ci: ignore kics-scan checks for test resources

6dfec854 · Ryan Kowalewski · 495295db · 6dfec854 · 6dfec854 · 6dfec854
Commit 6dfec854 authored 1 year ago by Ryan Kowalewski
--- a/docker-compose.yml
+++ b/docker-compose.yml
+# This docker-compose file is only used for running integration tests and generating docs. As such we're making some
+# allowances with regards to ignoring kics-scan checks.
+# kics-scan ignore
+
 name: gcp-cloud-run-app-testing

 services:
@@ -11,9 +15,13 @@ services:
    volumes:
      - .:/workdir:rw
      - ~/.config/gcloud/application_default_credentials.json:/root/.config/gcloud/application_default_credentials.json:ro
+    cap_drop:
+      - "ALL"
  terraform-docs:
    image: quay.io/terraform-docs/terraform-docs:0.17.0
    entrypoint: ["."]
    working_dir: /workdir
    volumes:
      - .:/workdir:rw
+    cap_drop:
+      - "ALL"
--- a/static_egress_ip.tf
+++ b/static_egress_ip.tf
@@ -3,6 +3,7 @@
 # https://cloud.google.com/run/docs/configuring/static-outbound-ip

 # trivy:ignore:AVD-GCP-0029
+# kics-scan disable=40430747-442d-450a-a34f-dc57149f4609
 resource "google_compute_subnetwork" "vpc_connector" {
  count = local.create_vpc_connector ? 1 : 0


--- a/tests/setup/main.tf
+++ b/tests/setup/main.tf
+# These are test resources which are destroyed after each test run. Therefore, we are disabling kics-scan on the whole
+# file.
+# kics-scan ignore
+
 resource "random_id" "name" {
  byte_length = 2
  # "rapp" represents Cloud Run App and is required to ensure any resources created by this repo's tests are easily