
Allow users to ignore specific lines during kics-scan #4420

Closed
LvffY opened this issue Oct 22, 2021 · 4 comments · Fixed by #4491 · May be fixed by #7299
Assignees
Labels
community Community contribution feature request Community: new feature request

Comments

@LvffY

LvffY commented Oct 22, 2021

Describe the solution you'd like

Kics already allows users to disable scanning of whole files. But in most cases, I think it would be more useful to just ignore lines of files and not the entire file.

From a security point of view, it's not because one line in my file could not be analysed that I want to exclude the rest of my file (that could hide some more security breaches).

Additional context

It could be useful for temporary issues and/or too specific context problems (could probably solve #4419).

@LvffY LvffY added community Community contribution feature request Community: new feature request labels Oct 22, 2021
@joaoReigota1 joaoReigota1 self-assigned this Nov 3, 2021
@joaoReigota1
Collaborator

Regarding this issue, this is the approach we are thinking of:

Users would be able to use two comments as commands in order to ignore specific lines:

  • kics ignore-block
  • kics ignore-line

kics ignore-block

This command ignores the object and all its key-value pairs beneath the line of the command.

kics ignore-line

This command ignores the line beneath the line of the command.

Dockerfile

[screenshot: Dockerfile example]

  • line 6 is ignored from the comment on line 5
  • lines 10 and 11 are ignored from the comment on line 9
  • lines 15, 16, 17 and 18 (the whole block) are ignored from the comment on line 14

Terraform

[screenshot: Terraform example]

  • lines 4, 5 and 6 are ignored from the comment on line 3
  • lines 11, 12 and 13 are ignored from the comment on line 10
  • line 18 is ignored from the comment on line 17

YAML

[screenshot: YAML example]

  • lines 4 and 5 are ignored from the comment on line 3
  • line 11 is ignored from the comment on line 10
  • lines 17, 18 and 19 are ignored from the comment on line 16
  • lines 22, 23, 24 and 25 are ignored from the comment on line 21

JSON

It is not possible to add this feature for JSON, since JSON files don't support comments.

@LvffY
Author

LvffY commented Nov 4, 2021

@joaoReigota1 It would be great!

@balq60

balq60 commented Mar 3, 2023

This does not work.

Tried this:

    // kics ignore-block
    resource "aws_s3_bucket" "bucket" {
      #checkov:skip=CKV_AWS_144:This bucket is not required to have cross-region replication enabled because it only contains test data.
      count               = local.create_bucket ? 1 : 0
      bucket              = var.bucket_name
      force_destroy       = var.force_destroy
      object_lock_enabled = var.object_lock_enabled
    }

    #######################
    # Log Bucket creation
    #######################
    // kics ignore-block
    resource "aws_s3_bucket" "log_bucket" {
      #checkov:skip=CKV_AWS_144:This bucket is not required to have cross-region replication enabled because it only contains test data.
      count  = local.create_bucket ? 1 : 0
      bucket = var.log_bucket_name
    }

Tried this:

    ###################
    # Bucket creation
    ###################
    #kics ignore-line
    resource "aws_s3_bucket" "read_only_bucket" {
      #checkov:skip=CKV_AWS_144:This is too aggressive for most cases. This should depend on the data being stored.
      #kics ignore-line
      bucket = var.bucket_name_read_only
    }

    #######################
    # Log Bucket creation
    #######################
    #kics ignore-line
    resource "aws_s3_bucket" "read_only_log_bucket" {
      #checkov:skip=CKV_AWS_144:This is too aggressive for most cases. This should depend on the data being stored.
      #kics ignore-line
      bucket = var.log_bucket_name_read_only
    }

Still shows up in the report.

@boatilus

@balq60 The comment needs to start with kics-scan, not kics. See https://github.com/Checkmarx/kics/blob/master/docs/running-kics.md
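The semantics proposed above (ignore-line suppresses the line beneath the comment, ignore-block suppresses the object beneath it) and the malformed-prefix mistake in the previous report both lend themselves to a small audit script: before trusting a scan result, list exactly which lines a file's suppression comments hide, and flag comments that look like suppressions but will be treated as ordinary comments. The following is an added example and not KICS's own code; it assumes the `kics-scan ignore-line` / `kics-scan ignore-block` comment form named in the reply above, and it approximates "the object beneath" by brace matching for HCL-style blocks and by indentation for YAML. The real scanner may resolve blocks differently, and the Terraform and YAML samples are constructed for illustration.

```python
import re
from typing import List, Set

# Recognised suppression comment: "# kics-scan ignore-line" or "// kics-scan ignore-block".
MARKER = re.compile(r"^\s*(?:#|//)\s*kics-scan\s+(ignore-line|ignore-block)\s*$")
# Looks like a suppression but lacks the "kics-scan" prefix; the scanner ignores it as a plain comment.
MALFORMED = re.compile(r"^\s*(?:#|//)\s*kics\s+ignore-(?:line|block)\s*$")

# Constructed sample (hypothetical). Line 1 uses the bare "kics" form from the report above.
SAMPLE_TF = """\
// kics ignore-block
resource "aws_s3_bucket" "bucket" {
  bucket        = var.bucket_name
  force_destroy = true
}

# kics-scan ignore-block
resource "aws_s3_bucket" "log_bucket" {
  bucket = var.log_bucket_name
  versioning {
    enabled = false
  }
}

resource "aws_s3_bucket" "other" {
  # kics-scan ignore-line
  acl = "public-read"
  bucket = var.other
}
"""

# Constructed sample (hypothetical) showing the indentation-based block rule.
SAMPLE_YAML = """\
apiVersion: v1
kind: Pod
spec:
  # kics-scan ignore-block
  securityContext:
    runAsUser: 0
    privileged: true
  containers:
    - name: app
      # kics-scan ignore-line
      image: nginx:latest
"""


def _indent(line: str) -> int:
    return len(line) - len(line.lstrip())


def _block_end(lines: List[str], start: int) -> int:
    """Index of the last line of the object beginning at lines[start] (simplified rule).

    Brace-delimited objects are matched by counting '{' and '}' from the start line;
    otherwise the object spans every following line indented deeper than the start line
    (blank lines inside the block are skipped, not treated as its end)."""
    if "{" in lines[start]:
        depth = 0
        for i in range(start, len(lines)):
            depth += lines[i].count("{") - lines[i].count("}")
            if depth <= 0:
                return i
        return len(lines) - 1
    base = _indent(lines[start])
    end = start
    for i in range(start + 1, len(lines)):
        if lines[i].strip() == "":
            continue
        if _indent(lines[i]) <= base:
            break
        end = i
    return end


def ignored_lines(text: str) -> Set[int]:
    """1-based numbers of all lines suppressed by recognised ignore-line/ignore-block comments."""
    lines = text.splitlines()
    ignored: Set[int] = set()
    for i, line in enumerate(lines):
        m = MARKER.match(line)
        if not m or i + 1 >= len(lines):
            continue
        target = i + 1  # the command applies to the line beneath it
        if m.group(1) == "ignore-line":
            ignored.add(target + 1)
        else:
            ignored.update(range(target + 1, _block_end(lines, target) + 2))
    return ignored


def malformed_markers(text: str) -> List[int]:
    """1-based numbers of comments that use 'kics' instead of 'kics-scan' and so suppress nothing."""
    return [i + 1 for i, line in enumerate(text.splitlines()) if MALFORMED.match(line)]


if __name__ == "__main__":
    for name, sample in (("terraform", SAMPLE_TF), ("yaml", SAMPLE_YAML)):
        print(name, "suppressed:", sorted(ignored_lines(sample)),
              "malformed markers:", malformed_markers(sample))
```

Run against a real repository's IaC files, the suppressed-line list is what a reviewer should compare against the scan report: a finding on a line that is not in that set was not silenced by a comment, and a non-empty malformed list means someone believed a resource was excluded when it was still being scanned (the situation in the previous comment).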
