From 31673ea837c58586dde26e179c1755b5580aaf24 Mon Sep 17 00:00:00 2001
From: Chris Farhood <chris@farhood.org>
Date: Sun, 8 Feb 2026 11:15:59 -0500
Subject: [PATCH] chore: add Checkov exemptions for ZNC root container

---
 .checkov.yaml | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/.checkov.yaml b/.checkov.yaml
index 1c02b14..71b37f6 100644
--- a/.checkov.yaml
+++ b/.checkov.yaml
@@ -9,3 +9,5 @@ skip-check:
   - CKV_K8S_14  # Image tag should be fixed (same as above)
   - CKV_K8S_22  # Read-only filesystem (IRC apps need to write to volumes)
   - CKV_K8S_40  # Containers should run as high UID (ZNC LinuxServer container needs flexibility)
+  - CKV_K8S_23  # Minimize admission of root containers (ZNC requires root for s6-overlay init)
+  - CKV_K8S_20  # Containers should not run with allowPrivilegeEscalation (ZNC needs init flexibility)