checkov

Prevent cloud misconfigurations and find vulnerabilities during build-time in infrastructure as code, container images and open source packages with Checkov by Bridgecrew.

APACHE-2.0 License

Downloads: 4.3M
Stars: 6.8K
Committers: 400

checkov - 3.2.204 Latest Release

Published by github-actions[bot] 3 months ago

Feature

  • arm: add CKV_AZURE_191 to ensure that Managed identity provider is enabled for Azure Event Grid Topic - #6496

Bug Fix

  • sast: BCE-36172 fix cdk policies - #6588

checkov - 3.2.201

Published by github-actions[bot] 3 months ago

Feature

  • terraform: add 14 rules for tencentcloud provider - #6448

Bug Fix

  • secrets: fix secrets prerun bug - #6594
  • terraform: Exclude String in CKV_AWS_337 - #6592

checkov - 3.2.199

Published by github-actions[bot] 3 months ago

Feature

  • arm: add CKV_AZURE_87 to ensure that Azure Defender is set to On for Key Vault - #6418
  • arm: ARM VnetSingleDNSServer - #6379
  • secrets: Adding the option to prerun before multiline pattern executing - #6586
  • secrets: If the prerun regex found but we already scanned file we already scann… - #6591

checkov - 3.2.196

Published by github-actions[bot] 3 months ago

Feature

  • general: Add metadata exception filter to GHA - #6583
  • general: Refactor all resource type handling in Checkov - #6572

checkov - 3.2.194

Published by github-actions[bot] 3 months ago

Feature

  • arm: AKSEncryptionAtHostEnable - #6575
  • arm: AKSEphemeralOSDisks - #6578
  • arm: CKV_AZURE_92 to Ensure that Virtual Machines use managed disks - #6455
  • arm: FrontDoorWAFACLCVE202144228 - Mitigates the Log4j2 vulnerability CVE-2021-44228. - #6419

Bug Fix

  • general: fix the right numbers in TestSkipJsonRegexPattern - #6580
  • terraform: Fix title of CKV_AZURE_238 - #6570

checkov - 3.2.193

Published by github-actions[bot] 3 months ago

Bug Fix

  • terraform: fix failures of no caller on definition context - #6573
  • terraform: TFPlan + TF fixes for google_project_iam_policy + google_iam_policy - #6577

checkov - 3.2.191

Published by github-actions[bot] 3 months ago

Bug Fix

  • general: fix sca unit tests for python 3.12 - #6574

checkov - 3.2.190

Published by github-actions[bot] 3 months ago

  • no noteworthy changes

checkov - 3.2.189

Published by github-actions[bot] 3 months ago

Feature

  • arm: add CKV_AZURE_169 to ensure that AKS use the Paid Sku for its SLA - #6545
  • arm: add CKV_AZURE_177 to ensure that Windows VM enables automatic updates - #6484
  • cloudformation: Update audit_logs valid values - #6566

checkov - 3.2.186

Published by github-actions[bot] 3 months ago

Feature

  • azure: add new policies for Azure Synapse (tf and arm) - #6554
  • bicep: support bicep custom policy - #6561

Bug Fix

  • arm: CKV_AZURE_56 just for authsettingsV2 name - #6557
  • secrets: filter secrets that have vault: in them - #6565

checkov - 3.2.183

Published by github-actions[bot] 3 months ago

Feature

  • terraform_plan: support tf_plan after_unknown enrichment - #6517

Bug Fix

  • secrets: small fix for filtering - #6562

Platform

  • general: pass repo ID to runconfig - #6560

checkov - 3.2.179

Published by github-actions[bot] 3 months ago

Feature

  • arm: add CKV_AZURE_206 to ensure that Storage Accounts use replication - #6524
  • arm: BCE-33785 Support Azure Synapse Analytics policies - #6513

