⏫ Updates checkov to v3
This MR contains the following updates:
| Package | Update | Change |
|---|---|---|
| checkov | major |
==2.5.20 -> ==3.2.109
|
Release Notes
bridgecrewio/checkov (checkov)
v3.2.109
v3.2.108
Bug Fix
- sast: don't scan hidden files - #6349
v3.2.107
Bug Fix
- terraform: Handle registry modules with a version in CKF_TF_2 - #6354
v3.2.106
Feature
- arm: Ensure Databricks Workspace data plane to control plane co… - #6319
- general: TF and ARM - Ensure that Databricks Workspaces enable… - #6313
- secrets: Bump detect-secrets - #6346
v3.2.105
Feature
- arm: add AppServiceJavaVersion - #6258
- arm: add CKV_AZURE_145 to check that the function app uses the latest version of TLS encryption - #6323
- arm: add CKV_AZURE_218 to ensure that Application Gateway defines secure protocols for in transit communicationApp gw defines secure protocols - #6320
- arm: add CKV_AZURE_54 to ensure Enforce a minimal Tls version for the server - #6270
- arm: add CKV_AZURE_71 to Ensure that Managed identity provider is enabled for web apps - #6272
- arm: add CKV_AZURE_72 to ensure that remote debugging is not enabled for app services - #6281
- arm: AzureDefenderOStorage - #6269
- arm: MySQLPublicAccessDisabled-Azure MySQL: Restrict Public Access - #6263
- arm: StorageSyncPublicAccessDisabled - #6331
- secrets: eliminate false positives in entropy keyword combinator detector - #6327
Bug Fix
v3.2.104
v3.2.103
v3.2.102
v3.2.101
v3.2.100
Feature
v3.2.99
v3.2.98
Bug Fix
- terraform: Remove invalid CIDRs in CKV2_AWS_44 - #6301
v3.2.97
Feature
- arm: add CKV_AZURE_73 to ensure that Automation account variables are encrypted - #6271
- arm: add CKV_AZURE_76 to ensure that Azure Batch account uses key vault to encrypt data - #6280
- arm: add FunctionAppDisallowCORS - password correctness check - #6248
- arm: ARM FunctionAppHttpVersionLatest policy - #6244
- arm: CKV_AZURE_74 to Ensure that Azure Data Explorer (Kusto) uses disk encryption - #6273
- arm: MSSQLServerMinTLSVersion - #6245
v3.2.96
v3.2.95
Bug Fix
- terraform: handle module source tag ref when it is not the first parameter - #6314
v3.2.94
Bug Fix
- sast: fix random test sast js - #6315
Platform
- general: Double-Encode URI for RelayState Parameter - #6302
v3.2.93
v3.2.92
Feature
Bug Fix
- secrets: secret_filter_block_list filter by file name and suffixes - #6285
- secrets: secret_filter_block_list filter by file name and suffixes 2 - #6306
Platform
- general: Fix policy.name to use the spaces as specified on CLI. - #6296
v3.2.91
Feature
- secrets: bump bc-detect-secrets to 1.5.10 - #6297
v3.2.90
Feature
Bug Fix
- ansible: fix ansible definitions raw type - #6292
Platform
- ansible: add set definitions raw to ansible runner - #6286
- general: Handle SAST suppressions (suppressions V2) - #6109
Documentation
- general: add RENDER_EDGES_DUPLICATE_ITER_COUNT to docs - #6291
- general: Update README links for PyPi - #6231
v3.2.89
v3.2.88
v3.2.87
v3.2.86
v3.2.85
Platform
- ansible: add missing arg to ansible runner - #6276
v3.2.84
Feature
- sast: Enable cdk ts integraion test - #6158
Bug Fix
v3.2.83
v3.2.82
Feature
- github: add summary message in github_failed_only output - #6131
- sast: add ts checks to python pack - #6261
- sast: run all cdk integration test - #6256
Bug Fix
- general: fix changed serif path - #6251
v3.2.81
v3.2.80
v3.2.79
Feature
- sast: Add 10 TS CDK - #6194
- sast: add typescript - DONT MERGE - #6193
- sast: Filter js files generate by ts - #6220
- secrets: bump bc-detect-secrets 1.5.9 - #6205
- terraform: Add GCP policy - #6177
