checkov

Prevent cloud misconfigurations and find vulnerabilities during build-time in infrastructure as code, container images and open source packages with Checkov by Bridgecrew.

APACHE-2.0 License

Downloads: 4.3M
Stars: 6.8K
Committers: 400


checkov - 2.3.238

Published by github-actions[bot] over 1 year ago

Feature

  • kustomize: Support inline skips for Kubernetes graph checks - #5070

checkov - 2.3.237

Published by github-actions[bot] over 1 year ago

Bug Fix

  • secrets: add filter for suppressed custom secret checks - #5068
  • secrets: exclude Kubernetes secretName from secret scanning - #5071
  • secrets: omit the code line - #5075

checkov - 2.3.234

Published by github-actions[bot] over 1 year ago

Feature

  • terraform: Added caller_file_path and caller_file_line_range to reduced report - #5062
  • terraform: AWS IAM don't generate root credentials 348 - #4966
  • terraform: Ensure Neptune cluster is encrypted with a CMK CKV_AWS_347 - #4965

Bug Fix

  • terraform: fix SQS encryption check CKV_AWS_27 - #5065

Documentation

  • general: Fix some links - #5064
  • general: update Python custom checks docs - #5054

checkov - 2.3.231

Published by github-actions[bot] over 1 year ago

Feature

  • terraform: aws ensure delete protection for firewalls 344 - #4870
  • terraform: check that WAF rules have an action 342 - #4806
  • terraform: Ensure encryption for firewall uses a CMK CKV_AWS_345 - #4871
  • terraform: Ensure Network firewall policy defines an encryption configuration that uses a CMK - CKV_AWS_346 - #4877

Bug Fix

  • kubernetes: Update ckv_k8s_31 - #4991

checkov - 2.3.227

Published by github-actions[bot] over 1 year ago

Feature

  • general: include missing files in save repository - #5056
  • terraform: launch config/template Ensure metadata hop =1 341 - #4817
  • terraform: Update CKV_AZURE_43 StorageAccountName.py VARIABLE_REFS - #5045

Bug Fix

  • arm: enabled is not true - #5051
  • cloudformation: Enable ALB to support tls1.3 policies #4962 - #5035
  • secrets: add handling of unicode error - #5055

checkov - 2.3.224

Published by github-actions[bot] over 1 year ago

Platform

  • general: Catch None responses from BE - #5033

checkov - 2.3.223

Published by github-actions[bot] over 1 year ago

Feature

  • terraform: Elastic beanstalk uses managed updates and fixes the EB check while i… 340 - #4816

Bug Fix

  • secrets: don't scan images in git history - #5040
  • terraform: fix foreach render value for lookup - #5037
  • terraform: Handle entity context for for_each resources - #5036

checkov - 2.3.220

Published by github-actions[bot] over 1 year ago

Feature

  • secrets: open the feature - scan git history - #5022
  • terraform: Set TF Modules for_each env var to true - #5021
  • terraform: Set TF modules for_each env vars as True - #4794

Bug Fix

  • secrets: add filter for suppressed custom secret checks - #5016
  • terraform: improve attribute performance - #5014
  • terraform: Update CKV_AWS_338 message and retention check for 0 - #5018
  • terraform: Update CKV2_AZURE_33 to remove checks on unrelated conditions - #5020

checkov - 2.3.214

Published by github-actions[bot] over 1 year ago

Bug Fix

  • secrets: Adding quote to required secret in case needed - #5008
  • secrets: change color of invalid secret message - #5007

Platform

  • general: upload checks code_block to report - #5001

checkov - 2.3.212

Published by github-actions[bot] over 1 year ago

Feature

  • kubernetes: support suppressing custom K8s policies - #4990
  • terraform: AWS EKS Use only platform supported versions 339 - #4810
  • terraform: Azure APIm backend uses only HTTPS - #4811
  • terraform: Ensure Cloudwatch retention is a year or more 338 - #4799
  • terraform: remove redundant foreach deepcopy - #4982

Bug Fix

  • secrets: fix missing history results when history store is used - #4992
  • terraform: secrets: also check user data in launch config and template - #4969
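
The 2.3.212 and 2.3.220 notes both touch the CloudWatch retention check (CKV_AWS_338), and 2.3.234 updates the Python custom checks documentation. The following is an added example written for this page, not checkov's own source for CKV_AWS_338: it shows the shape a Python custom check takes (a `BaseResourceCheck` subclass with a `scan_resource_conf` method that receives the resource's attributes as lists) by re-implementing that check's intent. The decisions that `retention_in_days = 0` (Terraform's "never expire") passes, that an absent attribute fails because the retention is not declared in code, and that an unresolved variable reference yields UNKNOWN are assumptions made here, as are the sample resource names. The fallback enums and base class exist only so the file runs when checkov is not installed.

```python
"""Custom checkov check (example, not the project's source) in checkov's
Python custom-check shape: CloudWatch log group retention >= 1 year."""
from __future__ import annotations

from typing import Any

try:
    # The real checkov API, used when `pip install checkov` has been run.
    from checkov.common.models.enums import CheckCategories, CheckResult
    from checkov.terraform.checks.resource.base_resource_check import BaseResourceCheck
except ImportError:  # offline stand-ins (assumption: same names/values as checkov's)
    from enum import Enum

    class CheckResult(Enum):
        PASSED = "PASSED"
        FAILED = "FAILED"
        UNKNOWN = "UNKNOWN"

    class CheckCategories(Enum):
        LOGGING = "LOGGING"

    class BaseResourceCheck:
        def __init__(self, name: str, id: str, categories: list, supported_resources: list) -> None:
            self.name, self.id = name, id
            self.categories, self.supported_resources = categories, supported_resources
            self.evaluated_keys: list[str] = []


ONE_YEAR_DAYS = 365


class CloudWatchLogGroupRetentionYear(BaseResourceCheck):
    """Mirrors the intent of CKV_AWS_338 as described in the release notes."""

    def __init__(self) -> None:
        super().__init__(
            name="Ensure CloudWatch log groups retain logs for at least 1 year",
            id="CKV_AWS_338",
            categories=[CheckCategories.LOGGING],
            supported_resources=["aws_cloudwatch_log_group"],
        )

    def scan_resource_conf(self, conf: dict[str, Any]) -> CheckResult:
        # checkov passes every HCL attribute wrapped in a list: {"retention_in_days": [30]}.
        # Naming the key lets the report point at the attribute that was judged.
        self.evaluated_keys = ["retention_in_days"]
        values = conf.get("retention_in_days")
        if not values or not isinstance(values, list):
            # Assumption: undeclared retention fails, since it cannot be reviewed in code.
            return CheckResult.FAILED
        retention = values[0]
        if isinstance(retention, bool) or not isinstance(retention, int):
            # An unresolved reference such as "${var.retention_days}" cannot be judged.
            return CheckResult.UNKNOWN
        # Assumption: 0 means "never expire" in the AWS provider and is treated as a pass.
        if retention == 0 or retention >= ONE_YEAR_DAYS:
            return CheckResult.PASSED
        return CheckResult.FAILED


# checkov discovers checks by module-level instantiation when the file is loaded
# via --external-checks-dir; the instance also registers itself in checkov's registry.
check = CloudWatchLogGroupRetentionYear()

# Constructed sample resources in the conf shape checkov hands to a check.
SAMPLE_RESOURCES: dict[str, dict[str, Any]] = {
    "aws_cloudwatch_log_group.short": {"name": ["/app/short"], "retention_in_days": [30]},
    "aws_cloudwatch_log_group.year": {"name": ["/app/year"], "retention_in_days": [365]},
    "aws_cloudwatch_log_group.forever": {"name": ["/app/forever"], "retention_in_days": [0]},
    "aws_cloudwatch_log_group.variable": {"name": ["/app/var"], "retention_in_days": ["${var.retention_days}"]},
    "aws_cloudwatch_log_group.unset": {"name": ["/app/unset"]},
}


def run_example() -> dict[str, str]:
    """Run the check over the constructed resources; returns address -> result name."""
    return {address: check.scan_resource_conf(conf).name for address, conf in SAMPLE_RESOURCES.items()}


if __name__ == "__main__":
    for address, result in run_example().items():
        print(f"{result:8} {check.id} {address}")
```

Placed in a directory of its own, the file is loaded with `checkov -d <terraform-dir> --external-checks-dir <that-directory>` and runs next to the built-in checks; the `evaluated_keys` assignment is what lets the report highlight the attribute that caused the failure.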

checkov - 2.3.205

Published by github-actions[bot] over 1 year ago

Bug Fix

  • gitlab: fix resource id parsing recursive - #4987

Documentation

  • terraform: fix docs formatting - #4988

checkov - 2.3.204

Published by github-actions[bot] over 1 year ago

Feature

  • terraform: add support for private terraform registries - #4964
  • terraform: remove cross variables bad list comprehension - #4948

Bug Fix

  • general: log all returned enforcement rules for debugging - #4989
  • general: remove invalid URLs in GitLab SAST output - #4960
  • secrets: change default value of secret values to empty strings - #4973
  • terraform: Added a condition to not override source module object for old parser - #4975

checkov - 2.3.199

Published by github-actions[bot] over 1 year ago

Feature

  • terraform: Ensure container defines a readonly root drive 336 - #4788
  • terraform: ensure pidmode is not set to host 335 - #4786
  • terraform: Ensure SSM params are encrypted using a CMK 337 - #4789
  • terraform: Network firewall must define a logging configuration CKV2_AWS_63 - #4872
  • terraform: Reduce module loading in TF Parser - #4959

Bug Fix

  • kustomize: fix image_referencer paths - #4898
  • terraform: support TF provider v3 for lifecycle existence check - #4952

Documentation

  • terraform_plan: Add Deep Analysis to docs - #4950

checkov - 2.3.194

Published by github-actions[bot] over 1 year ago

Feature

  • general: deserialize report & record from json - #4947
  • sca: fix extract fix version in sbom report - #4936
  • terraform: cross variable performance improvement - #4946

Bug Fix

  • github: make GH Actions delimiter unique in multiline env vars - #4938

checkov - 2.3.192

Published by github-actions[bot] over 1 year ago

Feature

  • general: add policy-metadata-filter to gh action - #4941
  • secrets: support first commit results - #4927
  • terraform: Used generator instead of list comprehension to improve performance for large graphs - #4939

Bug Fix

  • terraform: make the ECS cluster logging check more resilient - #4942
  • terraform: remove invalid Terraform module reference support - #4931
  • terraform: support null values in list of dicts - #4937

Documentation

  • bitbucket: Update Bitbucket documentation to match the code. - #4934
  • sca: Add more ways to skip CVEs - #4928

checkov - 2.3.187

Published by github-actions[bot] over 1 year ago

Feature

  • general: 3D policies syntax refactor - #4865
  • secrets: support scanning of secrets in hidden paths - #4925

Bug Fix

  • secrets: Revert timeout in unix to work with signals - #4932
  • secrets: timeout in unix to work with signals - #4933

Documentation

  • secrets: Add readme file for Git History - #4913

checkov - 2.3.183

Published by github-actions[bot] over 1 year ago

Feature

  • sca: add is public fix version to sbom report - #4915
  • secrets: add more files to ignore list in git history - #4912
  • terraform: Ensure that container definition is not privileged 334 - #4779
  • terraform: TF provider check support - #4911

Bug Fix

  • general: Dedup results contain multiple identical images if using template syntax - #4924
  • general: fix wrong abs path in IR record - #4919
  • secrets: Save fetched policy destination from current work dir to temp - #4914
  • secrets: timeout in unix to work with signals - #4920
  • terraform: Fix for_each flow conditions - #4918
  • terraform: make sure K8s volume is a dict - #4917

checkov - 2.3.176

Published by github-actions[bot] over 1 year ago

Feature

  • arm: add Storage accounts disallow public access check for ARM - #4906
  • dockerfile: Add CKV2_DOCKER_16 for PIP_TRUSTED_HOST - #4893
  • sca: add is private fix version to sca output - #4891

Bug Fix

  • secrets: fix absolute file path cases - #4901
  • terraform: fix foreach count is none bug - #4907
  • terraform: limit RDS cluster audit logging to MySQL engine - #4897
  • terraform: remove duplicate call to convert graph vertices - #4909
  • terraform: remove local blocks with just line number - #4902

checkov - 2.3.171

Published by github-actions[bot] over 1 year ago

Feature

  • secrets: improve timing git history - #4890
  • terraform: add support for list of dicts in for loop - #4895

Bug Fix

  • cloudformation: fix invalid fn sub param in cfn - #4900
  • secrets: fix error if writing to file when don't have access - #4896
  • secrets: fix None in file name - #4899
  • secrets: reduce false positives in yaml files - case of serverless and secretmanager - #4892

checkov - 2.3.165

Published by github-actions[bot] over 1 year ago

Feature

  • terraform: ECS Service should not auto assign public IPs 333 - #4777
  • terraform: EFS access points should define a user and a path 329-330 - #4768
  • terraform: Ensure ECS Fargate uses latest version 332 - #4775
  • terraform: Transit gateway should not be set up to autoaccept any VPC 331 - #4770

Bug Fix

  • general: fix duplicate sarif output - #4886
  • secrets: fix slicing in githistory - #4889
  • terraform: exclude GCP asymmetric keys from key rotation - #4879
  • terraform: Paid is now standard - #4880
  • terraform: support empty filter in S3 lifecycle config - #4875

Package Rankings
Top 9.86% on Proxy.golang.org
Top 0.86% on Pypi.org