chore(deps): update pre-commit hook bridgecrewio/checkov to v3
This MR contains the following updates:
| Package | Type | Update | Change |
|---|---|---|---|
| bridgecrewio/checkov | repository | major |
2.3.358 -> 3.2.179
|
Note: The pre-commit manager in Renovate is not supported by the pre-commit maintainers or community. Please do not report any problems there, instead create a Discussion in the Renovate repository if you have any questions.
Release Notes
bridgecrewio/checkov (bridgecrewio/checkov)
v3.2.179
Feature
- arm: add CKV_AZURE_206 to ensure that Storage Accounts use replication - #6524
- arm: BCE-33785 Support Azure Synapse Analytics policies - #6513
v3.2.178
v3.2.177
Bug Fix
- sast: fix cdk policies - #6552
v3.2.176
v3.2.175
Feature
- arm: AzureSearchSQLQueryUpdates - #6543
v3.2.174
Feature
- arm: add CKV_AZURE_172 to ensure autorotation of Secrets Store CSI Driver secrets for AKS clusters - #6533
- arm: add CKV_AZURE_173 to ensure that API management uses at least TLS 1.2 - #6478
- arm: AppServicePlanZoneRedundant - #6472
- arm: AzureSearchSLAIndex - #6530
- arm: SQLDatabaseZoneRedundant - #6515
- azure: add new policies for Azure Synapse - #6520
- general: update detect secrets package - #6535
v3.2.173
v3.2.172
v3.2.171
Feature
- arm: add CKV_AZURE_171 to ensure that AKS cluster upgrade channel is chosen - #6532
- arm: add CKV_AZURE_175 to ensure that Web PubSub uses a SKU with an SLA - #6523
- arm: add CKV_AZURE_178 to ensure that linux VM enables SSH with keys for secure communication - #6486
- arm: add CKV_AZURE_85 to ensure that Azure Defender is set to On for Kubernetes - #6279
- arm: CKV_AZURE_99 to Ensure Cosmos DB accounts have restricted access - #6498
- arm: DataFactoryNoPublicNetworkAccess - #6479
- arm: DataLakeStoreEncryption - #6516
- arm: EventHubNamespaceMinTLS12 - #6485
Bug Fix
- openapi: [CKV_OPENAPI_3] Prevent false-positive when checking for http+!basic - #6406
- terraform_json: support locals block in CDKTF output - #6452
- terraform: Deprecate CKV2_AWS_67 - #6529
v3.2.170
v3.2.169
v3.2.168
v3.2.167
v3.2.166
v3.2.165
v3.2.164
Documentation
- general: Add Python note - #6521
v3.2.163
Feature
- arm: add CKV_AZURE_174 to ensure that API management public access is disabled - #6480
- arm: AppServicePHPVersion - #6436
- arm: AppServicePublicAccessDisabled - #6467
- arm: KeyVaultEnablesPurgeProtection - #6465
- arm: PubsubSpecifyIdentity - #6483
v3.2.162
v3.2.161
v3.2.160
v3.2.159
Bug Fix
-
arm: fix CKV_AZURE_78:
siteConfigobject should be underproperties- #6477 - general: Mypy issues - #6510
- terraform: ignore comment out modules - #6507
v3.2.158
v3.2.157
v3.2.156
Feature
- arm: add CKV_AZURE_129 Ensure that MariaDB server enables geo-redundant backups - #6427
- arm: add CKV_AZURE_137 Ensure ACR admin account is disabled - #6430
- arm: add CKV_AZURE_139 Ensure ACR set to disable public networking - #6428
- arm: add CKV_AZURE_166 Ensure container image quarantine, scan, and mark images verified - #6431
- arm: add CKV_AZURE_168 to ensure that Azure Kubernetes Cluster (AKS) nodes should use a minimum number of 50 pods - #6385
- arm: add CKV_AZURE_45 to ensure that no sensitive credentials are exposed in VM custom_data - #6422
- arm: add CKV_AZURE_70 to ensure that Function apps is only accessible over HTTPS - #6457
- arm: ARM AppServiceSlotDebugDisabled - CKV_AZURE_155 - #6453
- arm: ARM AppServiceSlotHTTPSOnly - #6454
- arm: ARM VnetLocalDNS - #6424
- arm: PostgressSQLGeoBackupEnabled - #6456
- arm: StorageAccountName - #6426
- secrets: dont filter secrets - #6508
Bug Fix
- azure: fix description of CKV_AZURE_236 - #6503
- kubernetes: Fix CKV_K8S_31 for CronJobs - #6506
- sca: fix parsing json with comments - #6509
- terraform: CKV_AWS_339 add Kubernetes 1.30 to AWS EKS version checks - #6353
- terraform: remove print from CKV_AWS_364 - #6504
v3.2.155
v3.2.154
v3.2.153
v3.2.152
v3.2.151
v3.2.150
v3.2.149
v3.2.148
v3.2.147
v3.2.146
v3.2.145
Documentation
- general: Note for feature requests - #6497
v3.2.144
Bug Fix
- kubernetes: ensure seccompProfile is set to RuntimeDefault for all containers in deployments and similar resources - #6459
- terraform: Add more conditions for CKV_AWS_70 - #6464
v3.2.143
v3.2.142
v3.2.141
Bug Fix
- secrets: dedup secrets history values - #6462
v3.2.140
Feature
- azure: fix ckv_azure_189 according to docs - #6413
Bug Fix
- sca: Support parsing json with comments - #6466
Documentation
- general: fix pre-commit link - #6433
v3.2.139
v3.2.138
Feature
- graph: support creation of resource type allow/deny lists - #6451
Bug Fix
- terraform: Fix name of CKV2_AWS_67 to be more clear - #6434
- terraform: Fix when apt is in rm statement - #6437
- terraform: Update CKV_AWS_224 title - #6435
v3.2.137
v3.2.136
Bug Fix
- arm: Correct AzureMLWorkspacePrivateEndpoint rule check logic - #6432
- general: removed references Putin references - #6445
v3.2.135
v3.2.134
v3.2.133
Feature
- general: add AI_AND_ML to CheckCategories - #6423
