checkov

Prevent cloud misconfigurations and find vulnerabilities during build-time in infrastructure as code, container images and open source packages with Checkov by Bridgecrew.

APACHE-2.0 License

Downloads: 4.3M
Stars: 6.8K
Committers: 400


checkov - 2.3.85

Published by github-actions[bot] over 1 year ago

Feature

  • secrets: support git history scan in multiline parsers - #4637
  • terraform: Definitions serialization with new definitions key/module objects - #4655
  • terraform: support variable rendering for default objects in vars - #4650

Bug Fix

  • arm: Fix resource type check in SQLServerAuditingRetention90Days - #4657
  • general: check suppression id instead of policy id - #4646
  • gitlab: Modify GitLab CI resource ids - #4647

checkov - 2.3.79

Published by github-actions[bot] over 1 year ago

Feature

  • terraform: Fix for foreach subgraph rendering - #4649
  • terraform: new checks on new resources - #4491

Platform

  • general: skip uploading repo for VSCode source - #4643

checkov - 2.3.75

Published by github-actions[bot] over 1 year ago

Feature

  • general: add Terraform JSON support - #4626
  • terraform: Adding yaml based build time policies for corresponding PC runtime policies - #4605

Bug Fix

  • arm: ignore incomplete resource in ARM templates - #4636
  • terraform: stop handling resource for_each as dynamic attribute - #4632

checkov - 2.3.71

Published by github-actions[bot] over 1 year ago

Bug Fix

  • terraform: v2 settings valid for windows and linux web apps - #4628

checkov - 2.3.70

Published by github-actions[bot] over 1 year ago

Feature

  • ansible: add Ansible check for CKV_PAN_4 for PAN-OS DSRI - #4608
  • dockerfile: Add tdnf support for CKV2_DOCKER_9 - #4620
  • terraform: Check added for AWS Database instance deletion protection - #4616
  • terraform: CloudtrailEventDataStoreUsesCMK - #4621

Bug Fix

  • bicep: handle malformed files in bicep parser - #4629
  • cloudformation: KMSKeyWildCardPrincipal modification - Check for wildcards inside of lists - #4590
  • terraform: in sg rules ignore self-referencing - #4603

checkov - 2.3.66

Published by github-actions[bot] over 1 year ago

Feature

  • gitlab: fix wrong resource in gitlab-ci - #4610
  • terraform: Support the -1 protocol on SG checks - #4611
  • terraform: TF Parser support of new modules keys - #4601

Bug Fix

  • bicep: extend CKV_AZURE_4 to consider omsAgent to be written in camelCase - #4614
  • general: refactor SARIF output - #4606
  • general: skip scanning invalid resources - #4617
  • sca: Added an error log for Twistcli failures - #4613
  • terraform: stop evaluating a string ... to the Ellipsis object - #4623

checkov - 2.3.59

Published by github-actions[bot] over 1 year ago

Bug Fix

  • general: do not stop getting fixes if one attempt results in a 403 - #4607
  • gha: skip schema validity check if parsing returned None - #4609
  • secrets: Adjust output to include the additional Git History info - #4566

checkov - 2.3.57

Published by github-actions[bot] over 1 year ago

Feature

  • ansible: Add checks for the ansible builtin dnf module - #4570
  • dockerfile: Add new dockerfile checks - #4569
  • terraform: Create a new TF parser - #4584

Bug Fix

  • secrets: only check secrets framework when scanning history - #4592
  • terraform: AWS - there's a new sg vpc ingress rule - #4575
  • terraform: Azurerm NSG UDP check should work for old style but still valid tf - #4454

checkov - 2.3.53

Published by github-actions[bot] over 1 year ago

Feature

  • terraform: Add foreach_attrs in saved graph - #4587
  • terraform: Set foreach_attrs directly under the block - #4586
  • terraform: TF foreach - Support updating each.value in nested dict - #4588

