checkov

Prevent cloud misconfigurations and find vulnerabilities during build-time in infrastructure as code, container images and open source packages with Checkov by Bridgecrew.

APACHE-2.0 License

Downloads: 4.3M
Stars: 6.8K
Committers: 400


checkov - 3.2.145

Published by github-actions[bot] 4 months ago

Documentation

  • general: Note for feature requests - #6497
checkov - 3.2.144

Published by github-actions[bot] 4 months ago

Bug Fix

  • kubernetes: ensure seccompProfile is set to RuntimeDefault for all containers in deployments and similar resources - #6459
  • terraform: Add more conditions for CKV_AWS_70 - #6464
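As an added illustration of what the seccompProfile item above enforces, here is a stand-alone re-implementation of that kind of check in plain Python. It is example code written for this page, not checkov's own implementation, and the manifests it scans are constructed dicts (the shape a YAML loader would produce), so it runs without checkov or PyYAML installed.

```python
"""Stand-alone illustration of a "seccompProfile must be RuntimeDefault" check.
This is added example code, not checkov's implementation; it mirrors the idea in
the release note, using constructed manifests as plain dicts (no YAML parser)."""

from typing import Any, Dict, List, Optional

# Workload kinds whose pod spec sits under spec.template.spec
TEMPLATE_KINDS = {"Deployment", "StatefulSet", "DaemonSet", "ReplicaSet", "Job"}


def _seccomp_type(security_context: Any) -> Optional[str]:
    """Return securityContext.seccompProfile.type, or None when absent."""
    if not isinstance(security_context, dict):
        return None
    profile = security_context.get("seccompProfile")
    if not isinstance(profile, dict):
        return None
    return profile.get("type")


def pod_spec_of(manifest: Dict[str, Any]) -> Optional[Dict[str, Any]]:
    """Locate the pod spec for Pod, template-based workloads and CronJob."""
    kind = manifest.get("kind")
    spec = manifest.get("spec") or {}
    if kind == "Pod":
        return spec
    if kind in TEMPLATE_KINDS:
        return (spec.get("template") or {}).get("spec") or {}
    if kind == "CronJob":
        job = (spec.get("jobTemplate") or {}).get("spec") or {}
        return (job.get("template") or {}).get("spec") or {}
    return None  # kind not covered by this check


def containers_missing_runtime_default(manifest: Dict[str, Any]) -> List[str]:
    """Names of initContainers/containers whose effective profile is not RuntimeDefault.

    A container-level seccompProfile overrides the pod-level one, so a pod-level
    RuntimeDefault is not enough if a container sets Unconfined for itself."""
    spec = pod_spec_of(manifest)
    if spec is None:
        return []
    pod_level = _seccomp_type(spec.get("securityContext"))
    failing: List[str] = []
    for key in ("initContainers", "containers"):
        for container in spec.get(key) or []:
            effective = _seccomp_type(container.get("securityContext")) or pod_level
            if effective != "RuntimeDefault":
                failing.append(container.get("name", "<unnamed>"))
    return failing


def check_seccomp_runtime_default(manifest: Dict[str, Any]) -> str:
    """PASSED / FAILED for covered kinds, SKIPPED otherwise."""
    if pod_spec_of(manifest) is None:
        return "SKIPPED"
    return "FAILED" if containers_missing_runtime_default(manifest) else "PASSED"


def _deployment(pod_security_context, containers, init_containers=()):
    """Build a constructed Deployment manifest for the demo (not a real workload)."""
    return {
        "apiVersion": "apps/v1",
        "kind": "Deployment",
        "metadata": {"name": "demo"},
        "spec": {"template": {"spec": {
            "securityContext": pod_security_context,
            "initContainers": list(init_containers),
            "containers": containers,
        }}},
    }


# Constructed samples: no profile anywhere, pod-level fix, and a container override
WEAK_DEPLOYMENT = _deployment(
    None,
    [{"name": "app", "image": "app:1"}],
    [{"name": "init", "image": "busybox"}],
)
FIXED_DEPLOYMENT = _deployment(
    {"seccompProfile": {"type": "RuntimeDefault"}},
    [{"name": "app", "image": "app:1"}],
    [{"name": "init", "image": "busybox"}],
)
OVERRIDDEN_DEPLOYMENT = _deployment(
    {"seccompProfile": {"type": "RuntimeDefault"}},
    [{"name": "app", "image": "app:1"},
     {"name": "sidecar", "image": "proxy:1",
      "securityContext": {"seccompProfile": {"type": "Unconfined"}}}],
)

if __name__ == "__main__":
    for label, m in (("weak", WEAK_DEPLOYMENT), ("fixed", FIXED_DEPLOYMENT),
                     ("overridden", OVERRIDDEN_DEPLOYMENT)):
        print(label, check_seccomp_runtime_default(m), containers_missing_runtime_default(m))
```

The third sample is the case worth remembering when writing such a check: a pod-level RuntimeDefault looks compliant until a container overrides it, so the evaluation has to be per container with the pod-level value only as a fallback.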
checkov - 3.2.141

Published by github-actions[bot] 4 months ago

Bug Fix

  • secrets: dedup secrets history values - #6462
checkov - 3.2.140

Published by github-actions[bot] 4 months ago

Feature

  • azure: fix ckv_azure_189 according to docs - #6413

Bug Fix

  • sca: Support parsing json with comments - #6466

Documentation

  • general: fix pre-commit link - #6433
checkov - 3.2.138

Published by github-actions[bot] 4 months ago

Feature

  • graph: support creation of resource type allow/deny lists - #6451

Bug Fix

  • terraform: Fix name of CKV2_AWS_67 to be more clear - #6434
  • terraform: Fix when apt is in rm statement - #6437
  • terraform: Update CKV_AWS_224 title - #6435
checkov - 3.2.136

Published by github-actions[bot] 4 months ago

Bug Fix

  • arm: Correct AzureMLWorkspacePrivateEndpoint rule check logic - #6432
  • general: removed Putin references - #6445
checkov - 3.2.133

Published by github-actions[bot] 4 months ago

Feature

  • general: add AI_AND_ML to CheckCategories - #6423

Bug Fix

  • sast: Update CKV IDs for CDK policies - #6415
checkov - 3.2.130

Published by github-actions[bot] 4 months ago

Feature

  • arm: add CKV_AZURE_135 to ensure Application Gateway WAF prevents message lookup in Log4j2. - #6364
  • arm: add CKV_AZURE_140 to ensure that Local Authentication is disabled on CosmosDB - #6329
  • arm: add CKV_AZURE_163 Enable vulnerability scanning for container images - #6339
  • arm: add MariaDbPublicAccessDisabled convert policy to arm - #6246
  • arm: AKSLocalAdminDisabled - #6334
  • arm: AppServiceFTPSState - #6363
  • arm: AzureServiceFabricClusterProtectionLevel - #6366
  • arm: ensure ACR disables anonymous pulling of images (CKV_AZURE_138) - #6373
  • arm: KeyVaultDisablesPublicNetworkAccess - #6342
  • arm: PostgreSQLServerPublicAccessDisabled - #6330
  • terraform: extract image referencers for AWS SageMaker - #6408

Bug Fix

  • ansible: add dict check in create_tasks_vertices - #6417
checkov - 3.2.128

Published by github-actions[bot] 5 months ago

Feature

  • azure: drop support for dotnet v7.0 - #6383
  • general: Image Referencer should not run for CI workflow files - #6386
  • secrets: Add _prioritise_secrets by 3 levels of severity - #6390
  • terraform: add 5 policies - #6401
  • terraform: add 6 policies - #6396
  • terraform: add fix for ckv_aws_300 - #6404
  • terraform: add fix for not contains solver - #6389

Bug Fix

  • ansible: filter conf if its int or float - #6409
  • general: add try except for github_action read file - #6411
  • general: bitbucket integration test failure - #6407
  • general: CKV2_AZURE_50 generates false positive azurerm_storage_account violations - #6391
  • sast: add log for sast on windows - #6397
checkov - 3.2.125

Published by github-actions[bot] 5 months ago

Feature

  • arm: Add check for AzureML workspace not configured with private endpoint - #6387
checkov - 3.2.124

Published by github-actions[bot] 5 months ago

Feature

  • azure: Add policy to ensure proper AzureML Workspace network access - #6362
  • azure: Ensure Azure Storage Account storing Machine Learning workspace high business impact data is not publicly accessible - #6368
checkov - 3.2.122

Published by github-actions[bot] 5 months ago

Feature

  • arm: AppServicePythonVersion - 82 check the 'python version' is the latest, if used to run the web app - #6282
checkov - 3.2.121

Published by github-actions[bot] 5 months ago

Feature

  • terraform: AWS SageMaker notebook instance KMS Key - #6374
  • terraform: CognitiveServicesConfigureIdentity - new check - #6378
  • terraform: Ensure that Cognitive Services accounts enable local authentication - new check - #6377
checkov - 3.2.119

Published by github-actions[bot] 5 months ago

Feature

  • arm: add FunctionAppsEnableAuthentication - Checking if a certain field exists - #6250
  • terraform: Add more conditions to CKV_AWS_70 - #6371
  • terraform: Added the CKV2_AWS_68 Check for TF and CFN - #6369

Bug Fix

  • ansible: set task as ansible vertices config - #6376
  • terraform: for_each/count attribute wasn't rendering if referencing a dynamic variable of a higher level module - #6372
checkov - 3.2.112

Published by github-actions[bot] 5 months ago

Feature

  • terraform: Add provider address to resources - #6266
  • terraform: Support for count & for_each in data blocks - #6359

Bug Fix

  • terraform: Fix an issue for loading tfvars + issue in the dynamic rendering - #6360
checkov - 3.2.108

Published by github-actions[bot] 5 months ago

Bug Fix

  • sast: don't scan hidden files - #6349
checkov - 3.2.107

Published by github-actions[bot] 5 months ago

Bug Fix

  • terraform: Handle registry modules with a version in CKF_TF_2 - #6354
checkov - 3.2.106

Published by github-actions[bot] 5 months ago

Feature

  • arm: Ensure Databricks Workspace data plane to control plane co… - #6319
  • general: TF and ARM - Ensure that Databricks Workspaces enable… - #6313
  • secrets: Bump detect-secrets - #6346
checkov - 3.2.105

Published by github-actions[bot] 5 months ago

Feature

  • arm: add AppServiceJavaVersion - #6258
  • arm: add CKV_AZURE_145 to check that the function app uses the latest version of TLS encryption - #6323
  • arm: add CKV_AZURE_218 to ensure that Application Gateway defines secure protocols for in transit communication - #6320
  • arm: add CKV_AZURE_54 to ensure a minimal TLS version is enforced for the server - #6270
  • arm: add CKV_AZURE_71 to Ensure that Managed identity provider is enabled for web apps - #6272
  • arm: add CKV_AZURE_72 to ensure that remote debugging is not enabled for app services - #6281
  • arm: AzureDefenderOStorage - #6269
  • arm: MySQLPublicAccessDisabled-Azure MySQL: Restrict Public Access - #6263
  • arm: StorageSyncPublicAccessDisabled - #6331
  • secrets: eliminate false positives in entropy keyword combinator detector - #6327

Bug Fix

  • ansible: fix ansible resource id in local graph - #6344
  • secrets: fix entropy type - #6347
checkov - 3.2.100

Published by github-actions[bot] 5 months ago

Feature

  • sast: TS-legacy-checks - #6311
  • secrets: entropy limit as env variable - #6332
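The secrets items in 3.2.105 (false positives in the entropy keyword combinator detector) and 3.2.100 (entropy limit as an environment variable) both concern the same detector idea: flag a value only when a sensitive-looking key name and a high-entropy value occur together, with the entropy cut-off tunable. The following is an added example of that combination, written for this page; it is not checkov's or detect-secrets' code, the keyword list and placeholder filter are illustrative, and the variable name SECRET_ENTROPY_LIMIT is an assumption for the example, not a checkov setting.

```python
"""Added illustration (not checkov's or detect-secrets' code) of a keyword-plus-
entropy secret detector with an environment-variable entropy limit.
SECRET_ENTROPY_LIMIT is an assumed variable name for this example only."""

import math
import os
import re
from collections import Counter
from typing import List, Mapping, Optional, Tuple

# Key-name fragments that make an assignment worth looking at (illustrative list)
KEYWORDS = ("password", "passwd", "secret", "token", "api_key", "apikey", "access_key")
# key = "value" / key: value, with optional quotes; value stops at whitespace or quote
ASSIGNMENT = re.compile(r'(?i)\b([a-z_][a-z0-9_]*)\s*[:=]\s*["\']?([^"\'\s]+)["\']?')
DEFAULT_LIMIT = 3.0          # bits per character; tuned down for demo purposes
MIN_LENGTH = 8               # very short values cannot carry much entropy anyway
PLACEHOLDER_WORDS = ("example", "changeme", "placeholder", "dummy", "xxx")
ENV_REFERENCE = re.compile(r"\$\{?[A-Z_][A-Z0-9_]*\}?")


def shannon_entropy(value: str) -> float:
    """Shannon entropy in bits per character of the given string."""
    if not value:
        return 0.0
    n = len(value)
    return -sum((c / n) * math.log2(c / n) for c in Counter(value).values())


def entropy_limit(env: Optional[Mapping[str, str]] = None) -> float:
    """Read the cut-off from SECRET_ENTROPY_LIMIT (assumed name), falling back
    to DEFAULT_LIMIT when the variable is unset or not a number."""
    env = os.environ if env is None else env
    raw = env.get("SECRET_ENTROPY_LIMIT")
    if raw is None:
        return DEFAULT_LIMIT
    try:
        return float(raw)
    except ValueError:
        return DEFAULT_LIMIT


def looks_like_placeholder(value: str) -> bool:
    """False-positive filter: sample/dummy values and references to env vars."""
    lowered = value.lower()
    if any(word in lowered for word in PLACEHOLDER_WORDS):
        return True
    return ENV_REFERENCE.fullmatch(value) is not None


def find_secrets(text: str, limit: Optional[float] = None) -> List[Tuple[int, str, float]]:
    """Return (line number, key, entropy) for assignments whose key matches a
    keyword AND whose value is long and high-entropy, skipping placeholders."""
    limit = entropy_limit() if limit is None else limit
    findings: List[Tuple[int, str, float]] = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for match in ASSIGNMENT.finditer(line):
            key, value = match.group(1), match.group(2)
            if not any(k in key.lower() for k in KEYWORDS):
                continue                      # high entropy alone is not enough
            if looks_like_placeholder(value):
                continue
            entropy = shannon_entropy(value)
            if len(value) >= MIN_LENGTH and entropy >= limit:
                findings.append((lineno, key, round(entropy, 2)))
    return findings


# Constructed sample config; none of these values is a real credential.
SAMPLE = """\
db_password = "hunter2"
api_key = "AKIAIOSFODNN7EXAMPLE"
aws_secret_access_key = "wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY"
github_token = "ghp_c4f8e1b2a9d3f6e7c0b1a2d3e4f5a6b7c8d9e0f1"
color = "a8f3e9d2c1b4f7e6"
password: ${DB_PASSWORD}
"""

if __name__ == "__main__":
    for lineno, key, entropy in find_secrets(SAMPLE):
        print(f"line {lineno}: {key} (entropy {entropy})")
```

Of the six sample lines only the github_token assignment is reported: hunter2 is too short, the two AWS-style values are caught by the placeholder filter, the high-entropy color value has no sensitive key name, and the ${DB_PASSWORD} reference is recognised as indirection rather than a literal. Raising the limit (for instance to 5.0 via the assumed environment variable) silences the remaining finding, which is the knob the 3.2.100 item exposes.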
Package Rankings
Top 9.86% on Proxy.golang.org
Top 0.86% on Pypi.org
Badges (extracted from project README): Maintained by Prisma Cloud, build status, security status, code coverage, docs, PyPI, Python Version, Terraform Version, Downloads, Docker Pulls, Slack community, Open in Gitpod