Bug Fix
- sast: Update CKV IDs for CDK policies - #6415
v3.2.132
v3.2.131
v3.2.130
Feature
- arm: add CKV_AZURE_135 to ensure Application Gateway WAF prevents message lookup in Log4j2. - #6364
- arm: add CKV_AZURE_140 to ensure that Local Authentication is disabled on CosmosDB - #6329
- arm: add CKV_AZURE_163 Enable vulnerability scanning for container images - #6339
- arm: add MariaDbPublicAccessDisabled convert policy to arm - #6246
- arm: AKSLocalAdminDisabled - #6334
- arm: AppServiceFTPSState - #6363
- arm: AzureServiceFabricClusterProtectionLevel - #6366
- arm: ensure ACR disables anonymous pulling of images (CKV_AZURE_138) - #6373
- arm: KeyVaultDisablesPublicNetworkAccess - #6342
- arm: PostgreSQLServerPublicAccessDisabled - #6330
- terraform: extract image referencers for AWS SageMaker - #6408
Bug Fix
- ansible: add dict check in create_tasks_vertices - #6417
v3.2.129
v3.2.128
Feature
- azure: drop support for dotnet v7.0 - #6383
- general: Image Referencer should not run for CI workflow files - #6386
- secrets: Add _prioritise_secrets by 3 levels of severity - #6390
- terraform: add 5 policies - #6401
- terraform: add 6 policies - #6396
- terraform: add fix for ckv_aws_300 - #6404
- terraform: add fix for not contains solver - #6389
Bug Fix
- ansible: filter conf if its int or float - #6409
- general: add try except gihub_action read file - #6411
- general: bitbucket integration test failure - #6407
- general: CKV2_AZURE_50 generates false positive azurerm_storage_account violations - #6391
- sast: add log for sast on windows - #6397
v3.2.127
v3.2.126
v3.2.125
Feature
- arm: Add check for AzureML workspace not configured with private endpoint - #6387
v3.2.124
Feature
- azure: Add policy to ensure proper AzureML Workspace network access - #6362
- azure: Ensure Azure Storage Account storing Machine Learning workspace high business impact data is not publicly accessible - #6368
v3.2.123
v3.2.122
Feature
- arm: AppServicePythonVersion - 82 check the 'python version' is the latest, if used to run the web app - #6282
v3.2.121
Feature
- terraform: AWS SageMaker notebook instance KMS Key - #6374
- terraform: CognitiveServicesConfigureIdentity - new check - #6378
- terraform: Ensure that Cognitive Services accounts enable local authentication - new check - #6377
v3.2.120
v3.2.119
Feature
- arm: add FunctionAppsEnableAuthentication - Checking if a certain field exists - #6250
- terraform: Add more conditions to CKV_AWS_70 - #6371
- terraform: Added the CKV2_AWS_68 Check for TF and CFN - #6369
Bug Fix
- ansible: set task as ansible vertices config - #6376
- terraform: for_each/count attribute wasn't rendering if referencing a dynamic variable of a higher level module - #6372
v3.2.118
v3.2.117
v3.2.116
v3.2.115
v3.2.114
v3.2.113
v3.2.112
Feature
- terraform: Add provider address to resources - #6266
- terraform: Support for count & for_each in data blocks - #6359
Bug Fix
- terraform: Fix an issue for loading tfvars + issue in the dynamic rendering - #6360
v3.2.111
v3.2.110
v3.2.109
v3.2.108
Bug Fix
- sast: don't scan hidden files - #6349
v3.2.107
Bug Fix
- terraform: Handle registry modules with a version in CKF_TF_2 - #6354
v3.2.106
Feature
- arm: Ensure Databricks Workspace data plane to control plane co… - #6319
- general: TF and ARM - Ensure that Databricks Workspaces enable… - #6313
- secrets: Bump detect-secrets - #6346
v3.2.105
Feature
- arm: add AppServiceJavaVersion - #6258
- arm: add CKV_AZURE_145 to check that the function app uses the latest version of TLS encryption - #6323
- arm: add CKV_AZURE_218 to ensure that Application Gateway defines secure protocols for in transit communicationApp gw defines secure protocols - #6320
- arm: add CKV_AZURE_54 to ensure Enforce a minimal Tls version for the server - #6270
- arm: add CKV_AZURE_71 to Ensure that Managed identity provider is enabled for web apps - #6272
- arm: add CKV_AZURE_72 to ensure that remote debugging is not enabled for app services - #6281
- arm: AzureDefenderOStorage - #6269
- arm: MySQLPublicAccessDisabled-Azure MySQL: Restrict Public Access - #6263
- arm: StorageSyncPublicAccessDisabled - #6331
- secrets: eliminate false positives in entropy keyword combinator detector - #6327
Bug Fix
v3.2.104
v3.2.103
v3.2.102
v3.2.101
v3.2.100
Feature
v3.2.99
v3.2.98
Bug Fix
- terraform: Remove invalid CIDRs in CKV2_AWS_44 - #6301
v3.2.97
Feature
- arm: add CKV_AZURE_73 to ensure that Automation account variables are encrypted - #6271
- arm: add CKV_AZURE_76 to ensure that Azure Batch account uses key vault to encrypt data - #6280
- arm: add FunctionAppDisallowCORS - password correctness check - #6248
- arm: ARM FunctionAppHttpVersionLatest policy - #6244
- arm: CKV_AZURE_74 to Ensure that Azure Data Explorer (Kusto) uses disk encryption - #6273
- arm: MSSQLServerMinTLSVersion - #6245
v3.2.96
v3.2.95
Bug Fix
- terraform: handle module source tag ref when it is not the first parameter - #6314
