move checkov config to a common place

suhancz · suhancz · commit 70ffce2c96bd · 2024-05-16T03:05:55.000+02:00
diff --git a/.github/linters/.checkov.yaml b/.github/linters/.checkov.yaml
@@ -0,0 +1,4 @@
+skip-check:
+  - CKV2_ANSIBLE_2 # HTTPS comes from a loop variable
+  - CKV2_ANSIBLE_3 # Block is used at many places only for the when condition and the tags
+  - CKV2_ANSIBLE_4 # The Remi repo doesn't provide GPG keys
diff --git a/Dockerfile b/Dockerfile
@@ -7,6 +7,7 @@ ENV container docker
 
 WORKDIR /
 
+# hadolint ignore=SC2154
 RUN "(cd /lib/systemd/system/sysinit.target.wants/; for i in ; do [ $i == systemd-tmpfiles-setup.service ] || rm -f $i; done);"
 
 RUN rm -rf /lib/systemd/system/multi-user.target.wants/ \
diff --git a/tasks/backups.yml b/tasks/backups.yml
@@ -112,7 +112,6 @@
     - pdns
     - wg_vpn
 - name: Restore backups
-  # checkov:skip=CKV2_ANSIBLE_3: Block is only used for the when condition and the tags
   tags: restore
   when: mariadb_backup_path is defined or ldap_backup_path is defined or opendkim_backup_path is defined or opendmarc_backup_path is defined or vsftpd_backup_path is defined or ssl_backup_path is defined or kolab_backup_path is defined or imap_backup_path is defined or postfix_backup_path is defined or pdns_backup_path is defined or wg_vpn_backup_path is defined
   block:
diff --git a/tasks/convert_user_to_ldif.yml b/tasks/convert_user_to_ldif.yml
@@ -5,7 +5,6 @@
   changed_when: passwd_mig_content.rc == 0
   failed_when: (passwd_mig_content.rc != 0) and (passwd_mig_content.stderr | length > 0)
 - name: "Migrate already existing user {{ user_data_item.name }}"
-  # checkov:skip=CKV2_ANSIBLE_3: Block is used for the when condition only
   when: passwd_mig_content.changed
   block:
     - name: Set passwd line
diff --git a/tasks/httpd.yml b/tasks/httpd.yml
@@ -13,7 +13,6 @@
     - http
     - https
 - name: Set up SELinux rules
-  # checkov:skip=CKV2_ANSIBLE_3: Block is used for the when condition only
   when: getenforce.stdout != 'Disabled'
   block:
     - name: Set SELinux booleans
diff --git a/tasks/imapsync.yml b/tasks/imapsync.yml
@@ -1,6 +1,5 @@
 ---
 - name: Sync old IMAP account to the current mailbox
-  # checkov:skip=CKV2_ANSIBLE_3: Block is only used for the when condition and the tags
   no_log: yes
   when: current_user.old_imap_mail is defined
   tags: imapsync
diff --git a/tasks/kolab.yml b/tasks/kolab.yml
@@ -432,7 +432,6 @@
     state: restarted
 
 - name: Enable domains
-  # checkov:skip=CKV2_ANSIBLE_3: Block is used for the tag only
   tags: ldap
   block:
     # The editing domains in the Kolab API is not documented at the tome of this writing, so I go plain LDAP here
diff --git a/tasks/os.yml b/tasks/os.yml
@@ -25,7 +25,6 @@
 
 - name: Enable IPv6
   when: ansible_default_ipv6.address is not defined
-  # checkov:skip=CKV2_ANSIBLE_3: Block is only used for the when condition
   block:
     - name: Enable IPv6 via sysctl
       ansible.posix.sysctl:
diff --git a/tasks/packages.yml b/tasks/packages.yml
@@ -34,7 +34,6 @@
     backup: yes
     create: yes
 - name: Set up Remi repository
-  # checkov:skip=CKV2_ANSIBLE_4: The Remi repo doesn't provide GPG keys
   ansible.builtin.dnf:
     name: "https://rpms.remirepo.net/enterprise/remi-release-{{ ansible_distribution_major_version }}.rpm"
     disable_gpg_check: yes
@@ -483,7 +482,6 @@
 #     remote_src: yes
 #     backup: yes
 - name: Download as-is executables
-  # checkov:skip=CKV2_ANSIBLE_2: HTTPS comes from a loop variable
   tags: imapsync
   ansible.builtin.get_url:
     url: "{{ item.url }}"
diff --git a/tasks/postfix.yml b/tasks/postfix.yml
@@ -184,7 +184,6 @@
     backup: yes
   notify: Restart postfix
 - name: Set up HELO access whitelist
-  # checkov:skip=CKV2_ANSIBLE_3: Block is used for the when condition only
   when: helo_access is defined
   block:
     - name: Create HELO access whitelist
diff --git a/tasks/poweradmin.yml b/tasks/poweradmin.yml
@@ -1,6 +1,5 @@
 ---
 - name: Get latest PowerAdmin version
-  # checkov:skip=CKV2_ANSIBLE_3: Block is used for the when condition only
   tags:
     - dyndns
     - poweradmin
diff --git a/tasks/read_wireguard_config.yml b/tasks/read_wireguard_config.yml
@@ -4,7 +4,6 @@
     path: "{{ wg_config_file }}"
   register: wg_config_file_info
 - name: Read existing WireGuard config into variable
-  # checkov:skip=CKV2_ANSIBLE_3: Block is only used for the when condition
   when: wg_config_file_info.stat.exists
   block:
     - name: Read WireGuard config file
diff --git a/tasks/webdav.yml b/tasks/webdav.yml
@@ -80,7 +80,6 @@
     state: mounted
     fstype: fuse.bindfs
 - name: Set up SELinux rules for WebDAV
-  # checkov:skip=CKV2_ANSIBLE_3: Block is only used for the when condition and the tags
   tags: wireguard
   when: getenforce.stdout != 'Disabled'
   block:
