From b7f17a6d2e00fdda8c5cdfea23a86f87c05e26cc Mon Sep 17 00:00:00 2001
From: Nic Cheneweth <nchenewe@thoughtworks.com>
Date: Tue, 19 Mar 2024 21:07:41 -0500
Subject: [PATCH] [nc] re-test checkov scan

Signed-off-by: Nic Cheneweth <nchenewe@thoughtworks.com>
---
 .checkov.yaml | 25 +++++++++++++++++++++++++
 1 file changed, 25 insertions(+)
 create mode 100644 .checkov.yaml

diff --git a/.checkov.yaml b/.checkov.yaml
new file mode 100644
index 0000000..88a93aa
--- /dev/null
+++ b/.checkov.yaml
@@ -0,0 +1,25 @@
+directory:
+  - .
+branch: main
+download-external-modules: true
+evaluate-variables: true
+external-modules-download-path: .external_modules
+framework:
+- all
+mask: []
+secrets-scan-file-type: []
+summary-position: top
+skip-check:
+  - CKV2_AWS_14  # only machine accounts are being created by the pipeline
+  - CKV2_AWS_21
+  - CKV2_AWS_22
+  - CKV_AWS_273
+  - CKV_AWS_288  # policy statement is long, but necessary
+  - CKV_AWS_286  # creation and storage of machine account credentials is the necessary function of this repo
+  - CKV_AWS_287
+  - CKV_AWS_289
+  - CKV_AWS_61   # by design, the machine accounts can assume all roles
+  - CKV_AWS_290
+  - CKV_AWS_355  # appropriate use for Tag*
+  - CKV_AWS_40   # machine accounts do not receive policies, added to a group that has assume role permissions
+  - CKV_CIRCLECIPIPELINES_2  # this check is apparently unable to recognize that I did pin the image tag