From 6dfec854359f7b5684bad68a5b18ac57bb57c75b Mon Sep 17 00:00:00 2001
From: Ryan Kowalewski <rk725@cam.ac.uk>
Date: Mon, 26 Feb 2024 12:33:39 +0000
Subject: [PATCH] ci: ignore kics-scan checks for test resources

---
 docker-compose.yml  | 8 ++++++++
 static_egress_ip.tf | 1 +
 tests/setup/main.tf | 4 ++++
 3 files changed, 13 insertions(+)

diff --git a/docker-compose.yml b/docker-compose.yml
index 8aed5c3..8c2784b 100644
--- a/docker-compose.yml
+++ b/docker-compose.yml
@@ -1,3 +1,7 @@
+# This docker-compose file is only used for running integration tests and generating docs. As such we're making some
+# allowances with regards to ignoring kics-scan checks.
+# kics-scan ignore
+
 name: gcp-cloud-run-app-testing
 
 services:
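Review bot: The file-level `# kics-scan ignore` added at the top of docker-compose.yml waives every current and future KICS finding for the whole file, not just the ones the test setup needs, so a later change to the bind mounts (for example the `application_default_credentials.json` mount or the read-write `.:/workdir` mount in the next hunk) would go unreported. The same blanket ignore is added to tests/setup/main.tf in the last hunk of this patch. Prefer the targeted form already used in static_egress_ip.tf, one `# kics-scan disable=<RULE-ID>` per finding, and extend the header comment to name the rules being waived and why, e.g. `# kics-scan disable=<RULE-ID-PLACEHOLDER>  # test-only container; ADC file is mounted read-only`. If a whole-file ignore is kept, the comment should at least state that new findings in this file will not surface in CI.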
@@ -11,9 +15,13 @@ services:
     volumes:
       - .:/workdir:rw
       - ~/.config/gcloud/application_default_credentials.json:/root/.config/gcloud/application_default_credentials.json:ro
+    cap_drop:
+      - "ALL"
   terraform-docs:
     image: quay.io/terraform-docs/terraform-docs:0.17.0
     entrypoint: ["."]
     working_dir: /workdir
     volumes:
       - .:/workdir:rw
+    cap_drop:
+      - "ALL"
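Review bot: `cap_drop: ALL` is added to both services, but the service whose `volumes:` open this hunk is defined above the hunk (its name, image and `user:` are not visible here), and its mount target under `/root/.config/gcloud/` suggests it runs as root, so dropping capabilities changes what the process may do but not who it runs as. Consider pairing the change on both services with `security_opt:` / `- "no-new-privileges:true"` and, where the images permit, a non-root `user:`. Because the first hunk adds a file-wide `# kics-scan ignore`, the scanner will no longer verify these settings; a one-line comment such as `# deliberate hardening for the test containers, not scanner appeasement` above each `cap_drop` would tell the next reader they are intentional.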
diff --git a/static_egress_ip.tf b/static_egress_ip.tf
index fc6cf77..a150db5 100644
--- a/static_egress_ip.tf
+++ b/static_egress_ip.tf
@@ -3,6 +3,7 @@
 # https://cloud.google.com/run/docs/configuring/static-outbound-ip
 
 # trivy:ignore:AVD-GCP-0029
+# kics-scan disable=40430747-442d-450a-a34f-dc57149f4609
 resource "google_compute_subnetwork" "vpc_connector" {
   count = local.create_vpc_connector ? 1 : 0
 
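Review bot: The new `# kics-scan disable=40430747-442d-450a-a34f-dc57149f4609` line on the `google_compute_subnetwork` resource gives no indication of which finding is being waived or why, and unlike the other two files this resource is module code that ends up in consumers' deployments rather than a test resource, so the commit's "test resources" rationale does not cover it. Record the rule's title and the justification next to the id, e.g. `# kics-scan disable=40430747-442d-450a-a34f-dc57149f4609 -- <finding title>: <why it is acceptable for the VPC connector subnet>`, mirroring the `trivy:ignore` line above it so both waivers can be re-evaluated when the rule or the resource changes. The `google_compute_subnetwork` block continues beyond this hunk.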
diff --git a/tests/setup/main.tf b/tests/setup/main.tf
index c20b8a0..11a5bc8 100644
--- a/tests/setup/main.tf
+++ b/tests/setup/main.tf
@@ -1,3 +1,7 @@
+# These are test resources which are destroyed after each test run. Therefore, we are disabling kics-scan on the whole
+# file.
+# kics-scan ignore
+
 resource "random_id" "name" {
   byte_length = 2
   # "rapp" represents Cloud Run App and is required to ensure any resources created by this repo's tests are easily
-- 
GitLab