
fix skipChecks overriding config file #15


Closed
wants to merge 5 commits into from
7 changes: 4 additions & 3 deletions README.md
Expand Up @@ -5,7 +5,7 @@

[Checkov](https://github.com/bridgecrewio/checkov) is an open-source static code analysis tool for infrastructure-as-code, secrets, and software composition analysis.

This extension is a fork of the original Bridgecrew extension, with the removal of the PrismaCloud API dependencies. This forked extension can be found on the [Visual Studio Extension Marketplace](https://marketplace.visualstudio.com/items?itemName=XargsUK.checkov-prismaless) and its source code is available in an [Apache 2.0 licensed repository](https://github.com/XargsUK/checkov-prismaless-vscode). The original extension can be found on the [Visual Studio Extension Marketplace](https://marketplace.visualstudio.com/items?itemName=Bridgecrew.checkov) and its source code is available in an [Apache 2.0 licensed repository](https://github.com/bridgecrewio/checkov-vscode). This extension is downstream from the original extension.
This extension is a fork of the original Bridgecrew extension, with the removal of the PrismaCloud API dependencies. This forked extension can be found on the [Visual Studio Extension Marketplace](https://marketplace.visualstudio.com/items?itemName=XargsUK.checkov-prismaless) and its source code is available in an [Apache 2.0 licensed repository](https://github.com/XargsUK/checkov-prismaless-vscode). The original extension can be found on the [Visual Studio Extension Marketplace](https://marketplace.visualstudio.com/items?itemName=Bridgecrew.checkov) and its source code is available in an [Apache 2.0 licensed repository](https://github.com/bridgecrewio/checkov-vscode). This extension is downstream from the original extension.

The Checkov Extension for Visual Studio Code enables developers to get real-time scan results, as well as inline fix suggestions as they develop cloud infrastructure.

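Review bot: the removed and added versions of the fork paragraph in this hunk read identically, so this looks like a whitespace-only change (trailing space or line ending); if that is not intentional, drop it so the diff stays focused on the skip-check behaviour.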
Expand All @@ -23,15 +23,14 @@ Extension features include:

### Install

Open the CheckovPrismaless Extension for Visual Studio Code in the [Visual Studio Marketplace](https://marketplace.visualstudio.com/items?itemName=XargsUK.checkov-prismaless) and install.
Open the CheckovPrismaless Extension for Visual Studio Code in the [Visual Studio Marketplace](https://marketplace.visualstudio.com/items?itemName=XargsUK.checkov-prismaless) and install.

### Dependencies

* [Python](https://www.python.org/downloads/) >= 3.7 or [Pipenv](https://docs.pipenv.org/) or [Docker](https://www.docker.com/products/docker-desktop) daemon running

The Checkov extension will invoke the latest version of ```Checkov```.


### Usage

* Open a file you wish to scan with checkov in VSCode.
Expand All @@ -40,11 +39,13 @@ The Checkov extension will invoke the latest version of ```Checkov```.
* Click a scan to see its details. Details will include the violating policy and a link to step-by-step fix guidelines.
* In most cases, the Details will include a fix option. This will either add, remove or replace an unwanted configuration, based on the Checkov fix dictionaries.
* You can skip checks by adding an inline skip annotation ```checkov:skip=<check_id>:<suppression_comment>```.
* You can skip checks for the whole workspace by adding a `.checkov.yaml` in your workspace folder (see [Checkov Configuration file](https://github.com/bridgecrewio/checkov?tab=readme-ov-file#configuration-using-a-config-file)). You can also override certain configuration values by using the extension settings (`framework`, `skip-framework`, `skip-check`). By default, whenever you edit your checkov config file or override the values using the extension settings, the checkov cache will be cleared - this behaviour can be deisable .
* The extension will continue to scan file modifications and highlight errors in your editor upon every material resource modification.

### Troubleshooting logs

To access the checkov-prismaless-vscode logs directory, open the VS Code Command Palette `(Ctrl+Shift+P)` or `(Command+Shift+P)`, and run the command `Open Checkov Log`. It is helpful to delete the log file and then retry whichever operation failed to produce clean logs.

### Why Create this Fork?

I detailed the reasons for creating this fork in a [Medium Article](https://medium.com/aws-in-plain-english/checkov-de-prismafying-the-vscode-extension-for-local-security-scans-c33aa35f5b35). The main reasons were to remove the PrismaCloud API dependencies once the Bridgecrew API was deprecated. Checkov is an excellent tool and I wanted to ensure that the Visual Studio Code extension was still available for the community to use.
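Review bot: the new `.checkov.yaml` bullet ends mid-sentence with a typo ("this behaviour can be deisable ."); suggest "this behaviour can be disabled with the `Clear cache upon config update` setting (`checkov-prismaless.clearCacheUponConfigUpdate`)", which is the setting this PR adds in package.json. The same bullet says the extension settings "override" `framework`, `skip-framework` and `skip-check`; it is worth spelling out that the two sources are not merged, i.e. a `skip-check` set in the extension replaces the config-file list rather than extending it, since a user who keeps suppressions in the config file would otherwise expect both to apply. The Install line in this hunk also appears unchanged apart from whitespace.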
15 changes: 13 additions & 2 deletions package.json
Expand Up @@ -77,6 +77,12 @@
"type": "boolean",
"default": false
},
"checkov-prismaless.clearCacheUponConfigUpdate": {
"title": "Clear cache upon config update",
"markdownDescription": "Clear the Checkov extension results cache when the Checkov configuration is updated. This ensures consistant results but will require Checkov to re-scan all files.",
"type": "boolean",
"default": true
},
"checkov-prismaless.useDebugLogs": {
"title": "Use debug logs",
"markdownDescription": "Whether to print debug logs from Checkov for troubleshooting",
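Review bot: typo in the `clearCacheUponConfigUpdate` description, "consistant" should be "consistent". Since this text is what users see in the settings UI, it would also help to say what counts as a configuration update (editing the checkov config file or changing the extension's `framework`, `skip-framework` or `skip-check` settings, per the README bullet in this PR), so users know when a full re-scan will be triggered.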
Expand All @@ -89,12 +95,17 @@
},
"checkov-prismaless.skipFrameworks": {
"title": "Skip Frameworks",
"markdownDescription": "Filter scan to skip specific frameworks (e.g., 'arm json secrets serverless').\nAdd multiple frameworks using spaces.\nSee [Checkov Frameworks](https://www.checkov.io/2.Basics/CLI%20Command%20Reference.html) for more information.\nYou may need to run the extension command 'Clear Checkov results cache' after modifying this setting.",
"markdownDescription": "Filter scan to skip specific frameworks (e.g., 'arm json secrets serverless'). Add multiple frameworks using spaces. See [Checkov Frameworks](https://www.checkov.io/2.Basics/CLI%20Command%20Reference.html) for more information. \nSetting this configuration property will overide any `skip-framework` entry defined in your [checkov config file](https://github.com/bridgecrewio/checkov?tab=readme-ov-file#configuration-using-a-config-file).",
"type": "string"
},
"checkov-prismaless.frameworks": {
"title": "Frameworks",
"markdownDescription": "Filter scan to run only on specific frameworks (e.g., 'arm json secrets serverless').\nAdd multiple frameworks using spaces.\nSee [Checkov Frameworks](https://www.checkov.io/2.Basics/CLI%20Command%20Reference.html) for more information.\nYou may need to run the extension command 'Clear Checkov results cache' after modifying this setting.",
"markdownDescription": "Filter scan to run only on specific frameworks (e.g., 'arm json secrets serverless'). Add multiple frameworks using spaces. \nSee [Checkov Frameworks](https://www.checkov.io/2.Basics/CLI%20Command%20Reference.html) for more information. \nSetting this configuration property will overide any `framework` entry defined in your [checkov config file](https://github.com/bridgecrewio/checkov?tab=readme-ov-file#configuration-using-a-config-file).",
"type": "string"
},
"checkov-prismaless.skipChecks": {
"title": "Skip Checks",
"markdownDescription": "Filter scan to run all checks except those listed (deny list). Add multiple checks using comma separated values \nSetting this configuration property will overide any `skip-check` entry defined in your [checkov config file](https://github.com/bridgecrewio/checkov?tab=readme-ov-file#configuration-using-a-config-file). ",
"type": "string"
}
}
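Review bot: "overide" should be "override" in all three descriptions (`skipFrameworks`, `frameworks`, `skipChecks`). The `skipChecks` description says "comma separated values", but `getSkipChecks` in src/configuration.ts (this PR) splits the setting on spaces, so the documented format and the parser disagree; pick one (comma-separated matches Checkov's own `--skip-check` syntax) and make the parser match. The removed sentence about running 'Clear Checkov results cache' is now covered by the `clearCacheUponConfigUpdate` default, but users who turn that setting off lose the hint; consider keeping a shortened version that points at the new setting.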
13 changes: 9 additions & 4 deletions src/checkov/checkovRunner.ts
Expand Up @@ -14,7 +14,7 @@ const dockerMountDir = '/checkovScan';
const configMountDir = '/checkovConfig';
const caMountDir = '/checkovCert';
const externalChecksMountDir = '/checkovExternalChecks';
const skipChecks: string[] = ['BC_LIC*'];
const skipChecksDefault: string[] = ['BC_LIC*'];

const getDockerFileMountParams = (mountDir: string, filePath: string | undefined): string[] => {
if (!filePath) {
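Review bot: renaming the module-level constant to `skipChecksDefault` is needed, since the new `skipChecks` parameter on `runCheckovScan` would otherwise shadow it; a one-line comment on why `BC_LIC*` (the license checks) is skipped by default would stop the next reader from dropping it as dead config.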
Expand Down Expand Up @@ -61,7 +61,7 @@ const cleanupStdout = (stdout: string) => stdout.replace(/.\[0m/g,''); // Clean

export const runCheckovScan = (logger: Logger, checkovInstallation: CheckovInstallation, extensionVersion: string, fileName: string,
certPath: string | undefined, useBcIds: boolean | undefined, debugLogs: boolean | undefined, noCertVerify: boolean | undefined, cancelToken: vscode.CancellationToken,
configPath: string | undefined, externalChecksDir: string | undefined, skipFrameworks: string[] | undefined, frameworks: string[] | undefined): Promise<CheckovResponse> => {
configPath: string | undefined, externalChecksDir: string | undefined, skipFrameworks: string[] | undefined, frameworks: string[] | undefined, skipChecks: string[] | undefined): Promise<CheckovResponse> => {
return new Promise((resolve, reject) => {
const { checkovInstallationMethod, checkovPath } = checkovInstallation;
const timestamp = Date.now();
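Review bot: the new trailing `skipChecks` parameter on `runCheckovScan` has no caller in this diff; nothing shown passes `getSkipChecks()` through, so unless the call site is updated in a file not included here, the setting is read but never reaches Checkov. Please include that change in the PR. With fourteen positional parameters, most of them `string[] | undefined` or `boolean | undefined`, an argument-order slip at the call site would compile cleanly and silently swap, say, `frameworks` and `skipChecks`; an options object would make that class of mistake impossible.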
Expand All @@ -77,15 +77,20 @@ export const runCheckovScan = (logger: Logger, checkovInstallation: CheckovInsta
const certificateParams: string[] = certPath && checkovInstallationMethod !== 'docker' ? ['-ca', `"${certPath}"`] : [];
const bcIdParam: string[] = useBcIds ? ['--output-bc-ids'] : [];
const noCertVerifyParam: string[] = noCertVerify ? ['--no-cert-verify'] : [];
const skipCheckParam: string[] = skipChecks.length ? ['--skip-check', skipChecks.join(',')] : [];
const skipCheckParam: string[] = skipChecks
Owner

@XargsUK XargsUK Apr 16, 2025


This logic seems to always append the default skip (BC_LIC*) to the user’s skip list, and doesn't allow for an empty skip list.

? ['--skip-check', [...skipChecks, ...skipChecksDefault].join(',')]
: (pipRunParams.length === 0 ? ['--skip-check', skipChecksDefault.join(',')] : []);
// If the user has set specific skip-check in the extension configuration, they will override the config file (checkov does not support both).
// If the user has not set skip-check in the extension configuration but has a checkov config file, the config file skip-check will be evaluated.
// If the user has not set neither specific skip checks nor config file, the skipChecksDefault will be applied to prevent breaking changes.
const externalChecksParams: string[] = externalChecksDir && checkovInstallationMethod !== 'docker' ? ['--external-checks-dir', externalChecksDir] : [];
const frameworkParams: string[] = frameworks ? ['--framework', frameworks.join(' ')] : [];
const skipFrameworkParams: string[] = skipFrameworks ? ['--skip-framework', skipFrameworks.join(' ')] : [];
const workingDir = vscode.workspace.rootPath;
getGitRepoName(logger, vscode.window.activeTextEditor?.document.fileName).then((repoName) => {
const repoIdParams = repoName ? ['--repo-id', repoName] : ['--repo-id', 'vscode/default'];
const checkovArguments: string[] = [...dockerRunParams, ...certificateParams, ...bcIdParam, ...noCertVerifyParam, '-s',
...repoIdParams, ...filePathParams, ...skipCheckParam, '-o', 'json', ...pipRunParams, ...externalChecksParams, ...frameworkParams, ...skipFrameworkParams];
...repoIdParams, ...filePathParams, '-o', 'json', ...pipRunParams, ...externalChecksParams, ...frameworkParams, ...skipFrameworkParams, ...skipCheckParam];
logger.info('Running checkov:');
logger.info(`${checkovPath} ${checkovArguments.join(' ')}`);

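Review bot: the fallback branch uses `pipRunParams.length === 0` as the test for "no config file", but the comment block states the intent in terms of the checkov config file, and `configPath` is already a parameter of this function; test `configPath` directly so the default `BC_LIC*` skip does not silently appear or disappear when `pipRunParams` changes for unrelated reasons. As the owner comment above notes, the first branch always appends `skipChecksDefault` to the user's list, so a user cannot opt out of the `BC_LIC*` skip through the setting; if the default is meant to be overridable, pass `skipChecks` alone there. Moving `--skip-check` to the end of `checkovArguments` (after `...pipRunParams`) is not explained; a short comment, or a unit test over the assembled `checkovArguments`, would keep it from being reordered back. Finally, the three comment lines describing the expression sit below it; move them above the `const` and fix "has not set neither" to "has set neither".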
12 changes: 12 additions & 0 deletions src/configuration.ts
Expand Up @@ -36,6 +36,12 @@ export const getSkipFrameworks = (): string[] | undefined => {
return skipFrameworks ? skipFrameworks.split(' ').map(entry => entry.trim()) : undefined;
};

export const getSkipChecks = (): string[] | undefined => {
const configuration: vscode.WorkspaceConfiguration = vscode.workspace.getConfiguration('checkov-prismaless');
const skipChecks = configuration.get<string>('skipChecks');
return skipChecks ? skipChecks.split(' ').map(entry => entry.trim()) : undefined;
};

export const getFrameworks = (): string[] | undefined => {
const configuration: vscode.WorkspaceConfiguration = vscode.workspace.getConfiguration('checkov-prismaless');
const frameworks = configuration.get<string>('frameworks');
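Review bot: `getSkipChecks` splits on a single space, but the package.json description for `skipChecks` in this PR says the value is comma-separated, and the runner joins the entries with ','. With the input `CKV_AWS_1, CKV_AWS_2` this yields the entries `CKV_AWS_1,` and `CKV_AWS_2`, which join to `CKV_AWS_1,,CKV_AWS_2`. Suggest accepting both separators and dropping empties, e.g. `skipChecks.split(/[\s,]+/).map(entry => entry.trim()).filter(Boolean)`, and returning `undefined` when the result is empty so an all-whitespace setting does not produce `--skip-check` with an empty value.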
Expand Down Expand Up @@ -96,6 +102,12 @@ export const shouldDisableErrorMessage = (): boolean => {
return disableErrorMessageFlag;
};

export const shouldClearCacheUponConfigUpdate = (): boolean => {
const configuration: vscode.WorkspaceConfiguration = vscode.workspace.getConfiguration('checkov-prismaless');
const clearCacheUponConfigUpdateFlag = configuration.get<boolean>('clearCacheUponConfigUpdate', true);
return clearCacheUponConfigUpdateFlag;
};

export const getExternalChecksDir = (): string | undefined => {
const configuration: vscode.WorkspaceConfiguration = vscode.workspace.getConfiguration('checkov-prismaless');
const externalChecksDir = configuration.get<string>('externalChecksDir');