checkov

Prevent cloud misconfigurations and find vulnerabilities during build-time in infrastructure as code, container images and open source packages with Checkov by Bridgecrew.

APACHE-2.0 License

Downloads: 4.3M
Stars: 6.8K
Committers: 400

checkov - 2.2.84

Published by github-actions[bot] almost 2 years ago

Feature

  • general: sign and push checkov image to GitHub registry - #3906
  • secrets: Add Terraform multiline secrets handling - #3907
  • terraform: ensure snapshots use encryption - #3899
  • terraform: support cross-modules edges - #3909

checkov - 2.2.80

Published by github-actions[bot] almost 2 years ago

Feature

  • terraform: add nested module address attribute - #3904

checkov - 2.2.78

Published by github-actions[bot] almost 2 years ago

Feature

  • general: add output format cyclonedx_json - #3902
  • general: add source to contributor metrics report - #3905

Bug Fix

  • terraform: Fix an edge case in AbsRDSParameter check - #3903

checkov - 2.2.75

Published by github-actions[bot] almost 2 years ago

Feature

  • github: add output-file-path flag to checkov-action - #3897

Bug Fix

  • terraform: Dynamic blocks - added support for lookup null/true/false values - #3893

Platform

  • sca: added dependency tree format - #3892

checkov - 2.2.72

Published by github-actions[bot] almost 2 years ago

Feature

  • terraform: add CKV NCP rules about NKSPublicAccess - #3822
  • terraform: Censor secrets from tfplan graph - #3894
  • terraform: create cross-variable edges between resources from the same module - #3881

Bug Fix

  • general: remove filter value validation - #3896
  • terraform: Fix dynamic blocks nested module - #3890
  • terraform: handle empty enabled_cluster_log_types list - #3891

Platform

  • sca: add scaCliScanId parameter - #3789

checkov - 2.2.65

Published by github-actions[bot] almost 2 years ago

Feature

  • terraform: test checks for any port access - #3882

Bug Fix

  • terraform: Fixing some broken flow in dynamic blocks rendering - #3879
  • terraform: Not adding dynamic blocks attributes to attributes - #3872

Platform

  • general: Support s3 client config for govcloud - #3880
  • sca: Add repoId to GET request - #3876
  • sca: Fix bom report - #3867
  • sca: Poll sca scan results using Polling API - #3841
  • sca: remove src from repo path - #3884

checkov - 2.2.58

Published by github-actions[bot] almost 2 years ago

Feature

  • general: number of words larger/less than or equal operators - #3827
  • general: remove env var for running contributor metrics report and add logs - #3873
  • terraform: add CKV NCP rules about Load Balancer Exposed to Internet - #3819
  • terraform: Mask secret values in Terraform plan file reports by resource - #3868
  • terraform: Support dynamic blocks with nested attributes - #3869

Bug Fix

  • general: Fixed operator name for number_of_words_derivaties - #3875
  • terraform: Fix dynamic attributes override each other - #3866

checkov - 2.2.50

Published by github-actions[bot] almost 2 years ago

Feature

  • general: add reporting contributor metrics - #3823
  • terraform: add CKV NCP rules about access key hard coding - #3820
  • terraform: NSGRulePortAccessRestricted - Remove the condition for dynamic blocks - #3862

Bug Fix

  • kubernetes: handle empty spec object in k8s templates - #3865
  • openapi: fixed error in invalid openapi template - #3863
  • terraform: app_service Upgrade tests and add web app resources - #3838
  • terraform: Handled nested unrendered vars - #3853

checkov - 2.2.44

Published by github-actions[bot] almost 2 years ago

Bug Fix

  • terraform: fix an issue with dynamics replacing a whole block - #3846

checkov - 2.2.43

Published by github-actions[bot] almost 2 years ago

Feature

  • terraform: Wrap render dynamic blocks flow with try except - #3837

Bug Fix

  • bicep: make ARM AKS checks compatible with Bicep - #3836
  • cloudformation: only parse valid tag key-pairs in CloudFormation - #3835
  • general: Clear details before next check run to avoid duplications in output - #3711

checkov - 2.2.38

Published by github-actions[bot] almost 2 years ago

Feature

  • secrets: add abstract multiline parser + implement multiline json parser - #3799
  • terraform: Support for nested dynamic modules - #3813

