silence checkov

Dockerfile

@@ -1,5 +1,6 @@
 #checkov:skip=CKV_DOCKER_2: no need for health check
 #checkov:skip=CKV_DOCKER_3: no need for special user
+#checkov:skip=CKV_DOCKER_7: I prefer the latest, like it, or not ;)
 FROM quay.io/almalinuxorg/8-init:latest
 ENV container docker
 

tasks/backups.yml

@@ -1,5 +1,4 @@
 ---
-#checkov:skip=CKV2_ANSIBLE_3: Block is only used for the when condition and the tags
 - name: Create backup directories
   ansible.builtin.file:
     path: "{{ item }}"
@@ -113,6 +112,7 @@
     - pdns
     - wg_vpn
 - name: Restore backups
+  #checkov:skip=CKV2_ANSIBLE_3: Block is only used for the when condition and the tags
   tags: restore
   when: mariadb_backup_path is defined or ldap_backup_path is defined or opendkim_backup_path is defined or opendmarc_backup_path is defined or vsftpd_backup_path is defined or ssl_backup_path is defined or kolab_backup_path is defined or imap_backup_path is defined or postfix_backup_path is defined or pdns_backup_path is defined or wg_vpn_backup_path is defined
   block:

tasks/convert_user_to_ldif.yml

@@ -1,11 +1,11 @@
 ---
-#checkov:skip=CKV2_ANSIBLE_3: Block is used for the when condition only
 - name: Select passwd line
   ansible.builtin.command: 'grep "^{{ user_data_item.name }}:" /var/tmp/passwd.mig'
   register: passwd_mig_content
   changed_when: passwd_mig_content.rc == 0
   failed_when: (passwd_mig_content.rc != 0) and (passwd_mig_content.stderr | length > 0)
 - name: "Migrate already existing user {{ user_data_item.name }}"
+  #checkov:skip=CKV2_ANSIBLE_3: Block is used for the when condition only
   when: passwd_mig_content.changed
   block:
     - name: Set passwd line

tasks/httpd.yml

@@ -1,5 +1,4 @@
 ---
-#checkov:skip=CKV2_ANSIBLE_3: Block is used for the when condition only
 - name: Open firewall
   tags:
     - dyndns
@@ -14,6 +13,7 @@
     - http
     - https
 - name: Set up SELinux rules
+  #checkov:skip=CKV2_ANSIBLE_3: Block is used for the when condition only
   when: getenforce.stdout != 'Disabled'
   block:
     - name: Set SELinux booleans

tasks/imapsync.yml

@@ -1,6 +1,6 @@
 ---
-#checkov:skip=CKV2_ANSIBLE_3: Block is only used for the when condition and the tags
 - name: Sync old IMAP account to the current mailbox
+  #checkov:skip=CKV2_ANSIBLE_3: Block is only used for the when condition and the tags
   no_log: yes
   when: current_user.old_imap_mail is defined
   tags: imapsync

tasks/kolab.yml

@@ -1,5 +1,4 @@
 ---
-#checkov:skip=CKV2_ANSIBLE_3: Block is used for the tag only
 - name: Setup kolab
   tags: users
   # noqa yaml[line-length]
@@ -433,6 +432,7 @@
     state: restarted
 
 - name: Enable domains
+  #checkov:skip=CKV2_ANSIBLE_3: Block is used for the tag only
   tags: ldap
   block:
     # The editing domains in the Kolab API is not documented at the tome of this writing, so I go plain LDAP here

tasks/os.yml

@@ -1,5 +1,4 @@
 ---
-#checkov:skip=CKV2_ANSIBLE_3: Block is only used for the when condition
 - name: Check SELinux status
   ansible.builtin.command: getenforce
   changed_when: getenforce.rc == 0
@@ -26,6 +25,7 @@
 
 - name: Enable IPv6
   when: ansible_default_ipv6.address is not defined
+  #checkov:skip=CKV2_ANSIBLE_3: Block is only used for the when condition
   block:
     - name: Enable IPv6 via sysctl
       ansible.posix.sysctl:

tasks/packages.yml

@@ -1,6 +1,4 @@
 ---
-#checkov:skip=CKV2_ANSIBLE_2: HTTPS comes from a loop variable
-#checkov:skip=CKV2_ANSIBLE_4: The Remi repo doesn't provide GPG keys
 - name: Install EL repositories
   tags:
     - always
@@ -36,6 +34,7 @@
     backup: yes
     create: yes
 - name: Set up Remi repository
+  #checkov:skip=CKV2_ANSIBLE_4: The Remi repo doesn't provide GPG keys
   ansible.builtin.dnf:
     name: "https://rpms.remirepo.net/enterprise/remi-release-{{ ansible_distribution_major_version }}.rpm"
     disable_gpg_check: yes
@@ -484,6 +483,7 @@
 #     remote_src: yes
 #     backup: yes
 - name: Download as-is executables
+  #checkov:skip=CKV2_ANSIBLE_2: HTTPS comes from a loop variable
   tags: imapsync
   ansible.builtin.get_url:
     url: "{{ item.url }}"

tasks/postfix.yml

@@ -1,5 +1,4 @@
 ---
-#checkov:skip=CKV2_ANSIBLE_3: Block is used for the when condition only
 - name: Add vmail group
   ansible.builtin.group:
     name: vmail
@@ -185,6 +184,7 @@
     backup: yes
   notify: Restart postfix
 - name: Set up HELO access whitelist
+  #checkov:skip=CKV2_ANSIBLE_3: Block is used for the when condition only
   when: helo_access is defined
   block:
     - name: Create HELO access whitelist

tasks/poweradmin.yml

@@ -1,6 +1,6 @@
 ---
-#checkov:skip=CKV2_ANSIBLE_3: Block is used for the when condition only
 - name: Get latest PowerAdmin version
+  #checkov:skip=CKV2_ANSIBLE_3: Block is used for the when condition only
   tags:
     - dyndns
     - poweradmin

tasks/read_wireguard_config.yml

@@ -1,10 +1,10 @@
 ---
-#checkov:skip=CKV2_ANSIBLE_3: Block is only used for the when condition
 - name: Check if WireGuard config exists
   ansible.builtin.stat:
     path: "{{ wg_config_file }}"
   register: wg_config_file_info
 - name: Read existing WireGuard config into variable
+  #checkov:skip=CKV2_ANSIBLE_3: Block is only used for the when condition
   when: wg_config_file_info.stat.exists
   block:
     - name: Read WireGuard config file

tasks/webdav.yml

@@ -1,5 +1,4 @@
 ---
-#checkov:skip=CKV2_ANSIBLE_3: Block is only used for the when condition and the tags
 - name: Render WebDav web config templates
   tags:
     - dyndns
@@ -81,6 +80,7 @@
     state: mounted
     fstype: fuse.bindfs
 - name: Set up SELinux rules for WebDAV
+  #checkov:skip=CKV2_ANSIBLE_3: Block is only used for the when condition and the tags
   tags: wireguard
   when: getenforce.stdout != 'Disabled'
   block: