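# Checkov configuration for GitHub Actions security scans
# See: https://www.checkov.io/2.Basics/CLI%20Command%20Reference.html
# yaml-language-server: $schema=https://www.schemastore.org/any.json
#
# Keys are kept in alphabetical order (the order checkov's config loader
# does not care about, but it keeps diffs small). Each comment sits directly
# above the key it describes so the justification travels with the setting.
---
# Compact output to reduce noise
compact: true

# Custom tool name reported in the SARIF run metadata
custom-tool-name: "Checkov-UptimeWatcher"

# Security enhancement: run the secrets scanner over every file type,
# not only the frameworks listed under `framework`
enable-secret-scan-all-files: true

# Enable evaluation of variables for better accuracy
evaluate-variables: true

# Framework selection - only scan frameworks relevant to this project
framework:
  - "github_actions"
  - "github_configuration"
  - "dockerfile"
  - "secrets"
  - "yaml"
  - "json"

# Hard fail on high and critical issues.
# NOTE(review): given as a comma-separated string; checkov also accepts a
# YAML list here - confirm the string form is split into two severities
# rather than treated as one token.
hard-fail-on: "HIGH,CRITICAL"

# Output formats for CI/CD integration (human-readable CLI plus SARIF for
# upload to a code-scanning dashboard)
output: "cli,sarif"

# Destination per output format, paired positionally with `output`:
# cli -> console, sarif -> checkov-results.sarif
output-file-path: "console,checkov-results.sarif"

# Secret scanning of git history is disabled to avoid the performance
# impact in CI; a leaked secret that was later removed from the tree will
# therefore not be reported by this scan.
scan-secrets-history: false

# Skip specific checks with detailed justifications.
# Every entry here is a deliberate reduction in coverage - re-evaluate the
# exemptions when the workflows change.
skip-check:
  # --- GitHub Actions permission checks ---
  # CKV_GHA_1: require job permissions write-all to be set to false
  # Justification: Electron app build process requires write access for
  # artifact uploads and releases.
  # NOTE(review): scoping `permissions:` per job (e.g. `contents: write`
  # only on the job that publishes a release) satisfies this check without
  # granting write-all; consider that instead of a blanket exemption.
  - "CKV_GHA_1"
  # CKV2_GHA_1: ensure top-level permissions are not set to write-all
  # Justification: Desktop app build workflow needs comprehensive permissions
  # for secure artifact management (same trade-off as CKV_GHA_1 above).
  - "CKV2_GHA_1"
  # --- GitHub Actions pinning checks ---
  # CKV_GHA_6: require checkout action to be pinned to a SHA version
  # Justification: Using semantic versioning (@v4) for official actions
  # provides better maintainability and security updates while maintaining
  # readability. Risk is mitigated by using only official actions.
  # NOTE(review): version tags are mutable references, which is exactly what
  # this check guards against; a full-length commit SHA pin (with automated
  # update PRs) keeps both properties. Revisit this exemption periodically.
  - "CKV_GHA_6"
  # --- Workflow input checks ---
  # CKV_GHA_7: ensure workflow_dispatch inputs are NOT empty/blank
  # Justification: Manual trigger workflows without inputs are legitimate for
  # this desktop application, where simple build/test triggers don't require
  # parameters.
  - "CKV_GHA_7"

# Skip paths that don't need security scanning (build output, vendored
# dependencies, editor settings, static assets)
skip-path:
  - "node_modules/"
  - "dist/"
  - "coverage/"
  - ".vscode/"
  - "docs/assets/"  # already covered by "docs/" below; kept for clarity
  - "**/icons/**"
  - "html/"
  - "release/"
  - ".secretlintrc.json"
  - "docs/"
  - "shared/test/validation/schemas.test.ts"

# Soft fail on low severity issues (reported, but does not fail the job)
soft-fail-on: "LOW"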