checkov

Prevent cloud misconfigurations and find vulnerabilities during build-time in infrastructure as code, container images and open source packages with Checkov by Bridgecrew.

APACHE-2.0 License

Downloads: 4.3M
Stars: 6.8K
Committers: 400


checkov - 2.3.14

Published by github-actions[bot] over 1 year ago

Feature

  • secrets: log and filter potential uuid case - #4486
  • terraform: Assign/override main vertices by the first new vertex. - #4493
  • terraform: Support for loops in foreach statements - #4483

Bug Fix

  • terraform: Handle KeyError in hadle_for_loop func - #4501
  • terraform: Handle type error in _handle_for_loop_in_dict - #4495
  • terraform: skip loading module that calls to the same dir - #4499

Platform

  • general: Use new enforcement categories - #4456

Documentation

  • general: update installation on Alpine docs - #4474

checkov - 2.3.7

Published by github-actions[bot] over 1 year ago

Feature

  • graph: Add UT as an example of not-exists for the nested list. - #4484
  • secrets: Save secrets line number - #4488
  • terraform: AWS:check global DocDB cluster is encrypted - #4405
  • terraform: check msk nodes are private - #4392
  • terraform: support more json encoded objects as part of terraform resource and fix evaluation of true/false in json - #4487

Bug Fix

  • ansible: support nested blocks and empty module values - #4479
  • cloudformation: Updated AWS_CKV_7 to not require rotation on asymmetric keys - #4476

checkov - 2.3.3

Published by github-actions[bot] over 1 year ago

Feature

  • secrets: limit multiline regex detector run - #4453
  • terraform: Add foreach_attrs to config objects + UTs - #4463
  • terraform: GCP: Ensure Basic roles are not used at Org/Folder/Project level (CKV_GCP_115, CKV_GCP_116, CKV_GCP_117) - #4390

Bug Fix

  • kustomize: fix kustomize file path cli - #4466
  • terraform: Allow different types of value in BaseResourceValueCheck - #4470
  • terraform: deny statements with wildcards are valid - #4440

checkov - 2.3.0

Published by github-actions[bot] over 1 year ago

Breaking Change

  • gha: adjust the attribute reference for GitHub Actions graph checks - #4445
  • terraform: enable nested modules by default - #4448

Feature

  • general: Create 3d combinations post runner - #4353

Bug Fix

  • gha: fix GHA _get_jobs edge case (string step) - #4444
  • graph: added graph init to igraph db connector - #4455

checkov - 2.2.356

Published by github-actions[bot] over 1 year ago

Feature

  • sca: Add support for Dotnet files - #4189
  • terraform: Create new resources for count/foreach resources - #4427
  • terraform: extend CKV2_AWS_5 to support aws_ec2_spot_fleet_request - #4438

Bug Fix

  • general: Correct BigQueryDatasetEncryptedWithCMK name field - #4443
  • kubernetes: Fix empty spec in k8s file - #4452
  • kustomize: Fix kustomize cli file path - #4447
  • secrets: remove CKV_SECRET_78 from SECRET_TYPE_TO_ID - #4446
  • terraform: change module index separator in full path - #4437

checkov - 2.2.348

Published by github-actions[bot] over 1 year ago

Feature

  • cloudformation: support new default s3 encryption - #4429
  • graph: added indices to igraph nodes - #4433
  • secrets: Add args to analyze line is added and is removed for git history scan - #4426

Bug Fix

  • secrets: Comment out checkov multiline regex detectors - #4441
  • terraform: Fix updating resource config - #4432

Platform

  • secrets: Add secrets custom regex on file - #4430

checkov - 2.2.341

Published by github-actions[bot] over 1 year ago

Feature

  • ansible: add support for Ansible blocks - #4419
  • general: Control check failure logging level - #4431
  • graph: add validation for graph checks - #4352
  • kubernetes: support inline skips for Kubernetes graph checks - #4412
  • secrets: remove secrets dependency in generic record - #4424

Bug Fix

  • kustomize: remove redundant error in kustomize runner - #4428

Documentation

  • general: fix graph check link in docs - #4420

checkov - 2.2.335

Published by github-actions[bot] over 1 year ago

Feature

  • kustomize: support kustomize v5 - #4411
  • terraform: [Foreach/Count Handling] Render dynamic foreach/count statement - #4398

