checkov

Prevent cloud misconfigurations and find vulnerabilities during build-time in infrastructure as code, container images and open source packages with Checkov by Bridgecrew.

APACHE-2.0 License

Downloads
4.3M
Stars
6.8K
Committers
400


checkov - 2.3.160

Published by github-actions[bot] over 1 year ago

Bug Fix

  • general: catch unexpected errors when querying OpenAI - #4883

checkov - 2.3.158

Published by github-actions[bot] over 1 year ago

Feature

  • secrets: Add fields to record of secrets in git history - #4838

Bug Fix

  • terraform_plan: Handled TFDefinitionKey in plan runner as well - #4864

checkov - 2.3.155

Published by github-actions[bot] over 1 year ago

Feature

  • cloudformation: support inline suppression of CFN graph checks - #4843
  • terraform: Aurora DB should enable backtrack - #4739
  • terraform: Desync must be set to defensive or strictest - #4766
  • terraform: Ensure that RDS clusters are encrypted using a CMK - #4742
  • terraform: RDS Cluster - make sure rds cluster defined defaults for logging and audit logging - #4736

Bug Fix

  • general: be more forgiving of skipped checks without comment - #4844
  • terraform: default case should pass for auto updates - #4847
  • terraform: False negative for CKV_AZURE_179 - #4846
  • terraform: Only update config if len is bigger than 0 - #4855

checkov - 2.3.152

Published by github-actions[bot] over 1 year ago

Feature

  • dockerfile: Add CKV2_DOCKER_15 for yum-config-manager sslverify - #4622

Bug Fix

  • cloudformation: Security Group check now works for ranges and strings - #4797
  • terraform: Ensure APPService default action is to ignore not fail - #4790
  • terraform: Subnetworks with internal purpose can have private_ipv6_google_access… - #4804

checkov - 2.3.150

Published by github-actions[bot] over 1 year ago

Feature

  • terraform: Adding yaml based build time policies for corresponding PC runtime policies - #4800

Bug Fix

  • terraform: Fix for edge cases in for_each modules - #4831

checkov - 2.3.148

Published by github-actions[bot] over 1 year ago

Feature

  • kubernetes: support non-utf-8 encoded Kubernetes manifest files - #4820
  • terraform: ElastiCache for Redis cluster should automatically take minor updates - #4726
  • terraform: Ensure opensearch is configured for HA - #4717
  • terraform: Ensure Redshift specifies a DB name - #4723
  • terraform: Ensure Redshift uses enhanced vpc routing - #4724
  • terraform: Fix up ES logging check - #4720

Bug Fix

  • general: don't add an invalid URL to helpUri field in SARIF output - #4814
  • graph: support string values for resource_types in graph checks properly - #4819
  • kubernetes: Don't require ImagePullPolicy when digest (#4776) - #4781
  • secrets: catch errors in middle of process of getting commit diffs - #4823
  • terraform: Fix add_to_block condition to support more edge cases - #4822
  • terraform: fix false positive CKV2_GCP_20 (fails for any non-MySQL instance) - #4813
  • terraform: Length resolvers evaluate length of dict as 1. - #4808

Platform

  • general: Save error lines in IR records - #4821

checkov - 2.3.140

Published by github-actions[bot] over 1 year ago

Feature

  • general: add OpenAI integration - #4782
  • terraform: Ensure that cloudwatch alarms are set on - #4805

Bug Fix

  • general: fix scan all files entrypoint - #4801
  • terraform: Set back CHECKOV_ENABLE_FOREACH_HANDLING to False to check performance - #4798
  • terraform: TF new parser - Check for tfvars block - #4796

checkov - 2.3.134

Published by github-actions[bot] over 1 year ago

Feature

  • ansible: PAN-OS policy and zone checks - #4737
  • terraform_plan: support data blocks in Terraform plan files - #4758
  • terraform: Set CHECKOV_ENABLE_FOREACH_HANDLING as True - #4774

Bug Fix

  • terraform: Correctly serialize/deserialize TFModule object - #4780
  • terraform: Fix nested each.value replacement in for_each handler - #4787

checkov - 2.3.128

Published by github-actions[bot] over 1 year ago

Feature

  • secrets: make git history scan run in parallel - #4769
  • terraform: Add source_module_object_ to block attributes - #4773
  • terraform: codebuild don't enable privilege mode - #4714

