checkov

Prevent cloud misconfigurations and find vulnerabilities during build-time in infrastructure as code, container images and open source packages with Checkov by Bridgecrew.

APACHE-2.0 License

  • Downloads: 4.3M
  • Stars: 6.8K
  • Committers: 400

checkov - 2.1.294

Published by github-actions[bot] almost 2 years ago

Feature

  • kubernetes: Create label selector edge builder - #3715
  • terraform: add CKV NCP rules about access control group Inbound rule. - #3627
  • terraform: add versioned kubernetes resources to terraform kubernetes checks (5/5) - #3657

Bug Fix

  • general: skip scanning VCS configuration if only files are passed in - #3729

checkov - 2.1.290

Published by github-actions[bot] almost 2 years ago

Feature

  • circleci: CircleCI Image Reference using Mixin class - #3707

Bug Fix

  • kubernetes: fix in CPURequests check - #3727

checkov - 2.1.288

Published by github-actions[bot] almost 2 years ago

Bug Fix

  • github: fix GITHUB_OUTPUT and GITHUB_ENV issues of checkov-action - #3726
  • gitlab: Modify gitlab ci resource id - #3706

checkov - 2.1.286

Published by github-actions[bot] almost 2 years ago

Feature

  • graph: equals/not_equals_ignore_case operators (solvers) - #3698

Bug Fix

  • github: Fix GHA off value error resulting in checkov hanging - #3713
  • gitlab: vcs gitlab groups retrieval - #3716
  • kubernetes: fix in ServiceAccountTokens check - #3717
  • terraform: Add debug logs to yaml parsing logic - #3718

checkov - 2.1.282

Published by github-actions[bot] about 2 years ago

Bug Fix

  • general: Custom Policies integration must run before Suppression integration - #3701
  • terraform: Add or condition for TLS 1.3 policy, supporting CKV_AWS_103 - #3700
  • terraform: Fix TF AbsGoogleComputeFirewallUnrestrictedIngress check - #3704

checkov - 2.1.277

Published by github-actions[bot] about 2 years ago

Feature

  • terraform: add CKV NCP rules about access control group outbound rule. - #3624
  • terraform: add versioned kubernetes resources to terraform kubernetes checks (2/5) - #3654
  • terraform: add versioned kubernetes resources to terraform kubernetes checks (3/5) - #3655
  • terraform: add versioned kubernetes resources to terraform kubernetes checks (4/5) - #3656

Bug Fix

  • cloudformation: Fix ALBListenerTLS12 check - #3697
  • helm: undo file_abs_path manipulation for helm files - #3692
  • kubernetes: Couple of fixes in Checks - #3686
  • terraform: Fix CloudArmorWAFACLCVE202144228 check - #3696

checkov - 2.1.273

Published by github-actions[bot] about 2 years ago

Feature

  • kustomize: stop kustomize run, if there is nothing to process - #3681
  • sca: Enable multiple image referencer framework results in the same scan - #3652
  • terraform: add versioned kubernetes resources to terraform kubernetes checks (1/5) - #3653

Documentation

  • general: Fix broken links - #3685

checkov - 2.1.270

Published by github-actions[bot] about 2 years ago

Bug Fix

  • terraform: Outdated check for google_container_cluster binary authorization - #3612

checkov - 2.1.269

Published by github-actions[bot] about 2 years ago

Feature

  • terraform: Added new Terraform-AWS python IAMUserNotUsedForAccess(CKV_AWS_273) policy - #3574

