
v6.1.0 - IaC Scanner: Helm support, false positive fixes, report integration


@OmarRao OmarRao released this 19 Jun 15:39


Patch release resolving all known gaps identified after v6.0.0.


Bug fixes

| Issue | Fix |
| --- | --- |
| Helm charts silently skipped | Added _check_helm() - scans Chart.yaml (deprecated apiVersion, missing appVersion) and values.yaml (hardcoded secrets, privileged: true, :latest image tag) |
| Terraform false positives on password = | Pattern now excludes var.*, data.*, local.*, module.* references - only flags literal hardcoded strings |
| Checkov framework field showed raw extension (tf, yml) | Mapped check_type strings to proper framework names (terraform, kubernetes, etc.) |
| Duplicate findings for repeated patterns in same file | Added deduplication by (check_id, file_path, line) |

New checks

| ID | Framework | Severity | What's detected |
| --- | --- | --- | --- |
| TF015 | Terraform | CRITICAL | secret_key hardcoded (not via var.*) |
| TF016 | Terraform | MEDIUM | S3 bucket versioning disabled - ransomware risk |
| TF017 | Terraform | CRITICAL | SSH (22) or RDP (3389) open to 0.0.0.0/0 |
| TF018 | Terraform | HIGH | CloudTrail logging disabled |
| TF019 | Terraform | HIGH | MFA delete disabled on S3 bucket |
| K8S014 | Kubernetes | MEDIUM | Missing NetworkPolicy - default allow-all pod traffic |
| K8S015 | Kubernetes | HIGH | hostPath volume mount - container can read host filesystem |
| HELM001 | Helm | LOW | Chart.yaml missing appVersion |
| HELM002 | Helm | LOW | Deprecated Helm API version v1 |
| HELM003 | Helm | CRITICAL | Hardcoded secret in values.yaml |
| HELM004 | Helm | CRITICAL | privileged: true in Helm values |
| HELM005 | Helm | MEDIUM | Image tag :latest in Helm values |
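The following Python is an added illustration of the Terraform credential rule from the bug-fix list (literal strings flagged; var.*, data.*, local.* and module.* references skipped), of the TF015 secret_key check, and of deduplication by (check_id, file_path, line). It is example code written for this page, not the scanner's own implementation; the password check ID and the sample Terraform are constructed placeholders.

```python
import re
from typing import NamedTuple
class Finding(NamedTuple):
    check_id: str
    file_path: str
    line: int
    message: str
# Attribute -> check ID. TF015 is from the release; the password ID is a placeholder.
CREDENTIAL_ATTRS = {"secret_key": "TF015", "password": "TF-PASSWORD-PLACEHOLDER"}
# Value is one double-quoted string or a bare reference token, so a trailing "# comment" is never captured.
ASSIGN_RE = re.compile(r'^\s*(?P<attr>[A-Za-z_]\w*)\s*=\s*(?P<value>"[^"]*"|[^\s#]+)')
REFERENCE_RE = re.compile(r'^(?:var|data|local|module)\.')

def is_hardcoded_literal(value: str) -> bool:
    """Only a quoted literal counts; var./data./local./module. and ${...} are skipped."""
    if REFERENCE_RE.match(value):
        return False
    return value.startswith('"') and value.endswith('"') and "${" not in value

def scan_terraform(file_path: str, text: str) -> list[Finding]:
    findings = []
    for lineno, raw in enumerate(text.splitlines(), start=1):
        m = ASSIGN_RE.match(raw)
        if m and m.group("attr") in CREDENTIAL_ATTRS and is_hardcoded_literal(m.group("value")):
            findings.append(Finding(CREDENTIAL_ATTRS[m.group("attr")], file_path, lineno,
                                    f'{m.group("attr")} is a hardcoded literal'))
    return findings

def dedupe(findings: list[Finding]) -> list[Finding]:
    """Collapse repeats by (check_id, file_path, line), keeping the first hit."""
    seen, out = set(), []
    for f in findings:
        if (f.check_id, f.file_path, f.line) not in seen:
            seen.add((f.check_id, f.file_path, f.line))
            out.append(f)
    return out
# Constructed sample input; the secret value is an obvious placeholder, not a real key.
SAMPLE_TF = """\
provider "aws" {
  secret_key = "PLACEHOLDER-NOT-A-REAL-KEY"   # literal -> TF015 at line 2
}
resource "aws_db_instance" "primary" {
  password = "hunter2"                        # literal -> flagged at line 5
}
resource "aws_db_instance" "replica" {
  password = var.db_password                  # reference -> skipped
  secret_key = "${local.api_key}"             # interpolated reference -> skipped
}
"""
```

Running scan_terraform("main.tf", SAMPLE_TF) yields exactly two findings (lines 2 and 5); feeding the same file twice through dedupe() still yields two.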

Report integration

  • IaC section added to report.html - renders in every scan report
  • 6-KPI strip: Files Scanned, Frameworks, Critical, High, Medium, Engine
  • Collapsible findings table - click any row to expand fix details and resource name
  • Handles empty (no findings) and unavailable (scan not run) states