feat(gha): make checkov config part of megalinter

ruzickap · Jan 28, 2024 · 7e8b212 · 7e8b212
1 parent 0ff46ce
commit 7e8b212
Show file tree

Hide file tree

Showing 6 changed files with 14 additions and 10 deletions.
diff --git a/.checkov.yml b/.checkov.yml
diff --git a/.dockerignore b/.dockerignore
@@ -1,5 +1,6 @@
 .git
 .github
+demo
 images
 tests
 .*.yaml

diff --git a/.github/workflows/renovate.yml b/.github/workflows/renovate.yml
@@ -53,6 +53,6 @@ jobs:
           private-key: "${{ secrets.MY_RENOVATE_GITHUB_PRIVATE_KEY }}"
 
       - name: 💡 Self-hosted Renovate
-        uses: renovatebot/github-action@bf21d623a81a349d57109049960248ab12c62431 # v40.0.0
+        uses: renovatebot/github-action@42c1d3cb1d1ca891765626ba71cdff5e757258de # v40.0.2
         with:
           token: "${{ steps.app-token.outputs.token }}"
diff --git a/.mega-linter.yml b/.mega-linter.yml
@@ -25,6 +25,16 @@ PRINT_ALPACA: false
 # Disable creating report directory
 REPORT_OUTPUT_FOLDER: none
 
+# Issue: https://github.com/bridgecrewio/checkov/issues/3839
+# The build output cannot be affected by user parameters other than the build entry point and the top-level source location. GitHub Actions workflow_dispatch inputs MUST be empty
+REPOSITORY_CHECKOV_ARGUMENTS: --skip-check CKV_GHA_7
+
+# Do not leave debug code in production, Insecure URL
+REPOSITORY_DEVSKIM_ARGUMENTS: --ignore-globs CHANGELOG.md --ignore-rule-ids DS162092,DS137138
+
+# Communication Over HTTP
+REPOSITORY_KICS_ARGUMENTS: --exclude-queries 2e8d4922-8362-4606-8c14-aa10466a1ce3
+
 TERRAFORM_TFLINT_UNSECURED_ENV_VARIABLES:
   - GITHUB_TOKEN
 

diff --git a/entrypoint.sh b/entrypoint.sh
@@ -44,7 +44,7 @@ print_info() {
 cleanup() {
   if [ -n "${PAGES_PATH}" ]; then
     # Ignore DevSkim - Accessing localhost could indicate debug code, or could hinder scaling.
-    $sudo_cmd bash -c "sed -i \"/127.0.0.1 ${PAGES_DOMAIN}  # Created by my-broken-link-checker/d\" /etc/hosts || true" # DevSkim: ignore DS162092
+    $sudo_cmd bash -c "sed -i \"/127.0.0.1 ${PAGES_DOMAIN}  # Created by my-broken-link-checker/d\" /etc/hosts || true"
     $sudo_cmd caddy stop &> /dev/null
     [ -f "${CADDYFILE}" ] && rm "${CADDYFILE}"
     [ -f "${CADDY_LOG}" ] && rm "${CADDY_LOG}"
@@ -115,7 +115,7 @@ else
 
   # Add domain into /etc/hosts
   if ! grep -q "${PAGES_DOMAIN}" /etc/hosts; then
-    $sudo_cmd bash -c "echo \"127.0.0.1 ${PAGES_DOMAIN}  # Created by my-broken-link-checker\" >> /etc/hosts" # DevSkim: ignore DS162092
+    $sudo_cmd bash -c "echo \"127.0.0.1 ${PAGES_DOMAIN}  # Created by my-broken-link-checker\" >> /etc/hosts"
   fi
 
   {

diff --git a/lychee.toml b/lychee.toml
@@ -37,6 +37,3 @@ exclude_path = [
 # Equivalent to setting `exclude_private`, `exclude_link_local`, and
 # `exclude_loopback` to true
 exclude_all_private = true
-
-# Exclude all mail addresses from checking
-exclude_mail = true
-Original file line number
+Diff line change
@@ -1,5 +1,6 @@
     .git
     .github
+    demo
     images
     tests
     .*.yaml
@@ Expand Down @@