- terraform: Add resource attributes to jsonify - #6203
- terraform: Ensure dedicated data endpoints are enabled - #6188
- terraform: support provider in tf_plan graph - #6195
- terraform: Update CloudArmorWAFACLCVE202144228.py - #6217
Bug Fix
- general: add print to random test - #6229
- general: fix integration test in build - #6227
- general: fix integration tests - #6207
- kubernetes: Update checkov-job.yaml - #5985
- sca: remove old test for the depracated workflow github-action - #6232
- terraform_plan: Edges not created because of indexing in resource["address"] when resources in modules use count - #6145
- terraform: CKV_AWS_23 rule description fixed for clarity - #5993
- terraform: Fix CKV_AWS_358 to handle plan files - #6202
Platform
- ansible: add create_definitions function for ansible framework - #6225
Documentation
v3.2.78
v3.2.77
v3.2.76
v3.2.75
v3.2.74
Feature
- general: Update range includes to handle lists of ranges and lists of values - #6192
v3.2.73
Feature
- sast: TypeScript cdk policies p7 - #6186
v3.2.72
Feature
- bicep: Add bicep version of policy - #6191
v3.2.71
Feature
- sca: support licenses custom policies enforcement rules - #6173
v3.2.70
Feature
- sast: Add 5 cdk for TS - #6179
Bug Fix
- sast: fix skipped_checks paths before upload to the platform - #6183
v3.2.69
v3.2.68
Feature
- sast: adding extended code block - #6178
- sca: using the new api license/get-licenses-violations instead of packages/get-licenses-violations (which is deprecated) - #6174
Bug Fix
- sca: Revert "feat(sca): using the new api license/get-licenses-violations … - #6176
v3.2.67
v3.2.66
v3.2.65
Bug Fix
- sast: save suppress_comment for sast inline suppressions - #6171
- secrets: Azure Storage Key detector updates in bc-detect-secrets 1.5.7 - #6168
v3.2.64
v3.2.63
Feature
- sast: CDK TS policies p2 - #6165
v3.2.62
v3.2.61
v3.2.60
Feature
Bug Fix
- terraform: Fix conditional expression evaluation logic with compare - #6160
- terraform: Fixed flaky test for CKV_AWS_356 - #6162
v3.2.59
v3.2.58
v3.2.57
v3.2.56
v3.2.55
Feature
- sast: Adding typescript cdk part 6 paz - #6149
Bug Fix
- sca: enabling suppression in the cli-output for IR-files and dockerfiles - #6148
v3.2.54
v3.2.53
Feature
- terraform: support s3 bucket name for references in graph - #6134
v3.2.52
Feature
- general: Update the releases' zip file names to be generic - #6141
v3.2.51
Feature
- general: add policy metadata filter exception flag - #6132
v3.2.50
Bug Fix
- general: remove limitation of resource and provider in tf.json file - #6133
v3.2.49
Bug Fix
- general: pin the version of schema to <=0.7.5 - #6125
v3.2.48
v3.2.47
Feature
- secrets: bump manually bc-detect-secrets - #6120
- terraform: add fix for when tf_def is a string - #6121
v3.2.46
v3.2.45
Feature
- terraform: fix for_each resource handling - #6119
v3.2.44
Bug Fix
- sca: Fix suppression integration crashing if licenseTypes is missing - #6117
v3.2.43
Bug Fix
- terraform: Fixed bug in evaluate_conditional_expression and added zipmap support - #6106
v3.2.42
Feature
- sast: support sast skipped checks - #6095
Bug Fix
- secrets: ignore secret check in test file - #6105
Platform
- general: handle API errors with more detail - #6107
v3.2.41
v3.2.40
v3.2.39
Feature
- secrets: fix entropy detector FP - #6090
v3.2.38
Bug Fix
- terraform: prevent side effects when updating variable rendering - #6087
v3.2.37
Feature
- terraform: connect module resource to provider - #6083
v3.2.36
Bug Fix
- gha: make sure to have prisma url - #6084
v3.2.35
Feature
- general: add policy name and guidelines to CSV output - #6082
Bug Fix
