feat(general): Issue 6536 - example checkovignore file to skip specific Checkov checks with expiry dates on azure devops pipeline

[iheanacho-chukwu]

User description

This PR request shows a working implementation of the .checkovignore file to skip specific Checkov checks with expiry dates as requested in the issue: #6536.

---

Description

This pull request implements a .checkovignore file for managing skip-checks in Checkov scans. The .checkovignore file holds rule IDs to skip, expiration dates for the skips, and optional reasons for skipping. This feature is similar to the .trivyignore file in Trivy and centralizes the handling of skip-checks, automating the removal of expired skips.

Main Changes:

• A Python script (CHECKOV_IGNORE.py) was introduced to process the .checkovignore file, dynamically setting the --skip-check flag for Checkov runs in Azure DevOps pipelines.
• Expiration dates are checked, and expired rule IDs are automatically excluded from being skipped.
• Example integration into an Azure DevOps pipeline has been provided, demonstrating how to process the .checkovignore file and run Checkov with the appropriate skip-checks.

Benefits:

• Centralized management of skipped checks in a YAML-based .checkovignore file.
• Automated expiry handling, ensuring outdated skips are not used.
• Optional documentation of reasons for skipping checks, aiding in reviews and audits.

Fixes #6536

---

New/Edited Policies

Description

This feature adds the ability to skip specific Checkov rules by specifying them in the .checkovignore file, along with an optional expiry date and reason for skipping. This feature is useful for development teams who want to manage skip-checks centrally and enforce the expiration of old skips.

Fix

The skip-checks can be defined in a .checkovignore YAML file. A Python script processes this file, filtering out expired checks, and dynamically sets the --skip-check parameter for Checkov commands in pipelines. By integrating this into a CI/CD pipeline (e.g., Azure DevOps), developers can manage their skip-checks in a more organized manner.

---

Checklist:

• I have performed a self-review of my own code.
• I have commented my code, particularly in hard-to-understand areas.
• I have made corresponding changes to the documentation.
• I have added tests that prove my feature, policy, or fix is effective and works.
• New and existing tests pass locally with my changes.

---

Generated description

Dear maintainer, below is a concise technical summary of the changes proposed in this PR:

Implement a .checkovignore file to manage skip-checks in Checkov scans, allowing for centralized control over which checks to skip, with expiration dates and optional reasons. The checkov_ignore.py script processes this file, dynamically setting the --skip-check flag for Checkov runs in Azure DevOps pipelines. This ensures expired skips are automatically removed. An example integration into an Azure DevOps pipeline is provided, demonstrating the use of this feature.

Topic	Details
Checkov Ignore Management	Implement a .checkovignore file to manage skip-checks in Checkov scans, allowing for centralized control over which checks to skip, with expiration dates and optional reasons. The checkov_ignore.py script processes this file, dynamically setting the --skip-check flag for Checkov runs in Azure DevOps pipelines. This ensures expired skips are automatically removed. An example integration into an Azure DevOps pipeline is provided, demonstrating the use of this feature. Modified files (3) checkovignore/checkov_ignore.py tests/azure_pipelines/examples/azure-pipelines-checkov-ignore.yml checkovignore/.checkovignore Latest Contributors(0) Email Commit Date
Bicep Template Example	Provide an example Bicep template for testing the Checkov ignore feature in Azure DevOps pipelines. Modified files (1) tests/bicep/examples/checkovignore.bicep Latest Contributors(0) Email Commit Date

This pull request is reviewed by Baz. Join @iheanacho-chukwu and the rest of your team on (Baz).