---
layout: default
published: true
title: Suppressing and Skipping Policies
nav_order: 3
---

# Suppressing/skipping

Like any static-analysis tool, Checkov's suppression is limited by its analysis scope. For example, if a resource is managed manually, or using configuration management tools, a suppression can be inserted as a simple code annotation.

## Suppression Comment Format

To skip a check on a given Terraform definition block or CloudFormation resource, apply the following comment pattern inside its scope: `checkov:skip=<check_id>:<suppression_comment>`

* `<check_id>` is the ID of one of the available check scanners.
* `<suppression_comment>` is an optional suppression reason to be included in the output.

### Example

The following comment skips the `CKV_AWS_20` check on the resource identified by `foo-bucket`, where the scan checks whether an AWS S3 bucket is private. In the example, the bucket is configured with public read access; adding the suppression comment skips the check instead of letting it fail.

```hcl
resource "aws_s3_bucket" "foo-bucket" {
  region        = var.region
  #checkov:skip=CKV_AWS_20:The bucket is a public static content host
  bucket        = local.bucket_name
  force_destroy = true
  acl           = "public-read"
}
```

The output now contains a `SKIPPED` check result entry:

```text
...
...
Check: "S3 Bucket has an ACL defined which allows public access."
	SKIPPED for resource: aws_s3_bucket.foo-bucket
	Suppress comment: The bucket is a public static content host
	File: /example_skip_acl.tf:1-25

...
```

### CloudFormation Example

```yaml
Resources:
  MyDB:
    Type: 'AWS::RDS::DBInstance'
    # Test case for check skip via comment
    # checkov:skip=CKV_AWS_16:Ensure all data stored in the RDS is securely encrypted at rest
    Properties:
      DBName: 'mydb'
      DBInstanceClass: 'db.t3.micro'
      Engine: 'mysql'
      MasterUsername: 'master'
      MasterUserPassword: 'password'
```

### Kubernetes Example

To suppress checks in Kubernetes manifests, annotations are used with the following format: `checkov.io/skip#: <check_id>=<suppression_comment>`, where `#` is a distinct number for each annotation key, as in the example below.

```yaml
apiVersion: v1
kind: Pod
metadata:
  name: mypod
  annotations:
    checkov.io/skip1: CKV_K8S_20=I don't care about Privilege Escalation :-O
    checkov.io/skip2: CKV_K8S_14
    checkov.io/skip3: CKV_K8S_11=I have not set CPU limits as I want BestEffort QoS
spec:
  containers:
...
```
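Suppressions accumulate silently, so a practitioner usually wants an inventory of them and, in particular, of the ones that carry no reason. The following script is an added example, not part of Checkov or of this page; it parses both the `checkov:skip=<check_id>:<suppression_comment>` comment form and the `checkov.io/skip#: <check_id>=<suppression_comment>` annotation form described above, over constructed sample inputs, and lists every suppression whose justification is missing.

```python
import re

# Inline comment form used in Terraform and CloudFormation files:
#   checkov:skip=<check_id>:<suppression_comment>   (the comment is optional)
SKIP_COMMENT_RE = re.compile(
    r"checkov:skip=(?P<check_id>[A-Za-z0-9_]+)(?::(?P<reason>[^\n]*))?")
# Annotation form used in Kubernetes manifests:
#   checkov.io/skip<N>: <check_id>=<suppression_comment>   (the comment is optional)
SKIP_ANNOTATION_RE = re.compile(
    r"checkov\.io/skip\d+:\s*(?P<check_id>[A-Za-z0-9_]+)(?:=(?P<reason>[^\n]*))?")


def find_suppressions(text):
    """Return a list of (line_no, check_id, reason) for every suppression in text.
    reason is None when the suppression carries no justification."""
    found = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        m = SKIP_COMMENT_RE.search(line) or SKIP_ANNOTATION_RE.search(line)
        if m is None:
            continue
        # An empty or whitespace-only reason counts as no reason at all.
        reason = (m.group("reason") or "").strip() or None
        found.append((line_no, m.group("check_id"), reason))
    return found


def unjustified(text):
    """Suppressions with no reason: the ones a reviewer should ask about."""
    return [s for s in find_suppressions(text) if s[2] is None]


# Constructed sample inputs for this example (not files from the page)
TF_SAMPLE = '''resource "aws_s3_bucket" "foo-bucket" {
  #checkov:skip=CKV_AWS_20:The bucket is a public static content host
  acl = "public-read"
}
'''
K8S_SAMPLE = '''apiVersion: v1
kind: Pod
metadata:
  annotations:
    checkov.io/skip1: CKV_K8S_20=Init hook needs privilege escalation
    checkov.io/skip2: CKV_K8S_14
'''

if __name__ == "__main__":
    for sample in (TF_SAMPLE, K8S_SAMPLE):
        for line_no, check_id, reason in find_suppressions(sample):
            print(f"line {line_no}: {check_id} -> {reason or 'NO REASON GIVEN'}")
```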

### Secrets Example

To suppress secrets checks in any configuration file, a comment needs to be added directly before, after, or next to the infringing line.

```yaml
Resources:
  MyDB:
    Type: 'AWS::RDS::DBInstance'
    Properties:
      DBName: 'mydb'
      DBInstanceClass: 'db.t3.micro'
      Engine: 'mysql'
      MasterUsername: 'master'
      # checkov:skip=CKV_SECRET_6 before it
      MasterUserPassword: 'password' # checkov:skip=CKV_SECRET_6 or next to it
      # checkov:skip=CKV_SECRET_6 or after it
```