- sast: add attribute verification - #6078
v3.2.34
Bug Fix
- terraform: Dont duplicate more vertices than needed for nested modules with large count/for each values + used cache to avoid extensive usage of os.path.realpath to drastically improve performance - #6072
v3.2.33
Platform
- general: improve upload failure logging and log size of failed files - #6076
v3.2.32
Bug Fix
- sast: do not log warning when using skip framework - #6066
v3.2.31
Bug Fix
- terraform: better handling of interpolation rendering in conditional expressions - #6062
- terraform: Changed a couple of checks from negative to positive check, behavior is the same - #6063
v3.2.30
v3.2.29
v3.2.28
Bug Fix
- sca: handling unknown severity - #6055
- terraform: Add Condition exceptions CKV_AWS_70 - #6044
- terraform: Add k8s 1.29 to CKV_AWS_339 - #6056
v3.2.27
v3.2.26
Bug Fix
- sast: fetch sast custom policieis - #6040
v3.2.25
Feature
-
terraform: Added support for
tryfunction in evaluate_terraform - #6043
v3.2.24
Feature
- cloudformation: add CFN policies for MSK - #6021
v3.2.23
Bug Fix
- terraform: support vertex reference based on foreach key - #6039
v3.2.22
Bug Fix
- terraform: CKV_AWS_308 - checked if caching was enabled and only then check for encryption of cache - #6034
v3.2.21
Bug Fix
- sast: fix cdk checks path - #6029
v3.2.20
Bug Fix
- graph: remove SCA runner v1 - re-enable - #6024
v3.2.19
Feature
v3.2.18
v3.2.17
Bug Fix
- general: downgrade botocore dependency - #6016
- graph: remove SCA runner v1 - #6005
- terraform: Deleted deprecated check CKV_GCP_19 - #6010
v3.2.16
v3.2.15
v3.2.14
v3.2.13
v3.2.12
Bug Fix
v3.2.11
v3.2.10
Bug Fix
- sast: don't scan hidden files - #6349
v3.2.9
Bug Fix
- terraform: Remove invalid CIDRs in CKV2_AWS_44 - #6301
v3.2.8
Platform
- ansible: add missing arg to ansible runner - #6276
v3.2.7
Feature
- sast: Add 10 TS CDK - #6194
- sast: add typescript - DONT MERGE - #6193
- sast: Filter js files generate by ts - #6220
- secrets: bump bc-detect-secrets 1.5.9 - #6205
- terraform: Add GCP policy - #6177
- terraform: Add resource attributes to jsonify - #6203
- terraform: Ensure dedicated data endpoints are enabled - #6188
- terraform: support provider in tf_plan graph - #6195
- terraform: Update CloudArmorWAFACLCVE202144228.py - #6217
Bug Fix
- general: add print to random test - #6229
- general: fix integration test in build - #6227
- general: fix integration tests - #6207
- kubernetes: Update checkov-job.yaml - #5985
- sca: remove old test for the depracated workflow github-action - #6232
- terraform_plan: Edges not created because of indexing in resource["address"] when resources in modules use count - #6145
- terraform: CKV_AWS_23 rule description fixed for clarity - #5993
- terraform: Fix CKV_AWS_358 to handle plan files - #6202
Platform
- ansible: add create_definitions function for ansible framework - #6225
Documentation
v3.2.6
Feature
- sast: adding extended code block - #6178
- sca: using the new api license/get-licenses-violations instead of packages/get-licenses-violations (which is deprecated) - #6174
Bug Fix
- sca: Revert "feat(sca): using the new api license/get-licenses-violations … - #6176
v3.2.5
Feature
- sast: Adding typescript cdk part 6 paz - #6149
Bug Fix
- sca: enabling suppression in the cli-output for IR-files and dockerfiles - #6148
v3.2.4
Bug Fix
- general: pin the version of schema to <=0.7.5 - #6125
v3.2.3
Feature
- secrets: fix entropy detector FP - #6090
v3.2.2
Bug Fix
- sca: handling unknown severity - #6055
- terraform: Add Condition exceptions CKV_AWS_70 - #6044