v3.2.94
Bug Fix
- sast: fix random test sast js - #6315
Platform
- general: Double-Encode URI for RelayState Parameter - #6302
v3.2.93
v3.2.92
Feature
Bug Fix
- secrets: secret_filter_block_list filter by file name and suffixes - #6285
- secrets: secret_filter_block_list filter by file name and suffixes 2 - #6306
Platform
- general: Fix policy.name to use the spaces as specified on CLI. - #6296
v3.2.91
Feature
- secrets: bump bc-detect-secrets to 1.5.10 - #6297
v3.2.90
Feature
Bug Fix
- ansible: fix ansible definitions raw type - #6292
Platform
- ansible: add set definitions raw to ansible runner - #6286
- general: Handle SAST suppressions (suppressions V2) - #6109
Documentation
- general: add RENDER_EDGES_DUPLICATE_ITER_COUNT to docs - #6291
- general: Update README links for PyPi - #6231
v3.2.89
v3.2.88
v3.2.87
v3.2.86
v3.2.85
Platform
- ansible: add missing arg to ansible runner - #6276
v3.2.84
Feature
- sast: Enable cdk ts integraion test - #6158
Bug Fix
v3.2.83
v3.2.82
Feature
- github: add summary message in github_failed_only output - #6131
- sast: add ts checks to python pack - #6261
- sast: run all cdk integration test - #6256
Bug Fix
- general: fix changed serif path - #6251
v3.2.81
v3.2.80
v3.2.79
Feature
- sast: Add 10 TS CDK - #6194
- sast: add typescript - DONT MERGE - #6193
- sast: Filter js files generate by ts - #6220
- secrets: bump bc-detect-secrets 1.5.9 - #6205
- terraform: Add GCP policy - #6177
- terraform: Add resource attributes to jsonify - #6203
- terraform: Ensure dedicated data endpoints are enabled - #6188
- terraform: support provider in tf_plan graph - #6195
- terraform: Update CloudArmorWAFACLCVE202144228.py - #6217
Bug Fix
- general: add print to random test - #6229
- general: fix integration test in build - #6227
- general: fix integration tests - #6207
- kubernetes: Update checkov-job.yaml - #5985
- sca: remove old test for the depracated workflow github-action - #6232
- terraform_plan: Edges not created because of indexing in resource["address"] when resources in modules use count - #6145
- terraform: CKV_AWS_23 rule description fixed for clarity - #5993
- terraform: Fix CKV_AWS_358 to handle plan files - #6202
Platform
- ansible: add create_definitions function for ansible framework - #6225
Documentation
v3.2.78
v3.2.77
v3.2.76
v3.2.75
v3.2.74
Feature
- general: Update range includes to handle lists of ranges and lists of values - #6192
v3.2.73
Feature
- sast: TypeScript cdk policies p7 - #6186
v3.2.72
Feature
- bicep: Add bicep version of policy - #6191
v3.2.71
Feature
- sca: support licenses custom policies enforcement rules - #6173
v3.2.70
Feature
- sast: Add 5 cdk for TS - #6179
Bug Fix
- sast: fix skipped_checks paths before upload to the platform - #6183
v3.2.69
v3.2.68
Feature
- sast: adding extended code block - #6178
- sca: using the new api license/get-licenses-violations instead of packages/get-licenses-violations (which is deprecated) - #6174
Bug Fix
- sca: Revert "feat(sca): using the new api license/get-licenses-violations … - #6176
v3.2.67
v3.2.66
v3.2.65
Bug Fix
- sast: save suppress_comment for sast inline suppressions - #6171
- secrets: Azure Storage Key detector updates in bc-detect-secrets 1.5.7 - #6168
v3.2.64
v3.2.63
Feature
- sast: CDK TS policies p2 - #6165
v3.2.62
v3.2.61
v3.2.60
Feature
Bug Fix
- terraform: Fix conditional expression evaluation logic with compare - #6160
- terraform: Fixed flaky test for CKV_AWS_356 - #6162
v3.2.59
v3.2.58
v3.2.57
v3.2.56
v3.2.55
Feature
- sast: Adding typescript cdk part 6 paz - #6149
Bug Fix
- sca: enabling suppression in the cli-output for IR-files and dockerfiles - #6148
v3.2.54
v3.2.53
Feature
- terraform: support s3 bucket name for references in graph - #6134
v3.2.52
Feature
- general: Update the releases' zip file names to be generic - #6141
v3.2.51
Feature
- general: add policy metadata filter exception flag - #6132
v3.2.50
Bug Fix
- general: remove limitation of resource and provider in tf.json file - #6133
v3.2.49
Bug Fix
- general: pin the version of schema to <=0.7.5 - #6125
v3.2.48
v3.2.47
Feature
- secrets: bump manually bc-detect-secrets - #6120
- terraform: add fix for when tf_def is a string - #6121
v3.2.46
v3.2.45
Feature
- terraform: fix for_each resource handling - #6119
v3.2.44
Bug Fix
- sca: Fix suppression integration crashing if licenseTypes is missing - #6117
v3.2.43
Bug Fix
- terraform: Fixed bug in evaluate_conditional_expression and added zipmap support - #6106
v3.2.42
Feature
- sast: support sast skipped checks - #6095
Bug Fix
- secrets: ignore secret check in test file - #6105
Platform
- general: handle API errors with more detail - #6107
v3.2.41
v3.2.40
v3.2.39
Feature
- secrets: fix entropy detector FP - #6090
v3.2.38
Bug Fix
- terraform: prevent side effects when updating variable rendering - #6087
v3.2.37
Feature
- terraform: connect module resource to provider - #6083
v3.2.36
Bug Fix
- gha: make sure to have prisma url - #6084
