportScriptFolder: '$(Build.Repository.LocalPath)/checkovignore'
+
+name: 'CheckovIgnore-$(SourceBranchName)-$(Date:yyyyMMdd)$(Rev:r)'
+
+pool: 'linux-agent-pool'
+
+stages:
+- stage: checkov_scan
+  displayName: checkov scan
+  jobs:
+  - job: checkov_scan
+    displayName: checkov scan
+    steps:
+    # Checkov Ignore Checks
+    - task: Bash@3
+      name: Checkov_Ignore_Checks
+      inputs:
+        targetType: 'inline'
+        script: |
+          python3 checkov_ignore.py
+        workingDirectory: '$(iacReportScriptFolder)'
+      displayName: "Checkov Ignore Checks"
+
+    # Run Checkov Scan
+    - task: Bash@3
+      name: Run_Checkov_Scan
+      inputs:
+        targetType: 'inline'
+        script: |
+          echo "[INFO], Running Checkov scan..."
+          checkov --file $(templateFile) --framework bicep --soft-fail --quiet --compact --output junitxml \
+          --output-file-path $(System.DefaultWorkingDirectory)/ --skip-check $(SKIP_CHECKS) > results_checkov.xml
+      displayName: "Run Checkov for Compliance check"
+
+    # Publish Scan Result
+    - task: PublishTestResults@2
+      inputs:
+        testRunTitle: "Checkov Results"
+        failTaskOnFailedTests: true
+        testResultsFormat: "JUnit"
+        testResultsFiles: "results_checkov.xml"
+        searchFolder: "$(System.DefaultWorkingDirectory)"
+      displayName: "Publish Test results"

tests/bicep/examples/checkovignore.bicep

@@ -0,0 +1,18 @@
+param storageAccountName string
+param location string = resourceGroup().location
+param tags object
+
+resource storageAccountResource 'Microsoft.Storage/storageAccounts@2023-01-01' = {
+  name: storageAccountName
+  location: location
+  kind: 'StorageV2'
+  sku: {
+    name: 'Standard_GRS'
+  }
+  properties: {
+    allowBlobPublicAccess: false
+    minimumTlsVersion: 'TLS1_2'
+    supportsHttpsTrafficOnly: true
+  }
+  tags: tags
+}