When you download a shiny, new developer tool to check your code, it can be overwhelming to see the long list of errors identified. Sometimes you are satisfied with the current state and only want to fail builds for new misconfigurations introduced with code changes. Adding skips for each resource is not the answer.
That’s where Checkov’s new baseline feature comes into play. If you give Checkov a baseline, it ignores every misconfiguration recorded in the baseline scan in all future scans. This is especially useful when you want to block pipeline builds only for newly introduced misconfigurations, and, combined with our secrets scanning feature, when you want to ignore secrets you don’t care about, such as example secrets or false positives.
How to set your baseline
Let’s use the AWS directory of TerraGoat, our vulnerable-by-design Terraform repository, as an example. To create a baseline file, start with the --create-baseline flag:
checkov -d terraform/aws/ --create-baseline
You’ll see the normal list of misconfigurations Checkov identified with a new line at the bottom:
Created a checkov baseline file at /path/terragoat/terraform/aws/.checkov.baseline
That’s our new baseline file. It lists, per file, each resource together with the Checkov policies that resource failed.
Now if I run Checkov with the --baseline flag, it gives a clean-slate output:
checkov -d terraform/aws/ --baseline terraform/aws/.checkov.baseline
Whenever a new misconfiguration is introduced, Checkov will flag that issue, but ignore all the ones discovered in the baseline run. Try this out for yourself with Checkov and join the discussion in our CodifiedSecurity Slack!
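To make the baseline rule concrete, here is an added Python example (not Checkov’s own code) of the comparison the feature performs: flatten the baseline into (file, resource, check) keys and report only findings outside that set. The baseline’s file/resource/check_ids layout and the JSON output’s failed_checks entries are assumed here, since the post does not show either file, and both sample documents are constructed.

```python
import json

# Constructed sample of a Checkov baseline file. The file/resource/check_ids layout
# is assumed here; the post itself does not show the file's contents.
BASELINE_JSON = """{"failed_checks": [
  {"file": "/s3.tf", "findings": [
    {"resource": "aws_s3_bucket.data", "check_ids": ["CKV_AWS_18", "CKV_AWS_21"]}]}]}"""

# Constructed sample of a later scan, in the shape of the failed_checks entries of
# Checkov's JSON output (also an assumption). Two findings are new relative to the baseline.
NEW_SCAN_JSON = """{"results": {"failed_checks": [
  {"check_id": "CKV_AWS_18", "file_path": "/s3.tf", "resource": "aws_s3_bucket.data"},
  {"check_id": "CKV_AWS_21", "file_path": "/s3.tf", "resource": "aws_s3_bucket.data"},
  {"check_id": "CKV_AWS_145", "file_path": "/s3.tf", "resource": "aws_s3_bucket.data"},
  {"check_id": "CKV_AWS_23", "file_path": "/sg.tf", "resource": "aws_security_group.web"}]}}"""


def baseline_keys(baseline):
    """Flatten a baseline document into a set of (file, resource, check_id) triples."""
    keys = set()
    for entry in baseline["failed_checks"]:
        for finding in entry["findings"]:
            for check_id in finding["check_ids"]:
                keys.add((entry["file"], finding["resource"], check_id))
    return keys


def new_findings(baseline_text, scan_text):
    """Return (file, resource, check_id) for each failed check not covered by the baseline."""
    known = baseline_keys(json.loads(baseline_text))
    fresh = []
    for f in json.loads(scan_text)["results"]["failed_checks"]:
        key = (f["file_path"], f["resource"], f["check_id"])
        if key not in known:
            fresh.append(key)
    return fresh


def build_should_fail(baseline_text, scan_text):
    """Pipeline gate: fail only when findings outside the baseline exist."""
    return len(new_findings(baseline_text, scan_text)) > 0


if __name__ == "__main__":
    for file_path, resource, check_id in new_findings(BASELINE_JSON, NEW_SCAN_JSON):
        print(f"NEW: {check_id} on {resource} in {file_path}")
    raise SystemExit(1 if build_should_fail(BASELINE_JSON, NEW_SCAN_JSON) else 0)
```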