Bug Fix

  • general: Checks edge-cases fixes in terraform and openapi - #4414
  • general: Skip resources with no 'Type' defined + Checks containing wildcards for resource types leads to crash - #4408
  • terraform: fix getting the module for resource named 'module' - #4418
  • terraform: retire CKV_AWS_128 in favour of CKV_AWS_162 - #4350
  • terraform: SQS check was all types of wrong - #4382

checkov - 2.2.332

Published by github-actions[bot] over 1 year ago

Bug Fix

  • cloudformation: Don't fail Aurora instances for MultiAZ not being set - #4316

checkov - 2.2.331

Published by github-actions[bot] over 1 year ago

Bug Fix

  • general: fix compact json output - #4406

checkov - 2.2.330

Published by github-actions[bot] over 1 year ago

Feature

  • sca: Add a --support flag - #4397
  • sca: Add a --support flag --revert - #4396
  • secrets: add workdir info to secrets scanner - #4400
  • secrets: extract new detector_utils file from entropy keyword combinator - #4385

Bug Fix

  • general: Remove empty links from GitLab SAST output - #4393

checkov - 2.2.327

Published by github-actions[bot] over 1 year ago

Feature

  • gha: add gha permissions lines - #4372
  • sca: add extract nodes igraph - #4359
  • sca: create bom report when extra_resources is not empty - #4388
  • secrets: add support for runnable secrets plugins - #4368
  • terraform: add CKV_GCP_114 to ensure that Public Access Prevention is enforced on GoogleCloudStorage bucket. - #4347
  • terraform: Add cloudsplaining checks to tf aws_iam_policy CKV_AWS_287-290 - #4386
  • terraform: get static foreach/count values of resources - #4374

checkov - 2.2.320

Published by github-actions[bot] over 1 year ago

Feature

  • sca: Add a --support flag - #4323
  • sca: added extra supported package files to find_scannable_files - #4378
  • terraform: add reset edges function to terraform local graph - #4373
  • terraform: Added base class for cloudsplaining iam checks to be integrated between data and resource objects - #4338
  • terraform: Added basic check with test for tf resource with IAM privilege escalation - #4376

Bug Fix

  • cloudformation: Skip SAM Global Tags propagation - #4383
  • sca: extend image name validation - #4377
  • terraform: simple check naming fix - #4371

checkov - 2.2.316

Published by github-actions[bot] over 1 year ago

Feature

  • sca: ignore package.json file when yarn.lock exists - #4370
  • terraform: GCP check kms policy does not define public access - #4190
  • terraform: GCP check policy isn't public - #4194

Bug Fix

  • sca: support BC_VUL_X IDs in GitLab SAST output - #4360

checkov - 2.2.312

Published by github-actions[bot] over 1 year ago

Feature

  • azure: fix container latest tag missing results - #4337

Bug Fix

  • azure: Add .*. in azure checks to check in lists as well - #4355
  • azure: Azure checks fixes - #4342
  • azure: Azure checks fixes - #4354
  • azure: Support string function_app min_tls_version as well - #4357
  • kubernetes: k8s checks fixes - #4343
  • sca: Fix multiple issues related to IR - #4358
  • terraform: Terraform checks fixes - #4344

checkov - 2.2.305

Published by github-actions[bot] over 1 year ago

Feature

  • general: Add GitLab SAST output - #4315

checkov - 2.2.304

Published by github-actions[bot] over 1 year ago

Bug Fix

  • kubernetes: skip extracting pods for custom resources - #4334
  • sca: require requests 2.27.0 - #4339

Documentation

  • general: fix env var name to CKV_IGNORE_HIDDEN_DIRECTORIES - #4335

checkov - 2.2.302

Published by github-actions[bot] over 1 year ago

Feature

  • general: igraph library support - #4327

Bug Fix

  • general: add missing header in --list output - #4329
  • kubernetes: extract pods only for supported resources - #4330
  • sca: catch exceptional error during SCA results polling - #4331
  • terraform: change terraform nested modules path separators - #4319
  • terraform: handle unexpected container definition type - #4328

checkov - 2.2.299

Published by github-actions[bot] over 1 year ago

Feature

  • azure: change detect image source - #4320
  • general: add empty azure image check - #4308
  • general: add logs for async license and image retrieval - #4317
  • sca: Support the new --image flag along the --docker-image flag - #4314

Bug Fix

  • general: ignore repo_id setting when list flag is set - #4313
  • kubernetes: handle k8s resource with missing required data - #4318
  • secrets: Change s3 path for enriched secrets upload - #4275
  • terraform: handle unexpected container type - #4311

Documentation

  • general: Update README for supported Python versions - #4305

checkov - 2.2.292

Published by github-actions[bot] over 1 year ago

Feature

  • terraform: new app service checks for azurerm - #4072

Bug Fix

  • general: In case of a non-JSON response, log the response - #4304
  • terraform_plan: fix in deep analysis - #4306
  • terraform: fix default behaviour of CKV_GCP_19 - #4289

Package Rankings
Top 9.86% on Proxy.golang.org
Top 0.86% on Pypi.org