v3.2.35
Feature
- general: add policy name and guidelines to CSV output - #6082
Bug Fix
- sast: add attribute verification - #6078
v3.2.34
Bug Fix
- terraform: Dont duplicate more vertices than needed for nested modules with large count/for each values + used cache to avoid extensive usage of os.path.realpath to drastically improve performance - #6072
v3.2.33
Platform
- general: improve upload failure logging and log size of failed files - #6076
v3.2.32
Bug Fix
- sast: do not log warning when using skip framework - #6066
v3.2.31
Bug Fix
- terraform: better handling of interpolation rendering in conditional expressions - #6062
- terraform: Changed a couple of checks from negative to positive check, behavior is the same - #6063
v3.2.30
v3.2.29
v3.2.28
Bug Fix
- sca: handling unknown severity - #6055
- terraform: Add Condition exceptions CKV_AWS_70 - #6044
- terraform: Add k8s 1.29 to CKV_AWS_339 - #6056
v3.2.27
v3.2.26
Bug Fix
- sast: fetch sast custom policieis - #6040
v3.2.25
Feature
-
terraform: Added support for
tryfunction in evaluate_terraform - #6043
v3.2.24
Feature
- cloudformation: add CFN policies for MSK - #6021
v3.2.23
Bug Fix
- terraform: support vertex reference based on foreach key - #6039
v3.2.22
Bug Fix
- terraform: CKV_AWS_308 - checked if caching was enabled and only then check for encryption of cache - #6034
v3.2.21
Bug Fix
- sast: fix cdk checks path - #6029
v3.2.20
Bug Fix
- graph: remove SCA runner v1 - re-enable - #6024
v3.2.19
Feature
v3.2.18
v3.2.17
Feature
- arm: add CKV_AZURE_206 to ensure that Storage Accounts use replication - #6524
- arm: BCE-33785 Support Azure Synapse Analytics policies - #6513
v3.2.16
Documentation
- general: Add Python note - #6521
v3.2.15
Bug Fix
-
arm: fix CKV_AZURE_78:
siteConfigobject should be underproperties- #6477 - general: Mypy issues - #6510
- terraform: ignore comment out modules - #6507
v3.2.14
Documentation
- general: Note for feature requests - #6497
v3.2.13
Feature
- graph: support creation of resource type allow/deny lists - #6451
Bug Fix
- terraform: Fix name of CKV2_AWS_67 to be more clear - #6434
- terraform: Fix when apt is in rm statement - #6437
- terraform: Update CKV_AWS_224 title - #6435
v3.2.12
Feature
- azure: drop support for dotnet v7.0 - #6383
- general: Image Referencer should not run for CI workflow files - #6386
- secrets: Add _prioritise_secrets by 3 levels of severity - #6390
- terraform: add 5 policies - #6401
- terraform: add 6 policies - #6396
- terraform: add fix for ckv_aws_300 - #6404
- terraform: add fix for not contains solver - #6389
Bug Fix
- ansible: filter conf if its int or float - #6409
- general: add try except gihub_action read file - #6411
- general: bitbucket integration test failure - #6407
- general: CKV2_AZURE_50 generates false positive azurerm_storage_account violations - #6391
- sast: add log for sast on windows - #6397
v3.2.11
Feature
- arm: add FunctionAppsEnableAuthentication - Checking if a certain field exists - #6250
- terraform: Add more conditions to CKV_AWS_70 - #6371
- terraform: Added the CKV2_AWS_68 Check for TF and CFN - #6369
Bug Fix
- ansible: set task as ansible vertices config - #6376
- terraform: for_each/count attribute wasn't rendering if referencing a dynamic variable of a higher level module - #6372
v3.2.10
Bug Fix
- sast: don't scan hidden files - #6349
v3.2.9
Bug Fix
- terraform: Remove invalid CIDRs in CKV2_AWS_44 - #6301
v3.2.8
Platform
- ansible: add missing arg to ansible runner - #6276
v3.2.7
Feature
- sast: Add 10 TS CDK - #6194
- sast: add typescript - DONT MERGE - #6193
- sast: Filter js files generate by ts - #6220
- secrets: bump bc-detect-secrets 1.5.9 - #6205
- terraform: Add GCP policy - #6177
- terraform: Add resource attributes to jsonify - #6203
- terraform: Ensure dedicated data endpoints are enabled - #6188
- terraform: support provider in tf_plan graph - #6195
- terraform: Update CloudArmorWAFACLCVE202144228.py - #6217
Bug Fix
- general: add print to random test - #6229
- general: fix integration test in build - #6227
- general: fix integration tests - #6207
- kubernetes: Update checkov-job.yaml - #5985
- sca: remove old test for the depracated workflow github-action - #6232
- terraform_plan: Edges not created because of indexing in resource["address"] when resources in modules use count - #6145
- terraform: CKV_AWS_23 rule description fixed for clarity - #5993
- terraform: Fix CKV_AWS_358 to handle plan files - #6202
Platform
- ansible: add create_definitions function for ansible framework - #6225
Documentation
v3.2.6
Feature
- sast: adding extended code block - #6178
- sca: using the new api license/get-licenses-violations instead of packages/get-licenses-violations (which is deprecated) - #6174
Bug Fix
- sca: Revert "feat(sca): using the new api license/get-licenses-violations … - #6176
v3.2.5
Feature
- sast: Adding typescript cdk part 6 paz - #6149
Bug Fix
- sca: enabling suppression in the cli-output for IR-files and dockerfiles - #6148
