Open
Description
Is your feature request related to a problem? Please describe.
It would be handy to be able to disable specific queries for a specific block of code using a comment.
For example, if I have multiple `azurerm_key_vault_secret` resources defined in a file, but I'd like one of them to not expire, I'd want to disable query `dfa20ffa-f476-428f-a490-424b41e91c7f` (Secret Expiration Not Set) for that specific resource, but still have the query apply to all other resources in that file.
Describe the solution you'd like
Support for a `disable-block` command comment that behaves like a combination of `ignore-block` and `disable`. E.g.:
```hcl
# kics-scan disable-block=dfa20ffa-f476-428f-a490-424b41e91c7f
# specified query is disabled for this block only
resource "azurerm_key_vault_secret" "secret_without_expiry" {
  key_vault_id = azurerm_key_vault.key_vault.id
  name         = "secret-that-doesnt-expire"
  value        = var.secret_value
}

# query dfa20ffa-f476-428f-a490-424b41e91c7f still applies here
resource "azurerm_key_vault_secret" "secret_with_expiry" {
  key_vault_id    = azurerm_key_vault.key_vault.id
  name            = "secret-that-expires"
  value           = var.secret_value
  expiration_date = "2023-08-14T00:00:00Z"
}
```
Describe alternatives you've considered
- Adding `# kics-scan ignore-block` to the affected resource
  - This would disable all queries for the block, when most of them should ideally still be enabled
- Adding `# kics-scan disable=dfa20ffa-f476-428f-a490-424b41e91c7f` to the top of the file
  - This would disable the query for all resources in the file, when it should only be disabled for 1 resource
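The scoping requested above, sketched as an added example (not KICS code and not part of the original issue): a finding is suppressed only when it falls inside the block that follows a `disable-block` comment naming its query. The function name `Suppressed`, the brace-counting block detection and the shortened sample are assumptions made for illustration.

```go
package main

import "strings"

const directive = "# kics-scan disable-block=" // proposed syntax from the issue, hypothetical

// Constructed sample, shortened from the issue's Terraform example.
const sample = `# kics-scan disable-block=dfa20ffa-f476-428f-a490-424b41e91c7f
# specified query is disabled for this block only
resource "azurerm_key_vault_secret" "secret_without_expiry" {
  name = "secret-that-doesnt-expire"
}
resource "azurerm_key_vault_secret" "secret_with_expiry" {
  name = "secret-that-expires"
}`

// Suppressed reports whether a finding for query at the 1-based line lies in
// a block preceded by a disable-block comment naming that query.
// Brace counting is naive: braces inside strings or heredocs are not handled.
func Suppressed(src, query string, line int) bool {
	pending, depth, start := "", 0, 0
	for i, raw := range strings.Split(src, "\n") {
		text := strings.TrimSpace(raw)
		if depth == 0 && strings.HasPrefix(text, directive) {
			pending = strings.TrimSpace(strings.TrimPrefix(text, directive))
			continue
		}
		if text == "" || strings.HasPrefix(text, "#") {
			continue // other comments and blank lines keep the directive pending
		}
		if depth == 0 {
			start = i + 1 // first line of a new top-level block
		}
		depth += strings.Count(text, "{") - strings.Count(text, "}")
		if depth == 0 { // block closed: the directive's scope ends here
			if pending == query && start <= line && line <= i+1 {
				return true
			}
			pending = ""
		}
	}
	return false
}

func main() {
	const q = "dfa20ffa-f476-428f-a490-424b41e91c7f"
	println(Suppressed(sample, q, 3), Suppressed(sample, q, 6)) // first block, second block
}
```

Because the directive is cleared as soon as the next block closes, the same query still reports on every later resource in the file, and every other query still reports on the annotated block.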