checkov

Prevent cloud misconfigurations and find vulnerabilities during build-time in infrastructure as code, container images and open source packages with Checkov by Bridgecrew.

APACHE-2.0 License

  • Downloads: 4.3M
  • Stars: 6.8K
  • Committers: 400

checkov - 2.2.201

Published by github-actions[bot] almost 2 years ago

Bug Fix

  • secrets: add support to conditionQuery - #4086
  • terraform: fix edge-case in CKV_AZURE_183 check - #4145

checkov - 2.2.199

Published by github-actions[bot] almost 2 years ago

Feature

  • gha: support on directive in workflow files - #4125
  • sca: run old package scanning for IDE scan - #4133
  • secrets: expose maximum 6 characters of secret values - #4140

Bug Fix

  • circleci: add resource to ir - #4135
  • general: Reformat PR template - #4139
  • kubernetes: move Kubernetes context error message - #4132
  • terraform: add aws_transfer_server to CKV2_AWS_5 check - #4137
  • terraform: Add some more supported keys to bigquery public acl check ignore list to avoid false positives - #3969
  • terraform: fix azure network address invalid value - #4131

checkov - 2.2.191

Published by github-actions[bot] almost 2 years ago

Feature

  • general: add the stack trace to the error message when caught by main.py - #4121
  • sca: add GCP Terraform resources for Image Referencer - #4094
  • sca: protecting checkov with try/catch wrapping - #4104

Bug Fix

  • kubernetes: removed obsolete error logging - #4126
  • terraform: fix azure dns invalid ip - #4128

checkov - 2.2.186

Published by github-actions[bot] almost 2 years ago

Feature

  • general: move the jsonpath try/catch up a level to catch more errors - #3911
  • sca: returning exit code 2 in case of error for downloading twistcli - #4105

Bug Fix

  • dockerfile: adjust the file abs path for Dockerfile graph results - #4118
  • openapi: fix an open API CKV_OPENAPI_6 check - #4109
  • sca: fixing integration tests - #4117
  • terraform_plan: use abs path for repo_root_for_plan_enrichment - #4115
  • terraform: CKV2_AZURE_21 changed blob access type to private - #3898
  • terraform: fix support for getting module-referenced resources context - #4110

Platform

  • terraform: add previous get_tf_definition_key function - #4114

checkov - 2.2.180

Published by github-actions[bot] almost 2 years ago

Feature

  • general: Use --no-fail-on-crash to gracefully exit commit_repository and setup_bridgecrew_credentials - #4099
  • terraform_plan: add check details to TF plan scan results - #4091
  • terraform: new azurerm checks - App config - #3988
  • terraform: Omit values from graph checks - #4076

Bug Fix

  • general: change env var name for no-fail-on-crash flag - #4107
  • github: Fix GHA IR resource names in case of 2 identical images - #4108
  • terraform: azurerm storage defaults - fix for storage case #3516 - #4083
  • terraform: fix nested module resources ids in the report - #4098

checkov - 2.2.172

Published by github-actions[bot] almost 2 years ago

Feature

  • general: Add no-fail-on-crash flag - #4097
  • gha: add fix for gha graphs and UT - #4084
  • kubernetes: inject k8s FF flags to instance instead of constructor - #4096

Bug Fix

  • terraform: add a method for getting the entity definition path from the entity itself - #4095
  • terraform: add address attribute to all scanned terraform blocks - #4074

checkov - 2.2.168

Published by github-actions[bot] almost 2 years ago

Feature

  • kubernetes: Add kubernetes YAML checks to checkov packaging - #4073
  • kubernetes: move whorf to dedicated repo - #4062
  • terraform_plan: add Image Referencer for Terraform plan files - #4063
  • terraform: add CKV NCP rules about AutoScalingGroup, Load Balancer - #3821
  • terraform: add CKV NCP rules about Nat Gateways and Route - #3854
  • terraform: combine tf plan and tf graphs for nested modules - #4066
  • terraform: More azurerm checks for terraform - #3970

Bug Fix

  • openapi: Fix in PathSchemeDefineHTTP OpenAPI check - #4079
  • terraform: CKV_AZURE_43 add new test case - #4082

checkov - 2.2.158

Published by github-actions[bot] almost 2 years ago

Feature

  • github: more CIS checks - part 3 - #4057
  • terraform: Adding yaml based build time policies for corresponding PC run time policies - #3962

Bug Fix

  • secrets: fix secrets crash when secret is non string - #4077

checkov - 2.2.155

Published by github-actions[bot] almost 2 years ago

Feature

  • github: more CIS checks - part 2 - #4017
  • kubernetes: added CKV2_K8S_EXAMPLE_1 only in tests as an example for k8s graph check for pod which is publicly accessible - #4060
  • kubernetes: added deployment name to pod resource id - #4040
  • sca: fix root packages fixed version - #4070

Bug Fix

  • sca: invoke packaging.Version instead of parse - #4065
  • secrets: fix error when secret is None - #4071
  • terraform: checkov fix as resource container_group modified - #4061
  • terraform: fixed unexpected data for IAMPublicActionsPolicy - #4067
  • terraform: fixed unexpected data for MonitorLogProfileRetentionDays - #4068

Platform

  • general: Apply licensing from platform - #3961

checkov - 2.2.148

Published by github-actions[bot] almost 2 years ago

Feature

  • gha: Add gha graph infra - #4058
  • gha: add infra for gha graphs - #4052
  • sca: fixed dependencies default value - #4056
  • sca: added indirect cves fix versions - #4023
  • secrets: Inject secrets omitter to runner registry - #4054
  • terraform_plan: support jsonpath queries in AWS IAM policy strings for Terraform plan - #4033
  • terraform: Extend secret attributes to omit mapping - #4028
  • terraform: tf plan combine graphs pass params - #4051