v3.2.4
Bug Fix
- general: pin the version of schema to <=0.7.5 - #6125
v3.2.3
Feature
- secrets: fix entropy detector FP - #6090
v3.2.2
Bug Fix
- sca: handling unknown severity - #6055
- terraform: Add Condition exceptions CKV_AWS_70 - #6044
- terraform: Add k8s 1.29 to CKV_AWS_339 - #6056
v3.2.1
Feature
- arm: add CKV_AZURE_206 to ensure that Storage Accounts use replication - #6524
- arm: BCE-33785 Support Azure Synapse Analytics policies - #6513
v3.2.0
Bug Fix
- terraform: and cdk/cloudformation: inconsistent naming of AWS resources in checks - #5966
Platform
- general: remove igraph - #5781
v3.1.72
v3.1.71
v3.1.70
Bug Fix
- terraform: Manually fixed test for loading terraform registry to be with commit hash instead of version tag - #5971
v3.1.69
Bug Fix
- sast: replaced TBD with owasp and removed "sast engine" - #5959
- terraform: External module test - #5963
v3.1.68
v3.1.67
Feature
- sast: Add policies to executable - #5955
v3.1.66
Bug Fix
- sast: change the path for taint mode match - #5953
- sast: fix report with only reachability - #5951
Platform
- general: Change SAST enforcement rule to weaknesses - #5950
- general: handle weaknesses rename - #5954
v3.1.65
v3.1.64
v3.1.63
Bug Fix
- sast: Fix serialize for sast report with taint mode - #5949
v3.1.62
v3.1.61
Bug Fix
- general: allow colorama version >=0.4.3,<0.5.0 in setup - #5944
v3.1.60
Bug Fix
- sast: fix relative paths in sast cdk reports - #5932
- sast: fix sast cdk code location paths - #5938
- terraform: CKV_GCP_79 Upgrade CloudSQL SQLSERVER major version to 2022 - #5936
- terraform: Improved bad performance pathlib check - #5939
v3.1.59
v3.1.58
v3.1.57
Bug Fix
- general: fix multiprocess abilities - #5887
- general: fixing hidden dependencies & state breaking tests - #5911
- general: Reenabling cdk-integration-tests - #5922
v3.1.56
v3.1.55
Bug Fix
- terraform: Support "pass_prefix_list" for SG ingress rules correctly - #5918
v3.1.54
Bug Fix
- general: temporary disable runtime config - #5921
v3.1.53
Feature
- terraform: node pools should be configured separately from a cl… - #5916
Bug Fix
- terraform: handle no action in aws_dlm_lifecycle_policy - #5905
v3.1.52
v3.1.51
- no noteworthy changes
v3.1.50
Feature
- sast: Add sast metadata to sast report - #5910
- terraform: Add various vertex related policies - #5898
Bug Fix
v3.1.49
v3.1.48
v3.1.47
v3.1.46
Feature
- terraform: CLI output - add indication if repository was discovered In a running environment - #5908
Bug Fix
- sast: add missing field in MatchMetadata - #5907
v3.1.45
v3.1.44
Feature
- sast: add dataflow to checkov report from sast - #5892
v3.1.43
Feature
- terraform: add CKV2_AZURE_47, ensure storage account is configured without blob anonymous access - #5888
- terraform: Ensure SES Configuration Set enforces TLS usage - #5891
Bug Fix
- terraform: pod security policy removed in GKE 1.25 - #5675
v3.1.42
Feature
- sast: Split sast and cdk reports - #5889
Bug Fix
- terraform: Fix CKV_Azure_234 - #5886
v3.1.41
v3.1.40
Feature
- terraform_plan: Add PY graph checks for tf plan - #5875
Bug Fix
- terraform: Remove CKV_AWS_188 as dupe - #5884
v3.1.39
v3.1.38
Feature
- sast: add integration test platform report - #5856
- sast: python Cdk policies batch 3 - #5820
- sast: python Cdk policies batch 4 - #5857
Bug Fix
- sast: add save local sast report to run integration script - #5863
v3.1.37
v3.1.36
v3.1.35
v3.1.34
Feature
- terraform: Used parallel run to run all split_graph iterations - #5840
v3.1.33
Feature
- general: anchor cyclonedx to last non breaking version - #5846
- general: Revert pipfile lock changes - #5848
- sast: add back commented checks - #5851
Bug Fix
- sast: fix reachability with no regular matches - #5847
- sca: not printing reachability data for lines without cves - #5849
v3.1.32
v3.1.31
v3.1.30
v3.1.29
Feature
- terraform: fix for check VPCPeeringRouteTableOverlyPermissive and add tests - #5837
Bug Fix
- sast: fix sast report format - #5811
v3.1.28
v3.1.27
Feature
- secrets: used 10 characters in secret violation - #5835
v3.1.26
Bug Fix
- general: check both path types for suppression - #5834
- terraform: Fix range issue in OCI RDP check - #5832
v3.1.25
v3.1.24
Bug Fix
- sca: Update the log level of specific logs - #5828
- terraform: CKV_GCP_26 Added additional google_compute_subnetwork purposes that do not support flow logs - #5812
- terraform: Fix CKV_GCP_30 for unknown service account - #5818
- terraform: Fixed to_dict of terraform block regarding source_module_object - #5822
v3.1.23
v3.1.22
v3.1.21
Feature
- ansible: add CKV_PAN_17 - Check for src and dst zone any - #5803
- sast: sast enabled from integration - #5780
- terraform: Adding Python based build time policies for corresponding PC runtime policies - #5762
- terraform: Adding YAML based build time policies for corresponding PC runtime policies - #5810
v3.1.20
Platform
- general: handle the updated on prem response from the platform - #5809