checkov - 3.2.177

Published by github-actions[bot] 3 months ago

Bug Fix

  • sast: fix cdk policies - #6552

checkov - 3.2.175

Published by github-actions[bot] 3 months ago

Feature

  • arm: AzureSearchSQLQueryUpdates - #6543

checkov - 3.2.174

Published by github-actions[bot] 4 months ago

Feature

  • arm: add CKV_AZURE_172 to ensure autorotation of Secrets Store CSI Driver secrets for AKS clusters - #6533
  • arm: add CKV_AZURE_173 to ensure that API management uses at least TLS 1.2 - #6478
  • arm: AppServicePlanZoneRedundant - #6472
  • arm: AzureSearchSLAIndex - #6530
  • arm: SQLDatabaseZoneRedundant - #6515
  • azure: add new policies for Azure Synapse - #6520
  • general: update detect secrets package - #6535

checkov - 3.2.171

Published by github-actions[bot] 4 months ago

Feature

  • arm: add CKV_AZURE_171 to ensure that AKS cluster upgrade channel is chosen - #6532
  • arm: add CKV_AZURE_175 to ensure that Web PubSub uses a SKU with an SLA - #6523
  • arm: add CKV_AZURE_178 to ensure that linux VM enables SSH with keys for secure communication - #6486
  • arm: add CKV_AZURE_85 to ensure that Azure Defender is set to On for Kubernetes - #6279
  • arm: CKV_AZURE_99 to Ensure Cosmos DB accounts have restricted access - #6498
  • arm: DataFactoryNoPublicNetworkAccess - #6479
  • arm: DataLakeStoreEncryption - #6516
  • arm: EventHubNamespaceMinTLS12 - #6485

Bug Fix

  • openapi: [CKV_OPENAPI_3] Prevent false-positive when checking for http+!basic - #6406
  • terraform_json: support locals block in CDKTF output - #6452
  • terraform: Deprecate CKV2_AWS_67 - #6529

checkov - 3.2.164

Published by github-actions[bot] 4 months ago

Documentation

  • general: Add Python note - #6521

checkov - 3.2.163

Published by github-actions[bot] 4 months ago

Feature

  • arm: add CKV_AZURE_174 to ensure that API management public access is disabled - #6480
  • arm: AppServicePHPVersion - #6436
  • arm: AppServicePublicAccessDisabled - #6467
  • arm: KeyVaultEnablesPurgeProtection - #6465
  • arm: PubsubSpecifyIdentity - #6483

checkov - 3.2.159

Published by github-actions[bot] 4 months ago

Bug Fix

  • arm: fix CKV_AZURE_78: siteConfig object should be under properties - #6477
  • general: Mypy issues - #6510
  • terraform: ignore comment out modules - #6507

checkov - 3.2.156

Published by github-actions[bot] 4 months ago

Feature

  • arm: add CKV_AZURE_129 Ensure that MariaDB server enables geo-redundant backups - #6427
  • arm: add CKV_AZURE_137 Ensure ACR admin account is disabled - #6430
  • arm: add CKV_AZURE_139 Ensure ACR set to disable public networking - #6428
  • arm: add CKV_AZURE_166 Ensure container image quarantine, scan, and mark images verified - #6431
  • arm: add CKV_AZURE_168 to ensure that Azure Kubernetes Cluster (AKS) nodes should use a minimum number of 50 pods - #6385
  • arm: add CKV_AZURE_45 to ensure that no sensitive credentials are exposed in VM custom_data - #6422
  • arm: add CKV_AZURE_70 to ensure that Function apps is only accessible over HTTPS - #6457
  • arm: ARM AppServiceSlotDebugDisabled - CKV_AZURE_155 - #6453
  • arm: ARM AppServiceSlotHTTPSOnly - #6454
  • arm: ARM VnetLocalDNS - #6424
  • arm: PostgressSQLGeoBackupEnabled - #6456
  • arm: StorageAccountName - #6426
  • secrets: don't filter secrets - #6508

Bug Fix

  • azure: fix description of CKV_AZURE_236 - #6503
  • kubernetes: Fix CKV_K8S_31 for CronJobs - #6506
  • sca: fix parsing json with comments - #6509
  • terraform: CKV_AWS_339 add Kubernetes 1.30 to AWS EKS version checks - #6353
  • terraform: remove print from CKV_AWS_364 - #6504

Package Rankings

  • Top 9.86% on Proxy.golang.org
  • Top 0.86% on Pypi.org