Bug Fix

  • terraform: add missing resource aws_route53_resolver_endpoint #3968 - #3995
  • terraform: fix getting local dest module path - #4055
  • terraform: Fix some errors in Dynamic Blocks rendering - #4050

checkov - 2.2.139

Published by github-actions[bot] almost 2 years ago

Feature

  • graph: Added not_within attribute solver for graph checks - #4041
  • kubernetes: Add CKV2_K8S_2 graph check for potential privilege escalation in nodes/proxy or pods/exec with create permissions - #4034
  • kubernetes: Add CKV2_K8S_3 no impersonate permissions for ServiceAccount/Node - #4037
  • kubernetes: Added CKV2_K8S_4 check to not allow modifying of services/status - #4038
  • kubernetes: Added CKV2_K8S_5 check that no service account or node can read all secrets - #4042
  • secrets: Accepting json reports from bucket in secrets_omitter - #4039
  • terraform: add CKV NCP rules about Route Table Association - #3856

Bug Fix

  • kubernetes: Corrected list format for yaml files in new k8s graph check tests - #4035
  • secrets: custom secret add support for value str and not only list - #4024
  • terraform: Fix in dot separator in the dynamic argument - #4036

checkov - 2.2.130

Published by github-actions[bot] almost 2 years ago

Feature

  • general: Apply policy-level suppressions as skipped checks - #4020
  • github: Add 3 CIS checks: 1.1.3, 1.1.8, 1.1.10 - #4003
  • kubernetes: Added CKV2_K8S_1 to ensure RoleBinding do not allow privilege escalation to a ServiceAccount/Node - #4004
  • secrets: Omit secrets from reports based on secrets reports - #3991
  • secrets: Omit secrets from reports based on secrets reports - #4015

Bug Fix

  • github: remove secrets from schema example - #4019
  • terraform: fix resource block address - #4018

checkov - 2.2.124

Published by github-actions[bot] almost 2 years ago

Feature

  • sca: change sca packages output to include dependencies structure - #3957
  • secrets: Adding check length for secret - #3985
  • terraform: nested modules support in graph - #3935

Bug Fix

  • circleci: fix executors in resource_id - #4008
  • secrets: Bump detect secrets version - #3997
  • terraform: Fix an issue in dynamic blocks - #4006
  • terraform: fix CKV_AWS_283 check - #4005
  • terraform: Fix CKV_AZURE_168 check - #4000
  • terraform: Fix some issues in dynamic blocks flow - #4002
  • terraform: Fix TF checks crashes - #3992

checkov - 2.2.116

Published by github-actions[bot] almost 2 years ago

Feature

  • general: Report failed attempts at reporting contributor metrics - #3984
  • kubernetes: create simple resources id for pods; allow enabling k8s graph features using env vars - #3975
  • terraform: check for insecure protocols - #3958
  • terraform: Check resource-based policies for public access - #3989
  • terraform: Dynamic Blocks support for loop in for_each attribute - #3982
  • terraform: new aks checks for Azure - #3951

Bug Fix

  • dockerfile: fix Dockerfile inline skip handling - #3976
  • secrets: fix_Record_code_block_secrets - #3987
  • terraform: azurerm kusto cluster encryption - wrong attribute tested for - #3972

checkov - 2.2.114

Published by github-actions[bot] almost 2 years ago

Feature

  • terraform: add CKV NCP rules about ncloud access control group rule - #3860

Bug Fix

  • secrets: fix issue with 'NoneType' error in the custom detectors load_detectors - #3973

Platform

  • terraform: remove redundant exc_info for module without source - #3974

checkov - 2.2.112

Published by github-actions[bot] almost 2 years ago

Feature

  • dockerfile: add graph to Dockerfile - #3948
  • terraform: add CKV NCP rules about access control group inbound rule - #3859
  • terraform: Implement relative file path standard for tf plan file runs - #3918

Bug Fix

  • general: fix doc links on windows - #3959
  • secrets: Fix omitting of secrets that are json encoded - #3964
  • terraform_plan: Fix k8s checks edge cases for terraform plan - #3966
  • terraform: OCI Security Group Control Problem - #3933

Platform

  • secrets: remove the use of enable_secret_scan_all_files for custom secrets - #3954

Documentation

  • terraform: update Terraform modules docs - #3965

checkov - 2.2.106

Published by github-actions[bot] almost 2 years ago

  • no noteworthy changes

checkov - 2.2.105

Published by github-actions[bot] almost 2 years ago

Feature

  • terraform: add CKV NCP rules about Load Balancer Listener Using HTTPS - #3858
  • terraform: add CKV NCP rules about server instance and public IP - #3857
  • terraform: azurerm ACR check for retention policy - #3927

checkov - 2.2.99

Published by github-actions[bot] almost 2 years ago

Feature

  • github: add CIS checks part 1. Most of the 1.1.x - #3937
  • terraform: Azure ACR Enable Image Quarantine - #3925
  • terraform: Azure use signed image in ACR - #3923

Bug Fix

  • bicep: ignore unresolvable properties for Bicep storage account checks - #3946
  • gha: added test for step with no step name - #3945

checkov - 2.2.86

Published by github-actions[bot] almost 2 years ago

Feature

  • terraform: add CKV_AWS_282 to ensure that Redshift Serverless namespace is encrypted by KMS - #3915

Bug Fix

  • terraform: Remove cross variables edges duplications - #3920

Package Rankings

  • Top 9.86% on Proxy.golang.org
  • Top 0.86% on Pypi.org