v3.1.19
Feature
- sca: Using alias data from assets.json for giving Package Used indication for aliased packages - #5808
v3.1.18
Bug Fix
- terraform: Add source_module_object to blocks from_dict func - #5806
v3.1.17
Feature
- ansible: PAN-OS IPsec checks - #5802
v3.1.16
v3.1.15
Feature
- ansible: add CKV_PAN_16 PAN-OS BPA Check for session log at start - #5794
- sast: Add alias data to imports assets - #5788
Bug Fix
- bicep: Update AppServiceHttps20Enabled to consider newer ApiVersion - #5795
v3.1.14
v3.1.13
v3.1.12
v3.1.11
Bug Fix
- general: Policy metadata API fixes - #5761
v3.1.10
v3.1.9
Bug Fix
- gha: Update GitHub Actions Workflow Schema #5742 - #5759
- terraform_plan: load terraform registry checks when using terraform plan - #5778
- terraform: Ensure HTTPS in Azure Function App and App Slots - #5766
Platform
- general: do not display an auth error when the runconfig endpoint returns a 500 - #5779
v3.1.8
v3.1.7
Bug Fix
- terraform: Manually fixed test for loading terraform registry to be with commit hash instead of version tag - #5971
v3.1.6
Bug Fix
- sast: replaced TBD with owasp and removed "sast engine" - #5959
- terraform: External module test - #5963
v3.1.5
Bug Fix
- general: fix multiprocess abilities - #5887
- general: fixing hidden dependencies & state breaking tests - #5911
- general: Reenabling cdk-integration-tests - #5922
v3.1.4
Feature
- terraform: CLI output - add indication if repository was discovered In a running environment - #5908
Bug Fix
- sast: add missing field in MatchMetadata - #5907
v3.1.3
Feature
- sast: add integration test platform report - #5856
- sast: python Cdk policies batch 3 - #5820
- sast: python Cdk policies batch 4 - #5857
Bug Fix
- sast: add save local sast report to run integration script - #5863
v3.1.2
Feature
- terraform: fix for check VPCPeeringRouteTableOverlyPermissive and add tests - #5837
Bug Fix
- sast: fix sast report format - #5811
v3.1.1
Feature
- sca: Using alias data from assets.json for giving Package Used indication for aliased packages - #5808
v3.1.0
v3.0.40
Bug Fix
- terraform_plan: TF plan resources connection fix - #5767
v3.0.39
v3.0.38
Feature
- terraform: Adding YAML based build time policies for corresponding PC runtime policies - #5714
v3.0.37
Bug Fix
- terraform: fix valid value for aws keyspaces_table encryption_specification type - #5756
v3.0.36
Bug Fix
- terraform: check min TLS version also on azure app slots - #5753
v3.0.35
v3.0.34
Feature
- general: add possibility to change parallelization type - #5737
Bug Fix
- cloudformation: ignore unresolved references in CKV_AWS_45 - #5747
v3.0.33
v3.0.32
Feature
- sast: Python cdk policies batch 2 - #5725
Bug Fix
-
general: add option to pass
--skip-downloadwith github-action - #5734
Platform
- general: print the log upload location if the --support flag is used - #5738
v3.0.31
v3.0.30
v3.0.29
v3.0.28
Bug Fix
- terraform: Adding both azurerm_linux_web_app_slot & azurerm_windows_web_app_slot in scope of the test CKV_AZURE_153 - #5687
Documentation
- general: Switch references to Bridgecrew with Prisma Cloud - #5704
v3.0.27
v3.0.26
v3.0.25
Bug Fix
- general: do not require a repo ID when using an API key and --list - #5726
v3.0.24
Feature
- sast: add new python CDK policies - #5706
- terraform: Ensure that only critical system pods run on system nodes - #5665
v3.0.23
v3.0.22
v3.0.21
Feature
- terraform: Ensure App Service Environment is zone redundant - #5662
- terraform: Ensure that Standard Replication is enabled - #5649
Bug Fix
- sca: Setting only relevant cves for the extracted reachable functions with risk factor of ReachableFunction as True - #5715
- terraform: CKV_AWS_208 valid Amazon MQ versions - #5653
v3.0.20
v3.0.19
Feature
- sca: adjusting the cli-output to support indicating of reachable functions - #5713
- terraform: Adding YAML based build time policies for corresponding PC runtime policies - #5637
- terraform: bigtable deletion protection [depends on #5625] - #5626
- terraform: drop and deletion checks for spanner - #5625
Bug Fix
- sast: add cveid to reachability report - #5708
v3.0.18
v3.0.17
v3.0.16
Feature
- sca: Extending reachability post-runner in checkov and enriching cves with ReachableFunction data - #5707
v3.0.15
Bug Fix
- general: fix duplicate components in CycloneDX report - #5705
v3.0.14
Bug Fix
- general: address python 3.12 SyntaxWarning - #5699
- terraform: fix variable rendering for foreach resources with dot included names - #5701
v3.0.13
Bug Fix
- sast: comment out SAST JS integration test - #5697
v3.0.12
Bug Fix
- general: Fix sast & cdk integration tests - #5688
- sast: Adding exit code in sast integration test - #5690
- sast: adjust SAST file pattern search - #5694
- sast: fix sast reachability report format - #5686
- terraform: Fixing the typo within the name of the Terraform check CKV_AZURE_158 - #5696
Platform
- general: Do not crash the run if S3 integration fails during setup, upload, or finalize - #5691
