# v6.1.0 - IaC Scanner: Helm support, false-positive fixes, report integration

Patch release resolving all known gaps identified after v6.0.0.
## Bug fixes

| Issue | Fix |
|---|---|
| Helm charts silently skipped | Added `_check_helm()`, which scans `Chart.yaml` (deprecated `apiVersion`, missing `appVersion`) and `values.yaml` (hardcoded secrets, `privileged: true`, `:latest` image tag) |
| Terraform false positives on `password =` | Pattern now excludes `var.*`, `data.*`, `local.*` and `module.*` references; only literal hardcoded strings are flagged |
| Checkov framework field showed the raw file extension (`tf`, `yml`) | `check_type` strings mapped to proper framework names (`terraform`, `kubernetes`, etc.) |
| Duplicate findings for repeated patterns in the same file | Findings deduplicated by (`check_id`, `file_path`, `line`) |
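The `password =` false-positive fix and the deduplication fix above, as an added example that is not the scanner's own code: a minimal Python checker that flags only literal `password =` / `secret_key =` assignments in Terraform, skips `var.*`, `data.*`, `local.*` and `module.*` references (including the `"${var.x}"` interpolation form), and then collapses repeated findings on (`check_id`, `file_path`, `line`). The `TF0xx` ID, the regex patterns and the sample HCL are placeholders constructed for this example.

```python
import re
from collections import namedtuple
Finding = namedtuple("Finding", "check_id file_path line")  # exactly the dedup key
# (check_id, key regex). "TF0xx" is a placeholder (the page gives no password check ID).
# The two overlapping password patterns reproduce the "repeated patterns" duplicate case.
CHECKS = [("TF0xx", r"password"), ("TF0xx", r"\w*_password"), ("TF015", r"secret_key")]
# key = "<quoted string>"  or  key = <bare token up to whitespace or comment>
ASSIGN = r'(?P<key>{key})\s*=\s*(?P<value>"[^"]*"|[^\s#]+)'
# Values starting with these prefixes are HCL references, not hardcoded literals.
REFERENCE = re.compile(r"^(var|data|local|module)\.")

def is_literal_secret(value: str) -> bool:
    inner = value.strip('"')
    if inner.startswith("${") and inner.endswith("}"):
        inner = inner[2:-1]                 # legacy "${var.x}" interpolation
    if REFERENCE.match(inner):
        return False                        # reference, not a hardcoded value
    return value.startswith('"')            # only quoted literals are findings

def scan_terraform(file_path: str, text: str) -> list:
    """Raw findings, one per (check pattern, matching line); may hold duplicates."""
    findings = []
    for check_id, key_re in CHECKS:
        pattern = re.compile(ASSIGN.format(key=key_re))
        for lineno, line in enumerate(text.splitlines(), start=1):
            m = pattern.search(line)
            if m and is_literal_secret(m.group("value")):
                findings.append(Finding(check_id, file_path, lineno))
    return findings

def dedupe(findings: list) -> list:
    """Keep the first finding per (check_id, file_path, line), drop repeats."""
    seen, unique = set(), []
    for f in findings:
        if f not in seen:
            seen.add(f)
            unique.append(f)
    return unique

# Constructed sample input, not taken from any real project.
SAMPLE_TF = '''\
resource "aws_db_instance" "db" {
  password      = var.db_password           # reference: not flagged
  root_password = "${var.root_password}"    # interpolated reference: not flagged
  db_password   = "hunter2"                 # literal: hit by both password patterns
  secret_key    = "AKIA-PLACEHOLDER"        # literal: TF015
}
'''
```

Running `dedupe(scan_terraform("main.tf", SAMPLE_TF))` yields one `TF0xx` finding on line 4 and one `TF015` finding on line 5; without `dedupe` the line-4 finding appears twice.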
## New checks

| ID | Framework | Severity | What's detected |
|---|---|---|---|
| TF015 | Terraform | CRITICAL | `secret_key` hardcoded (not via `var.*`) |
| TF016 | Terraform | MEDIUM | S3 bucket versioning disabled - ransomware risk |
| TF017 | Terraform | CRITICAL | SSH (22) or RDP (3389) open to 0.0.0.0/0 |
| TF018 | Terraform | HIGH | CloudTrail logging disabled |
| TF019 | Terraform | HIGH | MFA delete disabled on S3 bucket |
| K8S014 | Kubernetes | MEDIUM | Missing NetworkPolicy - default allow-all pod traffic |
| K8S015 | Kubernetes | HIGH | `hostPath` volume mount - container can read the host filesystem |
| HELM001 | Helm | LOW | `Chart.yaml` missing `appVersion` |
| HELM002 | Helm | LOW | Deprecated Helm API version `v1` |
| HELM003 | Helm | CRITICAL | Hardcoded secret in `values.yaml` |
| HELM004 | Helm | CRITICAL | `privileged: true` in Helm values |
| HELM005 | Helm | MEDIUM | Image tag `:latest` in Helm values |
## Report integration

- IaC section added to `report.html`; it renders in every scan report
- 6-KPI strip: Files Scanned, Frameworks, Critical, High, Medium, Engine
- Collapsible findings table: click any row to expand fix details and the resource name
- Handles both the empty (no findings) and unavailable (scan not run) states