From df9b83a8a1dc5fc112660c1860be85fa476cec54 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Claudio=20Andr=C3=A9?=
Date: Mon, 18 Nov 2024 18:46:04 -0300
Subject: [PATCH] ci: enable the checkov linter (#630)
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Signed-off-by: Claudio André
---
 .github/actions/spelling/expect.txt | 3 ++-
 .github/workflows/approve-it.yml | 1 +
 .github/workflows/linter.yml | 1 -
 .github/workflows/merge-it.yml | 1 +
 cloud-tool/ec2.tf | 2 ++
 5 files changed, 6 insertions(+), 2 deletions(-)

diff --git a/.github/actions/spelling/expect.txt b/.github/actions/spelling/expect.txt
index 3f609e90..fb9f6619 100644
--- a/.github/actions/spelling/expect.txt
+++ b/.github/actions/spelling/expect.txt
@@ -36,10 +36,11 @@ buildsystem
 CCO
 CFLAGS
 cflite
-CHECKOV
+checkov
 cidr
 circleci
 cirruslabs
+CKV
 claudio
 claudioandre
 clinfo
diff --git a/.github/workflows/approve-it.yml b/.github/workflows/approve-it.yml
index 7b1f7669..f1acef87 100644
--- a/.github/workflows/approve-it.yml
+++ b/.github/workflows/approve-it.yml
@@ -25,6 +25,7 @@ name: Approve it
 "on":
 workflow_dispatch:
+ #checkov:skip=CKV_GHA_7:This is automation, not a real build
 inputs:
 pullRequestNumber:
 description: Pull request number
diff --git a/.github/workflows/linter.yml b/.github/workflows/linter.yml
index 9e0ab93f..e583bee9 100644
--- a/.github/workflows/linter.yml
+++ b/.github/workflows/linter.yml
@@ -62,7 +62,6 @@ jobs:
 ENABLE_COMMITLINT_STRICT_MODE: true
 ENFORCE_COMMITLINT_CONFIGURATION_CHECK: true
 VALIDATE_ALL_CODEBASE: false
-VALIDATE_CHECKOV: false
 VALIDATE_GIT_COMMITLINT: true
 DEFAULT_BRANCH: "main"
 GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
diff --git a/.github/workflows/merge-it.yml b/.github/workflows/merge-it.yml
index 64f15a70..c28cd21b 100644
--- a/.github/workflows/merge-it.yml
+++ b/.github/workflows/merge-it.yml
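Review bot: The reason on the added `#checkov:skip=CKV_GHA_7` line says the workflow is not a build, but it does not record what keeps the user-supplied `pullRequestNumber` input from reaching anything sensitive, which is the concern the check encodes, so the suppression will not help the next reader judge whether it is still valid. A reason that states the constraint is more useful, e.g. `#checkov:skip=CKV_GHA_7:Manual automation workflow; pullRequestNumber only selects the PR to act on and is not used in a build step` — adjust to what the workflow actually does with the input, which is outside the hunk. The identical line and reason are added in merge-it.yml and the same applies there. It is also worth confirming against the checkov documentation that an inline skip placed under `workflow_dispatch:` is where checkov looks for GitHub Actions suppressions, since a misplaced comment suppresses nothing and the newly enabled lint would then fail on these two files.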
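Review bot: Dropping `VALIDATE_CHECKOV: false` turns checkov on while `VALIDATE_ALL_CODEBASE: false` two lines above stays in place, so only files touched by a given PR are scanned and any existing findings in Terraform or workflow files that this commit did not edit remain invisible until someone next changes them. The skip comments added elsewhere in this commit cover the files that were evidently run against checkov, but nothing here shows the rest of the tree was. A one-off run with `VALIDATE_ALL_CODEBASE: true` (or a scheduled full-scan job) would establish a clean baseline, and a short comment next to the env block, e.g. `# checkov is enabled; VALIDATE_ALL_CODEBASE=false means only changed files are scanned per PR`, would make the coverage explicit. The enclosing `jobs:` mapping starts and ends outside the hunk.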
@@ -25,6 +25,7 @@ name: Merge it
 "on":
 workflow_dispatch:
+ #checkov:skip=CKV_GHA_7:This is automation, not a real build
 inputs:
 pullRequestNumber:
 description: Pull request number
diff --git a/cloud-tool/ec2.tf b/cloud-tool/ec2.tf
index 4257b3a9..5abdaca8 100644
--- a/cloud-tool/ec2.tf
+++ b/cloud-tool/ec2.tf
@@ -37,6 +37,8 @@ data "aws_ami" "ubuntu" {
 }
 resource "aws_instance" "worker" {
+ #checkov:skip=CKV2_AWS_41:IAM role is NOT attached to EC2 instance. Keep simple
+ #checkov:skip=CKV_AWS_135:EC2 EBS is NOT optimized. Keep simple and CHEAP
 ami = data.aws_ami.ubuntu.id
 vpc_security_group_ids = [aws_security_group.jtrcrackers-sg.id]
 key_name = aws_key_pair.deployer.key_name
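Review bot: The two added skip reasons restate the finding (`IAM role is NOT attached`, `EBS is NOT optimized`) rather than why the finding is acceptable here, which is what a suppression comment should record. For CKV2_AWS_41 the risk being accepted is that the worker has no instance profile, which is only fine if nothing on the instance needs AWS API access and therefore nobody is tempted to provision static credentials onto it; a reason such as `#checkov:skip=CKV2_AWS_41:Worker needs no AWS API access, so no instance profile; never place static AWS keys on it` captures that (confirm against the provisioning scripts, which are outside the hunk). CKV_AWS_135 is a cost/performance check, so `Keep simple and CHEAP` is an adequate reason as written. The remainder of the `aws_instance.worker` block, including any `metadata_options` or root block device settings, lies outside the hunk.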