Bug Fix

  • sca: Set prisma token and scan packages by v2 for IDE scans - #4580
  • terraform: fix CKV_AWS_70 test and add graph for coverage of data source - #4542
  • terraform: TF foreach - Avoid rendering in static statements - #4583

Documentation

  • ansible: add Ansible policy docs generation - #4582

checkov - 2.3.50

Published by github-actions[bot] over 1 year ago

Bug Fix

  • terraform: add not exists conditional to CKV2_AWS_16 to account for defaults - #4578

checkov - 2.3.48

Published by github-actions[bot] over 1 year ago

Feature

  • secrets: track complete file deletion and renaming - #4551
  • terraform: Adding yaml based build time policies for corresponding PC runtime policies - #4529

Bug Fix

  • ansible: support skip check for Ansible Python-based checks - #4556
  • terraform: Handle unescaped lookup values - #4565

checkov - 2.3.44

Published by github-actions[bot] over 1 year ago

Feature

  • dockerfile: Add check for the environment variable NPM_CONFIG_STRICT_SSL - #4553
  • terraform: TF Parser - Move funcs and consts to utils file - #4550

Bug Fix

  • terraform_plan: Fix tf plan nested modules - #4562
  • terraform: fix for #4518 - #4528
  • terraform: Move get_module back to parser - #4560
  • terraform: remove dynamic warning exc_info - #4563

checkov - 2.3.39

Published by github-actions[bot] over 1 year ago

Feature

  • dockerfile: Add checks for disabling signature checks for apk, apt-get, rpm, yum, dnf - #4404
  • terraform: New classes for the TF module model - #4546

Bug Fix

  • gha: Align GHA resource ids (Graph vs Python checks) - #4549

checkov - 2.3.36

Published by github-actions[bot] over 1 year ago

Feature

  • arm: add graph capabilities to ARM framework - #4526
  • secrets: add timeout for scan history checks - #4523
  • secrets: Support secret findings in git history - #4525

checkov - 2.3.33

Published by github-actions[bot] over 1 year ago

Feature

  • gitlab: fix gitlab ci yaml file processing - #4536
  • sca: adding is_registry_url and printing in the cyclonedx only private registries urls - #4533
  • sca: support also the key "registryUrl" when extracting registry_url for the report - #4535

Bug Fix

  • terraform: Optional module content path - #4537

checkov - 2.3.29

Published by github-actions[bot] over 1 year ago

Bug Fix

  • cloudformation: Update CKV_AWS_46 to handle base64 encoded userdata - #4530

checkov - 2.3.28

Published by github-actions[bot] over 1 year ago

Feature

  • secrets: add flag for scan secrets history - #4513
  • terraform: Used parentheses in key for foreach attributes but not count - #4520

Bug Fix

  • gha: fix output flag for usage in checkov-action - #4517
  • terraform: add datasource option for headers check - #4496
  • terraform: optimize check CKV2_AWS_60 - #4512

Platform

  • general: Use new enforcement categories (#4456) - #4519

checkov - 2.3.23

Published by github-actions[bot] over 1 year ago

Feature

  • ansible: Add checks for the ansible builtin apt module - #4500

Bug Fix

  • gha: now looks for GHA on windows - #4515

checkov - 2.3.22

Published by github-actions[bot] over 1 year ago

Feature

  • sca: adding registry-url to the cyclonedx output report - #4511
  • secrets: Add capability to iterate over git history - #4469
  • terraform: Adding yaml based build time policies for corresponding PC run time policies - #4425

Bug Fix

  • secrets: import git - #4514

checkov - 2.3.18

Published by github-actions[bot] over 1 year ago

Feature

  • sca: add registry urls and description to the output report and to the csv report - #4485

Bug Fix

  • ansible: skip unsupported Ansible resources - #4504
  • terraform: Fix a str split edge case in function - #4507
  • terraform: fix enforcement rules mapping - #4509

Package Rankings

  • Top 9.86% on Proxy.golang.org
  • Top 0.86% on Pypi.org