Bug Fix

  • terraform: Fix nested statements in _is_static_foreach_statement - #4772

checkov - 2.3.124

Published by github-actions[bot] over 1 year ago

Feature

  • terraform: AWS Use Launch templates in ASG - #4698
  • terraform: Codebuild defines and uses logs - #4696

Bug Fix

  • terraform: Foreach - Fix regex on an empty list - #4765

checkov - 2.3.121

Published by github-actions[bot] over 1 year ago

Feature

  • general: Add scan all files to entrypoint - #4746
  • terraform: check routes are authorised - #4682
  • terraform: CloudDistribution set Failover origin - #4686
  • terraform: code build s3 logs are encrypted - #4687
  • terraform: Elasticbeanstalk should use enhanced health reporting - #4692
  • terraform: RDS cluster copy tags to snapshot - #4693
  • terraform: Support for_each/count statements in TF Modules - #4708

Bug Fix

  • secrets: Don't show stack trace in failures when uploading secrets to verify - #4734
  • secrets: Compare abs paths in SecretsOmitter - #4756
  • terraform: refine IAM assume role check CKV_AWS_61 - #4749
  • terraform: refine S3 lifecycle check CKV_AWS_300 - #4750

Platform

  • terraform: external module from git fail - log warning - #4755

Documentation

  • terraform: Document no private registry - #4745

checkov - 2.3.115

Published by github-actions[bot] over 1 year ago

Bug Fix

  • general: fix default log levels for support stream - #4741

checkov - 2.3.114

Published by github-actions[bot] over 1 year ago

Feature

  • ansible: Ansible panos int mgmt checks - #4683
  • terraform: api gateway ensure api cache is encrypted - #4681
  • terraform: AWS ensure Sagemaker Notebook users are not Root - #4676
  • terraform: Sagemaker Notebook In Custom VPC - #4675
  • terraform: Terraform runner with the new TF parser - #4728

Bug Fix

  • gitlab: fixing include scope that predominant all others - #4735

Documentation

  • general: fix small typo - #4725

checkov - 2.3.110

Published by github-actions[bot] over 1 year ago

Bug Fix

  • graph: Fix an issue in and connection solver - #4719

checkov - 2.3.108

Published by github-actions[bot] over 1 year ago

Feature

  • secrets: add option to get and set the secret store - #4707

Platform

  • graph: Ignore SyntaxWarning in variable rendering - #4718

checkov - 2.3.105

Published by github-actions[bot] over 1 year ago

Feature

  • general: add flag to skip cert verification - #4641
  • secrets: Override secrets validation flag with tenant config - #4701

checkov - 2.3.102

Published by github-actions[bot] over 1 year ago

Feature

  • terraform: AWS Ensure cloudfront has a default root - #4673
  • terraform: AWS ensure secret rotation is less than 90 days - #4672
  • terraform: AWS Secrets are rotated - #4671
  • terraform: ensure DB snapshots aren't public - #4667
  • terraform: ensure SSM docs are private - #4668
  • terraform: lambda permission is not public - #4666

Bug Fix

  • general: Custom policies integration correct check IDs filtering - #4700
  • sca: return empty result when using BC API key in IDE - #4694
  • terraform: add extra handling around private GitHub Terraform modules - #4699

checkov - 2.3.96

Published by github-actions[bot] over 1 year ago

Feature

  • ansible: Ansible panos security policy checks - #4639
  • terraform: s3 bucket has event notifications - #4660
  • terraform: s3 ensure failed uploads are deleted id=300!!!! - #4662

Bug Fix

  • gitlab: index_out_of_range - #4677
  • terraform: Revert "feat(terraform): support provider blocks yaml policy checks (… - #4680

checkov - 2.3.95

Published by github-actions[bot] over 1 year ago

Feature

  • sca: filter twistcli results with empty package name and version - #4670
  • terraform: Support new TFParser in the local graph (under env var) - #4664
  • terraform: support provider blocks yaml policy checks - #4656

checkov - 2.3.92

Published by github-actions[bot] over 1 year ago

Feature

  • sca: fix unexpected maven packageName - cycloneDX - #4663
  • sca: skipping finding IsPrivateFixVersion by default - #4648
  • sca: support inline CVE suppression in requirements.txt - #4630
  • secrets: allow scanning just partial history of commits - #4659
  • terraform: Refactor Module mapping objects - #4661
  • terraform: s3 to have lifecycle policy - #4658

Bug Fix

  • secrets: fix git history partial scan - #4665

Package Rankings
Top 9.86% on Proxy.golang.org
Top 0.86% on Pypi.org