v3.0.11
v3.0.10
v3.0.9
v3.0.8
v3.0.7
Bug Fix
- secrets: fix secret FP of client_secret_setting_name - #5679
Platform
- general: Add SAST enforcement rules and check severity thresholds - #5684
- general: do not get fixes for on prem integrations - #5668
v3.0.6
v3.0.5
v3.0.4
Bug Fix
- terraform_plan: TF plan resources connection fix - #5767
v3.0.3
Feature
- terraform: Adding YAML based build time policies for corresponding PC runtime policies - #5714
v3.0.2
Bug Fix
- terraform: Adding both azurerm_linux_web_app_slot & azurerm_windows_web_app_slot in scope of the test CKV_AZURE_153 - #5687
Documentation
- general: Switch references to Bridgecrew with Prisma Cloud - #5704
v3.0.1
Feature
- sca: adjusting the cli-output to support indicating of reachable functions - #5713
- terraform: Adding YAML based build time policies for corresponding PC runtime policies - #5637
- terraform: bigtable deletion protection [depends on #5625] - #5626
- terraform: drop and deletion checks for spanner - #5625
Bug Fix
- sast: add cveid to reachability report - #5708
v3.0.0
v2.5.20
v2.5.19
v2.5.18
Feature
- general: Adds GHA support for skip-frameworks, skip-cve-package & output-bc-ids flags - #5619
- terraform: Ensure that the SQL database is zone-redundant - #5540
- terraform: Ensure the Azure Event Hub Namespace is zone redundant - #5538
Bug Fix
- bicep: enforce encryption flag to be string for CKV_AZURE_97 - #5669
- terraform_plan: Add provisioners to TF Plan parser - #5622
v2.5.17
v2.5.16
v2.5.15
Feature
- terraform: Support for merge func inside jsondecode - #5656
Bug Fix
- sca: make the abs path to be correcnt - #5660
v2.5.14
v2.5.13
Feature
- arm: implement CKV_AZURE_103 for ARM - #5527
- arm: implement CKV_AZURE_96 for ARM - #5506
- arm: implement CKV_AZURE_97 for ARM - #5515
Bug Fix
- terraform: Added a check to make sure dynamic "blocks" are of the expected type - #5642
- terraform: update CKV_AWS_339 valid EKS versions - #5652
v2.5.12
v2.5.11
Feature
- sca: giving file path on relative the the current dir for cases there is no either specified root_folder and the is no repo scan dir - #5654
v2.5.10
Feature
- terraform: support scanning of Terraform managed modules instead of downloading them - #5635
Bug Fix
- terraform: Fixing issues with checks CKV_AZURE_226 & CKV_AZURE_227 - #5638
v2.5.9
Feature
- sca: support case where there are no cves suppressions - #5636
v2.5.8
Feature
- general: Remove code upload for on-prem integrations - #5624
v2.5.7
v2.5.6
Feature
Bug Fix
- terraform_plan: add azurerm_portal_dashboard to jsonify list - #5618
- terraform: check if the dynamic name is one of the resources block - #5607
v2.5.5
v2.5.4
v2.5.3
Breaking Change
- general: remove Python 3.7 - #5605
- graph: remove CHECKOV_CREATE_GRAPH env var to control graph creation - #5606
Bug Fix
- dockerfile: fix Docker image scan - #5617
- openapi: Take into account that security is at the root level of your OpenAPI specification. - #5603
- terraform: stop CKV_GCP_43 crashing when not a string - #5561
v2.5.2
v2.5.1
Feature
- general: Adds GHA support for skip-frameworks, skip-cve-package & output-bc-ids flags - #5619
- terraform: Ensure that the SQL database is zone-redundant - #5540
- terraform: Ensure the Azure Event Hub Namespace is zone redundant - #5538
Bug Fix
- bicep: enforce encryption flag to be string for CKV_AZURE_97 - #5669
- terraform_plan: Add provisioners to TF Plan parser - #5622
v2.5.0
v2.4.61
Bug Fix
- terraform: fix upload resource_subgraph_maps - #5615
Platform
- terraform: Upload resource subgraph map - #5612
v2.4.60
v2.4.59
Platform
- terraform: fix in subgraphs uploads - #5610
v2.4.58
Platform
- terraform: upload tf sub graphs - #5596
v2.4.57
Feature
- terraform: Ensure ephemeral disks are used for OS disks - #5584
- terraform: Ensure that App Service plan is zone redundant - #5577
- terraform: Ensure that the AKS cluster encrypt temp disks, caches, and data flows between Compute and Storage resources - #5588
v2.4.56
v2.4.55
Feature
- general: Add image referencer rustworkx support - #5564
- general: Add rustworkx support - #5595
- terraform: Adding 2 new AWS policies - #5599
- terraform: simply IMDSv2 checks - #5601
v2.4.54
v2.4.53
v2.4.52
v2.4.51
Feature
Bug Fix
- terraform: Adding missing null checks - #5589
v2.4.50
Feature
v2.4.49
v2.4.48
Platform
- general: expose retry and timeout configuration for interaction with the platform - #5585
v2.4.47
Feature
- sca: creating alias mapping for javascript - #5567
- sca: creating alias mapping for javascript - #5582
- sca: revert creating alias mapping for javascript - #5581
Bug Fix
- general: fix print to encode in windows - #5572
- terraform: Nested source_module_objects with missing foreach key - #5580
v2.4.46
v2.4.45
v2.4.44
v2.4.43
v2.4.42
v2.4.41
v2.4.40
v2.4.39
Feature
- arm: implement CKV2_AZURE_27 for arm - #5534
- terraform: Add new policy for deprecated runtimes - #5555
- terraform: Ensure Event Hub Namespace uses at least TLS 1.2 - #5535
