
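# Checkov Configuration File
# Place this file as .checkov.yaml in your project root (or pass it with
# --config-file). Keys are the CLI long options without the leading "--".
---
# Framework selection
framework:
  - terraform
  - kubernetes
  - dockerfile
  - helm

# Checks to skip globally.
# NOTE(review): these skips apply to every path scanned with this file,
# production included. Prefer an inline "checkov:skip=<ID>:<reason>" comment
# on the specific resource, or a per-environment config file, so each
# exception stays scoped, justified and easy to audit.
# NOTE(review): the inline descriptions below do not obviously match the IDs
# in Checkov's policy index (CKV_AWS_17, for instance, appears there as an RDS
# public-accessibility check, not backup retention) — verify each ID against
# the index before relying on these labels.
skip-check:
  # Development environment exceptions
  - CKV_AWS_17  # RDS backup retention (dev envs)
  - CKV_AWS_8   # CloudWatch log encryption (cost optimization)
  # Low severity informational checks
  - CKV_AWS_50  # Lambda tracing
  - CKV_K8S_35  # Prefer secrets as files

# Paths to exclude from scanning.
# skip-path entries are regular expressions matched against the path (see the
# --skip-path help text), not shell globs: "**/..." is not a valid regex, so
# such entries never match and are most likely dropped silently rather than
# reported. Word boundaries are not implicit ("test/" also matches
# "contest/"); the leading "/" below anchors on a directory boundary.
# Recent Checkov versions already skip hidden directories (e.g. .git) and
# node_modules by default; they are listed here only for explicitness.
# NOTE(review): excluding test/ and examples/ means IaC that is often copied
# verbatim into real environments is never scanned; consider keeping
# examples/ in scope.
skip-path:
  - .terraform/
  - .terragrunt-cache/
  - node_modules/
  - vendor/
  - '/\.git/'
  - '/test/'
  - '/examples/'

# Severity-based exit-code configuration.
# NOTE(review): check severities come from the Prisma Cloud / Bridgecrew
# platform; without bc-api-key configured, checks carry no severity and these
# lists will not gate the exit code the way the names suggest — verify the
# behaviour with a deliberate failing resource before relying on it in CI.
soft-fail-on:
  - LOW
  - MEDIUM
hard-fail-on:
  - CRITICAL
  - HIGH

# Compact output mode (omits the offending code block from CLI output)
compact: true
# Quiet mode (only show failures)
quiet: false

# Download external Terraform modules.
# NOTE(review): this fetches module source over the network at scan time
# (registry / git), so the CI job needs outbound access and scans whatever the
# module reference resolves to. Pin module versions and treat the download
# like any other dependency fetch; set to false for offline or hermetic runs.
download-external-modules: true

# Output configuration (one report per format)
output:
  - cli
  - json
  - sarif
# Directory the json/sarif reports are written to
output-file-path: ./checkov-reports

# Repository identification (used when results are uploaded to the platform).
# Checkov documents repo-id as "<repo_owner>/<repo_name>"; adjust accordingly.
repo-id: my-infrastructure
branch: main

# External checks directory.
# NOTE(review): custom checks are code that Checkov loads and executes at scan
# time. Keep this directory under source control with code ownership and
# review changes to it with the same rigour as the scanner configuration.
external-checks-dir:
  - ./custom_checks

# Baseline file for drift detection (only findings new since the baseline fail)
# baseline: .checkov.baseline

# Enable secrets scanning: add "secrets" to the framework list above rather
# than declaring a second "framework" key, which would silently replace the
# first one (last duplicate key wins in most YAML parsers).
# framework:
#   - secrets

# Prisma Cloud/Bridgecrew integration (optional).
# Keep the API key out of this file: Checkov reads BC_API_KEY from the
# environment, or pass --bc-api-key in the CI step. A "${...}" placeholder is
# most likely not expanded by the config-file parser and would be sent as-is.
# bc-api-key: ${PRISMA_API_KEY}
# prisma-api-url: https://api.prismacloud.io

# Omit resources that have no failing checks from the report
# skip-resources-without-violations: true

# Restrict the run to specific checks (everything else is skipped).
# NOTE(review): --check takes check IDs (e.g. CKV_AWS_123) or severities;
# confirm benchmark names such as these are accepted by your version.
# check:
#   - CIS_AWS
#   - CIS_AZURE
#   - CIS_KUBERNETES

# Disable specific frameworks
# skip-framework:
#   - ansible
#   - github_actions

# Platform policy metadata filter (requires bc-api-key; see the
# --policy-metadata-filter help text for the exact key=value form)
# policy-metadata-filter:
#   severity: HIGH,CRITICAL
#   category: IAM,ENCRYPTION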