- terraform: Add k8s 1.29 to CKV_AWS_339 - #6056
v3.2.1
Bug Fix
- sast: don't scan hidden files - #6349
v3.2.0
Bug Fix
- terraform: and cdk/cloudformation: inconsistent naming of AWS resources in checks - #5966
Platform
- general: remove igraph - #5781
v3.1.72
v3.1.71
v3.1.70
Bug Fix
- terraform: Manually fixed test for loading terraform registry to be with commit hash instead of version tag - #5971
v3.1.69
Bug Fix
- sast: replaced TBD with owasp and removed "sast engine" - #5959
- terraform: External module test - #5963
v3.1.68
v3.1.67
Feature
- sast: Add policies to executable - #5955
v3.1.66
Bug Fix
- sast: change the path for taint mode match - #5953
- sast: fix report with only reachability - #5951
Platform
- general: Change SAST enforcement rule to weaknesses - #5950
- general: handle weaknesses rename - #5954
v3.1.65
v3.1.64
v3.1.63
Bug Fix
- sast: Fix serialize for sast report with taint mode - #5949
v3.1.62
v3.1.61
Bug Fix
- general: allow colorama version >=0.4.3,<0.5.0 in setup - #5944
v3.1.60
Bug Fix
- sast: fix relative paths in sast cdk reports - #5932
- sast: fix sast cdk code location paths - #5938
- terraform: CKV_GCP_79 Upgrade CloudSQL SQLSERVER major version to 2022 - #5936
- terraform: Improved bad performance pathlib check - #5939
v3.1.59
v3.1.58
v3.1.57
Bug Fix
- general: fix multiprocess abilities - #5887
- general: fixing hidden dependencies & state breaking tests - #5911
- general: Reenabling cdk-integration-tests - #5922
v3.1.56
v3.1.55
Bug Fix
- terraform: Support "pass_prefix_list" for SG ingress rules correctly - #5918
v3.1.54
Bug Fix
- general: temporary disable runtime config - #5921
v3.1.53
Feature
- terraform: node pools should be configured separately from a cl… - #5916
Bug Fix
- terraform: handle no action in aws_dlm_lifecycle_policy - #5905
v3.1.52
v3.1.51
- no noteworthy changes
v3.1.50
Feature
- sast: Add sast metadata to sast report - #5910
- terraform: Add various vertex related policies - #5898
Bug Fix
v3.1.49
v3.1.48
v3.1.47
v3.1.46
Feature
- terraform: CLI output - add indication if repository was discovered In a running environment - #5908
Bug Fix
- sast: add missing field in MatchMetadata - #5907
v3.1.45
v3.1.44
Feature
- sast: add dataflow to checkov report from sast - #5892
v3.1.43
Feature
- terraform: add CKV2_AZURE_47, ensure storage account is configured without blob anonymous access - #5888
- terraform: Ensure SES Configuration Set enforces TLS usage - #5891
Bug Fix
- terraform: pod security policy removed in GKE 1.25 - #5675
v3.1.42
Feature
- sast: Split sast and cdk reports - #5889
Bug Fix
- terraform: Fix CKV_Azure_234 - #5886
v3.1.41
v3.1.40
Feature
- terraform_plan: Add PY graph checks for tf plan - #5875
Bug Fix
- terraform: Remove CKV_AWS_188 as dupe - #5884
v3.1.39
v3.1.38
Feature
- sast: add integration test platform report - #5856
- sast: python Cdk policies batch 3 - #5820
- sast: python Cdk policies batch 4 - #5857
Bug Fix
- sast: add save local sast report to run integration script - #5863
v3.1.37
v3.1.36
v3.1.35
v3.1.34
Feature
- terraform: Used parallel run to run all split_graph iterations - #5840
v3.1.33
Feature
- general: anchor cyclonedx to last non breaking version - #5846
- general: Revert pipfile lock changes - #5848
- sast: add back commented checks - #5851
Bug Fix
- sast: fix reachability with no regular matches - #5847
- sca: not printing reachability data for lines without cves - #5849
v3.1.32
v3.1.31
v3.1.30
v3.1.29
Feature
- terraform: fix for check VPCPeeringRouteTableOverlyPermissive and add tests - #5837
Bug Fix
- sast: fix sast report format - #5811
