
feat(terraform): Used parentheses in key for foreach attributes but not count #4520

Merged: 1 commit merged into main from feature/add-foreach-parentheses on Feb 19, 2023

Conversation

bo156 (Contributor) commented Feb 19, 2023

By submitting this pull request, I confirm that my contribution is made under the terms of the Apache 2.0 license.

Description

In Terraform, a foreach resource key looks like `["{key}"]` and a count resource key looks like `[{key}]`.

Checklist:

  • My code follows the style guidelines of this project
  • I have performed a self-review of my own code
  • I have commented my code, particularly in hard-to-understand areas
  • I have made corresponding changes to the documentation
  • I have added tests that prove my feature, policy, or fix is effective and works
  • New and existing tests pass locally with my changes
  • Any dependent changes have been merged and published in downstream modules
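The two address forms named in the description, as an added example that is not code from this PR or from checkov: a small helper that renders a resource instance address from its key and parses one back, so a scanner can tell a `count` instance (`[0]`) from a `for_each` instance (`["key"]`) and can round-trip keys that contain quotes or backslashes. The function names and the escaping convention are this example's own assumptions.

```python
import re
from typing import Tuple, Union

# Added example, not checkov code. Terraform writes two index forms in a
# resource instance address:
#   count:    aws_instance.web[0]       -> bare non-negative integer
#   for_each: aws_instance.web["prod"]  -> double-quoted string key
#   single:   aws_instance.web          -> no index at all
Key = Union[int, str, None]

# base is everything before the first '[' (may contain module.<name>. prefixes)
_INSTANCE_RE = re.compile(r"^(?P<base>[^\[\]]+)(?:\[(?P<index>.*)\])?$")


def build_instance_address(base: str, key: Key) -> str:
    """Render the address of one resource instance from its base address and key."""
    if key is None:
        return base
    # bool is a subclass of int in Python; it is never a valid Terraform key
    if isinstance(key, bool) or not isinstance(key, (int, str)):
        raise TypeError(f"unsupported key type: {type(key).__name__}")
    if isinstance(key, int):
        if key < 0:
            raise ValueError("count index must be non-negative")
        return f"{base}[{key}]"
    # for_each keys are quoted; escape backslashes first, then quotes, so a key
    # containing either still round-trips through parse_instance_address()
    escaped = key.replace("\\", "\\\\").replace('"', '\\"')
    return f'{base}["{escaped}"]'


def parse_instance_address(address: str) -> Tuple[str, Key]:
    """Split an address into (base, key): int for count, str for for_each, None if single."""
    match = _INSTANCE_RE.match(address)
    if not match:
        raise ValueError(f"malformed resource address: {address!r}")
    base, index = match.group("base"), match.group("index")
    if index is None:
        return base, None
    if index.isdigit():
        return base, int(index)
    if len(index) >= 2 and index[0] == '"' and index[-1] == '"':
        # undo the escaping applied by build_instance_address()
        unescaped = re.sub(r'\\(["\\])', r"\1", index[1:-1])
        return base, unescaped
    # an unquoted word, empty brackets or a negative number is not a valid key;
    # reject it rather than silently treating it as either form
    raise ValueError(f"unsupported instance key {index!r} in {address!r}")


def classify(address: str) -> str:
    """Return 'count', 'for_each' or 'single' for a resource instance address."""
    _, key = parse_instance_address(address)
    if key is None:
        return "single"
    return "count" if isinstance(key, int) else "for_each"
```

Note that `["0"]` parses as the for_each string key `"0"`, not as count index 0; the quotes are what distinguish the two forms.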

ChanochShayner (Contributor) left a comment:

👑

@bo156 bo156 merged commit 8e07550 into main Feb 19, 2023
@bo156 bo156 deleted the feature/add-foreach-parentheses branch February 19, 2023 11:59
achiar99 added a commit to rotem-avni/checkov3 that referenced this pull request Mar 6, 2023
* feat(sca): Add a --support flag --revert (#4396)

Revert "feat(sca): Add a --support flag (#4323)"

This reverts commit 9b7a11271fa7f8471c11695e190f54762293538c.

* feat(sca): Add a --support flag   (#4397)

Revert "feat(sca): Add a --support flag --revert (#4396)"

This reverts commit dae55bcface259dce41156ba756c3e529a069b90.

* Merge aeb1af552b98bc797c2bd762267ccaba6a381be9 into fb0b25a3c01d82964d2cb6ef49e0dd17d7c25b6f

* fix(general): Remove empty links from GitLab SAST output (#4393)

* adjust Docker labels

* remove None links in GitLab SAST output

* fix typing

* feat(secrets): extract new detector_utils file from entropy keyword combinator (#4385)

* extract new detector_utils file from entropy keyword combinator

* move import to type checking block

* fix according to comments

* add detector utils fixes

* fix according to comments

* change type hint

---------

Co-authored-by: Max Amelchenko <mamelchenko@paloaltonetworks.com>
Co-authored-by: gruebel <anton.gruebel@gmail.com>

* feat(secrets): extract new detector_utils file from entropy keyword combinator (#4385)

* extract new detector_utils file from entropy keyword combinator

* move import to type checking block

* fix according to comments

* add detector utils fixes

* fix according to comments

* change type hint

---------

Co-authored-by: Max Amelchenko <mamelchenko@paloaltonetworks.com>
Co-authored-by: gruebel <anton.gruebel@gmail.com>

* feat(secrets): add workdir info to secrets scanner (#4400)

* add workdir info to secrets scanner

* switch path to str

---------

Co-authored-by: Max Amelchenko <mamelchenko@paloaltonetworks.com>

* feat(secrets): add workdir info to secrets scanner (#4400)

* add workdir info to secrets scanner

* switch path to str

---------

Co-authored-by: Max Amelchenko <mamelchenko@paloaltonetworks.com>

* chore: update release notes

* fix(general): fix compact json output (#4406)

* fix compact json output

* pin GHA macOS runner version to 11

* upper bound kustomize version to 4

* Merge 04c058005d39f1c16f943860417851d207e9f1c7 into 2aab752e0faea22368c709dc919e7fe61ab6a811

* chore: update release notes

* fix(cloudformation): Don't fail Aurora instances for MultiAZ not being set (#4316)

* Fix CKV_AWS_157 CloudFormation false positive for Aurora instances

* Add comment to explain Aurora logic

* Fix import

* Update comments with link to AWS docs

* Change MultiAZ test for Aurora to UNKNOWN

* Fix DBInstanceClass for Aurora

* Fix expected 2 blank lines linting error

* Remove fields that failed linting since they are not applicable to Aurora

* fix linting

---------

Co-authored-by: Anton Grübel <anton.gruebel@gmail.com>

* Merge 82ef35e360a9787c3e14c3c8666c2bbac17eac5f into 16c7166106b27f40aa5e4177618aaaef2ca0cea6

* chore: update release notes

* feat(terraform): [Foreach/Count Handling] Render dynamic foreach/count statement (#4398)

* Render dynamic foreach/count statement

* CR fixes + UT foe build_sub_graph

* CR fixes

* Lint fix

* chore: fix flake8 issue (#4413)

fix flake8 issue

* feat(kustomize): support kustomize v5 (#4411)

* support kustomize v5

* fix wrong command

* nosec subprocess

* chore: leverage freezegun to freeze time for a test (#4415)

leverage freezegun to freeze time for a test

* fix(general): Checks edge-cases fixes in terraform and openapi (#4414)

* fix in PathSchemeDefineHTTP check

* fix in GoogleKMSKeyIsPublic check

* fix in ECRPolicy check

---------

Co-authored-by: Anton Grübel <anton.gruebel@gmail.com>

* fix(general): Checks edge-cases fixes in terraform and openapi (#4414)

* fix in PathSchemeDefineHTTP check

* fix in GoogleKMSKeyIsPublic check

* fix in ECRPolicy check

---------

Co-authored-by: Anton Grübel <anton.gruebel@gmail.com>

* chore: add GH token to setup-kustomize action (#4417)

add GH token to setup-kustomize action

* fix(terraform): SQS check was all types of wrong (#4382)

* SQS check is all wrong

* remove unused import

* adjust check

---------

Co-authored-by: Anton Grübel <anton.gruebel@gmail.com>

* fix(general): Skip resources with no 'Type' defined + Checks containing wildcards for resource types leads to crash (#4408)

Update base_check_registry.py to resolve Issue #4407

Update base_check_registry.py to resolve Issue #4407

Verify `entity` has a value (not the None placeholder when `Type` is not available in the template) before trying to string-match

Co-authored-by: Anton Grübel <anton.gruebel@gmail.com>

* Merge ec5b2cb69c4481fd8ba2a344245702d3968e1f35 into b18e128fc38a80b4f0bfea6264a3af9ef1433c97

* fix(terraform): retire CKV_AWS_128 in favour of CKV_AWS_162 (#4350)

retire CKV_AWS_128 in favour of CKV_AWS_162

* fix(terraform): fix getting the module for resource named 'module' (#4418)

fix getting the module for resource with the name module

* fix(terraform): fix getting the module for resource named 'module' (#4418)

fix getting the module for resource with the name module

* fix(terraform): fix getting the module for resource named 'module' (#4418)

fix getting the module for resource with the name module

* chore: update release notes

* feat(graph): add validation for graph checks (#4352)

* add validation for graph checks

* fix solver tests

* feat(graph): add validation for graph checks (#4352)

* add validation for graph checks

* fix solver tests

* chore: bump docker/setup-buildx-action from 2.3.0 to 2.4.0 (#4421)

Bumps [docker/setup-buildx-action](https://github.com/docker/setup-buildx-action) from 2.3.0 to 2.4.0.
- [Release notes](https://github.com/docker/setup-buildx-action/releases)
- [Commits](https://github.com/docker/setup-buildx-action/compare/5e716dcfd653738c2d1db099bfba194a84158be4...15c905b16b06416d2086efa066dd8e3a35cc7f98)

---
updated-dependencies:
- dependency-name: docker/setup-buildx-action
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

* chore: bump docker/build-push-action from 3.3.0 to 4.0.0 (#4422)

* chore: bump docker/build-push-action from 3.3.0 to 4.0.0

Bumps [docker/build-push-action](https://github.com/docker/build-push-action) from 3.3.0 to 4.0.0.
- [Release notes](https://github.com/docker/build-push-action/releases)
- [Commits](https://github.com/docker/build-push-action/compare/37abcedcc1da61a57767b7588cb9d03eb57e28b3...3b5e8027fcad23fda98b2e3ac259d8d67585f671)

---
updated-dependencies:
- dependency-name: docker/build-push-action
  dependency-type: direct:production
  update-type: version-update:semver-major
...

Signed-off-by: dependabot[bot] <support@github.com>

* change version comment

---------

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Co-authored-by: Anton Grübel <anton.gruebel@gmail.com>

* feat(secrets): remove secrets dependency in generic record (#4424)

first commit to remove secret dependency in generic record

Co-authored-by: Max Amelchenko <mamelchenko@paloaltonetworks.com>

* feat(secrets): remove secrets dependency in generic record (#4424)

first commit to remove secret dependency in generic record

Co-authored-by: Max Amelchenko <mamelchenko@paloaltonetworks.com>

* feat(kubernetes): support inline skips for Kubernetes graph checks (#4412)

support inline skips for Kubernetes graph checks

* fix(kustomize): remove redundant error in kustomize runner (#4428)

* log error of 'Context for Kustomize runner was not set' only if context is None

* Update checkov/kustomize/runner.py

Co-authored-by: Anton Grübel <anton.gruebel@gmail.com>

---------

Co-authored-by: Anton Grübel <anton.gruebel@gmail.com>

* fix(kustomize): remove redundant error in kustomize runner (#4428)

* log error of 'Context for Kustomize runner was not set' only if context is None

* Update checkov/kustomize/runner.py

Co-authored-by: Anton Grübel <anton.gruebel@gmail.com>

---------

Co-authored-by: Anton Grübel <anton.gruebel@gmail.com>

* feat(ansible): add support for Ansible blocks (#4419)

* add support for Ansible blocks

* fix linting

* feat(ansible): add support for Ansible blocks (#4419)

* add support for Ansible blocks

* fix linting

* feat(ansible): add support for Ansible blocks (#4419)

* add support for Ansible blocks

* fix linting

* feat(general): Control check failure logging level (#4431)

introduce CHECKOV_CHECK_FAIL_LEVEL for controlling check failure logging level

* feat(general): Control check failure logging level (#4431)

introduce CHECKOV_CHECK_FAIL_LEVEL for controlling check failure logging level

* docs(general): fix graph check link in docs (#4420)

fix graph check link in docs

* docs(general): fix graph check link in docs (#4420)

fix graph check link in docs

* docs(general): fix graph check link in docs (#4420)

fix graph check link in docs

* chore: update release notes

* feat(cloudformation): support new default s3 encryption (#4429)

* Updated CKV_AWS_19 to support not specifying SSEAlgorithm as AWS now supports encryption by default

* updated local graph checks for terraform to support s3 default encryption

* Updated terraform CKV_AWS_19 graph check to support default encryption as well

* Updated failed tests

* CR

* Removed unneeded check from test_enrichment_of_plan_report

* feat(cloudformation): support new default s3 encryption (#4429)

* Updated CKV_AWS_19 to support not specifying SSEAlgorithm as AWS now supports encryption by default

* updated local graph checks for terraform to support s3 default encryption

* Updated terraform CKV_AWS_19 graph check to support default encryption as well

* Updated failed tests

* CR

* Removed unneeded check from test_enrichment_of_plan_report

* feat(graph): added indices to igraph nodes (#4433)

* added indices to igraph nodes

* fixed typo

* feat(graph): added indices to igraph nodes (#4433)

* added indices to igraph nodes

* fixed typo

* feat(secrets): Add args to analyze line is added and is removed for git history scan (#4426)

* add is_added_and_is_removed

* is_added and is_removed default False

* is_added and is_removed default False

* feat(secrets): Add args to analyze line is added and is removed for git history scan (#4426)

* add is_added_and_is_removed

* is_added and is_removed default False

* is_added and is_removed default False

* fix(terraform): Fix updating resource config (#4432)

* support using variable type and fix setting config

* revert changes to renderer

* Merge d2e2ed2ec500261ef771821edbf651e28b5d59f1 into 9bc353290e170df637c1638c673b6e28eabca8cf

* chore: update bc-jsonpath-ng version to 1.5.9 (#4435)

* update bc-jsonpath-ng version

* fix typing issues

---------

Co-authored-by: gruebel <gruebel@users.noreply.github.com>

* chore: update bc-jsonpath-ng version to 1.5.9 (#4435)

* update bc-jsonpath-ng version

* fix typing issues

---------

Co-authored-by: gruebel <gruebel@users.noreply.github.com>

* platform(secrets): Add secrets custom regex on file (#4430)

* Adding multline regex in custom_regex_detector.py

* In case we using multiline regex - we want to wrap the match with fstring with '' in order to simulate a real value and not template one (otherwise _is_filtered_out filtering the secret out - specifically is_templated_secret

* Seperate common logic to function

* Fix mypy

* Fixing pass an exception

* Fix UT

* Fix CR

* .

* .

* .

* First test

* Adding tests & set multiline line to 0 instead current check line

* .

* .

---------

Co-authored-by: pazbechor <pbechor@paloaltonetworks.com>

* chore: update bc-jsonpath-ng version to 1.5.9 (#4435)

* update bc-jsonpath-ng version

* fix typing issues

---------

Co-authored-by: gruebel <gruebel@users.noreply.github.com>

* fix(secrets): Comment out checkob multiline regex detectors (#4441)

Comment out checkob multiline regex detectors

Co-authored-by: pazbechor <pbechor@paloaltonetworks.com>

* fix(secrets): Comment out checkob multiline regex detectors (#4441)

Comment out checkob multiline regex detectors

Co-authored-by: pazbechor <pbechor@paloaltonetworks.com>

* chore: update release notes

* feat(terraform): extend CKV2_AWS_5 to support aws_ec2_spot_fleet_request (#4438)

* KV2_AWS_5: aws_spot_fleet_request launch_specification

* Update tests/terraform/graph/checks/resources/SGAttachedToResource/main.tf

Co-authored-by: Anton Grübel <anton.gruebel@gmail.com>

---------

Co-authored-by: Anton Grübel <anton.gruebel@gmail.com>

* Merge a5fb6f0c0507ba47f14160140cdc9cddec9f33e8 into 1e9138e176a6ac79adfd1556d7ff3aac7f7284ce

* fix(secrets): remove CKV_SECRET_78 from SECRET_TYPE_TO_ID (#4446)

remove CKV_SECRET_78 from SECRET_TYPE_TO_ID

* Merge f28539f9a9248063fda1a05498afd1f1a0050dac into 0f04fbf84c1f91d0a5a2cb6acbcda511ebabb24c

* fix(secrets): remove CKV_SECRET_78 from SECRET_TYPE_TO_ID (#4446)

remove CKV_SECRET_78 from SECRET_TYPE_TO_ID

* fix(terraform): change module index separator in full path (#4437)

* create TERRAFORM_NESTED_MODULE_INDEX_SEPARATOR const

* fixes

* fixes

* fix UT

* fix UT

* fix(terraform): change module index separator in full path (#4437)

* create TERRAFORM_NESTED_MODULE_INDEX_SEPARATOR const

* fixes

* fixes

* fix UT

* fix UT

* fix(kustomize): Fix kustomize cli file path (#4447)

* Fix kustomize cli record file path

* fix

* add test

* add test

* fix

* fix

* Merge 23777d12810a3a62b24163541de6eaef74d00719 into 8b42295979f6788a255e64100ac2a56fe1c7b192

* fix(general): Correct BigQueryDatasetEncryptedWithCMK name field (#4443)

* conflict

* Revert "conflict"

This reverts commit ced544749b6e2c7989f8ca124e06bc23ba72ee47.

* revert

* revert

* revert

* Correct BigQueryDatasetEncryptedWithCMK name field

It should be `Datasets`, not `Tables`

---------

Co-authored-by: achia <achiar99@gmail.com>
Co-authored-by: Adam Varsano <avarsano@paloaltonetworks.com>
Co-authored-by: Anton Grübel <anton.gruebel@gmail.com>

* Merge 80cfb2a60a962253c22ae3d9310b59072c999ae5 into f8b6dbb159f0cc820d493f8dd5010d9e006c1ca7

* fix(general): Correct BigQueryDatasetEncryptedWithCMK name field (#4443)

* conflict

* Revert "conflict"

This reverts commit ced544749b6e2c7989f8ca124e06bc23ba72ee47.

* revert

* revert

* revert

* Correct BigQueryDatasetEncryptedWithCMK name field

It should be `Datasets`, not `Tables`

---------

Co-authored-by: achia <achiar99@gmail.com>
Co-authored-by: Adam Varsano <avarsano@paloaltonetworks.com>
Co-authored-by: Anton Grübel <anton.gruebel@gmail.com>

* feat(terraform): Create new resources for count/foreach resources (#4427)

* Create the new resources for count/foreach resource

* CR changes

* flake8

* pop foreach/count for attrs

* CR changes

* Arrange graph data after handling foreach

* Add UT

* try without realpath

* Add UT to a real check

* fix ut

* fix ut

* fix ut

* fix ut

* fix ut

* CR fixes

* CR fixes

* add ut for _update_attributes func

* add ut for _update_attributes func

* feat(terraform): Create new resources for count/foreach resources (#4427)

* Create the new resources for count/foreach resource

* CR changes

* flake8

* pop foreach/count for attrs

* CR changes

* Arrange graph data after handling foreach

* Add UT

* try without realpath

* Add UT to a real check

* fix ut

* fix ut

* fix ut

* fix ut

* fix ut

* CR fixes

* CR fixes

* add ut for _update_attributes func

* add ut for _update_attributes func

* fix(kubernetes): Fix empty spec in k8s file (#4452)

Fix empty spec in k8s file

* fix(kubernetes): Fix empty spec in k8s file (#4452)

Fix empty spec in k8s file

* feat(sca): Add support for Dotnet files (#4189)

* add support for paket files

* Added support for package files which are based on suffixes

* Updated t ests

* Fix test

* Fix test

* feat(sca): Add support for Dotnet files (#4189)

* add support for paket files

* Added support for package files which are based on suffixes

* Updated t ests

* Fix test

* Fix test

* chore: update release notes

* fix(graph): added graph init to igraph db connector (#4455)

added graph init to igraph db connector

* fix(gha): fix GHA _get_jobs edge case (string step) (#4444)

* fix gha get jobs edge case

* adjust condition and type ignore

---------

Co-authored-by: Eliran Turgeman <elturgeman@paloaltonetworks.com>

* feat(general): Create 3d combinations post runner (#4353)

* add a new bc_integration and modify existing

* 3d policy

* implement new post runner class

* 3d runner

* typing

* linting

* add guideline and severity to check

* fix existing tests

* change var names + add comment

* add runner test

* remove redundant attributes from base check

* typing

* fix test

* remove list type response

* run_check -> collect_check

* fw -> framework

* make cve attribute generic

* include cve details in output

* output enhancements

* fix typing and linting

* output enhancements

* output enhancements

* remove duplications

* typing and linting

* abstractmethod

* antons comments

* fix sca tests to uppercase severities

* implement "AND" logic for iac checks

* code category to IMAGED (3d policies TBD)

* remove test_cve_severity - moved to common utils

* map 3d policies to IAC code category

* print error in logs

---------

Co-authored-by: gruebel <anton.gruebel@gmail.com>

* feat(general): Create 3d combinations post runner (#4353)

* add a new bc_integration and modify existing

* 3d policy

* implement new post runner class

* 3d runner

* typing

* linting

* add guideline and severity to check

* fix existing tests

* change var names + add comment

* add runner test

* remove redundant attributes from base check

* typing

* fix test

* remove list type response

* run_check -> collect_check

* fw -> framework

* make cve attribute generic

* include cve details in output

* output enhancements

* fix typing and linting

* output enhancements

* output enhancements

* remove duplications

* typing and linting

* abstractmethod

* antons comments

* fix sca tests to uppercase severities

* implement "AND" logic for iac checks

* code category to IMAGED (3d policies TBD)

* remove test_cve_severity - moved to common utils

* map 3d policies to IAC code category

* print error in logs

---------

Co-authored-by: gruebel <anton.gruebel@gmail.com>

* break(terraform): enable nested modules by default (#4448)

* change default value

* fix updating address
fix ut

* fixes

* ?

---------

Co-authored-by: achia <achiar99@gmail.com>

* break(gha): adjust the attribute reference for GitHub Actions graph checks (#4445)

adjust the attribute reference for GitHub Actions graph checks

* break(gha): adjust the attribute reference for GitHub Actions graph checks (#4445)

adjust the attribute reference for GitHub Actions graph checks

* chore: update release notes

* chore: update bc-detect-secrets version to 1.4.11 (#4451)

update bc-detect-secrets version

Co-authored-by: gruebel <gruebel@users.noreply.github.com>
Co-authored-by: LirShindalman <49649760+lirshindalman@users.noreply.github.com>

* fix(terraform): deny statements with wildcards are valid (#4440)

deny statements with wildcards are valid

* feat(secrets): limit multiline regex detector run (#4453)

* Adding fixes to limit multiline regex run

* remoce redundant import

* .

* .

* .

* .

* .

* .

* adding tests

* Adding tests for file utils & load secret detectors

* Add support to empty ympl array - [None]

* Remove redundant line

---------

Co-authored-by: pazbechor <pbechor@paloaltonetworks.com>

* fix(kustomize): fix kustomize file path cli (#4466)

fix kustomize file path cli

* feat(terraform): Add foreach_attrs to config objects + UTs (#4463)

Add foreach_attrs to config objects + UTs

* feat(terraform): Add foreach_attrs to config objects + UTs (#4463)

Add foreach_attrs to config objects + UTs

* feat(terraform): Add foreach_attrs to config objects + UTs (#4463)

Add foreach_attrs to config objects + UTs

* feat(terraform): GCP: Ensure Basic role are not used at Org/Folder/Project level (CKV_GCP_115, CKV_GCP_116, CKV_GCP_117) (#4390)

* feat(terraform/gcp): add CKV_GCP_115, CKV_GCP_116 & CKV_GCP_117

* feat(terraform/gcp): add tests

* improve base GCP role check

---------

Co-authored-by: Anton Grübel <anton.gruebel@gmail.com>

* feat(terraform): GCP: Ensure Basic role are not used at Org/Folder/Project level (CKV_GCP_115, CKV_GCP_116, CKV_GCP_117) (#4390)

* feat(terraform/gcp): add CKV_GCP_115, CKV_GCP_116 & CKV_GCP_117

* feat(terraform/gcp): add tests

* improve base GCP role check

---------

Co-authored-by: Anton Grübel <anton.gruebel@gmail.com>

* feat(terraform): GCP: Ensure Basic role are not used at Org/Folder/Project level (CKV_GCP_115, CKV_GCP_116, CKV_GCP_117) (#4390)

* feat(terraform/gcp): add CKV_GCP_115, CKV_GCP_116 & CKV_GCP_117

* feat(terraform/gcp): add tests

* improve base GCP role check

---------

Co-authored-by: Anton Grübel <anton.gruebel@gmail.com>

* fix(terraform): Allow different type of value in BaseResourceValueCheck (#4470)

* added checking against different type of expected value

* Added a test case

* fix(terraform): Allow different type of value in BaseResourceValueCheck (#4470)

* added checking against different type of expected value

* Added a test case

* chore: update release notes

* feat(secrets): Save secrets line number (#4488)

* Adding line number

* .

---------

Co-authored-by: pazbechor <pbechor@paloaltonetworks.com>

* chore: bump thehanimo/pr-title-checker from 1.3.6 to 1.3.7 (#4480)

Bumps [thehanimo/pr-title-checker](https://github.com/thehanimo/pr-title-checker) from 1.3.6 to 1.3.7.
- [Release notes](https://github.com/thehanimo/pr-title-checker/releases)
- [Commits](https://github.com/thehanimo/pr-title-checker/compare/8464c95d2f82d7ab89496f544d48c799497c130b...cdafc664bf9b25678d4e6df76ff67b2fe21bb5d2)

---
updated-dependencies:
- dependency-name: thehanimo/pr-title-checker
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

* chore: bump github/codeql-action from 2.2.1 to 2.2.4 (#4481)

Bumps [github/codeql-action](https://github.com/github/codeql-action) from 2.2.1 to 2.2.4.
- [Release notes](https://github.com/github/codeql-action/releases)
- [Changelog](https://github.com/github/codeql-action/blob/main/CHANGELOG.md)
- [Commits](https://github.com/github/codeql-action/compare/3ebbd71c74ef574dbc558c82f70e52732c8b44fe...17573ee1cc1b9d061760f3a006fc4aac4f944fd5)

---
updated-dependencies:
- dependency-name: github/codeql-action
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

* chore: bump docker/setup-buildx-action from 2.4.0 to 2.4.1 (#4482)

Bumps [docker/setup-buildx-action](https://github.com/docker/setup-buildx-action) from 2.4.0 to 2.4.1.
- [Release notes](https://github.com/docker/setup-buildx-action/releases)
- [Commits](https://github.com/docker/setup-buildx-action/compare/15c905b16b06416d2086efa066dd8e3a35cc7f98...f03ac48505955848960e80bbb68046aa35c7b9e7)

---
updated-dependencies:
- dependency-name: docker/setup-buildx-action
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

* feat(graph): Add UT as an example of not-exists for the nested list. (#4484)

* Add UT as example for not-exists for nested list

* Fix check ID

* feat(graph): Add UT as an example of not-exists for the nested list. (#4484)

* Add UT as example for not-exists for nested list

* Fix check ID

* feat(terraform): support more json encoded objects as part of terraform resource and fix evaluation of true/false in json (#4487)

* Change base attribute solver to always try to render json from object

* Added test to check support for custom policy configuration

* Added support for 'true' in terraform value, inside evaluate_terraform value

* used json.loads instead of string manipulation

* Updated base_attribute_solver to check if the value looks like json before trying to parse it

* Added another test case for using attributes with strings like "5" and "true"

* Fixed failing tests

* Merge 8254c38401b350646ac78b1556957e47eb38c187 into 9a5f7310408ddeea53d7a005e79aab26537f2b83

* fix(cloudformation): Updated AWS_CKV_7 to not require rotation on asymmetric keys (#4476)

* Updated to fix AWS_CKV_7 to not expect rotation on assymetric keys

* Fixing some extraneous stuff spotted in PR review

* Update checkov/cloudformation/checks/resource/aws/KMSRotation.py

Co-authored-by: Anton Grübel <anton.gruebel@gmail.com>

* Switched asymmetric keys to UNKNOWN for aws checks

* Updated examples for terraform to unknown rather than pass

---------

Co-authored-by: Anton Grübel <anton.gruebel@gmail.com>

* feat(terraform): check msk nodes are private (#4392)

* check nodes are private

* change category

---------

Co-authored-by: Anton Grübel <anton.gruebel@gmail.com>

* feat(terraform): AWS:check global DocDB cluster is encrypted (#4405)

* checko global cluster is encrypted

* add type hints

---------

Co-authored-by: Anton Grübel <anton.gruebel@gmail.com>

* feat(terraform): AWS:check global DocDB cluster is encrypted (#4405)

* checko global cluster is encrypted

* add type hints

---------

Co-authored-by: Anton Grübel <anton.gruebel@gmail.com>

* feat(terraform): AWS:check global DocDB cluster is encrypted (#4405)

* checko global cluster is encrypted

* add type hints

---------

Co-authored-by: Anton Grübel <anton.gruebel@gmail.com>

* fix(ansible): support nested blocks and empty module values (#4479)

* support nested blocks in Ansible playbooks

* support empty values for Ansible modules

* Merge 7962c8bcee5e51430747a72bab2eb47d74a8fdaf into c8df8a2cd432f2a6ea4242d2fa3ce60b8c77627b

* fix(ansible): support nested blocks and empty module values (#4479)

* support nested blocks in Ansible playbooks

* support empty values for Ansible modules

* docs(general): update installation on Alpine docs (#4474)

* update installation on Alpine docs

* adjust text

Co-authored-by: Taylor <28880387+tsmithv11@users.noreply.github.com>

* remove text

---------

Co-authored-by: Taylor <28880387+tsmithv11@users.noreply.github.com>

* chore: update release notes

* feat(terraform): Support for loops in foreach statements (#4483)

* Support for loop in foreach statements

* Move the logic to Variable Rendering

* Fix typing

* flake8 and Performance tests

* Fix UTs

* Fix UTs

* Fix UTs

* CR Fix

* Fix UTs

* CR fixes

* Add UTs

* Nicer code

* feat(terraform): Support for loops in foreach statements (#4483)

* Support for loop in foreach statements

* Move the logic to Variable Rendering

* Fix typing

* flake8 and Performance tests

* Fix UTs

* Fix UTs

* Fix UTs

* CR Fix

* Fix UTs

* CR fixes

* Add UTs

* Nicer code

* feat(secrets): log and filter potential uuid case (#4486)

* log and filter potential uuid case

* fix mypy issue

---------

Co-authored-by: Max Amelchenko <mamelchenko@paloaltonetworks.com>

* Merge 558abf9fd8722de1ac5c321d7d5506181e02b3d5 into 78e10c02945bc564c8e909d7a5cb14af1baa045f

* feat(terraform): Assign/override main vertices by the first new vertice. (#4493)

* Assign/override main vertices by the first new vertice.

* CR fix, flake8 fix

* CR fix

* feat(terraform): Assign/override main vertices by the first new vertice. (#4493)

* Assign/override main vertices by the first new vertice.

* CR fix, flake8 fix

* CR fix

* fix(terraform): Handle type error in `_handle_for_loop_in_dict` (#4495)

Handle type error in _handle_for_loop_in_dict

* Merge d8885a63ac1fe5c446be218c16ecd749ea3e0f96 into 9af68bf90c1533cde2cf060513a185915417a630

* fix(terraform): skip loading module that calls to the same dir (#4499)

skip loading module that calls to the same dir

* fix(terraform): skip loading module that calls to the same dir (#4499)

skip loading module that calls to the same dir

* fix(terraform): Handle KeyError in hadle_for_loop func (#4501)

Update evaluate_terraform.py

* fix(terraform): Handle KeyError in hadle_for_loop func (#4501)

Update evaluate_terraform.py

* platform(general): Use new enforcement categories (#4456)

* fetch new enforcement rule categories

* pick correct enforcement rule for SCA checks

* handle two enforcement categories for SCA runners

* add sca exit code tests

* exclude local test outputs

* add new enforcement rule tests for SCA

* change CodeCategoryType to enum

* fix some types

* fix tests

* linting and type checking

* mypy is not fly

* mypy will not defeat me

* OR WILL IT

* fix mypy

* fix mypy

* improve comments for SCA threshold logic

* fix test and adjust typing

* fix linting

---------

Co-authored-by: gruebel <anton.gruebel@gmail.com>

* platform(general): Use new enforcement categories (#4456)

* fetch new enforcement rule categories

* pick correct enforcement rule for SCA checks

* handle two enforcement categories for SCA runners

* add sca exit code tests

* exclude local test outputs

* add new enforcement rule tests for SCA

* change CodeCategoryType to enum

* fix some types

* fix tests

* linting and type checking

* mypy is not fly

* mypy will not defeat me

* OR WILL IT

* fix mypy

* fix mypy

* improve comments for SCA threshold logic

* fix test and adjust typing

* fix linting

---------

Co-authored-by: gruebel <anton.gruebel@gmail.com>

* chore: update release notes

* fix(terraform): Fix an str split edge case in function (#4507)

* Fix str split edge case

* CR Fix

* fix(terraform): Fix an str split edge case in function (#4507)

* Fix str split edge case

* CR Fix

* feat(sca): add registry urls and description to the output report and to the csv report (#4485)

* adding to the report the registry

* adding the registry in the csv report

* fix tests

* add description to the report

* add description to the report

* fix bug

* fix bug

* display registry only in case it exists

* fix tests

* using env variable

* using env variable

* fix tests

* adjust tests

* rename

* adjust test

---------

Co-authored-by: ipeleg <ipeleg@paloaltonetworks.com>

* feat(sca): add registry urls and description to the output report and to the csv report (#4485)

* adding to the report the registry

* adding the registry in the csv report

* fix tests

* add description to the report

* add description to the report

* fix bug

* fix bug

* display registry only in case it exists

* fix tests

* using env variable

* using env variable

* fix tests

* adjust tests

* rename

* adjust test

---------

Co-authored-by: ipeleg <ipeleg@paloaltonetworks.com>

* fix(ansible): skip unsupported Ansible resources (#4504)

* skip unsupported Ansible resources

* change logic

* fix(ansible): skip unsupported Ansible resources (#4504)

* skip unsupported Ansible resources

* change logic

* fix(terraform): fix enforcement rules mapping (#4509)

Revert "platform(general): Use new enforcement categories (#4456)"

This reverts commit b7f05bb643c75883401e2030b154e5b0e922ed8c.

Co-authored-by: Saar Ettinger <Saarett@users.noreply.github.com>

* fix(terraform): fix enforcement rules mapping (#4509)

Revert "platform(general): Use new enforcement categories (#4456)"

This reverts commit b7f05bb643c75883401e2030b154e5b0e922ed8c.

Co-authored-by: Saar Ettinger <Saarett@users.noreply.github.com>

* chore: update release notes

* feat(sca): adding registry-url to the cyclonedx output report (#4511)

* add registry url to the cyclonedx

* add registry url to the cyclonedx

---------

Co-authored-by: ipeleg <ipeleg@paloaltonetworks.com>

* Merge de3c592e5147167f31e8b032da9816b928c27bb1 into 5cd79904b8bce211b1562b6cbe0f9c58ae3277c8

* feat(terraform): Adding yaml based build time policies for corresponding PC run time policies (#4425)

* adding 2 YAML policies - S3 & Neptune security config

* adding 2 YAML policies

* adding 2 YAML policies

* adding 2 YAML policies

* added 2 YAML policies

* updated the pass and fail cases

* Updated terraform pass and fail cases

* Deleted - AWS S3 global ACL view check

* added policy "Ensure Elastic Search has dedicated master node enabled"

CKV2_AWS_59: Ensure Elastic Search has dedicated master node enabled

* added policy "CKV2_AWS_60: Ensure RDS instance with copy tags to snapshots is enabled"

Ensure RDS instance with copy tags to snapshots is enabled

* [New Policy]: CKV2_AZURE_23: Ensure Azure spring cloud is configured with Virtual network (Vnet)

CKV2_AZURE_23: Ensure Azure spring cloud is configured with Virtual network (Vnet)

* [2 new Policies]: CKV2_AZURE_24, CKV2_AZURE_25

CKV2_AZURE_24: Ensure Azure automation account is NOT overly permissive

CKV2_AZURE_25: Ensure Azure SQL database Transparent Data Encryption (TDE) is enabled

* Update checkov/terraform/checks/graph_checks/aws/ElasticSearchDedicatedMasterEnabled.yaml

Added opensearch check capability

Co-authored-by: Anton Grübel <anton.gruebel@gmail.com>

* Modified CKV2_AWS_59: Ensure ElasticSearch/OpenSearch has dedicated master node enabled

* Renamed/Modified CKV2_AZURE_24: Ensure Azure automation account does NOT have overly permissive network access

* Renamed/Modified CKV2_AZURE_24: Ensure Azure automation account does NOT have overly permissive network access

* Modified CKV2_AZURE_23: Ensure Azure spring cloud is configured with Virtual network (Vnet)

* CKV2_AZURE_25: Ensure Azure SQL database Transparent Data Encryption (TDE) is enabled

---------

Co-authored-by: Anton Grübel <anton.gruebel@gmail.com>

* feat(terraform): Adding yaml based build time policies for corresponding PC run time policies (#4425)

* adding 2 YAML policies - S3 & Neptune security config

* adding 2 YAML policies

* adding 2 YAML policies

* adding 2 YAML policies

* added 2 YAML policies

* updated the pass and fail cases

* Updated terraform pass and fail cases

* Deleted - AWS S3 global ACL view check

* added policy "Ensure Elastic Search has dedicated master node enabled"

CKV2_AWS_59: Ensure Elastic Search has dedicated master node enabled

* added policy "CKV2_AWS_60: Ensure RDS instance with copy tags to snapshots is enabled"

Ensure RDS instance with copy tags to snapshots is enabled

* [New Policy]: CKV2_AZURE_23: Ensure Azure spring cloud is configured with Virtual network (Vnet)

CKV2_AZURE_23: Ensure Azure spring cloud is configured with Virtual network (Vnet)

* [2 new Policies]: CKV2_AZURE_24, CKV2_AZURE_25

CKV2_AZURE_24: Ensure Azure automation account is NOT overly permissive

CKV2_AZURE_25: Ensure Azure SQL database Transparent Data Encryption (TDE) is enabled

* Update checkov/terraform/checks/graph_checks/aws/ElasticSearchDedicatedMasterEnabled.yaml

Added opensearch check capability

Co-authored-by: Anton Grübel <anton.gruebel@gmail.com>

* Modified CKV2_AWS_59: Ensure ElasticSearch/OpenSearch has dedicated master node enabled

* Renamed/Modified CKV2_AZURE_24: Ensure Azure automation account does NOT have overly permissive network access

* Renamed/Modified CKV2_AZURE_24: Ensure Azure automation account does NOT have overly permissive network access

* Modified CKV2_AZURE_23: Ensure Azure spring cloud is configured with Virtual network (Vnet)

* CKV2_AZURE_25: Ensure Azure SQL database Transparent Data Encryption (TDE) is enabled

---------

Co-authored-by: Anton Grübel <anton.gruebel@gmail.com>

* feat(terraform): Adding yaml based build time policies for corresponding PC run time policies (#4425)

* adding 2 YAML policies - S3 & Neptune security config

* adding 2 YAML policies

* adding 2 YAML policies

* adding 2 YAML policies

* added 2 YAML policies

* updated the pass and fail cases

* Updated terraform pass and fail cases

* Deleted - AWS S3 global ACL view check

* added policy "Ensure Elastic Search has dedicated master node enabled"

CKV2_AWS_59: Ensure Elastic Search has dedicated master node enabled

* added policy "CKV2_AWS_60: Ensure RDS instance with copy tags to snapshots is enabled"

Ensure RDS instance with copy tags to snapshots is enabled

* [New Policy]: CKV2_AZURE_23: Ensure Azure spring cloud is configured with Virtual network (Vnet)

CKV2_AZURE_23: Ensure Azure spring cloud is configured with Virtual network (Vnet)

* [2 new Policies]: CKV2_AZURE_24, CKV2_AZURE_25

CKV2_AZURE_24: Ensure Azure automation account is NOT overly permissive

CKV2_AZURE_25: Ensure Azure SQL database Transparent Data Encryption (TDE) is enabled

* Update checkov/terraform/checks/graph_checks/aws/ElasticSearchDedicatedMasterEnabled.yaml

Added opensearch check capability

Co-authored-by: Anton Grübel <anton.gruebel@gmail.com>

* Modified CKV2_AWS_59: Ensure ElasticSearch/OpenSearch has dedicated master node enabled

* Renamed/Modified CKV2_AZURE_24: Ensure Azure automation account does NOT have overly permissive network access

* Renamed/Modified CKV2_AZURE_24: Ensure Azure automation account does NOT have overly permissive network access

* Modified CKV2_AZURE_23: Ensure Azure spring cloud is configured with Virtual network (Vnet)

* CKV2_AZURE_25: Ensure Azure SQL database Transparent Data Encryption (TDE) is enabled

---------

Co-authored-by: Anton Grübel <anton.gruebel@gmail.com>

* feat(secrets):  Add capability to iterate over git history (#4469)

* add _scan_history

* Add_capability_to_iterate_over_Git_history

* .

* add ut

* add ut

* fix lint

* .

* add mock for UT

* create scan_git_history.py

* .

* .

* .

* .

* .

* .

* .

* .

* .

* .

* update Pipfile.lock

* .

* .

* .

* .

* .

* .

* .

* .

* .

* .

* .

* split the scan_history to be able to create mock

* split the scan_history to be able to create mock

* .

* .

* .

* .

---------

Co-authored-by: gruebel <anton.gruebel@gmail.com>

* feat(secrets):  Add capability to iterate over git history (#4469)

* add _scan_history

* Add_capability_to_iterate_over_Git_history

* .

* add ut

* add ut

* fix lint

* .

* add mock for UT

* create scan_git_history.py

* .

* .

* .

* .

* .

* .

* .

* .

* .

* .

* update Pipfile.lock

* .

* .

* .

* .

* .

* .

* .

* .

* .

* .

* .

* split the scan_history to be able to create mock

* split the scan_history to be able to create mock

* .

* .

* .

* .

---------

Co-authored-by: gruebel <anton.gruebel@gmail.com>

* fix(secrets):  import git (#4514)

* add try except to the import

* add try except to the import

* add os.environ["GIT_PYTHON_REFRESH"] = "quiet"

* fix(secrets):  import git (#4514)

* add try except to the import

* add try except to the import

* add os.environ["GIT_PYTHON_REFRESH"] = "quiet"

* chore: update release notes

* fix(gha): now looks for GHA on windows (#4515)

* looks for GHA in windows

* looks for GHA in windows

* Update utils.py

* Update checkov/github_actions/utils.py

Co-authored-by: Anton Grübel <anton.gruebel@gmail.com>

---------

Co-authored-by: Anton Grübel <anton.gruebel@gmail.com>

* feat(ansible): Add checks for the ansible builtin apt module (#4500)

* Add checks for the ansible builtin apt module

* Update wording on CKV_ANSIBLE_6

* fix(gha): now looks for GHA on windows (#4515)

* looks for GHA in windows

* looks for GHA in windows

* Update utils.py

* Update checkov/github_actions/utils.py

Co-authored-by: Anton Grübel <anton.gruebel@gmail.com>

---------

Co-authored-by: Anton Grübel <anton.gruebel@gmail.com>

* feat(ansible): Add checks for the ansible builtin apt module (#4500)

* Add checks for the ansible builtin apt module

* Update wording on CKV_ANSIBLE_6

* chore: update release notes

* feat(secrets): add flag for scan secrets history (#4513)

* feat(secrets): add flag for scan secrets history (#4513)

* platform(general): Use new enforcement categories (#4456) (#4519)

* fetch new enforcement rule categories

* pick correct enforcement rule for SCA checks

* handle two enforcement categories for SCA runners

* add sca exit code tests

* exclude local test outputs

* add new enforcement rule tests for SCA

* change CodeCategoryType to enum

* fix some types

* fix tests

* linting and type checking

* mypy is not fly

* mypy will not defeat me

* OR WILL IT

* fix mypy

* fix mypy

* improve comments for SCA threshold logic

* fix test and adjust typing

* fix linting

---------

Co-authored-by: Mike Urbanski <murbanski@paloaltonetworks.com>
Co-authored-by: gruebel <anton.gruebel@gmail.com>

* chore(general): Added forbidden error for visibility (#4521)

* Added forbidden message for visibility

* Fix lint

* chore(general): Added forbidden error for visibility (#4521)

* Added forbidden message for visibility

* Fix lint

* feat(terraform): Used parentheses in key for foreach attributes but not count (#4520)

Used parentheses in key for foreach attributes but not count

* chore(general): Added forbidden error for visibility (#4521)

* Added forbidden message for visibility

* Fix lint

* fix(terraform): add datasource option for headers check (#4496)

add datasource option

* fix(terraform): optimize check CKV2_AWS_60 (#4512)

* adding 2 YAML policies - S3 & Neptune security config

* adding 2 YAML policies

* adding 2 YAML policies

* adding 2 YAML policies

* added 2 YAML policies

* updated the pass and fail cases

* Updated terraform pass and fail cases

* Deleted - AWS S3 global ACL view check

* added policy "Ensure Elastic Search has dedicated master node enabled"

CKV2_AWS_59: Ensure Elastic Search has dedicated master node enabled

* added policy "CKV2_AWS_60: Ensure RDS instance with copy tags to snapshots is enabled"

Ensure RDS instance with copy tags to snapshots is enabled

* [New Policy]: CKV2_AZURE_23: Ensure Azure spring cloud is configured with Virtual network (Vnet)

CKV2_AZURE_23: Ensure Azure spring cloud is configured with Virtual network (Vnet)

* [2 new Policies]: CKV2_AZURE_24, CKV2_AZURE_25

CKV2_AZURE_24: Ensure Azure automation account is NOT overly permissive

CKV2_AZURE_25: Ensure Azure SQL database Transparent Data Encryption (TDE) is enabled

* Update checkov/terraform/checks/graph_checks/aws/ElasticSearchDedicatedMasterEnabled.yaml

Added opensearch check capability

Co-authored-by: Anton Grübel <anton.gruebel@gmail.com>

* Modified CKV2_AWS_59: Ensure ElasticSearch/OpenSearch has dedicated master node enabled

* Renamed/Modified CKV2_AZURE_24: Ensure Azure automation account does NOT have overly permissive network access

* Renamed/Modified CKV2_AZURE_24: Ensure Azure automation account does NOT have overly permissive network access

* Modified CKV2_AZURE_23: Ensure Azure spring cloud is configured with Virtual network (Vnet)

* CKV2_AZURE_25: Ensure Azure SQL database Transparent Data Encryption (TDE) is enabled

* Modified CKV2_AWS_60: Ensure RDS instance with copy tags to snapshots is enabled

* Added 5 YAML policies

* Modified CKV2_AWS_60: Ensure RDS instance with copy tags to snapshots is enabled

---------

Co-authored-by: Anton Grübel <anton.gruebel@gmail.com>

* fix(terraform): optimize check CKV2_AWS_60 (#4512)

* adding 2 YAML policies - S3 & Neptune security config

* adding 2 YAML policies

* adding 2 YAML policies

* adding 2 YAML policies

* added 2 YAML policies

* updated the pass and fail cases

* Updated terraform pass and fail cases

* Deleted - AWS S3 global ACL view check

* added policy "Ensure Elastic Search has dedicated master node enabled"

CKV2_AWS_59: Ensure Elastic Search has dedicated master node enabled

* added policy "CKV2_AWS_60: Ensure RDS instance with copy tags to snapshots is enabled"

Ensure RDS instance with copy tags to snapshots is enabled

* [New Policy]: CKV2_AZURE_23: Ensure Azure spring cloud is configured with Virtual network (Vnet)

CKV2_AZURE_23: Ensure Azure spring cloud is configured with Virtual network (Vnet)

* [2 new Policies]: CKV2_AZURE_24, CKV2_AZURE_25

CKV2_AZURE_24: Ensure Azure automation account is NOT overly permissive

CKV2_AZURE_25: Ensure Azure SQL database Transparent Data Encryption (TDE) is enabled

* Update checkov/terraform/checks/graph_checks/aws/ElasticSearchDedicatedMasterEnabled.yaml

Added opensearch check capability

Co-authored-by: Anton Grübel <anton.gruebel@gmail.com>

* Modified CKV2_AWS_59: Ensure ElasticSearch/OpenSearch has dedicated master node enabled

* Renamed/Modified CKV2_AZURE_24: Ensure Azure automation account does NOT have overly permissive network access

* Renamed/Modified CKV2_AZURE_24: Ensure Azure automation account does NOT have overly permissive network access

* Modified CKV2_AZURE_23: Ensure Azure spring cloud is configured with Virtual network (Vnet)

* CKV2_AZURE_25: Ensure Azure SQL database Transparent Data Encryption (TDE) is enabled

* Modified CKV2_AWS_60: Ensure RDS instance with copy tags to snapshots is enabled

* Added 5 YAML policies

* Modified CKV2_AWS_60: Ensure RDS instance with copy tags to snapshots is enabled

---------

Co-authored-by: Anton Grübel <anton.gruebel@gmail.com>

* fix(gha): fix output flag for usage in checkov-action (#4517)

fix output flag for usage in checkov-action

* fix(gha): fix output flag for usage in checkov-action (#4517)

fix output flag for usage in checkov-action

* chore: update release notes

* chore: bump mikepenz/release-changelog-builder-action from 3.6.0 to 3.6.1 (#4527)

chore: bump mikepenz/release-changelog-builder-action

Bumps [mikepenz/release-changelog-builder-action](https://github.com/mikepenz/release-changelog-builder-action) from 3.6.0 to 3.6.1.
- [Release notes](https://github.com/mikepenz/release-changelog-builder-action/releases)
- [Commits](https://github.com/mikepenz/release-changelog-builder-action/compare/da6847f9fdcb3211124cd0c078c1d0359b103ee5...0c962418dfc901f7d3c249e58f7fcf73293d082e)

---
updated-dependencies:
- dependency-name: mikepenz/release-changelog-builder-action
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

* fix(cloudformation): Update CKV_AWS_46 to handle base64 encoded userdata (#4530)

* Update to handle base64encoded string

* Remove print statement from test

* Fix Linter

---------

Co-authored-by: Joseph de Clerck <clerckj@amazon.com>
Co-authored-by: Joseph de CLERCK <clerckj@amazon.fr>

* fix(cloudformation): Update CKV_AWS_46 to handle base64 encoded userdata (#4530)

* Update to handle base64encoded string

* Remove print statement from test

* Fix Linter

---------

Co-authored-by: Joseph de Clerck <clerckj@amazon.com>
Co-authored-by: Joseph de CLERCK <clerckj@amazon.fr>

* chore: update release notes

* feat(sca): adding is_registry_url and printing in the cyclonedx only private registries urls (#4533)

add is_registry_url and print in the cyclonedx only for private registry

Co-authored-by: ipeleg <ipeleg@paloaltonetworks.com>

* feat(sca): adding is_registry_url and printing in the cyclonedx only private registries urls (#4533)

add is_registry_url and print in the cyclonedx only for private registry

Co-authored-by: ipeleg <ipeleg@paloaltonetworks.com>

* feat(sca): support also the key "registryUrl" when extracting registry_url for the report (#4535)

support also registryUrl

Co-authored-by: ipeleg <ipeleg@paloaltonetworks.com>

* feat(sca): support also the key "registryUrl" when extracting registry_url for the report (#4535)

support also registryUrl

Co-authored-by: ipeleg <ipeleg@paloaltonetworks.com>

* feat(gitlab): fix gitlab ci yaml file processing (#4536)

fix gitlab ci yaml file processing

Co-authored-by: Max Amelchenko <mamelchenko@paloaltonetworks.com>

* feat(gitlab): fix gitlab ci yaml file processing (#4536)

fix gitlab ci yaml file processing

Co-authored-by: Max Amelchenko <mamelchenko@paloaltonetworks.com>

* fix(terraform): Optional module content path (#4537)

fix optional igraph module content path

* fix(terraform): Optional module content path (#4537)

fix optional igraph module content path

* chore: update release notes

* feat(secrets): add timeout for scan history checks (#4523)

* feat(secrets): add timeout for scan history checks (#4523)

* feat(secrets): Support secret findings in git history (#4525)

* add _scan_history

* Add_capability_to_iterate_over_Git_history

* .

* add ut

* add ut

* fix lint

* .

* add mock for UT

* create scan_git_history.py

* .

* .

* .

* .

* .

* .

* .

* .

* .

* .

* todo

* add added_commit_hash/removed_commit_hash

* fix lint

* fix lint

* update

* add merge between added and removed secret

* add merge between added and removed secret

* .

* .

* .

* .

* SECRET_NOT_BEEN_REMOVED

* SECRET_NOT_BEEN_REMOVED

* SECRET_NOT_BEEN_REMOVED

* SECRET_NOT_BEEN_REMOVED

* add more test

* add more tests

* add rewrite of enable_git_history_secret_scan

* add rewrite of enable_git_history_secret_scan

* add rewrite of enable_git_history_secret_scan

* add rewrite of enable_git_history_secret_scan

* fix comments

* fix comments

* ץ

* merge main

* merge main

* merge main

* merge main

* merge main

* feat(secrets): Support secret findings in git history (#4525)

* add _scan_history

* Add_capability_to_iterate_over_Git_history

* .

* add ut

* add ut

* fix lint

* .

* add mock for UT

* create scan_git_history.py

* .

* .

* .

* .

* .

* .

* .

* .

* .

* .

* todo

* add added_commit_hash/removed_commit_hash

* fix lint

* fix lint

* update

* add merge between added and removed secret

* add merge between added and removed secret

* .

* .

* .

* .

* SECRET_NOT_BEEN_REMOVED

* SECRET_NOT_BEEN_REMOVED

* SECRET_NOT_BEEN_REMOVED

* SECRET_NOT_BEEN_REMOVED

* add more test

* add more tests

* add rewrite of enable_git_history_secret_scan

* add rewrite of enable_git_history_secret_scan

* add rewrite of enable_git_history_secret_scan

* add rewrite of enable_git_history_secret_scan

* fix comments

* fix comments

* ץ

* merge main

* merge main

* merge main

* merge main

* merge main

* feat(arm): add graph capabilities to ARM framework (#4526)

* add graph capabilities to ARM framework

* fix UTF-16 issue

* Apply suggestions from code review

Co-authored-by: YaaraVerner <86768411+YaaraVerner@users.noreply.github.com>
Co-authored-by: Rotem Avni <52502521+rotemavni@users.noreply.github.com>

* fix PR comments

---------

Co-authored-by: YaaraVerner <86768411+YaaraVerner@users.noreply.github.com>
Co-authored-by: Rotem Avni <52502521+rotemavni@users.noreply.github.com>

* Merge a72a3fef9f4310a6f253db49b340d070be46c001 into e54e15f5f63e04793f0230b3bd0cb3d057765b09

* feat(arm): add graph capabilities to ARM framework (#4526)

* add graph capabilities to ARM framework

* fix UTF-16 issue

* Apply suggestions from code review

Co-authored-by: YaaraVerner <86768411+YaaraVerner@users.noreply.github.com>
Co-authored-by: Rotem Avni <52502521+rotemavni@users.noreply.github.com>

* fix PR comments

---------

Co-authored-by: YaaraVerner <86768411+YaaraVerner@users.noreply.github.com>
Co-authored-by: Rotem Avni <52502521+rotemavni@users.noreply.github.com>

* chore: update release notes

* feat(terraform): New classes for the TF module model (#4546)

* New classes for TF module model

* CR Fixes

* CR Fixes

* chore: remove unneeded version check (#4545)

remove unneeded version check

* chore: remove unneeded version check (#4545)

remove unneeded version check

* fix(gha): Align GHA resource ids (Graph vs Python checks) (#4549)

* Align gha resource ids

* align steps resource ids

* roll back unnecessary change

* fix signatures of get resource (mypy)

* flake8

---------

Co-authored-by: Eliran Turgeman <elturgeman@paloaltonetworks.com>

* fix(gha): Align GHA resource ids (Graph vs Python checks) (#4549)

* Align gha resource ids

* align steps resource ids

* roll back unnecessary change

* fix signatures of get resource (mypy)

* flake8

---------

Co-authored-by: Eliran Turgeman <elturgeman@paloaltonetworks.com>

* feat(dockerfile): Add checks for disabling signature checks for apk, apt-get, rpm, yum, dnf (#4404)

* apk --allow-untrusted

* apt-get --allow-unauthenticated

* rpm/dnf/yum --nogpgcheck

* rpm --nosignature --nodigest --noverify

* Add --force-yes to apt-get --allow-unauthenticated check

* Changes for rpm options

* Add detail to names of CKV2_DOCKER_7 CKV2_DOCKER_8 CKV2_DOCKER_9 CKV2_DOCKER_10

* Split out the --force-yes check into CKV2_DOCKER_11

---------

Co-authored-by: Anton Grübel <anton.gruebel@gmail.com>

* Merge ddd30ed3374d62778082f2f5c87df74fcfbb9e1c into d7c2e118c0ce5793595096644b4ea0bb117665ea

* feat(dockerfile): Add checks for disabling signature checks for apk, apt-get, rpm, yum, dnf (#4404)

* apk --allow-untrusted

* apt-get --allow-unauthenticated

* rpm/dnf/yum --nogpgcheck

* rpm --nosignature --nodigest --noverify

* Add --force-yes to apt-get --allow-unauthenticated check

* Changes for rpm options

* Add detail to names of CKV2_DOCKER_7 CKV2_DOCKER_8 CKV2_DOCKER_9 CKV2_DOCKER_10

* Split out the --force-yes check into CKV2_DOCKER_11

---------

Co-authored-by: Anton Grübel <anton.gruebel@gmail.com>

* chore: update release notes

* feat(terraform): TF Parser  - Move funcs and consts to utils file (#4550)

* Move funcs and consts to utils file

* Move static funcs to utils file p1

* Lint fix

* modules to package

* Move static funcs to utils file p2

* Fix UTs

* Small update

* Fix a wrong import

* feat(terraform): TF Parser  - Move funcs and consts to utils file (#4550)

* Move funcs and consts to utils file

* Move static funcs to utils file p1

* Lint fix

* modules to package

* Move static funcs to utils file p2

* Fix UTs

* Small update

* Fix a wrong import

* fix(terraform): Move get_module back to parser (#4560)

* Move get_module back to parser

* Move get_module back to parser

* Remove import

* fix(terraform): Move get_module back to parser (#4560)

* Move get_module back to parser

* Move get_module back to parser

* Remove import

* fix(terraform): fix for #4518 (#4528)

* fix for #4518

* dogfood tests

* dogfood tests

* confirm object is a dict

* Update checkov/terraform/checks/resource/aws/AbsNACLUnrestrictedIngress.py

Co-authored-by: Anton Grübel <anton.gruebel@gmail.com>

* Update checkov/terraform/checks/resource/aws/AbsNACLUnrestrictedIngress.py

Co-authored-by: Anton Grübel <anton.gruebel@gmail.com>

---------

Co-authored-by: Anton Grübel <anton.gruebel@gmail.com>

* feat(dockerfile): Add check for the environment variable NPM_CONFIG_STRICT_SSL (#4553)

Add check for the env var NPM_CONFIG_STRICT_SSL

* fix(terraform): fix for #4518 (#4528)

* fix for #4518

* dogfood tests

* dogfood tests

* confirm object is a dict

* Update checkov/terraform/checks/resource/aws/AbsNACLUnrestrictedIngress.py

Co-authored-by: Anton Grübel <anton.gruebel@gmail.com>

* Update checkov/terraform/checks/resource/aws/AbsNACLUnrestrictedIngress.py

Co-authored-by: Anton Grübel <anton.gruebel@gmail.com>

---------

Co-authored-by: Anton Grübel <anton.gruebel@gmail.com>

* feat(dockerfile): Add check for the environment variable NPM_CONFIG_STRICT_SSL (#4553)

Add check for the env var NPM_CONFIG_STRICT_SSL

* fix(terraform_plan): Fix tf plan nested modules (#4562)

* fix tf plan same resource type with modules

* ANOTHER FIX

* add test

* lint

* pr comments

* fix(terraform_plan): Fix tf plan nested modules (#4562)

* fix tf plan same resource type with modules

* ANOTHER FIX

* add test

* lint

* pr comments

* fix(terraform): remove dynamic warning exc_info (#4563)

* remove exc_info and change to warning

* fix lint

* change to info

* fix(terraform): remove dynamic warning exc_info (#4563)

* remove exc_info and change to warning

* fix lint

* change to info

* chore: update release notes

* fix(ansible): support skip check for Ansible Python-based checks (#4556)

* support skip check for Ansible Python-based checks

* fix tests

* fix(ansible): support skip check for Ansible Python-based checks (#4556)

* support skip check for Ansible Python-based checks

* fix tests

* chore: bump mikepenz/release-changelog-builder-action from 3.6.1 to 3.7.0 (#4572)

chore: bump mikepenz/release-changelog-builder-action

Bumps [mikepenz/release-changelog-builder-action](https://github.com/mikepenz/release-changelog-builder-action) from 3.6.1 to 3.7.0.
- [Release notes](https://github.com/mikepenz/release-changelog-builder-action/releases)
- [Commits](https://github.com/mikepenz/release-changelog-builder-action/compare/0c962418dfc901f7d3c249e58f7fcf73293d082e...c73ff7421c59fa0d090dcfe62e24a758977c699d)

---
updated-dependencies:
- dependency-name: mikepenz/release-changelog-builder-action
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

* chore: bump github/codeql-action from 2.2.4 to 2.2.5 (#4571)

Bumps [github/codeql-action](https://github.com/github/codeql-action) from 2.2.4 to 2.2.5.
- [Release notes](https://github.com/github/codeql-action/releases)
- [Changelog](https://github.com/github/codeql-action/blob/main/CHANGELOG.md)
- [Commits](https://github.com/github/codeql-action/compare/17573ee1cc1b9d061760f3a006fc4aac4f944fd5...32dc499307d133bb5085bae78498c0ac2cf762d5)

---
updated-dependencies:
- dependency-name: github/codeql-action
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

* chore: add warning when using severity filter without API key (#4568)

add warning when using severity filter without API key

* chore: update bc-detect-secrets version to 1.4.13 (#4561)

update bc-detect-secrets version

Co-authored-by: Eliran-Turgeman <Eliran-Turgeman@users.noreply.github.com>

* feat(secrets): track complete file deletion and renaming (#4551)

* Track complete file deletion

* Track complete file renaming

* Track complete file renaming

* Track complete file renaming

* Track complete file renaming

* update bc-detect-secrets

* add class

* add class

* .

* .

* merge main

* feat(secrets): track complete file deletion and renaming (#4551)

* Track complete file deletion

* Track complete file renaming

* Track complete file renaming

* Track complete file renaming

* Track complete file renaming

* update bc-detect-secrets

* add class

* add class

* .

* .

* merge main

* fix(terraform): Handle unescaped lookup values (#4565)

* set escape_unrendered

* implement _find_new_value_for_interpolation and added tests

* fixed condition

* delete commented test

* extracted method _string_changed_except_interpolation

* fix(terraform): Handle unescaped lookup values (#4565)

* set escape_unrendered

* implement _find_new_value_for_interpolation and added tests

* fixed condition

* delete commented test

* extracted method _string_changed_except_interpolation

* feat(terraform): Adding yaml based build time policies for corresponding PC runtime policies (#4529)

* adding 2 YAML policies - S3 & Neptune security config

* adding 2 YAML policies

* adding 2 YAML policies

* adding 2 YAML policies

* added 2 YAML policies

* updated the pass and fail cases

* Updated terraform pass and fail cases

* Deleted - AWS S3 global ACL view check

* added policy "Ensure Elastic Search has dedicated master node enabled"

CKV2_AWS_59: Ensure Elastic Search has dedicated master node enabled

* added policy "CKV2_AWS_60: Ensure RDS instance with copy tags to snapshots is enabled"

Ensure RDS instance with copy tags to snapshots is enabled

* [New Policy]: CKV2_AZURE_23: Ensure Azure spring cloud is configured with Virtual network (Vnet)

CKV2_AZURE_23: Ensure Azure spring cloud is configured with Virtual network (Vnet)

* [2 new Policies]: CKV2_AZURE_24, CKV2_AZURE_25

CKV2_AZURE_24: Ensure Azure automation account is NOT overly permissive

CKV2_AZURE_25: Ensure Azure SQL database Transparent Data Encryption (TDE) is enabled

* Update checkov/terraform/checks/graph_checks/aws/ElasticSearchDedicatedMasterEnabled.yaml

Added opensearch check capability

Co-authored-by: Anton Grübel <anton.gruebel@gmail.com>

* Modified CKV2_AWS_59: Ensure ElasticSearch/OpenSearch has dedicated master node enabled

* Renamed/Modified CKV2_AZURE_24: Ensure Azure automation account does NOT have overly permissive network access

* Renamed/Modified CKV2_AZURE_24: Ensure Azure automation account does NOT have overly permissive network access

* Modified CKV2_AZURE_23: Ensure Azure spring cloud is configured with Virtual network (Vnet)

* CKV2_AZURE_25: Ensure Azure SQL database Transparent Data Encryption (TDE) is enabled

* Modified CKV2_AWS_60: Ensure RDS instance with copy tags to snapshots is enabled

* Added 5 YAML policies

* Deleted GCP SQL network based policy

* Modified main.tf of GCPMySQLdbInstanceBinaryLogsConfigIsEnabled

* Optimised policy: AzurePostgreSQLFlexServerNotOverlyPermissive and modified name of other policy (GCPMySQLdbInstancePoint_In_TimeRecoveryBackupIsEnabled)

* Optimised and modified policy: GCPMySQLdbInstancePoint_In_TimeRecoveryBackupIsEnabled

* Optimised GCPdisableAlphaClusterFeatureInKubernetesEngineClusters policy

* Updated 'test_yaml_policies.py' with new policies

* Updated 'test_yaml_policies.py' with new policies

* Optimised terraform checks for GCPMySQLdbInstancePoint_In_TimeRecoveryBackupIsEnabled

---------

Co-authored-by: Anton Grübel <anton.gruebel@gmail.com>

* feat(terraform): Adding yaml based build time policies for corresponding PC runtime policies (#4529)

* adding 2 YAML policies - S3 & Neptune security config

* adding 2 YAML policies

* adding 2 YAML policies

* adding 2 YAML policies

* added 2 YAML policies

* updated the pass and fail cases

* Updated terraform pass and fail cases

* Deleted - AWS S3 global ACL view check

* added policy "Ensure Elastic Search has dedicated master node enabled"

CKV2_AWS_59: Ensure Elastic Search has dedicated master node enabled

* added policy "CKV2_AWS_60: Ensure RDS instance with copy tags to snapshots is enabled"

Ensure RDS instance with copy tags to snapshots is enabled

* [New Policy]: CKV2_AZURE_23: Ensure Azure spring cloud is configured with Virtual n…
rotemavni added a commit to rotem-avni/checkov3 that referenced this pull request Oct 5, 2023
* feat(sca): Add a --support flag --revert (#4396)

Revert "feat(sca): Add a --support flag (#4323)"

This reverts commit 9b7a11271fa7f8471c11695e190f54762293538c.

* feat(sca): Add a --support flag   (#4397)

Revert "feat(sca): Add a --support flag --revert (#4396)"

This reverts commit dae55bcface259dce41156ba756c3e529a069b90.

* Merge aeb1af552b98bc797c2bd762267ccaba6a381be9 into fb0b25a3c01d82964d2cb6ef49e0dd17d7c25b6f

* fix(general): Remove empty links from GitLab SAST output (#4393)

* adjust Docker labels

* remove None links in GitLab SAST output

* fix typing

* feat(secrets): extract new detector_utils file from entropy keyword combinator (#4385)

* extract new detector_utils file from entropy keyword combinator

* move import to type checking block

* fix according to comments

* add detector utils fixes

* fix according to comments

* change type hint

---------

Co-authored-by: Max Amelchenko <mamelchenko@paloaltonetworks.com>
Co-authored-by: gruebel <anton.gruebel@gmail.com>

* feat(secrets): extract new detector_utils file from entropy keyword combinator (#4385)

* extract new detector_utils file from entropy keyword combinator

* move import to type checking block

* fix according to comments

* add detector utils fixes

* fix according to comments

* change type hint

---------

Co-authored-by: Max Amelchenko <mamelchenko@paloaltonetworks.com>
Co-authored-by: gruebel <anton.gruebel@gmail.com>

* feat(secrets): add workdir info to secrets scanner (#4400)

* add workdir info to secrets scanner

* switch path to str

---------

Co-authored-by: Max Amelchenko <mamelchenko@paloaltonetworks.com>

* feat(secrets): add workdir info to secrets scanner (#4400)

* add workdir info to secrets scanner

* switch path to str

---------

Co-authored-by: Max Amelchenko <mamelchenko@paloaltonetworks.com>

* chore: update release notes

* fix(general): fix compact json output (#4406)

* fix compact json output

* pin GHA macOS runner version to 11

* upper bound kustomize version to 4

* Merge 04c058005d39f1c16f943860417851d207e9f1c7 into 2aab752e0faea22368c709dc919e7fe61ab6a811

* chore: update release notes

* fix(cloudformation): Don't fail Aurora instances for MultiAZ not being set (#4316)

* Fix CKV_AWS_157 CloudFormation false positive for Aurora instances

* Add comment to explain Aurora logic

* Fix import

* Update comments with link to AWS docs

* Change MultiAZ test for Aurora to UNKNOWN

* Fix DBInstanceClass for Aurora

* Fix expected 2 blank lines linting error

* Remove fields that failed linting since they are not applicable to Aurora

* fix linting

---------

Co-authored-by: Anton Grübel <anton.gruebel@gmail.com>

* Merge 82ef35e360a9787c3e14c3c8666c2bbac17eac5f into 16c7166106b27f40aa5e4177618aaaef2ca0cea6

* chore: update release notes

* feat(terraform): [Foreach/Count Handling] Render dynamic foreach/count statement (#4398)

* Render dynamic foreach/count statement

* CR fixes + UT for build_sub_graph

* CR fixes

* Lint fix

* chore: fix flake8 issue (#4413)

fix flake8 issue

* feat(kustomize): support kustomize v5 (#4411)

* support kustomize v5

* fix wrong command

* nosec subprocess

* chore: leverage freezegun to freeze time for a test (#4415)

leverage freezegun to freeze time for a test

* fix(general): Checks edge-cases fixes in terraform and openapi (#4414)

* fix in PathSchemeDefineHTTP check

* fix in GoogleKMSKeyIsPublic check

* fix in ECRPolicy check

---------

Co-authored-by: Anton Grübel <anton.gruebel@gmail.com>

* fix(general): Checks edge-cases fixes in terraform and openapi (#4414)

* fix in PathSchemeDefineHTTP check

* fix in GoogleKMSKeyIsPublic check

* fix in ECRPolicy check

---------

Co-authored-by: Anton Grübel <anton.gruebel@gmail.com>

* chore: add GH token to setup-kustomize action (#4417)

add GH token to setup-kustomize action

* fix(terraform): SQS check was all types of wrong (#4382)

* SQS check is all wrong

* remove unused import

* adjust check

---------

Co-authored-by: Anton Grübel <anton.gruebel@gmail.com>

* fix(general): Skip resources with no 'Type' defined + Checks containing wildcards for resource types leads to crash (#4408)

Update base_check_registry.py to resolve Issue #4407

Update base_check_registry.py to resolve Issue #4407

Verify `entity` has a value (not the None placeholder when `Type` is not available in the template) before trying to string-match

Co-authored-by: Anton Grübel <anton.gruebel@gmail.com>

* Merge ec5b2cb69c4481fd8ba2a344245702d3968e1f35 into b18e128fc38a80b4f0bfea6264a3af9ef1433c97

* fix(terraform): retire CKV_AWS_128 in favour of CKV_AWS_162 (#4350)

retire CKV_AWS_128 in favour of CKV_AWS_162

* fix(terraform): fix getting the module for resource named 'module' (#4418)

fix getting the module for resource with the name module

* fix(terraform): fix getting the module for resource named 'module' (#4418)

fix getting the module for resource with the name module

* fix(terraform): fix getting the module for resource named 'module' (#4418)

fix getting the module for resource with the name module

* chore: update release notes

* feat(graph): add validation for graph checks (#4352)

* add validation for graph checks

* fix solver tests

* feat(graph): add validation for graph checks (#4352)

* add validation for graph checks

* fix solver tests

* chore: bump docker/setup-buildx-action from 2.3.0 to 2.4.0 (#4421)

Bumps [docker/setup-buildx-action](https://github.com/docker/setup-buildx-action) from 2.3.0 to 2.4.0.
- [Release notes](https://github.com/docker/setup-buildx-action/releases)
- [Commits](https://github.com/docker/setup-buildx-action/compare/5e716dcfd653738c2d1db099bfba194a84158be4...15c905b16b06416d2086efa066dd8e3a35cc7f98)

---
updated-dependencies:
- dependency-name: docker/setup-buildx-action
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

* chore: bump docker/build-push-action from 3.3.0 to 4.0.0 (#4422)

* chore: bump docker/build-push-action from 3.3.0 to 4.0.0

Bumps [docker/build-push-action](https://github.com/docker/build-push-action) from 3.3.0 to 4.0.0.
- [Release notes](https://github.com/docker/build-push-action/releases)
- [Commits](https://github.com/docker/build-push-action/compare/37abcedcc1da61a57767b7588cb9d03eb57e28b3...3b5e8027fcad23fda98b2e3ac259d8d67585f671)

---
updated-dependencies:
- dependency-name: docker/build-push-action
  dependency-type: direct:production
  update-type: version-update:semver-major
...

Signed-off-by: dependabot[bot] <support@github.com>

* change version comment

---------

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Co-authored-by: Anton Grübel <anton.gruebel@gmail.com>

* feat(secrets): remove secrets dependency in generic record (#4424)

first commit to remove secret dependency in generic record

Co-authored-by: Max Amelchenko <mamelchenko@paloaltonetworks.com>

* feat(secrets): remove secrets dependency in generic record (#4424)

first commit to remove secret dependency in generic record

Co-authored-by: Max Amelchenko <mamelchenko@paloaltonetworks.com>

* feat(kubernetes): support inline skips for Kubernetes graph checks (#4412)

support inline skips for Kubernetes graph checks

* fix(kustomize): remove redundant error in kustomize runner (#4428)

* log error of 'Context for Kustomize runner was not set' only if context is None

* Update checkov/kustomize/runner.py

Co-authored-by: Anton Grübel <anton.gruebel@gmail.com>

---------

Co-authored-by: Anton Grübel <anton.gruebel@gmail.com>

* fix(kustomize): remove redundant error in kustomize runner (#4428)

* log error of 'Context for Kustomize runner was not set' only if context is None

* Update checkov/kustomize/runner.py

Co-authored-by: Anton Grübel <anton.gruebel@gmail.com>

---------

Co-authored-by: Anton Grübel <anton.gruebel@gmail.com>

* feat(ansible): add support for Ansible blocks (#4419)

* add support for Ansible blocks

* fix linting

* feat(ansible): add support for Ansible blocks (#4419)

* add support for Ansible blocks

* fix linting

* feat(ansible): add support for Ansible blocks (#4419)

* add support for Ansible blocks

* fix linting

* feat(general): Control check failure logging level (#4431)

introduce CHECKOV_CHECK_FAIL_LEVEL for controlling check failure logging level

* feat(general): Control check failure logging level (#4431)

introduce CHECKOV_CHECK_FAIL_LEVEL for controlling check failure logging level

* docs(general): fix graph check link in docs (#4420)

fix graph check link in docs

* docs(general): fix graph check link in docs (#4420)

fix graph check link in docs

* docs(general): fix graph check link in docs (#4420)

fix graph check link in docs

* chore: update release notes

* feat(cloudformation): support new default s3 encryption (#4429)

* Updated CKV_AWS_19 to support not specifying SSEAlgorithm as AWS now supports encryption by default

* updated local graph checks for terraform to support s3 default encryption

* Updated terraform CKV_AWS_19 graph check to support default encryption as well

* Updated failed tests

* CR

* Removed unneeded check from test_enrichment_of_plan_report

* feat(cloudformation): support new default s3 encryption (#4429)

* Updated CKV_AWS_19 to support not specifying SSEAlgorithm as AWS now supports encryption by default

* updated local graph checks for terraform to support s3 default encryption

* Updated terraform CKV_AWS_19 graph check to support default encryption as well

* Updated failed tests

* CR

* Removed unneeded check from test_enrichment_of_plan_report

* feat(graph): added indices to igraph nodes (#4433)

* added indices to igraph nodes

* fixed typo

* feat(graph): added indices to igraph nodes (#4433)

* added indices to igraph nodes

* fixed typo

* feat(secrets): Add args to analyze line is added and is removed for git history scan (#4426)

* add is_added_and_is_removed

* is_added and is_removed default False

* is_added and is_removed default False

* feat(secrets): Add args to analyze line is added and is removed for git history scan (#4426)

* add is_added_and_is_removed

* is_added and is_removed default False

* is_added and is_removed default False

* fix(terraform): Fix updating resource config (#4432)

* support using variable type and fix setting config

* revert changes to renderer

* Merge d2e2ed2ec500261ef771821edbf651e28b5d59f1 into 9bc353290e170df637c1638c673b6e28eabca8cf

* chore: update bc-jsonpath-ng version to 1.5.9 (#4435)

* update bc-jsonpath-ng version

* fix typing issues

---------

Co-authored-by: gruebel <gruebel@users.noreply.github.com>

* chore: update bc-jsonpath-ng version to 1.5.9 (#4435)

* update bc-jsonpath-ng version

* fix typing issues

---------

Co-authored-by: gruebel <gruebel@users.noreply.github.com>

* platform(secrets): Add secrets custom regex on file (#4430)

* Adding multline regex in custom_regex_detector.py

* In case we are using a multiline regex, we want to wrap the match in an f-string with '' in order to simulate a real value and not a template one (otherwise _is_filtered_out filters the secret out, specifically is_templated_secret)

* Separate common logic to function

* Fix mypy

* Fixing pass an exception

* Fix UT

* Fix CR

* .

* .

* .

* First test

* Adding tests & set multiline line to 0 instead current check line

* .

* .

---------

Co-authored-by: pazbechor <pbechor@paloaltonetworks.com>

* chore: update bc-jsonpath-ng version to 1.5.9 (#4435)

* update bc-jsonpath-ng version

* fix typing issues

---------

Co-authored-by: gruebel <gruebel@users.noreply.github.com>

* fix(secrets): Comment out checkov multiline regex detectors (#4441)

Comment out checkov multiline regex detectors

Co-authored-by: pazbechor <pbechor@paloaltonetworks.com>

* fix(secrets): Comment out checkov multiline regex detectors (#4441)

Comment out checkov multiline regex detectors

Co-authored-by: pazbechor <pbechor@paloaltonetworks.com>

* chore: update release notes

* feat(terraform): extend CKV2_AWS_5 to support aws_ec2_spot_fleet_request (#4438)

* CKV2_AWS_5: aws_spot_fleet_request launch_specification

* Update tests/terraform/graph/checks/resources/SGAttachedToResource/main.tf

Co-authored-by: Anton Grübel <anton.gruebel@gmail.com>

---------

Co-authored-by: Anton Grübel <anton.gruebel@gmail.com>

* Merge a5fb6f0c0507ba47f14160140cdc9cddec9f33e8 into 1e9138e176a6ac79adfd1556d7ff3aac7f7284ce

* fix(secrets): remove CKV_SECRET_78 from SECRET_TYPE_TO_ID (#4446)

remove CKV_SECRET_78 from SECRET_TYPE_TO_ID

* Merge f28539f9a9248063fda1a05498afd1f1a0050dac into 0f04fbf84c1f91d0a5a2cb6acbcda511ebabb24c

* fix(secrets): remove CKV_SECRET_78 from SECRET_TYPE_TO_ID (#4446)

remove CKV_SECRET_78 from SECRET_TYPE_TO_ID

* fix(terraform): change module index separator in full path (#4437)

* create TERRAFORM_NESTED_MODULE_INDEX_SEPARATOR const

* fixes

* fixes

* fix UT

* fix UT

* fix(terraform): change module index separator in full path (#4437)

* create TERRAFORM_NESTED_MODULE_INDEX_SEPARATOR const

* fixes

* fixes

* fix UT

* fix UT

* fix(kustomize): Fix kustomize cli file path (#4447)

* Fix kustomize cli record file path

* fix

* add test

* add test

* fix

* fix

* Merge 23777d12810a3a62b24163541de6eaef74d00719 into 8b42295979f6788a255e64100ac2a56fe1c7b192

* fix(general): Correct BigQueryDatasetEncryptedWithCMK name field (#4443)

* conflict

* Revert "conflict"

This reverts commit ced544749b6e2c7989f8ca124e06bc23ba72ee47.

* revert

* revert

* revert

* Correct BigQueryDatasetEncryptedWithCMK name field

It should be `Datasets`, not `Tables`

---------

Co-authored-by: achia <achiar99@gmail.com>
Co-authored-by: Adam Varsano <avarsano@paloaltonetworks.com>
Co-authored-by: Anton Grübel <anton.gruebel@gmail.com>

* Merge 80cfb2a60a962253c22ae3d9310b59072c999ae5 into f8b6dbb159f0cc820d493f8dd5010d9e006c1ca7

* fix(general): Correct BigQueryDatasetEncryptedWithCMK name field (#4443)

* conflict

* Revert "conflict"

This reverts commit ced544749b6e2c7989f8ca124e06bc23ba72ee47.

* revert

* revert

* revert

* Correct BigQueryDatasetEncryptedWithCMK name field

It should be `Datasets`, not `Tables`

---------

Co-authored-by: achia <achiar99@gmail.com>
Co-authored-by: Adam Varsano <avarsano@paloaltonetworks.com>
Co-authored-by: Anton Grübel <anton.gruebel@gmail.com>

* feat(terraform): Create new resources for count/foreach resources (#4427)

* Create the new resources for count/foreach resource

* CR changes

* flake8

* pop foreach/count for attrs

* CR changes

* Arrange graph data after handling foreach

* Add UT

* try without realpath

* Add UT to a real check

* fix ut

* fix ut

* fix ut

* fix ut

* fix ut

* CR fixes

* CR fixes

* add ut for _update_attributes func

* add ut for _update_attributes func

* feat(terraform): Create new resources for count/foreach resources (#4427)

* Create the new resources for count/foreach resource

* CR changes

* flake8

* pop foreach/count for attrs

* CR changes

* Arrange graph data after handling foreach

* Add UT

* try without realpath

* Add UT to a real check

* fix ut

* fix ut

* fix ut

* fix ut

* fix ut

* CR fixes

* CR fixes

* add ut for _update_attributes func

* add ut for _update_attributes func

* fix(kubernetes): Fix empty spec in k8s file (#4452)

Fix empty spec in k8s file

* fix(kubernetes): Fix empty spec in k8s file (#4452)

Fix empty spec in k8s file

* feat(sca): Add support for Dotnet files (#4189)

* add support for paket files

* Added support for package files which are based on suffixes

* Updated tests

* Fix test

* Fix test

* feat(sca): Add support for Dotnet files (#4189)

* add support for paket files

* Added support for package files which are based on suffixes

* Updated tests

* Fix test

* Fix test

* chore: update release notes

* fix(graph): added graph init to igraph db connector (#4455)

added graph init to igraph db connector

* fix(gha): fix GHA _get_jobs edge case (string step) (#4444)

* fix gha get jobs edge case

* adjust condition and type ignore

---------

Co-authored-by: Eliran Turgeman <elturgeman@paloaltonetworks.com>

* feat(general): Create 3d combinations post runner (#4353)

* add a new bc_integration and modify existing

* 3d policy

* implement new post runner class

* 3d runner

* typing

* linting

* add guideline and severity to check

* fix existing tests

* change var names + add comment

* add runner test

* remove redundant attributes from base check

* typing

* fix test

* remove list type response

* run_check -> collect_check

* fw -> framework

* make cve attribute generic

* include cve details in output

* output enhancements

* fix typing and linting

* output enhancements

* output enhancements

* remove duplications

* typing and linting

* abstractmethod

* Anton's comments

* fix sca tests to uppercase severities

* implement "AND" logic for iac checks

* code category to IMAGED (3d policies TBD)

* remove test_cve_severity - moved to common utils

* map 3d policies to IAC code category

* print error in logs

---------

Co-authored-by: gruebel <anton.gruebel@gmail.com>

* feat(general): Create 3d combinations post runner (#4353)

* add a new bc_integration and modify existing

* 3d policy

* implement new post runner class

* 3d runner

* typing

* linting

* add guideline and severity to check

* fix existing tests

* change var names + add comment

* add runner test

* remove redundant attributes from base check

* typing

* fix test

* remove list type response

* run_check -> collect_check

* fw -> framework

* make cve attribute generic

* include cve details in output

* output enhancements

* fix typing and linting

* output enhancements

* output enhancements

* remove duplications

* typing and linting

* abstractmethod

* Anton's comments

* fix sca tests to uppercase severities

* implement "AND" logic for iac checks

* code category to IMAGED (3d policies TBD)

* remove test_cve_severity - moved to common utils

* map 3d policies to IAC code category

* print error in logs

---------

Co-authored-by: gruebel <anton.gruebel@gmail.com>

* break(terraform): enable nested modules by default (#4448)

* change default value

* fix updating address
fix ut

* fixes

* ?

---------

Co-authored-by: achia <achiar99@gmail.com>

* break(gha): adjust the attribute reference for GitHub Actions graph checks (#4445)

adjust the attribute reference for GitHub Actions graph checks

* break(gha): adjust the attribute reference for GitHub Actions graph checks (#4445)

adjust the attribute reference for GitHub Actions graph checks

* chore: update release notes

* chore: update bc-detect-secrets version to 1.4.11 (#4451)

update bc-detect-secrets version

Co-authored-by: gruebel <gruebel@users.noreply.github.com>
Co-authored-by: LirShindalman <49649760+lirshindalman@users.noreply.github.com>

* fix(terraform): deny statements with wildcards are valid (#4440)

deny statements with wildcards are valid

* feat(secrets): limit multiline regex detector run (#4453)

* Adding fixes to limit multiline regex run

* remove redundant import

* .

* .

* .

* .

* .

* .

* adding tests

* Adding tests for file utils & load secret detectors

* Add support for empty yaml array - [None]

* Remove redundant line

---------

Co-authored-by: pazbechor <pbechor@paloaltonetworks.com>

* fix(kustomize): fix kustomize file path cli (#4466)

fix kustomize file path cli

* feat(terraform): Add foreach_attrs to config objects + UTs (#4463)

Add foreach_attrs to config objects + UTs

* feat(terraform): Add foreach_attrs to config objects + UTs (#4463)

Add foreach_attrs to config objects + UTs

* feat(terraform): Add foreach_attrs to config objects + UTs (#4463)

Add foreach_attrs to config objects + UTs

* feat(terraform): GCP: Ensure Basic roles are not used at Org/Folder/Project level (CKV_GCP_115, CKV_GCP_116, CKV_GCP_117) (#4390)

* feat(terraform/gcp): add CKV_GCP_115, CKV_GCP_116 & CKV_GCP_117

* feat(terraform/gcp): add tests

* improve base GCP role check

---------

Co-authored-by: Anton Grübel <anton.gruebel@gmail.com>

* feat(terraform): GCP: Ensure Basic roles are not used at Org/Folder/Project level (CKV_GCP_115, CKV_GCP_116, CKV_GCP_117) (#4390)

* feat(terraform/gcp): add CKV_GCP_115, CKV_GCP_116 & CKV_GCP_117

* feat(terraform/gcp): add tests

* improve base GCP role check

---------

Co-authored-by: Anton Grübel <anton.gruebel@gmail.com>

* feat(terraform): GCP: Ensure Basic roles are not used at Org/Folder/Project level (CKV_GCP_115, CKV_GCP_116, CKV_GCP_117) (#4390)

* feat(terraform/gcp): add CKV_GCP_115, CKV_GCP_116 & CKV_GCP_117

* feat(terraform/gcp): add tests

* improve base GCP role check

---------

Co-authored-by: Anton Grübel <anton.gruebel@gmail.com>

* fix(terraform): Allow different type of value in BaseResourceValueCheck (#4470)

* added checking against different type of expected value

* Added a test case

* fix(terraform): Allow different type of value in BaseResourceValueCheck (#4470)

* added checking against different type of expected value

* Added a test case

* chore: update release notes

* feat(secrets): Save secrets line number (#4488)

* Adding line number

* .

---------

Co-authored-by: pazbechor <pbechor@paloaltonetworks.com>

* chore: bump thehanimo/pr-title-checker from 1.3.6 to 1.3.7 (#4480)

Bumps [thehanimo/pr-title-checker](https://github.com/thehanimo/pr-title-checker) from 1.3.6 to 1.3.7.
- [Release notes](https://github.com/thehanimo/pr-title-checker/releases)
- [Commits](https://github.com/thehanimo/pr-title-checker/compare/8464c95d2f82d7ab89496f544d48c799497c130b...cdafc664bf9b25678d4e6df76ff67b2fe21bb5d2)

---
updated-dependencies:
- dependency-name: thehanimo/pr-title-checker
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

* chore: bump github/codeql-action from 2.2.1 to 2.2.4 (#4481)

Bumps [github/codeql-action](https://github.com/github/codeql-action) from 2.2.1 to 2.2.4.
- [Release notes](https://github.com/github/codeql-action/releases)
- [Changelog](https://github.com/github/codeql-action/blob/main/CHANGELOG.md)
- [Commits](https://github.com/github/codeql-action/compare/3ebbd71c74ef574dbc558c82f70e52732c8b44fe...17573ee1cc1b9d061760f3a006fc4aac4f944fd5)

---
updated-dependencies:
- dependency-name: github/codeql-action
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

* chore: bump docker/setup-buildx-action from 2.4.0 to 2.4.1 (#4482)

Bumps [docker/setup-buildx-action](https://github.com/docker/setup-buildx-action) from 2.4.0 to 2.4.1.
- [Release notes](https://github.com/docker/setup-buildx-action/releases)
- [Commits](https://github.com/docker/setup-buildx-action/compare/15c905b16b06416d2086efa066dd8e3a35cc7f98...f03ac48505955848960e80bbb68046aa35c7b9e7)

---
updated-dependencies:
- dependency-name: docker/setup-buildx-action
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

* feat(graph): Add UT as an example of not-exists for the nested list. (#4484)

* Add UT as example for not-exists for nested list

* Fix check ID

* feat(graph): Add UT as an example of not-exists for the nested list. (#4484)

* Add UT as example for not-exists for nested list

* Fix check ID

* feat(terraform): support more json encoded objects as part of terraform resource and fix evaluation of true/false in json (#4487)

* Change base attribute solver to always try to render json from object

* Added test to check support for custom policy configuration

* Added support for 'true' in terraform value, inside evaluate_terraform value

* used json.loads instead of string manipulation

* Updated base_attribute_solver to check if the value looks like json before trying to parse it

* Added another test case for using attributes with strings like "5" and "true"

* Fixed failing tests

* Merge 8254c38401b350646ac78b1556957e47eb38c187 into 9a5f7310408ddeea53d7a005e79aab26537f2b83

* fix(cloudformation): Updated AWS_CKV_7 to not require rotation on asymmetric keys (#4476)

* Updated to fix AWS_CKV_7 to not expect rotation on asymmetric keys

* Fixing some extraneous stuff spotted in PR review

* Update checkov/cloudformation/checks/resource/aws/KMSRotation.py

Co-authored-by: Anton Grübel <anton.gruebel@gmail.com>

* Switched asymmetric keys to UNKNOWN for aws checks

* Updated examples for terraform to unknown rather than pass

---------

Co-authored-by: Anton Grübel <anton.gruebel@gmail.com>

* feat(terraform): check msk nodes are private (#4392)

* check nodes are private

* change category

---------

Co-authored-by: Anton Grübel <anton.gruebel@gmail.com>

* feat(terraform): AWS:check global DocDB cluster is encrypted (#4405)

* check global cluster is encrypted

* add type hints

---------

Co-authored-by: Anton Grübel <anton.gruebel@gmail.com>

* feat(terraform): AWS:check global DocDB cluster is encrypted (#4405)

* check global cluster is encrypted

* add type hints

---------

Co-authored-by: Anton Grübel <anton.gruebel@gmail.com>

* feat(terraform): AWS:check global DocDB cluster is encrypted (#4405)

* check global cluster is encrypted

* add type hints

---------

Co-authored-by: Anton Grübel <anton.gruebel@gmail.com>

* fix(ansible): support nested blocks and empty module values (#4479)

* support nested blocks in Ansible playbooks

* support empty values for Ansible modules

* Merge 7962c8bcee5e51430747a72bab2eb47d74a8fdaf into c8df8a2cd432f2a6ea4242d2fa3ce60b8c77627b

* fix(ansible): support nested blocks and empty module values (#4479)

* support nested blocks in Ansible playbooks

* support empty values for Ansible modules

* docs(general): update installation on Alpine docs (#4474)

* update installation on Alpine docs

* adjust text

Co-authored-by: Taylor <28880387+tsmithv11@users.noreply.github.com>

* remove text

---------

Co-authored-by: Taylor <28880387+tsmithv11@users.noreply.github.com>

* chore: update release notes

* feat(terraform): Support for loops in foreach statements (#4483)

* Support for loop in foreach statements

* Move the logic to Variable Rendering

* Fix typing

* flake8 and Performance tests

* Fix UTs

* Fix UTs

* Fix UTs

* CR Fix

* Fix UTs

* CR fixes

* Add UTs

* Nicer code

* feat(terraform): Support for loops in foreach statements (#4483)

* Support for loop in foreach statements

* Move the logic to Variable Rendering

* Fix typing

* flake8 and Performance tests

* Fix UTs

* Fix UTs

* Fix UTs

* CR Fix

* Fix UTs

* CR fixes

* Add UTs

* Nicer code

* feat(secrets): log and filter potential uuid case (#4486)

* log and filter potential uuid case

* fix mypy issue

---------

Co-authored-by: Max Amelchenko <mamelchenko@paloaltonetworks.com>

* Merge 558abf9fd8722de1ac5c321d7d5506181e02b3d5 into 78e10c02945bc564c8e909d7a5cb14af1baa045f

* feat(terraform): Assign/override main vertices by the first new vertex. (#4493)

* Assign/override main vertices by the first new vertex.

* CR fix, flake8 fix

* CR fix

* feat(terraform): Assign/override main vertices by the first new vertex. (#4493)

* Assign/override main vertices by the first new vertex.

* CR fix, flake8 fix

* CR fix

* fix(terraform): Handle type error in `_handle_for_loop_in_dict` (#4495)

Handle type error in _handle_for_loop_in_dict

* Merge d8885a63ac1fe5c446be218c16ecd749ea3e0f96 into 9af68bf90c1533cde2cf060513a185915417a630

* fix(terraform): skip loading module that calls to the same dir (#4499)

skip loading module that calls to the same dir

* fix(terraform): skip loading module that calls to the same dir (#4499)

skip loading module that calls to the same dir

* fix(terraform): Handle KeyError in hadle_for_loop func (#4501)

Update evaluate_terraform.py

* fix(terraform): Handle KeyError in hadle_for_loop func (#4501)

Update evaluate_terraform.py

* platform(general): Use new enforcement categories (#4456)

* fetch new enforcement rule categories

* pick correct enforcement rule for SCA checks

* handle two enforcement categories for SCA runners

* add sca exit code tests

* exclude local test outputs

* add new enforcement rule tests for SCA

* change CodeCategoryType to enum

* fix some types

* fix tests

* linting and type checking

* mypy is not fly

* mypy will not defeat me

* OR WILL IT

* fix mypy

* fix mypy

* improve comments for SCA threshold logic

* fix test and adjust typing

* fix linting

---------

Co-authored-by: gruebel <anton.gruebel@gmail.com>

* platform(general): Use new enforcement categories (#4456)

* fetch new enforcement rule categories

* pick correct enforcement rule for SCA checks

* handle two enforcement categories for SCA runners

* add sca exit code tests

* exclude local test outputs

* add new enforcement rule tests for SCA

* change CodeCategoryType to enum

* fix some types

* fix tests

* linting and type checking

* mypy is not fly

* mypy will not defeat me

* OR WILL IT

* fix mypy

* fix mypy

* improve comments for SCA threshold logic

* fix test and adjust typing

* fix linting

---------

Co-authored-by: gruebel <anton.gruebel@gmail.com>

* chore: update release notes

* fix(terraform): Fix an str split edge case in function (#4507)

* Fix str split edge case

* CR Fix

* fix(terraform): Fix an str split edge case in function (#4507)

* Fix str split edge case

* CR Fix

* feat(sca): add registry urls and description to the output report and to the csv report (#4485)

* adding to the report the registry

* adding the registry in the csv report

* fix tests

* add description to the report

* add description to the report

* fix bug

* fix bug

* display registry only in case it exists

* fix tests

* using env variable

* using env variable

* fix tests

* adjust tests

* rename

* adjust test

---------

Co-authored-by: ipeleg <ipeleg@paloaltonetworks.com>

* feat(sca): add registry urls and description to the output report and to the csv report (#4485)

* adding to the report the registry

* adding the registry in the csv report

* fix tests

* add description to the report

* add description to the report

* fix bug

* fix bug

* display registry only in case it exists

* fix tests

* using env variable

* using env variable

* fix tests

* adjust tests

* rename

* adjust test

---------

Co-authored-by: ipeleg <ipeleg@paloaltonetworks.com>

* fix(ansible): skip unsupported Ansible resources (#4504)

* skip unsupported Ansible resources

* change logic

* fix(ansible): skip unsupported Ansible resources (#4504)

* skip unsupported Ansible resources

* change logic

* fix(terraform): fix enforcement rules mapping (#4509)

Revert "platform(general): Use new enforcement categories (#4456)"

This reverts commit b7f05bb643c75883401e2030b154e5b0e922ed8c.

Co-authored-by: Saar Ettinger <Saarett@users.noreply.github.com>

* fix(terraform): fix enforcement rules mapping (#4509)

Revert "platform(general): Use new enforcement categories (#4456)"

This reverts commit b7f05bb643c75883401e2030b154e5b0e922ed8c.

Co-authored-by: Saar Ettinger <Saarett@users.noreply.github.com>

* chore: update release notes

* feat(sca): adding registry-url to the cyclonedx output report (#4511)

* add registry url to the cyclonedx

* add registry url to the cyclonedx

---------

Co-authored-by: ipeleg <ipeleg@paloaltonetworks.com>

* Merge de3c592e5147167f31e8b032da9816b928c27bb1 into 5cd79904b8bce211b1562b6cbe0f9c58ae3277c8

* feat(terraform): Adding yaml based build time policies for corresponding PC run time policies (#4425)

* adding 2 YAML policies - S3 & Neptune security config

* adding 2 YAML policies

* adding 2 YAML policies

* adding 2 YAML policies

* added 2 YAML policies

* updated the pass and fail cases

* Updated terraform pass and fail cases

* Deleted - AWS S3 global ACL view check

* added policy "Ensure Elastic Search has dedicated master node enabled"

CKV2_AWS_59: Ensure Elastic Search has dedicated master node enabled

* added policy "CKV2_AWS_60: Ensure RDS instance with copy tags to snapshots is enabled"

Ensure RDS instance with copy tags to snapshots is enabled

* [New Policy]: CKV2_AZURE_23: Ensure Azure spring cloud is configured with Virtual network (Vnet)

CKV2_AZURE_23: Ensure Azure spring cloud is configured with Virtual network (Vnet)

* [2 new Policies]: CKV2_AZURE_24, CKV2_AZURE_25

CKV2_AZURE_24: Ensure Azure automation account is NOT overly permissive

CKV2_AZURE_25: Ensure Azure SQL database Transparent Data Encryption (TDE) is enabled

* Update checkov/terraform/checks/graph_checks/aws/ElasticSearchDedicatedMasterEnabled.yaml

Added opensearch check capability

Co-authored-by: Anton Grübel <anton.gruebel@gmail.com>

* Modified CKV2_AWS_59: Ensure ElasticSearch/OpenSearch has dedicated master node enabled

* Renamed/Modified CKV2_AZURE_24: Ensure Azure automation account does NOT have overly permissive network access

* Renamed/Modified CKV2_AZURE_24: Ensure Azure automation account does NOT have overly permissive network access

* Modified CKV2_AZURE_23: Ensure Azure spring cloud is configured with Virtual network (Vnet)

* CKV2_AZURE_25: Ensure Azure SQL database Transparent Data Encryption (TDE) is enabled

---------

Co-authored-by: Anton Grübel <anton.gruebel@gmail.com>

* feat(terraform): Adding yaml based build time policies for corresponding PC run time policies (#4425)

* adding 2 YAML policies - S3 & Neptune security config

* adding 2 YAML policies

* adding 2 YAML policies

* adding 2 YAML policies

* added 2 YAML policies

* updated the pass and fail cases

* Updated terraform pass and fail cases

* Deleted - AWS S3 global ACL view check

* added policy "Ensure Elastic Search has dedicated master node enabled"

CKV2_AWS_59: Ensure Elastic Search has dedicated master node enabled

* added policy "CKV2_AWS_60: Ensure RDS instance with copy tags to snapshots is enabled"

Ensure RDS instance with copy tags to snapshots is enabled

* [New Policy]: CKV2_AZURE_23: Ensure Azure spring cloud is configured with Virtual network (Vnet)

CKV2_AZURE_23: Ensure Azure spring cloud is configured with Virtual network (Vnet)

* [2 new Policies]: CKV2_AZURE_24, CKV2_AZURE_25

CKV2_AZURE_24: Ensure Azure automation account is NOT overly permissive

CKV2_AZURE_25: Ensure Azure SQL database Transparent Data Encryption (TDE) is enabled

* Update checkov/terraform/checks/graph_checks/aws/ElasticSearchDedicatedMasterEnabled.yaml

Added opensearch check capability

Co-authored-by: Anton Grübel <anton.gruebel@gmail.com>

* Modified CKV2_AWS_59: Ensure ElasticSearch/OpenSearch has dedicated master node enabled

* Renamed/Modified CKV2_AZURE_24: Ensure Azure automation account does NOT have overly permissive network access

* Renamed/Modified CKV2_AZURE_24: Ensure Azure automation account does NOT have overly permissive network access

* Modified CKV2_AZURE_23: Ensure Azure spring cloud is configured with Virtual network (Vnet)

* CKV2_AZURE_25: Ensure Azure SQL database Transparent Data Encryption (TDE) is enabled

---------

Co-authored-by: Anton Grübel <anton.gruebel@gmail.com>

* feat(terraform): Adding yaml based build time policies for corresponding PC run time policies (#4425)

* adding 2 YAML policies - S3 & Neptune security config

* adding 2 YAML policies

* adding 2 YAML policies

* adding 2 YAML policies

* added 2 YAML policies

* updated the pass and fail cases

* Updated terraform pass and fail cases

* Deleted - AWS S3 global ACL view check

* added policy "Ensure Elastic Search has dedicated master node enabled"

CKV2_AWS_59: Ensure Elastic Search has dedicated master node enabled

* added policy "CKV2_AWS_60: Ensure RDS instance with copy tags to snapshots is enabled"

Ensure RDS instance with copy tags to snapshots is enabled

* [New Policy]: CKV2_AZURE_23: Ensure Azure spring cloud is configured with Virtual network (Vnet)

CKV2_AZURE_23: Ensure Azure spring cloud is configured with Virtual network (Vnet)

* [2 new Policies]: CKV2_AZURE_24, CKV2_AZURE_25

CKV2_AZURE_24: Ensure Azure automation account is NOT overly permissive

CKV2_AZURE_25: Ensure Azure SQL database Transparent Data Encryption (TDE) is enabled

* Update checkov/terraform/checks/graph_checks/aws/ElasticSearchDedicatedMasterEnabled.yaml

Added opensearch check capability

Co-authored-by: Anton Grübel <anton.gruebel@gmail.com>

* Modified CKV2_AWS_59: Ensure ElasticSearch/OpenSearch has dedicated master node enabled

* Renamed/Modified CKV2_AZURE_24: Ensure Azure automation account does NOT have overly permissive network access

* Renamed/Modified CKV2_AZURE_24: Ensure Azure automation account does NOT have overly permissive network access

* Modified CKV2_AZURE_23: Ensure Azure spring cloud is configured with Virtual network (Vnet)

* CKV2_AZURE_25: Ensure Azure SQL database Transparent Data Encryption (TDE) is enabled

---------

Co-authored-by: Anton Grübel <anton.gruebel@gmail.com>

* feat(secrets): Add capability to iterate over git history (#4469)

* add _scan_history

* Add_capability_to_iterate_over_Git_history

* .

* add ut

* add ut

* fix lint

* .

* add mock for UT

* create scan_git_history.py

* .

* .

* .

* .

* .

* .

* .

* .

* .

* .

* update Pipfile.lock

* .

* .

* .

* .

* .

* .

* .

* .

* .

* .

* .

* split the scan_history to be able to create mock

* split the scan_history to be able to create mock

* .

* .

* .

* .

---------

Co-authored-by: gruebel <anton.gruebel@gmail.com>

* feat(secrets): Add capability to iterate over git history (#4469)

* add _scan_history

* Add_capability_to_iterate_over_Git_history

* .

* add ut

* add ut

* fix lint

* .

* add mock for UT

* create scan_git_history.py

* .

* .

* .

* .

* .

* .

* .

* .

* .

* .

* update Pipfile.lock

* .

* .

* .

* .

* .

* .

* .

* .

* .

* .

* .

* split the scan_history to be able to create mock

* split the scan_history to be able to create mock

* .

* .

* .

* .

---------

Co-authored-by: gruebel <anton.gruebel@gmail.com>

* fix(secrets): import git (#4514)

* add try except to the import

* add try except to the import

* add os.environ["GIT_PYTHON_REFRESH"] = "quiet"

* fix(secrets): import git (#4514)

* add try except to the import

* add try except to the import

* add os.environ["GIT_PYTHON_REFRESH"] = "quiet"

* chore: update release notes

* fix(gha): now looks for GHA on windows (#4515)

* looks for GHA in windows

* looks for GHA in windows

* Update utils.py

* Update checkov/github_actions/utils.py

Co-authored-by: Anton Grübel <anton.gruebel@gmail.com>

---------

Co-authored-by: Anton Grübel <anton.gruebel@gmail.com>

* feat(ansible): Add checks for the ansible builtin apt module (#4500)

* Add checks for the ansible builtin apt module

* Update wording on CKV_ANSIBLE_6

* fix(gha): now looks for GHA on windows (#4515)

* looks for GHA in windows

* looks for GHA in windows

* Update utils.py

* Update checkov/github_actions/utils.py

Co-authored-by: Anton Grübel <anton.gruebel@gmail.com>

---------

Co-authored-by: Anton Grübel <anton.gruebel@gmail.com>

* feat(ansible): Add checks for the ansible builtin apt module (#4500)

* Add checks for the ansible builtin apt module

* Update wording on CKV_ANSIBLE_6

* chore: update release notes

* feat(secrets): add flag for scan secrets history (#4513)

* feat(secrets): add flag for scan secrets history (#4513)

* platform(general): Use new enforcement categories (#4456) (#4519)

* fetch new enforcement rule categories

* pick correct enforcement rule for SCA checks

* handle two enforcement categories for SCA runners

* add sca exit code tests

* exclude local test outputs

* add new enforcement rule tests for SCA

* change CodeCategoryType to enum

* fix some types

* fix tests

* linting and type checking

* mypy is not fly

* mypy will not defeat me

* OR WILL IT

* fix mypy

* fix mypy

* improve comments for SCA threshold logic

* fix test and adjust typing

* fix linting

---------

Co-authored-by: Mike Urbanski <murbanski@paloaltonetworks.com>
Co-authored-by: gruebel <anton.gruebel@gmail.com>

* chore(general): Added forbidden error for visibility (#4521)

* Added forbidden message for visibility

* Fix lint

* chore(general): Added forbidden error for visibility (#4521)

* Added forbidden message for visibility

* Fix lint

* feat(terraform): Used parentheses in key for foreach attributes but not count (#4520)

Used parentheses in key for foreach attributes but not count

* chore(general): Added forbidden error for visibility (#4521)

* Added forbidden message for visibility

* Fix lint

* fix(terraform): add datasource option for headers check (#4496)

add datasource option

* fix(terraform): optimize check CKV2_AWS_60 (#4512)

* adding 2 YAML policies - S3 & Neptune security config

* adding 2 YAML policies

* adding 2 YAML policies

* adding 2 YAML policies

* added 2 YAML policies

* updated the pass and fail cases

* Updated terraform pass and fail cases

* Deleted - AWS S3 global ACL view check

* added policy "Ensure Elastic Search has dedicated master node enabled"

CKV2_AWS_59: Ensure Elastic Search has dedicated master node enabled

* added policy "CKV2_AWS_60: Ensure RDS instance with copy tags to snapshots is enabled"

Ensure RDS instance with copy tags to snapshots is enabled

* [New Policy]: CKV2_AZURE_23: Ensure Azure spring cloud is configured with Virtual network (Vnet)

CKV2_AZURE_23: Ensure Azure spring cloud is configured with Virtual network (Vnet)

* [2 new Policies]: CKV2_AZURE_24, CKV2_AZURE_25

CKV2_AZURE_24: Ensure Azure automation account is NOT overly permissive

CKV2_AZURE_25: Ensure Azure SQL database Transparent Data Encryption (TDE) is enabled

* Update checkov/terraform/checks/graph_checks/aws/ElasticSearchDedicatedMasterEnabled.yaml

Added opensearch check capability

Co-authored-by: Anton Grübel <anton.gruebel@gmail.com>

* Modified CKV2_AWS_59: Ensure ElasticSearch/OpenSearch has dedicated master node enabled

* Renamed/Modified CKV2_AZURE_24: Ensure Azure automation account does NOT have overly permissive network access

* Renamed/Modified CKV2_AZURE_24: Ensure Azure automation account does NOT have overly permissive network access

* Modified CKV2_AZURE_23: Ensure Azure spring cloud is configured with Virtual network (Vnet)

* CKV2_AZURE_25: Ensure Azure SQL database Transparent Data Encryption (TDE) is enabled

* Modified CKV2_AWS_60: Ensure RDS instance with copy tags to snapshots is enabled

* Added 5 YAML policies

* Modified CKV2_AWS_60: Ensure RDS instance with copy tags to snapshots is enabled

---------

Co-authored-by: Anton Grübel <anton.gruebel@gmail.com>

* fix(terraform): optimize check CKV2_AWS_60 (#4512)

* adding 2 YAML policies - S3 & Neptune security config

* adding 2 YAML policies

* adding 2 YAML policies

* adding 2 YAML policies

* added 2 YAML policies

* updated the pass and fail cases

* Updated terraform pass and fail cases

* Deleted - AWS S3 global ACL view check

* added policy "Ensure Elastic Search has dedicated master node enabled"

CKV2_AWS_59: Ensure Elastic Search has dedicated master node enabled

* added policy "CKV2_AWS_60: Ensure RDS instance with copy tags to snapshots is enabled"

Ensure RDS instance with copy tags to snapshots is enabled

* [New Policy]: CKV2_AZURE_23: Ensure Azure spring cloud is configured with Virtual network (Vnet)

CKV2_AZURE_23: Ensure Azure spring cloud is configured with Virtual network (Vnet)

* [2 new Policies]: CKV2_AZURE_24, CKV2_AZURE_25

CKV2_AZURE_24: Ensure Azure automation account is NOT overly permissive

CKV2_AZURE_25: Ensure Azure SQL database Transparent Data Encryption (TDE) is enabled

* Update checkov/terraform/checks/graph_checks/aws/ElasticSearchDedicatedMasterEnabled.yaml

Added opensearch check capability

Co-authored-by: Anton Grübel <anton.gruebel@gmail.com>

* Modified CKV2_AWS_59: Ensure ElasticSearch/OpenSearch has dedicated master node enabled

* Renamed/Modified CKV2_AZURE_24: Ensure Azure automation account does NOT have overly permissive network access

* Renamed/Modified CKV2_AZURE_24: Ensure Azure automation account does NOT have overly permissive network access

* Modified CKV2_AZURE_23: Ensure Azure spring cloud is configured with Virtual network (Vnet)

* CKV2_AZURE_25: Ensure Azure SQL database Transparent Data Encryption (TDE) is enabled

* Modified CKV2_AWS_60: Ensure RDS instance with copy tags to snapshots is enabled

* Added 5 YAML policies

* Modified CKV2_AWS_60: Ensure RDS instance with copy tags to snapshots is enabled

---------

Co-authored-by: Anton Grübel <anton.gruebel@gmail.com>

* fix(gha): fix output flag for usage in checkov-action (#4517)

fix output flag for usage in checkov-action

* fix(gha): fix output flag for usage in checkov-action (#4517)

fix output flag for usage in checkov-action

* chore: update release notes

* chore: bump mikepenz/release-changelog-builder-action from 3.6.0 to 3.6.1 (#4527)

chore: bump mikepenz/release-changelog-builder-action

Bumps [mikepenz/release-changelog-builder-action](https://github.com/mikepenz/release-changelog-builder-action) from 3.6.0 to 3.6.1.
- [Release notes](https://github.com/mikepenz/release-changelog-builder-action/releases)
- [Commits](https://github.com/mikepenz/release-changelog-builder-action/compare/da6847f9fdcb3211124cd0c078c1d0359b103ee5...0c962418dfc901f7d3c249e58f7fcf73293d082e)

---
updated-dependencies:
- dependency-name: mikepenz/release-changelog-builder-action
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

* fix(cloudformation): Update CKV_AWS_46 to handle base64 encoded userdata (#4530)

* Update to handle base64encoded string

* Remove print statement from test

* Fix Linter

---------

Co-authored-by: Joseph de Clerck <clerckj@amazon.com>
Co-authored-by: Joseph de CLERCK <clerckj@amazon.fr>

* fix(cloudformation): Update CKV_AWS_46 to handle base64 encoded userdata (#4530)

* Update to handle base64encoded string

* Remove print statement from test

* Fix Linter

---------

Co-authored-by: Joseph de Clerck <clerckj@amazon.com>
Co-authored-by: Joseph de CLERCK <clerckj@amazon.fr>

* chore: update release notes

* feat(sca): adding is_registry_url and printing in the cyclonedx only private registries urls (#4533)

add is_registry_url and print in the cyclonedx only for private registry

Co-authored-by: ipeleg <ipeleg@paloaltonetworks.com>

* feat(sca): adding is_registry_url and printing in the cyclonedx only private registries urls (#4533)

add is_registry_url and print in the cyclonedx only for private registry

Co-authored-by: ipeleg <ipeleg@paloaltonetworks.com>

* feat(sca): support also the key "registryUrl" when extracting registry_url for the report (#4535)

support also registryUrl

Co-authored-by: ipeleg <ipeleg@paloaltonetworks.com>

* feat(sca): support also the key "registryUrl" when extracting registry_url for the report (#4535)

support also registryUrl

Co-authored-by: ipeleg <ipeleg@paloaltonetworks.com>

* feat(gitlab): fix gitlab ci yaml file processing (#4536)

fix gitlab ci yaml file processing

Co-authored-by: Max Amelchenko <mamelchenko@paloaltonetworks.com>

* feat(gitlab): fix gitlab ci yaml file processing (#4536)

fix gitlab ci yaml file processing

Co-authored-by: Max Amelchenko <mamelchenko@paloaltonetworks.com>

* fix(terraform): Optional module content path (#4537)

fix optional igraph module content path

* fix(terraform): Optional module content path (#4537)

fix optional igraph module content path

* chore: update release notes

* feat(secrets): add timeout for scan history checks (#4523)

* feat(secrets): add timeout for scan history checks (#4523)

* feat(secrets): Support secret findings in git history (#4525)

* add _scan_history

* Add_capability_to_iterate_over_Git_history

* .

* add ut

* add ut

* fix lint

* .

* add mock for UT

* create scan_git_history.py

* .

* .

* .

* .

* .

* .

* .

* .

* .

* .

* todo

* add added_commit_hash/removed_commit_hash

* fix lint

* fix lint

* update

* add merge between added and removed secret

* add merge between added and removed secret

* .

* .

* .

* .

* SECRET_NOT_BEEN_REMOVED

* SECRET_NOT_BEEN_REMOVED

* SECRET_NOT_BEEN_REMOVED

* SECRET_NOT_BEEN_REMOVED

* add more test

* add more tests

* add rewrite of enable_git_history_secret_scan

* add rewrite of enable_git_history_secret_scan

* add rewrite of enable_git_history_secret_scan

* add rewrite of enable_git_history_secret_scan

* fix comments

* fix comments

* ץ

* merge main

* merge main

* merge main

* merge main

* merge main

* feat(secrets): Support secret findings in git history (#4525)

* add _scan_history

* Add_capability_to_iterate_over_Git_history

* .

* add ut

* add ut

* fix lint

* .

* add mock for UT

* crete scan_git_history.py

* .

* .

* .

* .

* .

* .

* .

* .

* .

* .

* todo

* add added_commit_hash/removed_commit_hash

* fix lint

* fix lint

* update

* add merge between added and removed secret

* add merge between added and removed secret

* .

* .

* .

* .

* SECRET_NOT_BEEN_REMOVED

* SECRET_NOT_BEEN_REMOVED

* SECRET_NOT_BEEN_REMOVED

* SECRET_NOT_BEEN_REMOVED

* add more test

* add more tests

* add rewrite of enable_git_history_secret_scan

* add rewrite of enable_git_history_secret_scan

* add rewrite of enable_git_history_secret_scan

* add rewrite of enable_git_history_secret_scan

* fix comments

* fix comments

* ץ

* merge main

* merge main

* merge main

* merge main

* merge main

* feat(arm): add graph capabilities to ARM framework (#4526)

* add graph capabilities to ARM framework

* fix UTF-16 issue

* Apply suggestions from code review

Co-authored-by: YaaraVerner <86768411+YaaraVerner@users.noreply.github.com>
Co-authored-by: Rotem Avni <52502521+rotemavni@users.noreply.github.com>

* fix PR comments

---------

Co-authored-by: YaaraVerner <86768411+YaaraVerner@users.noreply.github.com>
Co-authored-by: Rotem Avni <52502521+rotemavni@users.noreply.github.com>

* Merge a72a3fef9f4310a6f253db49b340d070be46c001 into e54e15f5f63e04793f0230b3bd0cb3d057765b09

* feat(arm): add graph capabilities to ARM framework (#4526)

* add graph capabilities to ARM framework

* fix UTF-16 issue

* Apply suggestions from code review

Co-authored-by: YaaraVerner <86768411+YaaraVerner@users.noreply.github.com>
Co-authored-by: Rotem Avni <52502521+rotemavni@users.noreply.github.com>

* fix PR comments

---------

Co-authored-by: YaaraVerner <86768411+YaaraVerner@users.noreply.github.com>
Co-authored-by: Rotem Avni <52502521+rotemavni@users.noreply.github.com>

* chore: update release notes

* feat(terraform): New classes for the TF module model (#4546)

* New classes for TF module model

* CR Fixes

* CR Fixes

* chore: remove unneeded version check (#4545)

remove unneeded version check

* chore: remove unneeded version check (#4545)

remove unneeded version check

* fix(gha): Align GHA resource ids (Graph vs Python checks) (#4549)

* Align gha resource ids

* align steps resource ids

* roll back unnecessary change

* fix signatures of get resource (mypy)

* flake8

---------

Co-authored-by: Eliran Turgeman <elturgeman@paloaltonetworks.com>

* fix(gha): Align GHA resource ids (Graph vs Python checks) (#4549)

* Align gha resource ids

* align steps resource ids

* roll back unnecessary change

* fix signatures of get resource (mypy)

* flake8

---------

Co-authored-by: Eliran Turgeman <elturgeman@paloaltonetworks.com>

* feat(dockerfile): Add checks for disabling signature checks for apk, apt-get, rpm, yum, dnf (#4404)

* apk --allow-untrusted

* apt-get --allow-unauthenticated

* rpm/dnf/yum --nogpgcheck

* rpm --nosignature --nodigest --noverify

* Add --force-yes to apt-get --allow-unauthenticated check

* Changes for rpm options

* Add detail to names of CKV2_DOCKER_7 CKV2_DOCKER_8 CKV2_DOCKER_9 CKV2_DOCKER_10

* Split out the --force-yes check into CKV2_DOCKER_11

---------

Co-authored-by: Anton Grübel <anton.gruebel@gmail.com>

* Merge ddd30ed3374d62778082f2f5c87df74fcfbb9e1c into d7c2e118c0ce5793595096644b4ea0bb117665ea

* feat(dockerfile): Add checks for disabling signature checks for apk, apt-get, rpm, yum, dnf (#4404)

* apk --allow-untrusted

* apt-get --allow-unauthenticated

* rpm/dnf/yum --nogpgcheck

* rpm --nosignature --nodigest --noverify

* Add --force-yes to apt-get --allow-unauthenticated check

* Changes for rpm options

* Add detail to names of CKV2_DOCKER_7 CKV2_DOCKER_8 CKV2_DOCKER_9 CKV2_DOCKER_10

* Split out the --force-yes check into CKV2_DOCKER_11

---------

Co-authored-by: Anton Grübel <anton.gruebel@gmail.com>

* chore: update release notes

* feat(terraform): TF Parser - Move funcs and consts to utils file (#4550)

* Move funcs and consts to utils file

* Move static funcs to utils file p1

* Lint fix

* modules to package

* Move static funcs to utils file p2

* Fix UTs

* Small update

* Fix a wrong import

* feat(terraform): TF Parser - Move funcs and consts to utils file (#4550)

* Move funcs and consts to utils file

* Move static funcs to utils file p1

* Lint fix

* modules to package

* Move static funcs to utils file p2

* Fix UTs

* Small update

* Fix a wrong import

* fix(terraform): Move get_module back to parser (#4560)

* Move get_module back to parser

* Move get_module back to parser

* Remove import

* fix(terraform): Move get_module back to parser (#4560)

* Move get_module back to parser

* Move get_module back to parser

* Remove import

* fix(terraform): fix for #4518 (#4528)

* fix for #4518

* dogfood tests

* dogfood tests

* confirm object is a dict

* Update checkov/terraform/checks/resource/aws/AbsNACLUnrestrictedIngress.py

Co-authored-by: Anton Grübel <anton.gruebel@gmail.com>

* Update checkov/terraform/checks/resource/aws/AbsNACLUnrestrictedIngress.py

Co-authored-by: Anton Grübel <anton.gruebel@gmail.com>

---------

Co-authored-by: Anton Grübel <anton.gruebel@gmail.com>

* feat(dockerfile): Add check for the environment variable NPM_CONFIG_STRICT_SSL (#4553)

Add check for the env var NPM_CONFIG_STRICT_SSL

* fix(terraform): fix for #4518 (#4528)

* fix for #4518

* dogfood tests

* dogfood tests

* confirm object is a dict

* Update checkov/terraform/checks/resource/aws/AbsNACLUnrestrictedIngress.py

Co-authored-by: Anton Grübel <anton.gruebel@gmail.com>

* Update checkov/terraform/checks/resource/aws/AbsNACLUnrestrictedIngress.py

Co-authored-by: Anton Grübel <anton.gruebel@gmail.com>

---------

Co-authored-by: Anton Grübel <anton.gruebel@gmail.com>

* feat(dockerfile): Add check for the environment variable NPM_CONFIG_STRICT_SSL (#4553)

Add check for the env var NPM_CONFIG_STRICT_SSL

* fix(terraform_plan): Fix tf plan nested modules (#4562)

* fix tf plan same resource type with modules

* ANOTHER FIX

* add test

* lint

* pr comments

* fix(terraform_plan): Fix tf plan nested modules (#4562)

* fix tf plan same resource type with modules

* ANOTHER FIX

* add test

* lint

* pr comments

* fix(terraform): remove dynamic warning exc_info (#4563)

* remove exc_info and change to warning

* fix lint

* change to info

* fix(terraform): remove dynamic warning exc_info (#4563)

* remove exc_info and change to warning

* fix lint

* change to info

* chore: update release notes

* fix(ansible): support skip check for Ansible Python-based checks (#4556)

* support skip check for Ansible Python-based checks

* fix tests

* fix(ansible): support skip check for Ansible Python-based checks (#4556)

* support skip check for Ansible Python-based checks

* fix tests

* chore: bump mikepenz/release-changelog-builder-action from 3.6.1 to 3.7.0 (#4572)

chore: bump mikepenz/release-changelog-builder-action

Bumps [mikepenz/release-changelog-builder-action](https://github.com/mikepenz/release-changelog-builder-action) from 3.6.1 to 3.7.0.
- [Release notes](https://github.com/mikepenz/release-changelog-builder-action/releases)
- [Commits](https://github.com/mikepenz/release-changelog-builder-action/compare/0c962418dfc901f7d3c249e58f7fcf73293d082e...c73ff7421c59fa0d090dcfe62e24a758977c699d)

---
updated-dependencies:
- dependency-name: mikepenz/release-changelog-builder-action
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

* chore: bump github/codeql-action from 2.2.4 to 2.2.5 (#4571)

Bumps [github/codeql-action](https://github.com/github/codeql-action) from 2.2.4 to 2.2.5.
- [Release notes](https://github.com/github/codeql-action/releases)
- [Changelog](https://github.com/github/codeql-action/blob/main/CHANGELOG.md)
- [Commits](https://github.com/github/codeql-action/compare/17573ee1cc1b9d061760f3a006fc4aac4f944fd5...32dc499307d133bb5085bae78498c0ac2cf762d5)

---
updated-dependencies:
- dependency-name: github/codeql-action
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

* chore: add warning when using severity filter without API key (#4568)

add warning when using severity filter without API key

* chore: update bc-detect-secrets version to 1.4.13 (#4561)

update bc-detect-secrets version

Co-authored-by: Eliran-Turgeman <Eliran-Turgeman@users.noreply.github.com>

* feat(secrets): track complete file deletion and renaming (#4551)

* Track complete file deletion

* Track complete file renaming

* Track complete file renaming

* Track complete file renaming

* Track complete file renaming

* update bc-detect-secrets

* add class

* add class

* .

* .

* merge main

* feat(secrets): track complete file deletion and renaming (#4551)

* Track complete file deletion

* Track complete file renaming

* Track complete file renaming

* Track complete file renaming

* Track complete file renaming

* update bc-detect-secrets

* add class

* add class

* .

* .

* merge main

* fix(terraform): Handle unescaped lookup values (#4565)

* set escape_unrendered

* implement _find_new_value_for_interpolation and added tests

* fixed condition

* delete commented test

* extracted method _string_changed_except_interpolation

* fix(terraform): Handle unescaped lookup values (#4565)

* set escape_unrendered

* implement _find_new_value_for_interpolation and added tests

* fixed condition

* delete commented test

* extracted method _string_changed_except_interpolation

* feat(terraform): Adding yaml based build time policies for corresponding PC runtime policies (#4529)

* adding 2 YAML policies - S3 & Neptune security config

* adding 2 YAML policies

* adding 2 YAML policies

* adding 2 YAML policies

* added 2 YAML policies

* updated the pass and fail cases

* Updated terraform pass and fail cases

* Deleted - AWS S3 global ACL view check

* added policy "Ensure Elastic Search has dedicated master node enabled"

CKV2_AWS_59: Ensure Elastic Search has dedicated master node enabled

* added policy "CKV2_AWS_60: Ensure RDS instance with copy tags to snapshots is enabled"

Ensure RDS instance with copy tags to snapshots is enabled

* [New Policy]: CKV2_AZURE_23: Ensure Azure spring cloud is configured with Virtual network (Vnet)

CKV2_AZURE_23: Ensure Azure spring cloud is configured with Virtual network (Vnet)

* [2 new Policies]: CKV2_AZURE_24, CKV2_AZURE_25

CKV2_AZURE_24: Ensure Azure automation account is NOT overly permissive

CKV2_AZURE_25: Ensure Azure SQL database Transparent Data Encryption (TDE) is enabled

* Update checkov/terraform/checks/graph_checks/aws/ElasticSearchDedicatedMasterEnabled.yaml

Added opensearch check capability

Co-authored-by: Anton Grübel <anton.gruebel@gmail.com>

* Modified CKV2_AWS_59: Ensure ElasticSearch/OpenSearch has dedicated master node enabled

* Renamed/Modified CKV2_AZURE_24: Ensure Azure automation account does NOT have overly permissive network access

* Renamed/Modified CKV2_AZURE_24: Ensure Azure automation account does NOT have overly permissive network access

* Modified CKV2_AZURE_23: Ensure Azure spring cloud is configured with Virtual network (Vnet)

* CKV2_AZURE_25: Ensure Azure SQL database Transparent Data Encryption (TDE) is enabled

* Modified CKV2_AWS_60: Ensure RDS instance with copy tags to snapshots is enabled

* Added 5 YAML policies

* Deleted GCP SQL network based policy

* Modified main.tf of GCPMySQLdbInstanceBinaryLogsConfigIsEnabled

* Optimised policy: AzurePostgreSQLFlexServerNotOverlyPermissive and modified name of other policy (GCPMySQLdbInstancePoint_In_TimeRecoveryBackupIsEnabled)

* Optimised and modified policy: GCPMySQLdbInstancePoint_In_TimeRecoveryBackupIsEnabled

* Optimised GCPdisableAlphaClusterFeatureInKubernetesEngineClusters policy

* Updated 'test_yaml_policies.py' with new policies

* Updated 'test_yaml_policies.py' with new policies

* Optimised terraform checks for GCPMySQLdbInstancePoint_In_TimeRecoveryBackupIsEnabled

---------

Co-authored-by: Anton Grübel <anton.gruebel@gmail.com>

* feat(terraform): Adding yaml based build time policies for corresponding PC runtime policies (#4529)

* adding 2 YAML policies - S3 & Neptune security config

* adding 2 YAML policies

* adding 2 YAML policies

* adding 2 YAML policies

* added 2 YAML policies

* updated the pass and fail cases

* Updated terraform pass and fail cases

* Deleted - AWS S3 global ACL view check

* added policy "Ensure Elastic Search has dedicated master node enabled"

CKV2_AWS_59: Ensure Elastic Search has dedicated master node enabled

* added policy "CKV2_AWS_60: Ensure RDS instance with copy tags to snapshots is enabled"

Ensure RDS instance with copy tags to snapshots is enabled

* [New Policy]: CKV2_AZURE_23: Ensure Azure spring cloud is configured with Virtual network (Vnet)

CKV2_AZURE_23: Ensure Azure spring cloud is configured with Virtual network (Vnet)

* [2 new Policies]: CKV2_AZURE_24, CKV2_AZURE_25

CKV2_AZURE_24: Ensure Azure automation account is NOT overly permissive

CKV2_AZURE_25: Ensure Azure SQL database Transparent Data Encryption (TDE) is enabled

* Update checkov/terraform/checks/graph_checks/aws/ElasticSearchDedicatedMasterEnabled.yaml

Added opensearch check capability

Co-authored-by: Anton Grübel <anton.gruebel@gmail.com>

* Modified CKV2_AWS_59: Ensure ElasticSearch/OpenSearch has dedicated master node enabled

* Renamed/Modified CKV2_AZURE_24: Ensure Azure automation account does NOT have overly permissive network access

* Renamed/Modified CKV2_AZURE_24: Ensure Azure automation account does NOT have overly permissive network access

* Modified CKV2_AZURE_23: Ensure Azure spring cloud is configured with Virtual network (Vnet)

* CKV2_AZURE_25: Ensure Azure SQL database Transparent Data Encryption (TDE) is enabled

* Modified CKV2_AWS_60: Ensure RDS instance with copy tags to snapshots is enabled

* Added 5 YAML policies

* Deleted GCP SQL network based policy

* Modified main.tf of GCPMySQLdbInstanceBinaryLogsConfigIsEnabled

* Optimised policy: AzurePostgreSQLFlexServerNotOverlyPermissive and modified name of other policy (GCPMySQLdbInstancePoint_In_TimeRecoveryBackupIsEnabled)

* Optimised and modified policy: GCPMySQLdbInstancePoint_In_TimeRecoveryBackupIsEnabled

* Optimised GCPdisableAlphaClusterFeatureInKubernetesEngineClusters policy

* Updated 'test_yaml_policies.py' with new policies

* Updated 'test_yaml_policies.py' with new policies

* Optimised terraform checks for GCPMySQLdbInstancePoint_In_TimeRecoveryBackupIsEnabled

---------

Co-authored-by: Anton Grübel <anton.gruebel@gmail.com>

3 participants