- terraform: Ensure that the Ledger feature is enabled on database that requires cryptographic proof and nonrepudiation of data integrity - #5541
v2.4.38
v2.4.37
v2.4.36
Feature
- general: add rustworkx - #5511
Bug Fix
- terraform: Module from_dict func to static func - #5562
v2.4.35
v2.4.34
v2.4.33
Feature
- general: attempt to fix overload in loaders and add tests - #5549
- general: remove 3.7 integ. test - #5556
- general: remove line to force code change - #5558
- terraform: add check Neptune DB clusters should be configured to copy tags to snapshots - #5552
- terraform: add CKV_AWS_361 to ensure Neptune DB cluster has adequate backup retention - #5548
Bug Fix
- terraform: Fix external_modules_source_map serialization - #5546
v2.4.32
Feature
- terraform: add check for Neptune DB clusters IAM database auth enabled - #5545
- terraform: add CKV_AWS_360 to ensure backup retention period on AWS Document DB - #5547
v2.4.31
v2.4.30
Feature
- terraform: add public network checks for Azure Function and Web Apps - #5533
v2.4.29
Feature
- arm: Implement CKV_AZURE_111 in ARM - #5528
- arm: implement CKV_AZURE_134 for ARM - #5518
- arm: implement CKV_AZURE_160 for arm - #5526
- arm: implement CKV_AZURE_89 for ARM - #5529
Bug Fix
- terraform: CKV_AWS_208 bug fix - #5512
v2.4.28
v2.4.27
Feature
v2.4.26
v2.4.25
Feature
- arm: Implement CKV_AZURE_101 for ARM - #5516
- arm: implement CKV_AZURE_107 for arm - #5514
- arm: implement CKV_AZURE_113 for ARM - #5510
v2.4.24
v2.4.23
v2.4.22
Feature
- arm: implement CKV_AZURE_112 for arm - #5507
- arm: implement CKV_AZURE_40 for ARM - #5499
- arm: implement CKV_AZURE_58 for ARM - #5497
- arm: implement CKV_AZURE_94 for arm - #5508
Bug Fix
- helm: Changed error message to failure to better differentiate problems - #5517
- terraform_json: correctly parse data blocks in Terraform JSON - #5509
- terraform: continue processing of TF modules in the same file - #5503
- terraform: fix error type - #5513
v2.4.21
v2.4.20
v2.4.19
v2.4.18
Feature
- arm: implement CKV_AZURE_100 for arm - #5490
- arm: implement CKV_AZURE_114 for arm - #5489
- arm: implement CKV_AZURE_130 for arm - #5485
- arm: implement CKV_AZURE_151 for arm - #5484
Bug Fix
- arm: correctly handle json files with comments and output parsing errors - #5495
v2.4.17
v2.4.16
v2.4.15
v2.4.14
Feature
- arm: CKV_AZURE_66 implement config logging check for arm - #5464
- arm: convert CKV_AZURE_65 to arm - #5467
- arm: Implement CKV_AZURE_109 in arm - #5483
- arm: implement CKV_AZURE_63 for arm - #5475
- arm: implement CKV_AZURE_80 in arm - #5476
- secrets: fix resource in git history scan - #5482
Bug Fix
v2.4.13
v2.4.12
v2.4.11
v2.4.10
Feature
- arm: migrate check CKV_AZURE_50 to arm - #5453
- arm: translate tf CKV_AZURE_93 check to arm - #5450
- kubernetes: Added new endpoint for both helm and kustomize - #5481
Bug Fix
- dockerfile: consider platform flag in CKV_DOCKER_7 - #5468
- kustomize: support kubectl 1.28+ - #5480
v2.4.9
v2.4.8
v2.4.7
Feature
- secrets: handle non iac secrets FP - #5478
v2.4.6
Bug Fix
- terraform: fix upload resource_subgraph_maps - #5615
Platform
- terraform: Upload resource subgraph map - #5612
v2.4.5
Platform
- terraform: fix in subgraphs uploads - #5610
v2.4.4
Platform
- general: expose retry and timeout configuration for interaction with the platform - #5585
v2.4.3
Feature
- arm: implement CKV2_AZURE_27 for arm - #5534
- terraform: Add new policy for deprecated runtimes - #5555
- terraform: Ensure Event Hub Namespace uses at least TLS 1.2 - #5535
- terraform: Ensure that the Ledger feature is enabled on database that requires cryptographic proof and nonrepudiation of data integrity - #5541
v2.4.2
Feature
- arm: Implement CKV_AZURE_111 in ARM - #5528
- arm: implement CKV_AZURE_134 for ARM - #5518
- arm: implement CKV_AZURE_160 for arm - #5526
- arm: implement CKV_AZURE_89 for ARM - #5529
Bug Fix
- terraform: CKV_AWS_208 bug fix - #5512
v2.4.1
Feature
- arm: implement CKV_AZURE_100 for arm - #5490
- arm: implement CKV_AZURE_114 for arm - #5489
- arm: implement CKV_AZURE_130 for arm - #5485
- arm: implement CKV_AZURE_151 for arm - #5484
Bug Fix
- arm: correctly handle json files with comments and output parsing errors - #5495
v2.4.0
v2.3.366
v2.3.365
Feature
- terraform: Removed most usages of enable_nested_modules - #5415
v2.3.364
Feature
- sca: update spdx-tools dep to version 0.8.0 and lower bound it - #5431
- terraform: Add address field on vertices even if render_variables is set to False - #5434
Bug Fix
- terraform: add new attached resource possibility to CKV2_AWS_23 #5424 - #5429
- terraform: fix ordering issue in CKV_AWS_358 - #5425
v2.3.363
v2.3.362
v2.3.361
Bug Fix
- arm: improve CKV_AZURE_24 check - #5427
v2.3.360
Bug Fix
- general: Fix empty credentials file issue - #5421
v2.3.359
Configuration
-
If you want to rebase/retry this MR, check this box
This MR has been generated by Renovate Bot.
Edited by renovate-bot token