Bug Fix

  • kubernetes: fixed unexpected list object - #3833

checkov - 2.2.35

Published by github-actions[bot] almost 2 years ago

Feature

  • general: Added Number of Words operator - #3801
  • terraform: add CKV NCP rules about LBTargetGroupUsingHTTPS - #3797
  • terraform: add CKV NCP rules about NASEncrytionEnabled - #3796
  • terraform: Add Env Var for rendering Dynamic Blocks - #3816
  • terraform: Dynamic blocks breadcrumbs support - #3814
  • terraform: PC Policy Team Yaml Policies Check-in - #3785
  • terraform: PC-Policy-Team: Ensure GCP compute firewall ingress does not allow unrestricted access to all ports - #3786

Platform

  • sca: Run package scan using API - #3812

checkov - 2.2.31

Published by github-actions[bot] almost 2 years ago

Feature

  • azure: Add get resource names for azure_pipelines - #3798
  • github: add graph to GitHub Actions - #3672
  • terraform: add CKV NCP rules about LBListenerUsesSecureProtocols - #3782
  • terraform: Dynamic Modules Support map type - #3800
  • terraform: include pods of kubernetes_deployment in kubernetes_pod checks (1/4) - #3691
  • terraform: include pods of kubernetes_deployment in kubernetes_pod checks (2/4) - #3702
  • terraform: include pods of kubernetes_deployment in kubernetes_pod checks (3/4) - #3703
  • terraform: include pods of kubernetes_deployment in kubernetes_pod checks (4/4) - #3738

Bug Fix

  • arm: CKV_AZURE_9 & CKV_AZURE_10 - Scan fails if protocol value is a wildcard - #3750
  • azure: Remove redundant file path from resource name in azure pipelines - #3818
  • secrets: fix slow secrets scan in yaml files - #3803
  • secrets: fixed path of secrets tests to exclude - #3817
  • terraform: fix gke resource name not string - #3811

Platform

  • general: rationalize policy metadata error handling behavior - #3795
  • sca: add new sca package scan - #3802
  • sca: Extract checkov check links - #3790

checkov - 2.2.22

Published by github-actions[bot] almost 2 years ago

Feature

  • kubernetes: Create keyword and network policy edge builders - #3763

checkov - 2.2.21

Published by github-actions[bot] almost 2 years ago

Feature

  • general: add range_includes and inverted operator - #3752
  • secrets: Add multiline detection to entropy keyword combinator - #3788

Bug Fix

  • terraform: render list entries via modules correctly - #3781

checkov - 2.2.17

Published by github-actions[bot] almost 2 years ago

Feature

  • terraform: Add CKV_AWS_276 to ensure that API Gateway Method Settings data_trace_enabled is not set to True - #3761

Bug Fix

  • terraform: Fix related_resource_id for ImageReferencer in external_module - #3780

Documentation

  • general: Fix typo in docs - #3694

checkov - 2.2.15

Published by github-actions[bot] almost 2 years ago

Feature

  • github: split repo and org webhooks to separate files - #3764
  • gitlab: Adding image detection check to gitlab ci - #3774
  • openapi: pre-validate OpenAPI JSON files - #3760

Bug Fix

  • azure: Support .yaml extension - #3767
  • github: print the result again in GHA - #3751
  • terraform: reduce parsing time for large TF plan files - #3757

checkov - 2.2.8

Published by github-actions[bot] almost 2 years ago

Feature

  • terraform: add CKV2_AWS_40 to Ensure AWS IAM policy does not allow full IAM privileges - #3712

Platform

  • general: Get resources from platform and filter taggable resources for policies - #3621

checkov - 2.2.5

Published by github-actions[bot] almost 2 years ago

Feature

  • graph: add support for modules in graph checks - #3635
  • terraform: add CKV NCP rules about Network ACL. - #3668
  • terraform: TF Dynamic Blocks support - for_each lists type - #3737

Bug Fix

  • terraform: fix a TF plan issue with CKV_AWS_274 - #3747
  • terraform: fix false positive for write ACL yaml check - #3745

Documentation

  • general: Update Jenkins page to use Checkov image - #3725

checkov - 2.2.0

Published by github-actions[bot] almost 2 years ago

Breaking Change

  • github: Change github_failed_only output suffix to .md - #3595
  • terraform: adjust the check result return for dependant variables to unknown in Python based checks - #3743
  • terraform: return UNKNOWN for unrendered values in graph checks - #3689

Feature

  • terraform: add CKV NCP rule about block storage encryption. - #3628
  • terraform: add CKV NCP rule about vpc volume encryption. - #3629
  • terraform: add CKV NCP rules about Network ACL. - #3630
  • terraform: Create checks for aws managed admin policy - #3741

Bug Fix

  • terraform: local_authentication_disabled - cosmodb check to look at SQL Api only CKV_AZURE_140 - #3648

Package Rankings
Top 9.86% on Proxy.golang.org
Top 0.86% on Pypi.org