CDKTF - support a way to suppress checks inline #4634
Comments
Thanks for contributing to Checkov! We've automatically marked this issue as stale to keep our issues list tidy, because it has not had any activity for 6 months. It will be closed in 14 days if no further activity occurs. Commenting on this issue will remove the stale tag. If you want to talk through the issue or help us understand the priority and context, feel free to add a comment or join us in the Checkov slack channel at https://slack.bridgecrew.io
Closing issue due to inactivity. If you feel this is in error, please re-open, or reach out to the community via slack: https://slack.bridgecrew.io Thanks!
@gruebel can we open this and get it fixed and working?
Hey, I'm using Terraform CDK and need to skip a check for a specific resource (S3 bucket). Is there a way to achieve that using the checkov CLI argument or configuration file? I've found [here](https://www.checkov.io/2.Basics/Suppressing%20and%20Skipping%20Policies.html) how to suppress a check but not how to suppress a check for a specific resource. I see that it's possible by adding comments to a specific resource when using HCL, which I can't edit directly as it's being overwritten when synth with cdktf.
You have to skip it for all resources using the “global” checkov config. This issue is still open.
It is pretty annoying :(
On Tue, Feb 27, 2024 at 9:44 AM, Thomas Schaffter wrote:
> Hey, I'm using Terraform CDK and need to skip a check for a specific resource (S3 bucket). Is there a way to achieve that using the checkov CLI argument or configuration file?
> I've found [here](https://www.checkov.io/2.Basics/Suppressing%20and%20Skipping%20Policies.html) how to suppress a check but not how to suppress a check for a specific resource.
> I see that it's possible by adding comments to a specific resource when using HCL, which I can't edit directly as it's being overwritten when synth with cdktf.
Since CDKTF
Hope it helps 🙂
Before finding this workaround, I had opened an issue at the terraform-cdk project for this specific issue: hashicorp/terraform-cdk#3609
After some testing, I found that this workaround breaks the testing. When running a test that uses
Hello @woutervb, I was able to reproduce the error you mentioned. The reason is that I prepared an additional hack in order to work around this :D. As far as I can see there is no native way to configure However, you can define Now given that You need to rename Here is the pytest fixture to perform the steps above:
@mixam24 thanks for your suggestion. The problem I'm now facing is that the HCL that is rendered isn't valid, so unfortunately I'm stuck with this for the moment. Falling back to global allow-lists to make sure that things pass for the time being.
Describe the issue
CDKTF support is currently limited to the synthesized Terraform JSON output and therefore a way to suppress checks should be implemented, which propagates to the synthesized output file.
This could be achieved by leveraging the comment field `"//"`
ex.