Prioritize new misconfigurations with Checkov’s baseline feature

When you download a shiny, new developer tool to check your code, it can be overwhelming to see the long list of errors identified. Sometimes you are satisfied with the current state and only want to fail builds for new misconfigurations introduced with code changes. Adding skips for each resource is not the answer.

That’s where Checkov’s new baseline feature comes into play. If you add a baseline to Checkov it will ignore all existing misconfigurations from the baseline scan in all future scans. This is especially useful when you want to block builds in pipelines for new misconfigurations and with our secrets scanning feature to ignore secrets you don’t care about, such as example secrets or false positives.

[Figure: flow chart of a baseline build, showing the success and fail paths]

How to set your baseline

Let’s use the AWS directory of TerraGoat, our vulnerable by design Terraform repository, as an example. To create a baseline file, start with the --create-baseline flag:

checkov -d terraform/aws/ --create-baseline

You’ll see the normal list of misconfigurations Checkov identified with a new line at the bottom:

Created a checkov baseline file at /path/terragoat/terraform/aws/.checkov.baseline

That’s our new baseline file. It lists every resource, grouped by file, along with the Checkov policies that resource failed.

[Screenshot: Checkov output listing the failed checks]

Now if I run Checkov with the --baseline flag, it will give a clean-slate output.

checkov -d terraform/aws/ --baseline terraform/aws/.checkov.baseline

[Screenshot: Checkov output after applying the baseline]

Now if we introduce a new misconfiguration, say an open RDP port (3389), that will be the only misconfiguration that is identified.

checkov -d terraform/aws/ --baseline terraform/aws/.checkov.baseline

[Screenshot: Checkov output showing the passed checks and the single new failure]

Whenever a new misconfiguration is introduced, Checkov will flag that issue, but ignore all the ones discovered in the baseline run. Try this out for yourself with Checkov and join the discussion in our CodifiedSecurity Slack!
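To make the filtering rule concrete, here is an added example (not Checkov's own code) that models how a baseline suppresses findings and what a CI gate built on it would return. The baseline layout (file, then resource, then check IDs), the file paths and the check IDs are assumed sample values that mirror the description above, not Checkov's exact file format.

```python
import json

# Constructed baseline, in the shape this example assumes --create-baseline
# produces: per file, each resource and the check IDs it failed.
BASELINE_JSON = """
{
  "failed_checks": [
    {"file": "/terraform/aws/ec2.tf",
     "findings": [{"resource": "aws_security_group.web_host_sg",
                   "check_ids": ["CKV_AWS_23", "CKV_AWS_24"]}]}
  ]
}
"""


def load_baseline(text):
    """Return the set of (file, resource, check_id) triples to ignore."""
    ignored = set()
    for entry in json.loads(text)["failed_checks"]:
        for finding in entry["findings"]:
            for check_id in finding["check_ids"]:
                ignored.add((entry["file"], finding["resource"], check_id))
    return ignored


def new_failures(scan_results, baseline):
    """Keep only failures whose (file, resource, check) is not baselined.
    A new check on an already-baselined resource is still reported."""
    return [r for r in scan_results
            if (r["file"], r["resource"], r["check_id"]) not in baseline]


def gate(scan_results, baseline_text):
    """CI gate: returns (new failures, exit code); nonzero only for new issues."""
    fresh = new_failures(scan_results, load_baseline(baseline_text))
    return fresh, (1 if fresh else 0)


# Constructed results of a later scan: the two baselined failures plus a
# new rule opening RDP (port 3389) on the same security group.
SG = "aws_security_group.web_host_sg"
SCAN = [
    {"file": "/terraform/aws/ec2.tf", "resource": SG, "check_id": "CKV_AWS_23"},
    {"file": "/terraform/aws/ec2.tf", "resource": SG, "check_id": "CKV_AWS_24"},
    {"file": "/terraform/aws/ec2.tf", "resource": SG, "check_id": "CKV_AWS_25"},
]

if __name__ == "__main__":
    fresh, code = gate(SCAN, BASELINE_JSON)
    for f in fresh:
        print(f"NEW: {f['check_id']} on {f['resource']} in {f['file']}")
    raise SystemExit(code)
```

Only the RDP finding survives the filter, so the build fails for that change alone; rerunning the gate with the baselined findings only returns exit code 0.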