Bridgecrew.io
  • About Bridgecrew by Prisma Cloud
  • Docs
    • Quick start
    • Overview
    • Integrations
  • Download
  • Try Bridgecrew

Checkov Documentation

  • 1.Welcome
    • What is Checkov?
    • Terms and Concepts
    • Quick Start
    • Feature Descriptions
  • 2.Basics
    • Installing Checkov
    • CLI Command Reference
    • Suppressing/skipping
      • Suppression Comment Format
        • Example
        • Kubernetes Example
    • Scanning Credentials and Secrets
    • Reviewing Scan Results
    • Visualizing Checkov Output
    • Handling Variables
  • 3.Custom Policies
    • Custom Policies Overview
    • Python Custom Policies
    • YAML Custom Policies
    • Custom YAML Policies Examples
    • Sharing Custom Policies
  • 4.Integrations
    • Jenkins
    • Bitbucket Cloud Pipelines
    • Github Actions
    • GitLab CI
    • Kubernetes
    • Pre-Commit
    • Docker
    • Terraform Scanning
  • 5.Policy Index
    • all resource scans
    • arm resource scans
    • cloudformation resource scans
    • dockerfile resource scans
    • kubernetes resource scans
    • serverless resource scans
    • terraform resource scans
  • 6.Contribution
    • Contribution Overview
    • Contribute Python-Based Policies
    • Contribute YAML-based Policies
    • Contribute New Terraform Provider
  • Docs
  • 2.basics
  • Suppressing and Skipping Policies
Edit on GitHub

Suppressing/skipping

Like any static-analysis tool, suppression is limited by its analysis scope. For example, if a resource is managed manually, or using configuration management tools, a suppression can be inserted as a simple code annotation.

Suppression Comment Format

To skip a check on a given Terraform definition block or CloudFormation resource, apply the following comment pattern inside its scope: checkov:skip=<check_id>:<suppression_comment>

  • <check_id> is one of the available check scanners.
  • <suppression_comment> is an optional suppression reason to be included in the output.

Example

The following comment skips the CKV_AWS_20 check on the resource identified by foo-bucket, where the scan checks if an AWS S3 bucket is private. In the example, the bucket is configured with a public read access; Adding the suppress comment skips the appropriate check instead of the check failing.

resource "aws_s3_bucket" "foo-bucket" {
  region        = var.region
    #checkov:skip=CKV_AWS_20:The bucket is a public static content host
  bucket        = local.bucket_name
  force_destroy = true
  acl           = "public-read"
}

The output now contains a SKIPPED check result entry:

...
...
Check: "S3 Bucket has an ACL defined which allows public access."
	SKIPPED for resource: aws_s3_bucket.foo-bucket
	Suppress comment: The bucket is a public static content host
	File: /example_skip_acl.tf:1-25

...

Kubernetes Example

To suppress checks in Kubernetes manifests, annotations are used with the following format: checkov.io/skip#: <check_id>=<suppression_comment>

apiVersion: v1
kind: Pod
metadata:
  name: mypod
  annotations:
    checkov.io/skip1: CKV_K8S_20=I don't care about Privilege Escalation :-O
    checkov.io/skip2: CKV_K8S_14
    checkov.io/skip3: CKV_K8S_11=I have not set CPU limits as I want BestEffort QoS
spec:
  containers:
...

Powered By

  • Slack Community
  • About Bridgecrew
  • Platform
  • Terms of use
  • GitHub
  • Contact Us
  • Privacy policy