# Check Skip and Suppression Standards
## Rule
Checkov check suppressions MUST include a documented justification. Blanket suppressions of entire check categories are prohibited. Every suppression is subject to code review.
## Inline Suppression (Terraform)
```hcl
# Good — documented justification. Checkov records everything after the
# colon as the skip reason and shows it in the report, so quotes are kept verbatim.
resource "aws_security_group_rule" "allow_ssh" {
  #checkov:skip=CKV_AWS_24: "SSH access restricted to VPN CIDR (10.0.0.0/8), not public internet"
  type              = "ingress"
  from_port         = 22
  to_port           = 22
  protocol          = "tcp"
  cidr_blocks       = ["10.0.0.0/8"]
  security_group_id = aws_security_group.bastion.id # group assumed to be declared elsewhere
}

# Bad — no justification (the skip still works, which is exactly the problem)
resource "aws_s3_bucket" "data" {
  #checkov:skip=CKV_AWS_19
  bucket = "my-bucket"
}
```
## CLI Skip (CI Configuration)
```bash
# Good — documented skip list
checkov -d ./terraform/ \
--skip-check CKV_AWS_999 # Check is known false positive for our provider version
# Bad — skipping many checks without documentation
checkov -d ./terraform/ --skip-check CKV_AWS_1,CKV_AWS_2,...,CKV_AWS_50
```
## Rules
1. Every inline suppression MUST include a reason after the colon (`#checkov:skip=CKV_ID:reason`); a bare check ID is never acceptable
2. CLI `--skip-check` entries must be documented in a comment or README; keeping the `skip-check` list in a `.checkov.yaml` config file lets each entry carry its own comment
3. Never skip S3 encryption-at-rest checks (for example CKV_AWS_19) or the related S3 access-logging check (CKV_AWS_18) without compensating controls
4. Never skip public access checks without network-level mitigation
5. Suppressions require approval from a security-aware reviewer
## Review Process
1. PRs with new Checkov suppressions require explicit reviewer acknowledgment
2. Quarterly audit of all suppressions — remove those with available fixes
3. Track suppression count as a security health metric
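Rule 1 (a reason after every colon) and review item 3 (suppression count as a health metric) are both mechanically checkable. The following audit script is an added example, not part of the original standard or of Checkov itself: it scans `.tf` files for Checkov's inline skip syntax, reports every suppression, and fails when the justification is missing or shorter than an assumed three-word threshold. The sample Terraform text is constructed for the demo; the only real identifiers are the check IDs.

```python
"""Audit Checkov inline suppressions in Terraform for missing justifications.

Added example: not Checkov's own code and not part of the standard above.
"""
from __future__ import annotations

import re
from dataclasses import dataclass
from pathlib import Path
from typing import Iterable, Optional

# Mirrors the shape of Checkov's inline skip comment: "#checkov:skip=CHECK_ID:reason"
# ("bridgecrew:skip=" is the legacy alias). Group 1 = check id, group 2 = reason.
SKIP_RE = re.compile(
    r"(?:#|//)\s*(?:checkov|bridgecrew):skip=\s*"
    r"([A-Za-z_\d]+(?:\.[A-Za-z_\d]+)*)(?::(.*))?"
)

MIN_REASON_WORDS = 3  # assumed policy threshold for this example, not a Checkov setting


@dataclass
class Suppression:
    file: str
    line: int
    check_id: str
    reason: str  # empty string when nothing followed the check id

    def violation(self) -> Optional[str]:
        """Return why this suppression breaks the standard, or None if it is acceptable."""
        words = self.reason.strip().strip("\"'").split()
        if not words:
            return "no justification after the check id"
        if len(words) < MIN_REASON_WORDS:
            return f"justification too short ({len(words)} word(s)): {self.reason.strip()!r}"
        return None


def parse_suppressions(text: str, filename: str = "<string>") -> list[Suppression]:
    """Find every inline skip comment in one file's contents."""
    found = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        m = SKIP_RE.search(line)
        if m:
            found.append(Suppression(filename, lineno, m.group(1), m.group(2) or ""))
    return found


def audit(files: Iterable[tuple[str, str]]) -> dict:
    """files: (name, contents) pairs. Returns the total count (the health metric)
    and a list of (suppression, reason-it-fails) pairs."""
    sups = [s for name, text in files for s in parse_suppressions(text, name)]
    violations = [(s, s.violation()) for s in sups if s.violation()]
    return {"total": len(sups), "violations": violations}


def audit_tree(root: str) -> dict:
    """Audit every .tf file under root (what the CI job would call)."""
    paths = sorted(Path(root).rglob("*.tf"))
    return audit((str(p), p.read_text()) for p in paths)


# Constructed sample: one compliant suppression and three policy violations.
SAMPLE_TF = '''
resource "aws_security_group_rule" "allow_ssh" {
  #checkov:skip=CKV_AWS_24: "SSH access restricted to VPN CIDR (10.0.0.0/8), not public internet"
  type = "ingress"
}
resource "aws_s3_bucket" "data" {
  #checkov:skip=CKV_AWS_19
  bucket = "my-bucket"
}
resource "aws_s3_bucket" "logs" {
  # checkov:skip=CKV_AWS_21:
  # checkov:skip=CKV_AWS_18:TODO
  bucket = "my-logs"
}
'''

if __name__ == "__main__":
    result = audit([("sample.tf", SAMPLE_TF)])
    print(f"{result['total']} suppressions, {len(result['violations'])} violations")
    for s, why in result["violations"]:
        print(f"{s.file}:{s.line}: {s.check_id}: {why}")
    raise SystemExit(1 if result["violations"] else 0)
```

Run it against the repository with `audit_tree("./terraform")` in the CI job and publish `total` alongside the pass/fail result; a rising count with no matching review activity is the signal the quarterly audit is meant to catch. The script deliberately does not judge the content of a reason (whether a compensating control is real is a reviewer's call), only that one was written.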
## Anti-Patterns
- Inline suppression without reason text
- Skipping 10+ checks in CI without documentation
- Suppressing checks to "get the build green"
- Copy-pasting suppressions from other resources without evaluation