v3.1.28
v3.1.27
Feature
- secrets: used 10 characters in secret violation - #5835
v3.1.26
Bug Fix
- general: check both path types for suppression - #5834
- terraform: Fix range issue in OCI RDP check - #5832
v3.1.25
v3.1.24
Bug Fix
- sca: Update the log level of specific logs - #5828
- terraform: CKV_GCP_26 Added additional google_compute_subnetwork purposes that do not support flow logs - #5812
- terraform: Fix CKV_GCP_30 for unknown service account - #5818
- terraform: Fixed to_dict of terraform block regarding source_module_object - #5822
v3.1.23
v3.1.22
v3.1.21
Feature
- ansible: add CKV_PAN_17 - Check for src and dst zone any - #5803
- sast: sast enabled from integration - #5780
- terraform: Adding Python based build time policies for corresponding PC runtime policies - #5762
- terraform: Adding YAML based build time policies for corresponding PC runtime policies - #5810
v3.1.20
Platform
- general: handle the updated on prem response from the platform - #5809
v3.1.19
Feature
- sca: Using alias data from assets.json for giving Package Used indication for aliased packages - #5808
v3.1.18
Bug Fix
- terraform: Add source_module_object to blocks from_dict func - #5806
v3.1.17
Feature
- ansible: PAN-OS IPsec checks - #5802
v3.1.16
v3.1.15
Feature
- ansible: add CKV_PAN_16 PAN-OS BPA Check for session log at start - #5794
- sast: Add alias data to imports assets - #5788
Bug Fix
- bicep: Update AppServiceHttps20Enabled to consider newer ApiVersion - #5795
v3.1.14
v3.1.13
v3.1.12
v3.1.11
Bug Fix
- general: Policy metadata API fixes - #5761
v3.1.10
v3.1.9
Bug Fix
- gha: Update GitHub Actions Workflow Schema #5742 - #5759
- terraform_plan: load terraform registry checks when using terraform plan - #5778
- terraform: Ensure HTTPS in Azure Function App and App Slots - #5766
Platform
- general: do not display an auth error when the runconfig endpoint returns a 500 - #5779
v3.1.8
v3.1.7
Bug Fix
- terraform: Manually fixed test for loading terraform registry to be with commit hash instead of version tag - #5971
v3.1.6
Bug Fix
- sast: replaced TBD with owasp and removed "sast engine" - #5959
- terraform: External module test - #5963
v3.1.5
Bug Fix
- general: fix multiprocess abilities - #5887
- general: fixing hidden dependencies & state breaking tests - #5911
- general: Reenabling cdk-integration-tests - #5922
v3.1.4
Feature
- terraform: CLI output - add indication if repository was discovered In a running environment - #5908
Bug Fix
- sast: add missing field in MatchMetadata - #5907
v3.1.3
Feature
- sast: add integration test platform report - #5856
- sast: python Cdk policies batch 3 - #5820
- sast: python Cdk policies batch 4 - #5857
Bug Fix
- sast: add save local sast report to run integration script - #5863
v3.1.2
Feature
- terraform: fix for check VPCPeeringRouteTableOverlyPermissive and add tests - #5837
Bug Fix
- sast: fix sast report format - #5811
v3.1.1
Feature
- sca: Using alias data from assets.json for giving Package Used indication for aliased packages - #5808
v3.1.0
v3.0.40
Bug Fix
- terraform_plan: TF plan resources connection fix - #5767
v3.0.39
v3.0.38
Feature
- terraform: Adding YAML based build time policies for corresponding PC runtime policies - #5714
v3.0.37
Bug Fix
- terraform: fix valid value for aws keyspaces_table encryption_specification type - #5756
v3.0.36
Bug Fix
- terraform: check min TLS version also on azure app slots - #5753
v3.0.35
v3.0.34
Feature
- general: add possibility to change parallelization type - #5737
Bug Fix
- cloudformation: ignore unresolved references in CKV_AWS_45 - #5747
