
feat(scan): Enable/disable queries for specific Terraform blocks/lines #8015

@ChrisArmstrongUK

Description


Is your feature request related to a problem? Please describe.
We use Kics to scan Terraform modules. Kics flags a finding which we would like to ignore only for specific resources. The finding may be something we would still like flagged with other resources.

We can't use kics-scan disable=<query-id>. This will ignore the finding for all resources in the file.
We can't use kics-scan ignore-block. This will ignore all queries since it ignores the block. We may want to pick up other queries.
We can't use kics-scan ignore-line. Again, this will ignore all queries since it ignores the line. Again, we may want to pick up other queries.

We would like to ignore specific findings for specific blocks and lines.

Describe the solution you'd like
New commands such as:
kics-scan block-enable=<query-id>,<query-id>
kics-scan block-disable=<query-id>,<query-id>
kics-scan line-enable=<query-id>,<query-id>
kics-scan line-disable=<query-id>,<query-id>

Describe alternatives you've considered
Moving resources into their own file and disabling queries with kics-scan disable=<query-id>.
However this is not ideal for module structure etc. We do not want Kics to force us to separate out resources into other files as it may prevent easy module readability etc.

Additional context
We have these Terraform resources in a larger file...

data "aws_iam_policy_document" "this" {
    version = "2012-10-17"
    statement {
        sid = "Allow all Org Principals to add objects to buckets"

        # The nested block is named "principals" (not "principles")
        principals {
            type = "AWS"
            identifiers = ["*"]
        }

        actions = ["s3:GetObject"]

        resources = [var.bucket_name]

        # Restricts the wildcard principal to members of our AWS Organization
        condition {
            test = "StringEquals"
            variable = "aws:PrincipalOrgID"   # condition key is aws:PrincipalOrgID
            values = [var.aws_org_id]         # "values" takes a list (assumes var.aws_org_id is a single org ID string)
        }
    }
}

# Resource type is aws_s3_bucket_policy
resource "aws_s3_bucket_policy" "this" {
    bucket = aws_s3_bucket.waf.id
    policy = data.aws_iam_policy_document.this.json
}

Which Kics will flag with the finding S3 Bucket Allows Get Action From All Principals on the line policy = data.aws_iam_policy_document.this.json

We're happy to allow all principals to get objects from this bucket as we've confined it to only our AWS org with a condition in the bucket policy. So we would like to ignore this finding, but only for this one resource.
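To make the scope difference behind this request concrete, the following Python model (an added example, not KICS code) shows how a file-wide kics-scan disable=<query-id> comment and a block-wide kics-scan ignore-block comment suppress findings, alongside the proposed per-block block-disable=<query-id> directive. It assumes directives sit on the line directly above a block, finds block boundaries by brace counting, and uses placeholder query IDs and a constructed Terraform snippet.

```python
import re
from dataclasses import dataclass

# Constructed Terraform excerpt modelled on the issue's example; the
# "block-disable" comment is the hypothetical directive the issue proposes.
TF = """\
resource "aws_s3_bucket" "waf" {
  bucket = "example-bucket"
}

# kics-scan block-disable=QUERY_A
resource "aws_s3_bucket_policy" "this" {
  bucket = aws_s3_bucket.waf.id
  policy = data.aws_iam_policy_document.this.json
}
"""

@dataclass(frozen=True)
class Finding:
    query_id: str
    line: int  # 1-based line number where the scanner reported the finding

def block_ranges(src):
    """Return (start, end) 1-based line ranges of top-level blocks via brace depth."""
    ranges, depth, start = [], 0, None
    for n, text in enumerate(src.splitlines(), 1):
        if depth == 0 and "{" in text:
            start = n
        depth += text.count("{") - text.count("}")
        if start is not None and depth == 0:
            ranges.append((start, n))
            start = None
    return ranges

def suppressed(src, finding):
    """True if the finding is silenced by a directive. Models today's file-wide
    'disable=<ids>' and 'ignore-block', plus the proposed 'block-disable=<ids>'
    (hypothetical semantics, not KICS's real implementation)."""
    lines = src.splitlines()
    # File-wide: disable=<ids> anywhere silences those queries for the whole file
    for text in lines:
        m = re.search(r"kics-scan disable=([\w,-]+)", text)
        if m and finding.query_id in m.group(1).split(","):
            return True
    for start, end in block_ranges(src):
        if not (start <= finding.line <= end):
            continue
        above = lines[start - 2] if start >= 2 else ""  # comment line above the block
        if "kics-scan ignore-block" in above:
            return True  # silences every query for this block
        m = re.search(r"kics-scan block-disable=([\w,-]+)", above)
        if m and finding.query_id in m.group(1).split(","):
            return True  # silences only the listed queries, only in this block
    return False
```

With this model, QUERY_A reported inside the bucket policy block is suppressed while QUERY_B in the same block and QUERY_A in the other block are still reported, which is the per-resource behaviour the request asks for.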
