--skip-check not skipping checks
Closed this issue · 1 comments
I need to be able to feed a customized list of checks to be skipped as part of an automated check process that invokes Checkov via a template (I'm wanting to make this as generic, and as flexible as possible, as it is part of a larger generic module)
It looks as though I am successfully feeding the customized list into the template as a parameter [skipChecksCheckov] like this: `--skip-check "%DEFAULT_LIST_OF_CHECKS_TO_SKIP%, ${{ parameters.skipChecksCheckov }}"`, and I am seeing the full list when I examine the pipeline run logs (i.e.
`<property name>="skip_check" value="['%DEFAULT_LIST_OF_CHECKS_TO_SKIP%, ${{ parameters.skipChecksCheckov }}']"`)
However, it looks like none of the checks listed in skipChecksCheckov are actually being skipped, as when Checkov runs, it is reporting that those checks are failing
Here are the pertinent bits.
I'm currently feeding the custom list of checks to be skipped as a parameter when calling the template from the yml:
checkov-check.yml
```yaml
resources:
  repositories:
    - repository: templates
steps:
  - template: checkov.yml@templates
    parameters:
      skipChecksCheckov: '%LIST_OF_CHECKS_TO_SKIP%'
```
checkov.yml
```yaml
parameters:
  - name: skipChecksCheckov
    type: string
    default: ''
steps:
  - script: |
      checkov \
        --skip-check "%DEFAULT_LIST_OF_CHECKS_TO_SKIP%, ${{ parameters.skipChecksCheckov }}"
```
I know I need to find a better way of feeding the custom list into the invoking .yaml, but that's a different issue - the problem I am facing is that, while ${{ parameters.skipChecksCheckov }} is being expanded correctly, and apparently parsed correctly as a property, the checks listed aren't actually being skipped.
My expectation is that Checkov will actually skip the checks defined in ${{ parameters.skipChecksCheckov }}
It doesn't, and I need it to
Version: Checkov 3.2.255
FWIW - the checks I am wanting to skip are:
- CKV_AZURE_206 - it's generating a false positive on a storage account's replication configuration
- CKV2_AZURE_1 - I don't need to use Customer Managed Keys for encryption for the storage accounts being checked
- CKV2_AZURE_33 - the storage accounts don't require private endpoints
If I use the `#checkov:skip=<check_to_skip>:` method in the code, it works - but this isn't as generic as I require; I need to be able to have this working when invoked by `checkov --skip-check <checks_to_skip>`.
Any idea as to why the --skip-check CLI argument is failing?
Cheers
-=A=-
Nevermind - the problem has been identified, and the issue resolved
Apparently --skip-check cannot handle spaces between entries - i.e. `--skip-check "check_1, check_2, check_3"` will fail, but `--skip-check "check_1,check_2,check_3"` is fine.
Now I have the ability to set the default checks to skip AND add any additional checks that need skipping for the particular implementation I'm working on
That leaves me with the problem of how to feed the parameter string into the calling .yml itself - but that's not important here ; )
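Since the failure mode here is whitespace inside the comma-separated list (a skipped check ID that arrives as " CKV2_AZURE_1" never matches and so is silently still enforced), a small normaliser in the pipeline script removes the problem regardless of how the default list and the per-pipeline list are joined. The function below is an added example written for this issue, not part of the reporter's templates or of Checkov itself; the check IDs in the sample input are the three named in the issue, and the `--skip-check` invocation at the end is commented out so the snippet runs without Checkov installed.

```sh
#!/bin/sh
# Added example (not from the issue or the Checkov project).
# Normalise a comma-separated list of check IDs so that it is safe to pass
# to `checkov --skip-check`: strip all whitespace, collapse repeated commas,
# and drop a leading/trailing comma left behind by an empty pipeline parameter.
normalize_skip_list() {
  printf '%s' "$1" \
    | tr -d '[:space:]' \
    | sed -e 's/,,*/,/g' -e 's/^,//' -e 's/,$//'
}

# Mirror the template's join of a default list and an optional extra list;
# both values here are constructed for the example.
build_skip_arg() {
  default_list="$1"
  extra_list="$2"
  normalize_skip_list "${default_list}, ${extra_list}"
}

# Demonstration with the check IDs named in the issue (constructed input).
SKIP_ARG="$(build_skip_arg 'CKV_AZURE_206' 'CKV2_AZURE_1, CKV2_AZURE_33')"
echo "normalised skip list: ${SKIP_ARG}"
# In the real pipeline step the result would be passed through unchanged:
# checkov -d . --skip-check "${SKIP_ARG}"
```

Because the normalised string contains no spaces, the same join expression works whether `skipChecksCheckov` is empty or carries several entries; an empty parameter no longer produces a dangling trailing comma, and a list typed with spaces after the commas no longer causes checks to be quietly left active.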