v3.0.33
v3.0.32
Feature
- sast: Python cdk policies batch 2 - #5725
Bug Fix
-
general: add option to pass
--skip-downloadwith github-action - #5734
Platform
- general: print the log upload location if the --support flag is used - #5738
v3.0.31
v3.0.30
v3.0.29
v3.0.28
Bug Fix
- terraform: Adding both azurerm_linux_web_app_slot & azurerm_windows_web_app_slot in scope of the test CKV_AZURE_153 - #5687
Documentation
- general: Switch references to Bridgecrew with Prisma Cloud - #5704
v3.0.27
v3.0.26
v3.0.25
Bug Fix
- general: do not require a repo ID when using an API key and --list - #5726
v3.0.24
Feature
- sast: add new python CDK policies - #5706
- terraform: Ensure that only critical system pods run on system nodes - #5665
v3.0.23
v3.0.22
v3.0.21
Feature
- terraform: Ensure App Service Environment is zone redundant - #5662
- terraform: Ensure that Standard Replication is enabled - #5649
Bug Fix
- sca: Setting only relevant cves for the extracted reachable functions with risk factor of ReachableFunction as True - #5715
- terraform: CKV_AWS_208 valid Amazon MQ versions - #5653
v3.0.20
v3.0.19
Feature
- sca: adjusting the cli-output to support indicating of reachable functions - #5713
- terraform: Adding YAML based build time policies for corresponding PC runtime policies - #5637
- terraform: bigtable deletion protection [depends on #5625] - #5626
- terraform: drop and deletion checks for spanner - #5625
Bug Fix
- sast: add cveid to reachability report - #5708
v3.0.18
v3.0.17
v3.0.16
Feature
- sca: Extending reachability post-runner in checkov and enriching cves with ReachableFunction data - #5707
v3.0.15
Bug Fix
- general: fix duplicate components in CycloneDX report - #5705
v3.0.14
Bug Fix
- general: address python 3.12 SyntaxWarning - #5699
- terraform: fix variable rendering for foreach resources with dot included names - #5701
v3.0.13
Bug Fix
- sast: comment out SAST JS integration test - #5697
v3.0.12
Bug Fix
- general: Fix sast & cdk integration tests - #5688
- sast: Adding exit code in sast integration test - #5690
- sast: adjust SAST file pattern search - #5694
- sast: fix sast reachability report format - #5686
- terraform: Fixing the typo within the name of the Terraform check CKV_AZURE_158 - #5696
Platform
- general: Do not crash the run if S3 integration fails during setup, upload, or finalize - #5691
v3.0.11
v3.0.10
v3.0.9
v3.0.8
v3.0.7
Bug Fix
- secrets: fix secret FP of client_secret_setting_name - #5679
Platform
- general: Add SAST enforcement rules and check severity thresholds - #5684
- general: do not get fixes for on prem integrations - #5668
v3.0.6
v3.0.5
v3.0.4
Bug Fix
- terraform_plan: TF plan resources connection fix - #5767
v3.0.3
Feature
- terraform: Adding YAML based build time policies for corresponding PC runtime policies - #5714
v3.0.2
Bug Fix
- terraform: Adding both azurerm_linux_web_app_slot & azurerm_windows_web_app_slot in scope of the test CKV_AZURE_153 - #5687
Documentation
- general: Switch references to Bridgecrew with Prisma Cloud - #5704
v3.0.1
Feature
- sca: adjusting the cli-output to support indicating of reachable functions - #5713
- terraform: Adding YAML based build time policies for corresponding PC runtime policies - #5637
- terraform: bigtable deletion protection [depends on #5625] - #5626
- terraform: drop and deletion checks for spanner - #5625
Bug Fix
- sast: add cveid to reachability report - #5708
v3.0.0
Configuration
-
If you want to rebase/retry this MR, check this box
This MR has been generated by Renovate Bot.
Edited by Pipeline Components Bot