Bug Fix

  • argo: only scan Argo Workflows files - #3644
  • kubernetes: minor fix for getting entity type from template - #3645
  • kustomize: add --client=true to kubectl version command, to prevent checkov waiting for timeout if cluster is unreachable - #3641
  • terraform: update CKV_AWS_213 to also cover AWS predefined security policies - #3615

checkov - 2.1.266

Published by github-actions[bot] about 2 years ago

Feature

  • general: add Azure Pipelines framework - #3579

Bug Fix

  • dockerfile: handle quoted absolute path in CKV_DOCKER_10 - #3626
  • kubernetes: handled missing field secretKeyRef in template - #3639
  • kubernetes: handled missing key in k8s templates - #3640
  • terraform: extend CKV2_AWS_15 to support aws_lb_target_group - #3617
  • terraform: handle unexpected value for enabled_cloudwatch_logs_exports - #3638

checkov - 2.1.258

Published by github-actions[bot] about 2 years ago

Feature

  • dockerfile: add Image Referencer for Dockerfile - #3571

Bug Fix

  • cloudformation: Fixed unexpected null properties for LaunchConfigurationEBSEncryption - #3620

checkov - 2.1.255

Published by github-actions[bot] about 2 years ago

Feature

  • general: allow file destination mapping via output-file-path flag - #3593

checkov - 2.1.254

Published by github-actions[bot] about 2 years ago

Feature

  • github: GHA Image Referencer using IR Mixin class - #3583
  • graph: add support for guideline field to custom graph checks - #3600
  • sca: Add root path references to shorten file paths in Image Referencer results - #3609
  • sca: support Image referencer in CLI - #3601

Bug Fix

  • github: bug fixes in CKV_GITHUB_6, CKV_GITHUB_7, CKV_GITHUB_9 - #3605
  • github: Fix resource id and file path for GHA IR - #3610
  • terraform: extend check for google cloud functions 2nd generation - #3607
  • terraform: fix port is bool ingress rule - #3606

checkov - 2.1.247

Published by github-actions[bot] about 2 years ago

Feature

  • general: added cli argument for extra resources in report - #3588
  • serverless: added extra resources for serverless and dockerfile - #3576
  • terraform: add CKV_NCP_1 about lb target group health check, CKV_NCP_2 about access control group description - #3569

Bug Fix

  • cloudformation: fix lc ebs encryption - #3598
  • github: changed the schema to accept no description for org - #3589
  • secrets: Skip secrets from files encoded with special codecs - #3597

checkov - 2.1.242

Published by github-actions[bot] about 2 years ago

Breaking Change

  • general: switch from black-list to block-list - #3581

Feature

  • kubernetes: added resources mappings for roles objects - #3582

Bug Fix

  • github: fix variables initialization - #3585
  • kubernetes: Handle templates without name for PeerClientCertAuthTrue check - #3577
  • openapi: fix openapi schema bug - #3587
  • sca: fix CycloneDX output for Docker images - #3586
  • secrets: change entropy limit in Combinator plugin - #3575
  • terraform: fix external modules ids in graph report - #3584
  • terraform: Handle malformed database_flags for GCP DB checks - #3578

checkov - 2.1.236

Published by github-actions[bot] about 2 years ago

Feature

  • general: Add enforcement rules to entrypoint.sh - #3573
  • openapi: add CKV_OPENAPI_7 to ensure http is not used in path definition - #3547
  • sca: add Image Referencer for Kubernetes, Helm and Kustomize - #3505
  • terraform: add CKV_AWS_272 to validate Lambda function code-signing - #3556
  • terraform: add new gcp postgresql checks - #3532
  • terraform: allow resources without values in TF plan - #3563

checkov - 2.1.229

Published by github-actions[bot] about 2 years ago

Bug Fix

  • kubernetes: [CKV_K8S_68] Remove unnecessary condition check from ApiServerAnonymousAuth.py - #3543

checkov - 2.1.228

Published by github-actions[bot] about 2 years ago

Bug Fix

  • general: use current branch name instead of master for the checkov-action - #3568

checkov - 2.1.227

Published by github-actions[bot] about 2 years ago

Documentation

  • general: Multi skip docs - #3561

checkov - 2.1.226

Published by github-actions[bot] about 2 years ago

Feature

  • gitlab: GitlabCI ImageReferencer - #3544

Bug Fix

  • secrets: Bump bc-detect-secrets - #3555
  • terraform: fix check CKV2_AZURE_8 - #3554

Documentation

  • general: Fix TOC rendering issue on checkov.io - #3551

Package Rankings

  • Top 9.86% on Proxy.golang.org
  • Top 0.86% on Pypi.org