
feat(general): Add the protect-check option that forces specific checks to always run #7565

Open: deese wants to merge 2 commits into bridgecrewio:main from deese:feat/protected_checks

deese commented Jun 3, 2026

By submitting this pull request, I confirm that my contribution is made under the terms of the Apache 2.0 license.

Description

Add a new --protect-check option that forces specific checks to always run, even if they have been skipped via --skip-check, the YAML config file (skip-check:), or inline code comments (#checkov:skip=). This is useful in enforcement scenarios where certain security checks must never be suppressed by developers.

The option is available via:

  • CLI flag: --protect-check CKV_AWS_1,CKV_AWS_2
  • YAML config file: protect-check: [CKV_AWS_1, CKV_AWS_2]
  • Environment variable: CKV_PROTECT_CHECK

Checklist:

  • I have performed a self-review of my own code
  • I have commented my code, particularly in hard-to-understand areas
  • I have made corresponding changes to the documentation
  • I have added tests that prove my feature, policy, or fix is effective and works
  • New and existing tests pass locally with my changes
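
A model of the precedence the description proposes, useful for auditing which suppressions a protect list would override. This is an added example, not code from this pull request or from Checkov. The function names, the constructed sample file, and the comma-separated format assumed for CKV_PROTECT_CHECK are assumptions.

```python
import re

# Inline suppression comment, e.g. "#checkov:skip=CKV_AWS_1:reason text"
INLINE_SKIP = re.compile(r"#\s*checkov:skip=([A-Za-z0-9_]+)")

# Constructed sample input, not taken from the pull request.
SAMPLE_TF = '''
resource "aws_s3_bucket" "logs" {
  #checkov:skip=CKV_AWS_18:reason text
  #checkov:skip=CKV_AWS_1:temporary exception
  bucket = "example-logs"
}
'''

def parse_ids(value):
    """Turn a comma-separated string (CLI/env style) or a list (YAML style) into a set of IDs."""
    if not value:
        return set()
    items = value.split(",") if isinstance(value, str) else value
    return {i.strip() for i in items if i and i.strip()}

def resolve(source_text, cli_skip="", yaml_skip=(), cli_protect="", yaml_protect=(), env=None):
    """Return (effective_skips, overridden).

    overridden maps each protected check ID to the suppression sources
    that tried to skip it, so the attempts can be reported.
    """
    env = env or {}
    # Assumption: the environment variable holds a comma-separated list.
    protected = (parse_ids(cli_protect) | parse_ids(yaml_protect)
                 | parse_ids(env.get("CKV_PROTECT_CHECK")))
    requested = {
        "cli --skip-check": parse_ids(cli_skip),
        "yaml skip-check": parse_ids(yaml_skip),
        "inline comment": set(INLINE_SKIP.findall(source_text)),
    }
    effective, overridden = set(), {}
    for source, ids in requested.items():
        for check_id in ids:
            if check_id in protected:
                # A protected check always runs, whichever source skipped it.
                overridden.setdefault(check_id, []).append(source)
            else:
                effective.add(check_id)
    return effective, overridden
```

Logging the `overridden` map in CI shows who attempted to suppress an enforced check and through which mechanism.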
