
fix(terraform): Unable to download Terraform modules from JFrog Artifactory #5155

Merged
merged 6 commits into from Jun 4, 2023

Conversation

apgrucza
Contributor

By submitting this pull request, I confirm that my contribution is made under the terms of the Apache 2.0 license.

Description

This change fixes a number of problems that prevent Checkov from successfully downloading Terraform modules from JFrog Artifactory. Each problem fixed is described in the commit history.

Fixes #5154

Checklist:

  • My code follows the style guidelines of this project
  • I have performed a self-review of my own code
  • I have commented my code, particularly in hard-to-understand areas
  • I have made corresponding changes to the documentation
  • I have added tests that prove my feature, policy, or fix is effective and works
  • New and existing tests pass locally with my changes
  • Any dependent changes have been merged and published in downstream modules

@apgrucza apgrucza changed the title fix: Unable to download Terraform modules from JFrog Artifactory fix(terraform): Unable to download Terraform modules from JFrog Artifactory May 31, 2023
@@ -42,7 +43,7 @@ def discover(self, module_params: ModuleParams) -> None:

def _is_matching_loader(self, module_params: ModuleParams) -> bool:
# https://developer.hashicorp.com/terraform/language/modules/sources#github
if module_params.module_source.startswith(("github.com", "bitbucket.org", "git::", "git@github.com")):
if module_params.module_source.startswith(("/", "github.com", "bitbucket.org", "git::", "git@github.com")):
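Review bot: adding "/" to the prefix tuple only short-circuits absolute local paths, while Terraform's own local-source syntax is "./" and "../"; unless module_source has already been made absolute before _is_matching_loader runs, a relative local module still falls through to the registry loader and emits the same "failed to load via RegistryLoader" warning this change is meant to silence. Consider `startswith(("./", "../", "/", "github.com", "bitbucket.org", "git::", "git@github.com"))`, and keep in mind that Windows absolute paths start with a drive letter rather than "/". The comment above the condition still points only at the GitHub source-type documentation; extend it to say that local paths are excluded here as well, so the next reader does not assume the "/" entry is a git-related prefix.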
Contributor Author

This change is just to prevent the below warning appearing unnecessarily for local modules when --download-external-modules is true.

Module {module_address} failed to load via <class 'checkov.terraform.module_loading.loaders.registry_loader.RegistryLoader'>

@gruebel gruebel left a comment

thanks for the contribution and also the explanation via commit messages 🥇

@kartikp10 kartikp10 self-requested a review June 1, 2023 21:53
@kartikp10
Contributor

Good work 🍻

@gruebel gruebel merged commit 70d4208 into bridgecrewio:main Jun 4, 2023
30 checks passed
gruebel pushed a commit to gruebel/checkov that referenced this pull request Jun 4, 2023
…actory (bridgecrewio#5155)

* Handle absolute Terraform module discovery URLs

* Fix double slash when joining Terraform module URL

* Ignore URL param in module archive extension check

* Support ZIP file format for registry modules

* Ignore local modules in Terraform registry loader

* Allow _get_archive_extension to return None
rotemavni added a commit to rotem-avni/checkov3 that referenced this pull request Jun 12, 2023

extend CKV2_AWS_5 with new resources

* feat(terraform): extend CKV2_AWS_5 with new resources (#5129)

extend CKV2_AWS_5 with new resources

* feat(terraform): extend CKV2_AWS_5 with new resources (#5129)

extend CKV2_AWS_5 with new resources

* chore: replace deepcopy with pickle (#4885)

* replace deepcopy with pickle

* fix test

* enable for_each handling by default

* replace all other deepcopy usage

* lower perf test thresholds and increase rounds

* rename function name

* chore: replace deepcopy with pickle (#4885)

* replace deepcopy with pickle

* fix test

* enable for_each handling by default

* replace all other deepcopy usage

* lower perf test thresholds and increase rounds

* rename function name

* chore: update release notes

* chore: disable checkov-secrets GHA job (#5138)

disable checkov-secrets GHA job

* fix(terraform): Should use UNKNOWN rather than skipped (#5136)

* Should use UNKNOWN rather than skipped

* Should use UNKNOWN rather than skipped

* Should use UNKNOWN rather than skipped

* Should use UNKNOWN rather than skipped

* fix(terraform): Should use UNKNOWN rather than skipped (#5136)

* Should use UNKNOWN rather than skipped

* Should use UNKNOWN rather than skipped

* Should use UNKNOWN rather than skipped

* Should use UNKNOWN rather than skipped

* feat(general): Added computation of git_root_path to igraph serialization (#5107)

* Added computation of git_root_path to igraph serialization based on nodes

* linters

* Changed git usage to find root path with os.path.abspath

* Matched graph json name to parameter

Co-authored-by: YaaraVerner <86768411+YaaraVerner@users.noreply.github.com>

* Made absolute_root_folder optional as it is only for cli runs

* Used '' instead of None as default value to make sure it is serializable

---------

Co-authored-by: Nimrod Kor <nimrodkor@gmail.com>
Co-authored-by: YaaraVerner <86768411+YaaraVerner@users.noreply.github.com>

* feat(terraform): foreach remove error from info log. (#5139)

Remove error from info log.

* feat(sca): adding validation for the file_line_number (#5132)

* add some validation for the file_line_range

* Update checkov/common/sca/commons.py

Co-authored-by: Anton Grübel <anton.gruebel@gmail.com>

* log instead of error

---------

Co-authored-by: ipeleg <ipeleg@paloaltonetworks.com>
Co-authored-by: Anton Grübel <anton.gruebel@gmail.com>

* feat(sca): adding validation for the file_line_number (#5132)

* add some validation for the file_line_range

* Update checkov/common/sca/commons.py

Co-authored-by: Anton Grübel <anton.gruebel@gmail.com>

* log instead of error

---------

Co-authored-by: ipeleg <ipeleg@paloaltonetworks.com>
Co-authored-by: Anton Grübel <anton.gruebel@gmail.com>

* chore: update release notes

* chore: bump github/codeql-action from 2.3.3 to 2.3.5 (#5142)

Bumps [github/codeql-action](https://github.com/github/codeql-action) from 2.3.3 to 2.3.5.
- [Release notes](https://github.com/github/codeql-action/releases)
- [Changelog](https://github.com/github/codeql-action/blob/main/CHANGELOG.md)
- [Commits](https://github.com/github/codeql-action/compare/29b1f65c5e92e24fe6b6647da1eaabe529cec70f...0225834cc549ee0ca93cb085b92954821a145866)

---
updated-dependencies:
- dependency-name: github/codeql-action
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

* chore: bump actions/setup-python from 4.6.0 to 4.6.1 (#5141)

Bumps [actions/setup-python](https://github.com/actions/setup-python) from 4.6.0 to 4.6.1.
- [Release notes](https://github.com/actions/setup-python/releases)
- [Commits](https://github.com/actions/setup-python/compare/57ded4d7d5e986d7296eab16560982c6dd7c923b...bd6b4b6205c4dbad673328db7b31b7fab9e241c0)

---
updated-dependencies:
- dependency-name: actions/setup-python
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

* feat(terraform): Foreach support resources edges (#5145)

* support create edge for foreach resources

* Trying

* Adding UT

* nicer

* CR Fix

* Update checkov/terraform/graph_builder/foreach/abstract_handler.py

Co-authored-by: Max Amelchenko <maxamel2002@gmail.com>

---------

Co-authored-by: Max Amelchenko <maxamel2002@gmail.com>

* feat(terraform): Foreach support resources edges (#5145)

* support create edge for foreach resources

* Trying

* Adding UT

* nicer

* CR Fix

* Update checkov/terraform/graph_builder/foreach/abstract_handler.py

Co-authored-by: Max Amelchenko <maxamel2002@gmail.com>

---------

Co-authored-by: Max Amelchenko <maxamel2002@gmail.com>

* chore: remove existing venv (#5144)

* remove existing venv

* remove existing venv

* fix(terraform): exclude unrestrictable actions in CKV_AWS_355 and CKV_AWS_356 (#5135)

* exclude unrestrictable actions in CKV_AWS_355 and CKV_AWS_356

* fix tests

* fix action namespace

Co-authored-by: lborloz <luke.borloz@gmail.com>

---------

Co-authored-by: lborloz <luke.borloz@gmail.com>

* feat(terraform): don't fail CKV_AWS_2 on un-rendered value (#5147)

* chore: fix IAM star test (#5149)

fix IAM star test

* chore: fix IAM star test for real (#5150)

fix IAM star test for real

* chore: fix IAM star test for real (#5150)

fix IAM star test for real

* chore: fix IAM star test for real (#5150)

fix IAM star test for real

* docs(general): Update operators with examples (#5137)

Update operators with examples

* chore: update bc-detect-secrets version to 1.4.29 (#5140)

update bc-detect-secrets version

Co-authored-by: maxamel <maxamel@users.noreply.github.com>

* chore: update bc-detect-secrets version to 1.4.29 (#5140)

update bc-detect-secrets version

Co-authored-by: maxamel <maxamel@users.noreply.github.com>

* chore: update release notes

* fix(kubernetes): fix extracting k8s nested resources (#5146)

* add kind and apiVersion to k8s nested resources in order to scan them

* update UT

* fix(kubernetes): fix extracting k8s nested resources (#5146)

* add kind and apiVersion to k8s nested resources in order to scan them

* update UT

* chore: remove redundant log (#5151)

* remove redundant log

* remove whitespace

---------

Co-authored-by: Max Amelchenko <mamelchenko@paloaltonetworks.com>

* chore: remove redundant log (#5151)

* remove redundant log

* remove whitespace

---------

Co-authored-by: Max Amelchenko <mamelchenko@paloaltonetworks.com>

* fix(sca): suppression is not working on SCA packages (#5156)

* suppression is not working

* lint

* change to snake case

---------

Co-authored-by: Adam Varsano <avarsano@paloaltonetworks.com>

* fix(sca): suppression - fix unit testing (#5158)

fix_unit_testing

Co-authored-by: Adam Varsano <avarsano@paloaltonetworks.com>

* fix(sca): suppression - fix unit testing (#5158)

fix_unit_testing

Co-authored-by: Adam Varsano <avarsano@paloaltonetworks.com>

* feat(terraform): Use just AWS regex to check EC2Credentials (#5159)

Use just AWS regex to check EC2Credentials

* chore: update release notes

* fix(general): fix SARIF output related to security-severity field (#5160)

fix SARIF output related to security-severity field

* fix(general): fix SARIF output related to security-severity field (#5160)

fix SARIF output related to security-severity field

* fix(cloudformation): fix evaluate_default_refs func in cfn (#5164)

fix evaluate_default_refs func in cfn

* fix(cloudformation): fix evaluate_default_refs func in cfn (#5164)

fix evaluate_default_refs func in cfn

* fix(terraform): update latest major version of Postgres to v15 (#5163)

* update latest major version of Postgres to v15

* update to latest stable major version of Postgres, v15

* feat(ansible): add support of inline suppression for Ansible graph checks (#5143)

* add support of inline suppression for Ansible graph checks

* fix linting

* fix line numbers

* fix(terraform): update latest major version of Postgres to v15 (#5163)

* update latest major version of Postgres to v15

* update to latest stable major version of Postgres, v15

* chore: enable secret scanning via checkov (#5152)

* enable secret scanning via checkov

* split security run to separate triggers

* fix test

* chore: enable secret scanning via checkov (#5152)

* enable secret scanning via checkov

* split security run to separate triggers

* fix test

* fix(terraform): adjust CKV_AWS_85 to only look for one log type to pass (#5162)

* adjust CKV_AWS_85 to only look for one log type to pass

* exclude test secrets

* fix(terraform): adjust CKV_AWS_85 to only look for one log type to pass (#5162)

* adjust CKV_AWS_85 to only look for one log type to pass

* exclude test secrets

* platform(general): Add no upload flag and report contributors for all API key runs (#5052)

* add skip results upload flag

* skip results upload with flag

* add integration tests for skip upload

* fix intg test

* update CLI command docs

* add default for .get(url)

* add positive use of report_has_url for validation

* remove source-based contributor metrics and use API key instead

* move integration test to proper place

* expect report path to not exist

* move integration test to proper place

* --amend

* remove unused test function

* upload contributors after saving results

* remove commented test code

* platform(general): Add no upload flag and report contributors for all API key runs (#5052)

* add skip results upload flag

* skip results upload with flag

* add integration tests for skip upload

* fix intg test

* update CLI command docs

* add default for .get(url)

* add positive use of report_has_url for validation

* remove source-based contributor metrics and use API key instead

* move integration test to proper place

* expect report path to not exist

* move integration test to proper place

* --amend

* remove unused test function

* upload contributors after saving results

* remove commented test code

* chore: update release notes

* feat(terraform): Ensure Azure firewall sets threatintelMode to Deny (#5013)

* Ensure Azure firewall sets threatintelMode to Deny

* Ensure Azure firewall sets threatintelMode to Deny

* annotations

* remove unneeded bicep check

---------

Co-authored-by: gruebel <anton.gruebel@gmail.com>

* feat(arm): ARM and bicep checks for CKV_AZURE_121 (#5029)

* ARM and bicep checks for CKV_AZURE_121

* Add annotations

* Add annotations

* remove unneeded bicep check

---------

Co-authored-by: gruebel <anton.gruebel@gmail.com>

* fix(terraform): Unable to download Terraform modules from JFrog Artifactory (#5155)

* Handle absolute Terraform module discovery URLs

* Fix double slash when joining Terraform module URL

* Ignore URL param in module archive extension check

* Support ZIP file format for registry modules

* Ignore local modules in Terraform registry loader

* Allow _get_archive_extension to return None

* feat(terraform): Ensure Azure firewall sets threatintelMode to Deny (#5013)

* Ensure Azure firewall sets threatintelMode to Deny

* Ensure Azure firewall sets threatintelMode to Deny

* annotations

* remove unneeded bicep check

---------

Co-authored-by: gruebel <anton.gruebel@gmail.com>

* fix(terraform): Unable to download Terraform modules from JFrog Artifactory (#5155)

* Handle absolute Terraform module discovery URLs

* Fix double slash when joining Terraform module URL

* Ignore URL param in module archive extension check

* Support ZIP file format for registry modules

* Ignore local modules in Terraform registry loader

* Allow _get_archive_extension to return None

* feat(terraform): Ensure Application Gateway defines secure SSL protocols CKV_AZURE_217, 218 (#5027)

* feat(terraform): Ensure Application Gateway defines secure SSL protocols and ciphers

* improve check logic

---------

Co-authored-by: gruebel <anton.gruebel@gmail.com>

* feat(terraform): Ensure firewall defines a policy (#5038)

* fix(dockerfile): support platform flag in CKV_DOCKER_11 (#5170)

support platform flag in CKV_DOCKER_11

* feat(terraform): Ensure Application Gateway defines secure SSL protocols CKV_AZURE_217, 218 (#5027)

* feat(terraform): Ensure Application Gateway defines secure SSL protocols and ciphers

* improve check logic

---------

Co-authored-by: gruebel <anton.gruebel@gmail.com>

* fix(dockerfile): support platform flag in CKV_DOCKER_11 (#5170)

support platform flag in CKV_DOCKER_11

* feat(terraform): Ensure Firewall policy has IDPS mode as deny (#5039)

* fix(terraform): support condition in IAM policy data blocks (#5171)

support condition in IAM policy data blocks

* feat(terraform): Ensure Firewall policy has IDPS mode as deny (#5039)

* fix(terraform): support condition in IAM policy data blocks (#5171)

support condition in IAM policy data blocks

* chore: update release notes

* fix(kubernetes): don't fail if spec is missing and default value is set to the fix value. (#5167)

* don't fail if spec is missing

* test

* fix tests

---------

Co-authored-by: Tal <Talz@talz.com>
Co-authored-by: gruebel <anton.gruebel@gmail.com>

* fix(kubernetes): don't fail if spec is missing and default value is set to the fix value. (#5167)

* don't fail if spec is missing

* test

* fix tests

---------

Co-authored-by: Tal <Talz@talz.com>
Co-authored-by: gruebel <anton.gruebel@gmail.com>

* chore: move GitHub pages flow to hosted runners (#5172)

move GitHub pages flow to hosted runners

* chore: bump github/codeql-action from 2.3.5 to 2.3.6 (#5176)

Bumps [github/codeql-action](https://github.com/github/codeql-action) from 2.3.5 to 2.3.6.
- [Release notes](https://github.com/github/codeql-action/releases)
- [Changelog](https://github.com/github/codeql-action/blob/main/CHANGELOG.md)
- [Commits](https://github.com/github/codeql-action/compare/0225834cc549ee0ca93cb085b92954821a145866...83f0fe6c4988d98a455712a27f0255212bba9bd4)

---
updated-dependencies:
- dependency-name: github/codeql-action
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

* chore: bump thehanimo/pr-title-checker from 1.3.7 to 1.4.0 (#5174)

Bumps [thehanimo/pr-title-checker](https://github.com/thehanimo/pr-title-checker) from 1.3.7 to 1.4.0.
- [Release notes](https://github.com/thehanimo/pr-title-checker/releases)
- [Commits](https://github.com/thehanimo/pr-title-checker/compare/cdafc664bf9b25678d4e6df76ff67b2fe21bb5d2...0cf5902181e78341bb97bb06646396e5bd354b3f)

---
updated-dependencies:
- dependency-name: thehanimo/pr-title-checker
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

* chore: bump stefanzweifel/changelog-updater-action from 1.7.0 to 1.8.0 (#5175)

Bumps [stefanzweifel/changelog-updater-action](https://github.com/stefanzweifel/changelog-updater-action) from 1.7.0 to 1.8.0.
- [Release notes](https://github.com/stefanzweifel/changelog-updater-action/releases)
- [Changelog](https://github.com/stefanzweifel/changelog-updater-action/blob/main/CHANGELOG.md)
- [Commits](https://github.com/stefanzweifel/changelog-updater-action/compare/3ad74a04f312e09210fdb3b0d8bf7ee66865288e...3b54ec66922355614bf0b80b290d6634a315acf5)

---
updated-dependencies:
- dependency-name: stefanzweifel/changelog-updater-action
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

* chore: enable mypy for part of terraform.graph_builder (#5173)

enable mypy for part of terraform.graph_builder

* chore: bump github/codeql-action from 2.3.5 to 2.3.6 (#5176)

Bumps [github/codeql-action](https://github.com/github/codeql-action) from 2.3.5 to 2.3.6.
- [Release notes](https://github.com/github/codeql-action/releases)
- [Changelog](https://github.com/github/codeql-action/blob/main/CHANGELOG.md)
- [Commits](https://github.com/github/codeql-action/compare/0225834cc549ee0ca93cb085b92954821a145866...83f0fe6c4988d98a455712a27f0255212bba9bd4)

---
updated-dependencies:
- dependency-name: github/codeql-action
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

* chore: update release notes

* fix(general): Correctly handle cli graphs in case we run with multiprocessing (#5177)

* Also pass back the graph when running a cli run in multiprocesses

* CR

* fix(general): Correctly handle cli graphs in case we run with multiprocessing (#5177)

* Also pass back the graph when running a cli run in multiprocesses

* CR

* feat(terraform_plan): Expose field changes to python checks (#5112)

* first pass at adding functionality to detect changed fields in a terraform resource

* no cool one-liners with relevant_attributes, apparently that is not what I thought it was. back to basic diffing

* debug

* ofc they make dicts None instead of empty when they are empty

* remove whitespace

* pr feedback, hopefully a test

* docs

* import hopefully properly

* lint

* mypy does not seem to understand how i made lines 256-259 safe

* i still have failed to figure out my imports :upside_down:

* files not classes?

* fix tests and mypy

* s/each/resource/g

---------

Co-authored-by: Anton Grübel <anton.gruebel@gmail.com>

* Merge branch 'main' into feat/frontdooruserwaf

* fix(general): Check that the result is not None before extracting vars in cli multiprocess runs (#5183)

Check that the result is not None before extracting vars

* fix(general): Check that the result is not None before extracting vars in cli multiprocess runs (#5183)

Check that the result is not None before extracting vars

* chore: update release notes

* feat(terraform): Mark unresolved tf function calls as unresolved

* Revert "feat(terraform): Mark unresolved tf function calls as unresolved"

This reverts commit f0170a37752840221afff4315c49d2bac54e8c3e.

* feat(terraform): Mark unresolved tf function calls as unresolved (#5186)

* Revert "Revert "feat(terraform): Mark unresolved tf function calls as unresolved""

This reverts commit 224f38e7a1d79cb153057930e79ff0dc164fa319.

* Remove imports to avoid circular deps

* feat(terraform): Mark unresolved tf function calls as unresolved (#5186)

* Revert "Revert "feat(terraform): Mark unresolved tf function calls as unresolved""

This reverts commit 224f38e7a1d79cb153057930e79ff0dc164fa319.

* Remove imports to avoid circular deps

* docs(general): Add Enforcement CLI Command (#5185)

docs: Add Enforcement CLI Command

* feat(arm): Handle arm db servers 2021 05 01 (#5187)

* feat(arm): Handle DB servers version 2021-05-01 format correctly

* Fix UTs

* Fix lint

* Revert "Fix lint"

This reverts commit 059921e4e789b8cb04a2ee71cb8204af5a48d540.

* Revert "Fix UTs"

This reverts commit d33c960cec23486b935c5d9875287231ffb476d4.

* Revert "feat(arm): Handle DB servers version 2021-05-01 format correctly"

This reverts commit 1f348352c49913409989ca5eab4f8bc315c76090.

* Really tackle the new syntax correctly

* feat(arm): Handle arm db servers 2021 05 01 (#5187)

* feat(arm): Handle DB servers version 2021-05-01 format correctly

* Fix UTs

* Fix lint

* Revert "Fix lint"

This reverts commit 059921e4e789b8cb04a2ee71cb8204af5a48d540.

* Revert "Fix UTs"

This reverts commit d33c960cec23486b935c5d9875287231ffb476d4.

* Revert "feat(arm): Handle DB servers version 2021-05-01 format correctly"

This reverts commit 1f348352c49913409989ca5eab4f8bc315c76090.

* Really tackle the new syntax correctly

* chore: update release notes

* fix(terraform): adjust CKV_AZURE_6 to comply with new provider version (#5189)

adjust CKV_AZURE_6 to comply with new provider version

* feat(arm): and bicep: Ensure that Azure Front Door uses WAF in "Detection" or "Prevention" modes CKV_AZURE_123 (#5049)

* feat(arm): Ensure that Azure Front Door uses WAF in "Detection" or "Prevention" modes CKV_AZURE_123

* feat(arm): Ensure that Azure Front Door uses WAF in "Detection" or "Prevention" modes CKV_AZURE_123

* feat(arm): Ensure that Azure Front Door uses WAF in "Detection" or "Prevention" modes CKV_AZURE_123

* feat(arm): Ensure that Azure Front Door uses WAF in "Detection" or "Prevention" modes CKV_AZURE_123

* feat(arm): Ensure that Azure Front Door uses WAF in "Detection" or "Prevention" modes CKV_AZURE_123

* remove bicep check variant

---------

Co-authored-by: gruebel <anton.gruebel@gmail.com>

* fix(terraform): adjust CKV_AZURE_6 to comply with new provider version (#5189)

adjust CKV_AZURE_6 to comply with new provider version

* feat(arm): and bicep: Ensure that Azure Front Door uses WAF in "Detection" or "Prevention" modes CKV_AZURE_123 (#5049)

* feat(arm): Ensure that Azure Front Door uses WAF in "Detection" or "Prevention" modes CKV_AZURE_123

* feat(arm): Ensure that Azure Front Door uses WAF in "Detection" or "Prevention" modes CKV_AZURE_123

* feat(arm): Ensure that Azure Front Door uses WAF in "Detection" or "Prevention" modes CKV_AZURE_123

* feat(arm): Ensure that Azure Front Door uses WAF in "Detection" or "Prevention" modes CKV_AZURE_123

* feat(arm): Ensure that Azure Front Door uses WAF in "Detection" or "Prevention" modes CKV_AZURE_123

* remove bicep check variant

---------

Co-authored-by: gruebel <anton.gruebel@gmail.com>

* fix(general): handle cloned checks filtered via labels (#5188)

* add ckvid for cloned filtered checks

* fix mypy

* move logic to metadata integration

* tweak example

* add tests

* Update checkov/common/bridgecrew/integration_features/features/policy_metadata_integration.py

Co-authored-by: Nimrod Kor <nimrodkor@gmail.com>

---------

Co-authored-by: Nimrod Kor <nimrodkor@gmail.com>

* fix(general): handle cloned checks filtered via labels (#5188)

* add ckvid for cloned filtered checks

* fix mypy

* move logic to metadata integration

* tweak example

* add tests

* Update checkov/common/bridgecrew/integration_features/features/policy_metadata_integration.py

Co-authored-by: Nimrod Kor <nimrodkor@gmail.com>

---------

Co-authored-by: Nimrod Kor <nimrodkor@gmail.com>

* chore: update release notes

* chore: change base permission of GHA workflows to contents read (#5191)

change base permission of GHA workflows to contents read

* fix(cloudformation): fix CKV_AWS_33 to consider deny statements (#5193)

* fix CKV_AWS_33 to consider deny statements

* fix linting

* fix(cloudformation): fix CKV_AWS_33 to consider deny statements (#5193)

* fix CKV_AWS_33 to consider deny statements

* fix linting

* docs(general): Update pre-commit.md (#5190)

* docs(general): Update pre-commit.md

* add checkov_diff to docs

---------

Co-authored-by: gruebel <anton.gruebel@gmail.com>

* feat(general): add checkov_diff pre-commit hook for scanning all changed files (#5192)

add checkov_diff pre-commit hook for scanning all changed files

* docs(general): Update pre-commit.md (#5190)

* docs(general): Update pre-commit.md

* add checkov_diff to docs

---------

Co-authored-by: gruebel <anton.gruebel@gmail.com>

* chore: update release notes

* upgrade dependencies

---------

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: Manu Chandrasekhar <manuchandrasekhar@gmail.com>
Co-authored-by: ChanochShayner <57212002+ChanochShayner@users.noreply.github.com>
Co-authored-by: LirShindalman <49649760+lirshindalman@users.noreply.github.com>
Co-authored-by: gruebel <gruebel@users.noreply.github.com>
Co-authored-by: James Woolfenden <james.woolfenden@gmail.com>
Co-authored-by: gruebel <anton.gruebel@gmail.com>
Co-authored-by: achiar99 <34912231+achiar99@users.noreply.github.com>
Co-authored-by: Omry Mendelovich <16597193+omryMen@users.noreply.github.com>
Co-authored-by: Nimrod Kor <nimrodkor@gmail.com>
Co-authored-by: Horia Gunica <43091730+horiagunica@users.noreply.github.com>
Co-authored-by: marynaKK <99361777+marynaKK@users.noreply.github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Co-authored-by: Taylor <28880387+tsmithv11@users.noreply.github.com>
Co-authored-by: james-otten-pan <69821911+james-otten-pan@users.noreply.github.com>
Co-authored-by: Barak Fatal <35402131+bo156@users.noreply.github.com>
Co-authored-by: omryMen <omryMen@users.noreply.github.com>
Co-authored-by: Omry Mendelovich <omry155@gmail.com>
Co-authored-by: wadhah mahrouk <33103894+wadhah101@users.noreply.github.com>
Co-authored-by: YaaraVerner <86768411+YaaraVerner@users.noreply.github.com>
Co-authored-by: Noa Azoulay <noazoulay1@gmail.com>
Co-authored-by: shine <4771718+shinenelson@users.noreply.github.com>
Co-authored-by: itai1357 <44339653+itai1357@users.noreply.github.com>
Co-authored-by: ipeleg <ipeleg@paloaltonetworks.com>
Co-authored-by: matansha <matanshati@gmail.com>
Co-authored-by: marynaKK <marynaKK@users.noreply.github.com>
Co-authored-by: Barak Fatal <barakf156@gmail.com>
Co-authored-by: Saar Ettinger <saarettinger@gmail.com>
Co-authored-by: Praveen <122512284+praveen-panw@users.noreply.github.com>
Co-authored-by: Eliran Turgeman <50831652+Eliran-Turgeman@users.noreply.github.com>
Co-authored-by: Eliran Turgeman <elturgeman@paloaltonetworks.com>
Co-authored-by: Simon Melotte <91271604+SimOnPanw@users.noreply.github.com>
Co-authored-by: Max Amelchenko <maxamel2002@gmail.com>
Co-authored-by: lborloz <luke.borloz@gmail.com>
Co-authored-by: maxamel <maxamel@users.noreply.github.com>
Co-authored-by: Max Amelchenko <mamelchenko@paloaltonetworks.com>
Co-authored-by: AdamDev <AdamVarsan@gmail.com>
Co-authored-by: Adam Varsano <avarsano@paloaltonetworks.com>
Co-authored-by: Michael Burns <michael@mirwin.net>
Co-authored-by: Mike Urbanski <mikeurbanski1@users.noreply.github.com>
Co-authored-by: Adrian Grucza <46910040+apgrucza@users.noreply.github.com>
Co-authored-by: Tal Ziv <tal.ziv.w@gmail.com>
Co-authored-by: Tal <Talz@talz.com>
Co-authored-by: Tareef D <17664517+tarfeef101@users.noreply.github.com>
Co-authored-by: Kartikeya Pande <kpande479@gmail.com>

rotemavni added a commit to rotem-avni/checkov3 that referenced this pull request Oct 5, 2023

* fix(terraform): Update CKV_AWS_338 message and retention check for 0 (#5018)

* fix(terraform): Update CKV_AWS_338 message and retention check for 0 (#5018)

* fix(terraform): Update CKV_AWS_338 message and retention check for 0 (#5018)

* feat(terraform): Set TF Modules for_each env var to true (#5021)

* Set env var to true

* Some small improvements

* increase performance tests by 1 sec

* Small CR fix

* revert change

* feat(terraform): Set TF Modules for_each env var to true (#5021)

* Set env var to true

* Some small improvements

* increase performance tests by 1 sec

* Small CR fix

* revert change

* fix(secrets): add filter for suppressed custom secret checks (#5016)

* add filter out for suppressed custom secret checks

* add filter out for suppressed custom secret checks

* add filter out for suppressed custom secret checks

* fix(secrets): add filter for suppressed custom secret checks (#5016)

* add filter out for suppressed custom secret checks

* add filter out for suppressed custom secret checks

* add filter out for suppressed custom secret checks

* chore: update release notes

* feat(terraform): Elastic beanstalk uses managed updates and fixes the EB check while i… 340 (#4816)

* Elastic beanstalk uses managed updates and fixes the EB check while im there

* update branch

---------

Co-authored-by: gruebel <anton.gruebel@gmail.com>

* fix(terraform): fix foreach render value for lookup (#5037)

* fix foreach render value for lookup

* pr comments

* add upper test

* Merge 81e831b560bd81df73288f0fe0d52ca6038755d6 into 624365dc822fe6cdbb5b7b04ddaaa1807025c8b9

* fix(terraform): fix foreach render value for lookup (#5037)

* fix foreach render value for lookup

* pr comments

* add upper test

* fix(terraform): Handle entity context for for_each resources (#5036)

Handle entity context for for_each resources

* fix(terraform): Handle entity context for for_each resources (#5036)

Handle entity context for for_each resources

* fix(secrets): don't scan images in git history (#5040)

* don't scan images

* remove the flaky test

* fix(secrets): don't scan images in git history (#5040)

* don't scan images

* remove the flaky test

* chore: update release notes

* platform(general): Catch None responses from BE (#5033)

* Catch `None` responses from BE gracefully

* Add retry with limited times

* mypy

* Remove flaky test

* Leverage _get_s3_role and fix text

* platform(general): Catch None responses from BE (#5033)

* Catch `None` responses from BE gracefully

* Add retry with limited times

* mypy

* Remove flaky test

* Leverage _get_s3_role and fix text

* chore: update release notes

* fix(secrets): add handling of unicode error (#5055)

* fix(secrets): add handling of unicode error (#5055)

* feat(terraform): Update CKV_AZURE_43 StorageAccountName.py VARIABLE_REFS (#5045)

Update StorageAccountName.py

Update VARIABLE_REFS list within StorageAccountName.py to also include `each.` value. This is useful when using for_each with a certain resource/module and can reference variables from within the map instead of directly a global `var.` variable.

* fix(arm): enabled is not true (#5051)

* fix(cloudformation): Enable ALB to support tls1.3 policies #4962 (#5035)

* fix to support tls1.3 policies

* Update ALBListenerTLS12.py

* feat(terraform): launch config/template Ensure metadata hop =1 341 (#4817)

* Ensure metadatahop =1

* minor change

---------

Co-authored-by: Anton Grübel <anton.gruebel@gmail.com>

* feat(general): include missing files in save repository (#5056)

* include missing files

* fix mypy

* chore: update release notes

* chore: scan repo with own secrets runner (#5046)

* scan repo with own secrets runner

* add checkov config file

* add skip comments

* add quiet flag

* use new token

* override enforcement rules

* change to pull_request_target

* leverage environment

* checkout pull request branch

* chore: bump github/codeql-action from 2.3.2 to 2.3.3 (#5057)

Bumps [github/codeql-action](https://github.com/github/codeql-action) from 2.3.2 to 2.3.3.
- [Release notes](https://github.com/github/codeql-action/releases)
- [Changelog](https://github.com/github/codeql-action/blob/main/CHANGELOG.md)
- [Commits](https://github.com/github/codeql-action/compare/f3feb00acb00f31a6f60280e6ace9ca31d91c76a...29b1f65c5e92e24fe6b6647da1eaabe529cec70f)

---
updated-dependencies:
- dependency-name: github/codeql-action
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

* chore: bump mikepenz/release-changelog-builder-action from 3.7.1 to 3.7.2 (#5058)

chore: bump mikepenz/release-changelog-builder-action

Bumps [mikepenz/release-changelog-builder-action](https://github.com/mikepenz/release-changelog-builder-action) from 3.7.1 to 3.7.2.
- [Release notes](https://github.com/mikepenz/release-changelog-builder-action/releases)
- [Commits](https://github.com/mikepenz/release-changelog-builder-action/compare/f7dd0f5932037ca4fff56395ffb04837fd97851a...342972d8fda7082778588387394cf150b9f7226f)

---
updated-dependencies:
- dependency-name: mikepenz/release-changelog-builder-action
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

* chore: bump crazy-max/ghaction-import-gpg from 5.2.0 to 5.3.0 (#5059)

Bumps [crazy-max/ghaction-import-gpg](https://github.com/crazy-max/ghaction-import-gpg) from 5.2.0 to 5.3.0.
- [Release notes](https://github.com/crazy-max/ghaction-import-gpg/releases)
- [Commits](https://github.com/crazy-max/ghaction-import-gpg/compare/111c56156bcc6918c056dbef52164cfa583dc549...72b6676b71ab476b77e676928516f6982eef7a41)

---
updated-dependencies:
- dependency-name: crazy-max/ghaction-import-gpg
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

* chore: bump pypa/gh-action-pypi-publish from 1.8.5 to 1.8.6 (#5060)

Bumps [pypa/gh-action-pypi-publish](https://github.com/pypa/gh-action-pypi-publish) from 1.8.5 to 1.8.6.
- [Release notes](https://github.com/pypa/gh-action-pypi-publish/releases)
- [Commits](https://github.com/pypa/gh-action-pypi-publish/compare/0bf742be3ebe032c25dd15117957dc15d0cfc38d...a56da0b891b3dc519c7ee3284aff1fad93cc8598)

---
updated-dependencies:
- dependency-name: pypa/gh-action-pypi-publish
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

* feat(terraform): check that WAF rules have an action 342 (#4806)

* Check that a WAF rule has an associated action

* fix id

* Update WAFRuleHasAnyActions.py

* update check logic

---------

Co-authored-by: Anton Grübel <anton.gruebel@gmail.com>

* feat(terraform): redshift should be set to automatically take snapshots 343 (#4727)

* redshift should be set to automatically take snapshots

* Update RedshiftClusterAutoSnap.py

* Update RedshiftClusterAutoSnap.py

* Update RedshiftClusterAutoSnap.py

* feat(terraform): aws ensure delete protection for firewalls 344 (#4870)

ensure delete protection for firewalls

Co-authored-by: Anton Grübel <anton.gruebel@gmail.com>

* feat(terraform): Ensure encryption for firewall uses a CMK CKV_AWS_345 (#4871)

* Ensure encryption for firewall uses a CMK

* add aws_networkfirewall_rule_group

---------

Co-authored-by: Anton Grübel <anton.gruebel@gmail.com>

* feat(terraform): Ensure Network firewall policy defines an encryption configuration that uses a CMK - CKV_AWS_346 (#4877)

* Ensure Network firewall policy defines an encryption configuration that specifies a CMK

* Ensure Network firewall policy defines an encryption configuration that specifies a CMK

---------

Co-authored-by: Anton Grübel <anton.gruebel@gmail.com>

* fix(kubernetes): Update ckv_k8s_31 (#4991)

* Updated ckv_k8s_31

Catch when all containers have the type RuntimeDefault

* Update ckv_k8s_31

* Update test_PodSecurityContext.py

* Delete pod-one-containerFAIL-onePASS.yaml

* Undo update test_PodSecurityContext.py

* Undo update PodSecurityContext.py

* Undo update PodSecurityContext.py

* Update to pass tests

* Update Seccomp.py

* Update Seccomp.py

* Update Seccomp.py

* Update Seccomp.py

* fix dogfood tests

* Revert "fix dogfood tests"

This reverts commit e92309d2676e6b47772d91e0d8d4558e2a930db7.

* Update Seccomp.py

* update check logic

* fix dogfood test

---------

Co-authored-by: gruebel <anton.gruebel@gmail.com>

* chore: update release notes

* docs(general): Fix some links (#5064)

* Fix some links

* Update SECURITY.md

Co-authored-by: Taylor <28880387+tsmithv11@users.noreply.github.com>

---------

Co-authored-by: Taylor <28880387+tsmithv11@users.noreply.github.com>

* feat(terraform): Added caller_file_path and caller_file_line_range to reduced report (#5062)

Added caller_file_path and caller_file_line_range to reduced report

* feat(terraform): Ensure Neptune cluster is encrypted with a CMK CKV_AWS_347 (#4965)

Ensure Neptune cluster is encrypted with a CMK

* docs(general): update Python custom checks docs (#5054)

* update Python custom checks docs

* add PR suggestion

Co-authored-by: Taylor <28880387+tsmithv11@users.noreply.github.com>

---------

Co-authored-by: Taylor <28880387+tsmithv11@users.noreply.github.com>

* feat(terraform): AWS IAM don't generate root credentials 348 (#4966)

don't generate root credentials

* fix(terraform): fix SQS encryption check CKV_AWS_27 (#5065)

fix SQS encryption check CKV_AWS_27

* chore: update release notes

* fix(secrets): add filter for suppressed custom secret checks (#5068)

.

* fix(secrets): exclude Kubernetes secretName from secret scanning (#5071)

exclude Kubernetes secretName from secret scanning

Co-authored-by: Omry Mendelovich <16597193+omryMen@users.noreply.github.com>

* Merge 1cfd16963a04119c8ad598eaf5851ecdba2ed13e into 4b2344ac1275704a06389708a1d2e922929c84f5

* chore: update bc-detect-secrets version to 1.4.27 (#5072)

* update bc-detect-secrets version

* remove ignore

* fix if for check id

---------

Co-authored-by: omryMen <omryMen@users.noreply.github.com>
Co-authored-by: Omry Mendelovich <omry155@gmail.com>

* fix(secrets): omit the code line (#5075)

omit the code line

* chore: update release notes

* feat(kustomize): Support inline skips for Kubernetes graph checks (#5070)

add graph check to kustomize

* chore: add skip comments to test secrets (#5077)

* add skip comments to test secrets

* enable checkov secrets scan and remove trufflehog

* add trufflehog back

* Create jekyll-gh-pages.yml

* Update jekyll-gh-pages.yml

* chore: update release notes

* fix(sca): only run image referencer with sca_image framework (#5081)

only run image referencer with sca_image framework

* chore: update release notes

* fix(terraform): skip invalid multiple modules names (#5079)

* skip invalid multiple module names

* fix

* platform(graph): upload graphs to the platform (#5073)

* implement upload graphs to the platform

* fix lint

* fix UTs

* fix UTs

* fix dogfood tests

* fix

* remove redundant import

* platform(general): Add lines to SBOM (#5078)

* add lines to sbom

* tests

* tests

* lint

* /

* /

* chore: update release notes

* feat(kubernetes): Improve k8s perf (#5083)

* remove deepcopy usage in k8s utils

* cache repo file path calculation

* fix linting

* Merge 6a93b867c22569011d8d54e4ece7e70832cbd67a into 2124ce17efa29eadf59789929d1cc37397a0f1d6

* chore: bump peter-evans/create-pull-request from 5.0.0 to 5.0.1 (#5087)

Bumps [peter-evans/create-pull-request](https://github.com/peter-evans/create-pull-request) from 5.0.0 to 5.0.1.
- [Release notes](https://github.com/peter-evans/create-pull-request/releases)
- [Commits](https://github.com/peter-evans/create-pull-request/compare/5b4a9f6a9e2af26e5f02351490b90d01eb8ec1e5...284f54f989303d2699d373481a0cfa13ad5a6666)

---
updated-dependencies:
- dependency-name: peter-evans/create-pull-request
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

* chore: bump azure/setup-helm from 3.4 to 3.5 (#5086)

Bumps [azure/setup-helm](https://github.com/azure/setup-helm) from 3.4 to 3.5.
- [Release notes](https://github.com/azure/setup-helm/releases)
- [Commits](https://github.com/azure/setup-helm/compare/v3.4...5119fcb9089d432beecbf79bb2c7915207344b78)

---
updated-dependencies:
- dependency-name: azure/setup-helm
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

* fix(terraform): handle false-positives for Route53ZoneEnableDNSSECSigning (#5084)

handle false-positives for Route53ZoneEnableDNSSECSigning

Route53ZoneEnableDNSSECSigning is applicable only for public hosted
zones. However, the check currently incorrectly applies to private
hosted zones as well.

Private hosted zones can be differentiated if the hosted zone is
associated with a VPC. VPC configuration can be added inline via a vpc
block or via a aws_route53_zone_association resource.

* feat(terraform): EMR -  At rest local disk, EBS and in transit encryption checks (#4968)

* At rest local disk, EBS and in transit encryption checks

* fix test cases

* update check logic

* skip secret finding

---------

Co-authored-by: Anton Grübel <anton.gruebel@gmail.com>

* chore: make networkx import truly optional (#5080)

make networkx import truly optional

* fix(kubernetes): add mini k8s parser for invalid templates (#5088)

* add k8s parser

* add test

* mypy

* fix mypy, lint

* fix mypy, lint

* mypy

* try to fix tests

* add log

* chore: update release notes

* feat(sca): using the lines directly in the record, rather than in the "vulnerability_details" + having it in ExtraResources (#5092)

* fsd

* adjust tests

* fix

---------

Co-authored-by: ipeleg <ipeleg@paloaltonetworks.com>

* Merge 0af202104cfba9e21f282b60d43e0103f079236f into 227e87339ca4c8301a75e1aedb16eef56178f894

* chore: update pre-commit and Python deps (#5091)

update pre-commit and Python deps

* feat(dockerfile): Support docker graph check skips (#5085)

* add context creation and support graph check suppression

* add docs

* fix test

* safely access context

* feat(kubernetes): separate service account builder to improve performance (#5093)

* Separated ServiceAccount handling from KeywordEdgeBuilder to improve performance in this case

* prettify

* CR and flake fixes

* mypy

* mypy

* added check that service accounts even exist before updating cache

* chore: update release notes

* feat(sca): showing line numbers in the cli output for csv (#5096)

* fsd

* adjust tests

* fix

* enabling displaying line number also for root packages without cves

* adding "(lines)" only in case there are lines-details

* adding "(lines)" only in case there are lines-details - fix

* naming

* fix for tests

* fix for tests

* Lines in the tests

---------

Co-authored-by: ipeleg <ipeleg@paloaltonetworks.com>

* chore: update bc-detect-secrets version to 1.4.28 (#5105)

update bc-detect-secrets version

Co-authored-by: marynaKK <marynaKK@users.noreply.github.com>

* feat(sca): showing line numbers in the cli output for licenses (#5098)

* fsd

* adjust tests

* fix

* enabling displaying line number also for root packages without cves

* adding "(lines)" only in case there are lines-details

* adding "(lines)" only in case there are lines-details - fix

* naming

* add lines for license violation + printing it in the cli output

* fix for tests

* fix for tests

* fix tests

* fix

* fix

* fix

* fix

* fix

* Lines in the tests

* add test

* add test

* add tests

* add tests

* fix the bug in v1

* change the output format + having tests

---------

Co-authored-by: ipeleg <ipeleg@paloaltonetworks.com>

* linters

* feat(general): add SPDX output (#5104)

* add SPDX output

* resolve merge conflict

* create spdx output

* except

* licenses

* Added licenses-expression to setup.py

* Fix mypy for spdx.py

* Fix setup.py

* fixed setup.py and pipfile

* Fixed mypy errors

* Fixed mypy errors

* Fix pipfile

---------

Co-authored-by: nazoulay <noazoulay1@gmail.com>
Co-authored-by: Saar Ettinger <saarettinger@gmail.com>

* chore: update release notes

* feat(terraform): Adding yaml based build time policies for corresponding PC runtime policies (#5089)

* adding 2 YAML policies - S3 & Neptune security config

* adding 2 YAML policies

* adding 2 YAML policies

* adding 2 YAML policies

* added 2 YAML policies

* updated the pass and fail cases

* Updated terraform pass and fail cases

* Deleted - AWS S3 global ACL view check

* added policy "Ensure Elastic Search has dedicated master node enabled"

CKV2_AWS_59: Ensure Elastic Search has dedicated master node enabled

* added policy "CKV2_AWS_60: Ensure RDS instance with copy tags to snapshots is enabled"

Ensure RDS instance with copy tags to snapshots is enabled

* [New Policy]: CKV2_AZURE_23: Ensure Azure spring cloud is configured with Virtual network (Vnet)

CKV2_AZURE_23: Ensure Azure spring cloud is configured with Virtual network (Vnet)

* [2 new Policies]: CKV2_AZURE_24, CKV2_AZURE_25

CKV2_AZURE_24: Ensure Azure automation account is NOT overly permissive

CKV2_AZURE_25: Ensure Azure SQL database Transparent Data Encryption (TDE) is enabled

* Update checkov/terraform/checks/graph_checks/aws/ElasticSearchDedicatedMasterEnabled.yaml

Added opensearch check capability

Co-authored-by: Anton Grübel <anton.gruebel@gmail.com>

* Modified CKV2_AWS_59: Ensure ElasticSearch/OpenSearch has dedicated master node enabled

* Renamed/Modified CKV2_AZURE_24: Ensure Azure automation account does NOT have overly permissive network access

* Renamed/Modified CKV2_AZURE_24: Ensure Azure automation account does NOT have overly permissive network access

* Modified CKV2_AZURE_23: Ensure Azure spring cloud is configured with Virtual network (Vnet)

* CKV2_AZURE_25: Ensure Azure SQL database Transparent Data Encryption (TDE) is enabled

* Modified CKV2_AWS_60: Ensure RDS instance with copy tags to snapshots is enabled

* Added 5 YAML policies

* Modified CKV2_AWS_60: Ensure RDS instance with copy tags to snapshots is enabled

* Partial YAML policy: AzureEnableDefenderForDNS

* Partial completion of AzureEnableDefenderForDNS

* Deleted AzurEnableForDefender

* Added a YAML policy AzureSQLserverNotOverlyPermissive

* Added policy: AzureRecoveryServicesvaultConfigManagedIdentity

* Added policy: AzureAutomationAccConfigManagedIdentity

* Added new YAML policy AzureMariaDBserverUsingTLS_1_2

* Added new YAML policy: AzureStorageAccountEnableSoftDelete and modified AzureMariaDBserverUsingTLS_1_2

* Updated test_yaml_policies.yaml

* Modifications made based on PR inputs

* adjust skip comment

---------

Co-authored-by: Anton Grübel <anton.gruebel@gmail.com>

* feat(terraform): NACL should restrict port ingress (#4976)

* NACL should restrict ingress

* NACL should restrict ingress

* fix brain fog

* adjust check name

---------

Co-authored-by: Anton Grübel <anton.gruebel@gmail.com>

* feat(secrets): add jwt detector to the secret runner (#5116)

add jwt detector to the secret runner

* docs(general): Update CLI Command Reference.md (#5114)

Update CLI Command Reference.md

* fix(dockerfile): improve update searching in CKV_DOCKER_5 (#5115)

improve update searching in CKV_DOCKER_5

* feat(terraform): RDS Enable Performance insights (#4983)

* feat(terraform): RDS Enable Performance insights

* adjust category

* fix test

---------

Co-authored-by: Anton Grübel <anton.gruebel@gmail.com>

* feat(terraform): AWS Ensure RDS performance insights uses a CMK (#4985)

* feat(terraform): AWS Ensure RDS performance insights uses a CMK

* fix test

---------

Co-authored-by: Anton Grübel <anton.gruebel@gmail.com>

* chore: enable mypy on part of terraform codebase (#5106)

* enable mypy on part of terraform codebase

* fix linting

* chore: update release notes

* feat(sca): dockerfile image-referencer fixes (#5120)

* dockerfile ir fixes

* uts fixes

* fix(gitlab): Skipping image blocks without name attribute (#5126)

skipping image blocks without name attribute

Co-authored-by: Eliran Turgeman <elturgeman@paloaltonetworks.com>

* feat(sca): adding the risk factor v2 to the vulnerability details (#5108)

* add the risk factor v2 to the vulnerability details

* adjust tests

---------

Co-authored-by: ipeleg <ipeleg@paloaltonetworks.com>

* chore: bump requests from 2.30.0 to 2.31.0 (#5125)

Bumps [requests](https://github.com/psf/requests) from 2.30.0 to 2.31.0.
- [Release notes](https://github.com/psf/requests/releases)
- [Changelog](https://github.com/psf/requests/blob/main/HISTORY.md)
- [Commits](https://github.com/psf/requests/compare/v2.30.0...v2.31.0)

---
updated-dependencies:
- dependency-name: requests
  dependency-type: direct:production
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

* chore: add type hints to tf modules and module_loading (#5119)

* add type hints to tf modules and module_loading

* add missing future annotation

* platform(general): Enhancing Sarif output with Security Severity Level (#5074)

* add severity level the name for sarif output

* add severity level the name for sarif output

* add comments to the code

* switch to SEVERITY_TO_SCORE

* Add a condition to add the properties dictionary

* Check the existence of CVSS score

* fix flake8 blank line missing

* use get function on vulnerability_details

* fix tests and update docs

---------

Co-authored-by: gruebel <anton.gruebel@gmail.com>

* feat(secrets): Add new pre-commit hook for secrets (#5103)

* Add secrets hook

* Update .pre-commit-hooks.yaml

Co-authored-by: Anton Grübel <anton.gruebel@gmail.com>

---------

Co-authored-by: Anton Grübel <anton.gruebel@gmail.com>

* fix(terraform): fix terraform variable rendering for provider alias (#5124)

* fix terraform variable rendering for provider alias

* fix test

* feat(terraform): add check to look at star resources (#4996)

* add check to look at star resources

* add missing cases

* slightly adjust code

---------

Co-authored-by: gruebel <anton.gruebel@gmail.com>

* chore: update release notes

* platform(general): SBOM line numbers adjusting (#5127)

* output add lines

* output add lines

* mypy

* lines

* tests

* get_package_lines

* fix(kustomize): fix empty kustomize file crash (#5131)

fix empty kustomize file crash

* feat(terraform): IAM limit resource access (#5015)

Co-authored-by: Anton Grübel <anton.gruebel@gmail.com>

* feat(terraform): extend CKV2_AWS_5 with new resources (#5129)

extend CKV2_AWS_5 with new resources

* chore: replace deepcopy with pickle (#4885)

* replace deepcopy with pickle

* fix test

* enable for_each handling by default

* replace all other deepcopy usage

* lower perf test thresholds and increase rounds

* rename function name

* chore: update release notes

* chore: disable checkov-secrets GHA job (#5138)

disable checkov-secrets GHA job

* fix(terraform): Should use UNKNOWN rather than skipped (#5136)

* Should use UNKNOWN rather than skipped

* Should use UNKNOWN rather than skipped

* Should use UNKNOWN rather than skipped

* Should use UNKNOWN rather than skipped

* feat(general): Added computation of git_root_path to igraph serialization (#5107)

* Added computation of git_root_path to igraph serialization based on nodes

* linters

* Changed git usage to find root path with os.path.abspath

* Matched graph json name to parameter

Co-authored-by: YaaraVerner <86768411+YaaraVerner@users.noreply.github.com>

* Made absolute_root_folder optional as it is only for cli runs

* Used '' instead of None as default value to make sure it is serializable

---------

Co-authored-by: Nimrod Kor <nimrodkor@gmail.com>
Co-authored-by: YaaraVerner <86768411+YaaraVerner@users.noreply.github.com>

* feat(terraform): foreach remove error from info log. (#5139)

Remove error from info log.

* feat(sca): adding validation for the file_line_number (#5132)

* add some validation for the file_line_range

* Update checkov/common/sca/commons.py

Co-authored-by: Anton Grübel <anton.gruebel@gmail.com>

* log instead of error

---------

Co-authored-by: ipeleg <ipeleg@paloaltonetworks.com>
Co-authored-by: Anton Grübel <anton.gruebel@gmail.com>

* chore: update release notes

* chore: bump github/codeql-action from 2.3.3 to 2.3.5 (#5142)

Bumps [github/codeql-action](https://github.com/github/codeql-action) from 2.3.3 to 2.3.5.
- [Release notes](https://github.com/github/codeql-action/releases)
- [Changelog](https://github.com/github/codeql-action/blob/main/CHANGELOG.md)
- [Commits](https://github.com/github/codeql-action/compare/29b1f65c5e92e24fe6b6647da1eaabe529cec70f...0225834cc549ee0ca93cb085b92954821a145866)

---
updated-dependencies:
- dependency-name: github/codeql-action
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

* chore: bump actions/setup-python from 4.6.0 to 4.6.1 (#5141)

Bumps [actions/setup-python](https://github.com/actions/setup-python) from 4.6.0 to 4.6.1.
- [Release notes](https://github.com/actions/setup-python/releases)
- [Commits](https://github.com/actions/setup-python/compare/57ded4d7d5e986d7296eab16560982c6dd7c923b...bd6b4b6205c4dbad673328db7b31b7fab9e241c0)

---
updated-dependencies:
- dependency-name: actions/setup-python
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

* feat(terraform): Foreach support resources edges (#5145)

* support create edge for foreach resources

* Trying

* Adding UT

* nicer

* CR Fix

* Update checkov/terraform/graph_builder/foreach/abstract_handler.py

Co-authored-by: Max Amelchenko <maxamel2002@gmail.com>

---------

Co-authored-by: Max Amelchenko <maxamel2002@gmail.com>

* chore: remove existing venv (#5144)

* remove existing venv

* remove existing venv

* fix(terraform): exclude unrestrictable actions in CKV_AWS_355 and CKV_AWS_356 (#5135)

* exclude unrestrictable actions in CKV_AWS_355 and CKV_AWS_356

* fix tests

* fix action namespace

Co-authored-by: lborloz <luke.borloz@gmail.com>

---------

Co-authored-by: lborloz <luke.borloz@gmail.com>

* feat(terraform): don't fail CKV_AWS_2 on un-rendered value (#5147)

* chore: fix IAM star test (#5149)

fix IAM star test

* chore: fix IAM star test for real (#5150)

fix IAM star test for real

* chore: fix IAM star test for real (#5150)

fix IAM star test for real

* chore: fix IAM star test for real (#5150)

fix IAM star test for real

* docs(general): Update operators with examples (#5137)

Update operators with examples

* chore: update bc-detect-secrets version to 1.4.29 (#5140)

update bc-detect-secrets version

Co-authored-by: maxamel <maxamel@users.noreply.github.com>

* chore: update bc-detect-secrets version to 1.4.29 (#5140)

update bc-detect-secrets version

Co-authored-by: maxamel <maxamel@users.noreply.github.com>

* chore: update release notes

* fix(kubernetes): fix extracting k8s nested resources (#5146)

* add kind and apiVersion to k8s nested resources in order to scan them

* update UT

* fix(kubernetes): fix extracting k8s nested resources (#5146)

* add kind and apiVersion to k8s nested resources in order to scan them

* update UT

* chore: remove redundant log (#5151)

* remove redundant log

* remove whitespace

---------

Co-authored-by: Max Amelchenko <mamelchenko@paloaltonetworks.com>

* chore: remove redundant log (#5151)

* remove redundant log

* remove whitespace

---------

Co-authored-by: Max Amelchenko <mamelchenko@paloaltonetworks.com>

* fix(sca): suppression is not working on SCA packages (#5156)

* suppression is not working

* lint

* change to snake case

---------

Co-authored-by: Adam Varsano <avarsano@paloaltonetworks.com>

* fix(sca): suppression - fix unit testing (#5158)

fix_unit_testing

Co-authored-by: Adam Varsano <avarsano@paloaltonetworks.com>

* fix(sca): suppression - fix unit testing (#5158)

fix_unit_testing

Co-authored-by: Adam Varsano <avarsano@paloaltonetworks.com>

* feat(terraform): Use just AWS regex to check EC2Credentials (#5159)

Use just AWS regex to check EC2Credentials

* chore: update release notes

* fix(general): fix SARIF output related to security-severity field (#5160)

fix SARIF output related to security-severity field

* fix(general): fix SARIF output related to security-severity field (#5160)

fix SARIF output related to security-severity field

* fix(cloudformation): fix evaluate_default_refs func in cfn (#5164)

fix evaluate_default_refs func in cfn

* fix(cloudformation): fix evaluate_default_refs func in cfn (#5164)

fix evaluate_default_refs func in cfn

* fix(terraform): update latest major version of Postgres to v15 (#5163)

* update latest major version of Postgres to v15

* update to latest stable major version of Postgres, v15

* feat(ansible): add support of inline suppression for Ansible graph checks (#5143)

* add support of inline suppression for Ansible graph checks

* fix linting

* fix line numbers

* fix(terraform): update latest major version of Postgres to v15 (#5163)

* update latest major version of Postgres to v15

* update to latest stable major version of Postgres, v15

* chore: enable secret scanning via checkov (#5152)

* enable secret scanning via checkov

* split security run to separate triggers

* fix test

* chore: enable secret scanning via checkov (#5152)

* enable secret scanning via checkov

* split security run to separate triggers

* fix test

* fix(terraform): adjust CKV_AWS_85 to only look for one log type to pass (#5162)

* adjust CKV_AWS_85 to only look for one log type to pass

* exclude test secrets

* fix(terraform): adjust CKV_AWS_85 to only look for one log type to pass (#5162)

* adjust CKV_AWS_85 to only look for one log type to pass

* exclude test secrets

* platform(general): Add no upload flag and report contributors for all API key runs (#5052)

* add skip results upload flag

* skip results upload with flag

* add integration tests for skip upload

* fix intg test

* update CLI command docs

* add default for .get(url)

* add positive use of report_has_url for validation

* remove source-based contributor metrics and use API key instead

* move integration test to proper place

* expect report path to not exist

* move integration test to proper place

* --amend

* remove unused test function

* upload contributors after saving results

* remove commented test code

* platform(general): Add no upload flag and report contributors for all API key runs (#5052)

* add skip results upload flag

* skip results upload with flag

* add integration tests for skip upload

* fix intg test

* update CLI command docs

* add default for .get(url)

* add positive use of report_has_url for validation

* remove source-based contributor metrics and use API key instead

* move integration test to proper place

* expect report path to not exist

* move integration test to proper place

* --amend

* remove unused test function

* upload contributors after saving results

* remove commented test code

* chore: update release notes

* feat(terraform): Ensure Azure firewall sets threatintelMode to Deny (#5013)

* Ensure Azure firewall sets threatintelMode to Deny

* Ensure Azure firewall sets threatintelMode to Deny

* annotations

* remove unneeded bicep check

---------

Co-authored-by: gruebel <anton.gruebel@gmail.com>

* feat(arm): ARM and bicep checks for CKV_AZURE_121 (#5029)

* ARM and bicep checks for CKV_AZURE_121

* Add annotations

* Add annotations

* remove unneeded bicep check

---------

Co-authored-by: gruebel <anton.gruebel@gmail.com>

* fix(terraform): Unable to download Terraform modules from JFrog Artifactory (#5155)

* Handle absolute Terraform module discovery URLs

* Fix double slash when joining Terraform module URL

* Ignore URL param in module archive extension check

* Support ZIP file format for registry modules

* Ignore local modules in Terraform registry loader

* Allow _get_archive_extension to return None

* feat(terraform): Ensure Azure firewall sets threatintelMode to Deny (#5013)

* Ensure Azure firewall sets threatintelMode to Deny

* Ensure Azure firewall sets threatintelMode to Deny

* annotations

* remove unneeded bicep check

---------

Co-authored-by: gruebel <anton.gruebel@gmail.com>

* fix(terraform): Unable to download Terraform modules from JFrog Artifactory (#5155)

* Handle absolute Terraform module discovery URLs

* Fix double slash when joining Terraform module URL

* Ignore URL param in module archive extension check

* Support ZIP file format for registry modules

* Ignore local modules in Terraform registry loader

* Allow _get_archive_extension to return None

* feat(terraform): Ensure Application Gateway defines secure SSL protocols CKV_AZURE_217, 218 (#5027)

* feat(terraform): Ensure Application Gateway defines secure SSL protocols and ciphers

* improve check logic

---------

Co-authored-by: gruebel <anton.gruebel@gmail.com>

* feat(terraform): Ensure firewall defines a policy (#5038)

* fix(dockerfile): support platform flag in CKV_DOCKER_11 (#5170)

support platform flag in CKV_DOCKER_11

* feat(terraform): Ensure Application Gateway defines secure SSL protocols CKV_AZURE_217, 218 (#5027)

* feat(terraform): Ensure Application Gateway defines secure SSL protocols and ciphers

* improve check logic

---------

Co-authored-by: gruebel <anton.gruebel@gmail.com>

* fix(dockerfile): support platform flag in CKV_DOCKER_11 (#5170)

support platform flag in CKV_DOCKER_11

* feat(terraform): Ensure Firewall policy has IDPS mode as deny (#5039)

* fix(terraform): support condition in IAM policy data blocks (#5171)

support condition in IAM policy data blocks

* feat(terraform): Ensure Firewall policy has IDPS mode as deny (#5039)

* fix(terraform): support condition in IAM policy data blocks (#5171)

support condition in IAM policy data blocks

* chore: update release notes

* fix(kubernetes): don't fail if spec is missing and default value is set to the fix value. (#5167)

* don't fail if spec is missing

* test

* fix tests

---------

Co-authored-by: Tal <Talz@talz.com>
Co-authored-by: gruebel <anton.gruebel@gmail.com>

* fix(kubernetes): don't fail if spec is missing and default value is set to the fix value. (#5167)

* don't fail if spec is missing

* test

* fix tests

---------

Co-authored-by: Tal <Talz@talz.com>
Co-authored-by: gruebel <anton.gruebel@gmail.com>

* chore: move GitHub pages flow to hosted runners (#5172)

move GitHub pages flow to hosted runners

* chore: bump github/codeql-action from 2.3.5 to 2.3.6 (#5176)

Bumps [github/codeql-action](https://github.com/github/codeql-action) from 2.3.5 to 2.3.6.
- [Release notes](https://github.com/github/codeql-action/releases)
- [Changelog](https://github.com/github/codeql-action/blob/main/CHANGELOG.md)
- [Commits](https://github.com/github/codeql-action/compare/0225834cc549ee0ca93cb085b92954821a145866...83f0fe6c4988d98a455712a27f0255212bba9bd4)

---
updated-dependencies:
- dependency-name: github/codeql-action
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

* chore: bump thehanimo/pr-title-checker from 1.3.7 to 1.4.0 (#5174)

Bumps [thehanimo/pr-title-checker](https://github.com/thehanimo/pr-title-checker) from 1.3.7 to 1.4.0.
- [Release notes](https://github.com/thehanimo/pr-title-checker/releases)
- [Commits](https://github.com/thehanimo/pr-title-checker/compare/cdafc664bf9b25678d4e6df76ff67b2fe21bb5d2...0cf5902181e78341bb97bb06646396e5bd354b3f)

---
updated-dependencies:
- dependency-name: thehanimo/pr-title-checker
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

* chore: bump stefanzweifel/changelog-updater-action from 1.7.0 to 1.8.0 (#5175)

Bumps [stefanzweifel/changelog-updater-action](https://github.com/stefanzweifel/changelog-updater-action) from 1.7.0 to 1.8.0.
- [Release notes](https://github.com/stefanzweifel/changelog-updater-action/releases)
- [Changelog](https://github.com/stefanzweifel/changelog-updater-action/blob/main/CHANGELOG.md)
- [Commits](https://github.com/stefanzweifel/changelog-updater-action/compare/3ad74a04f312e09210fdb3b0d8bf7ee66865288e...3b54ec66922355614bf0b80b290d6634a315acf5)

---
updated-dependencies:
- dependency-name: stefanzweifel/changelog-updater-action
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

* chore: enable mypy for part of terraform.graph_builder (#5173)

enable mypy for part of terraform.graph_builder

* chore: bump github/codeql-action from 2.3.5 to 2.3.6 (#5176)

Bumps [github/codeql-action](https://github.com/github/codeql-action) from 2.3.5 to 2.3.6.
- [Release notes](https://github.com/github/codeql-action/releases)
- [Changelog](https://github.com/github/codeql-action/blob/main/CHANGELOG.md)
- [Commits](https://github.com/github/codeql-action/compare/0225834cc549ee0ca93cb085b92954821a145866...83f0fe6c4988d98a455712a27f0255212bba9bd4)

---
updated-dependencies:
- dependency-name: github/codeql-action
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

* chore: update release notes

* fix(general): Correctly handle cli graphs in case we run with multiprocessing (#5177)

* Also pass back the graph when running a cli run in multiprocesses

* CR

* fix(general): Correctly handle cli graphs in case we run with multiprocessing (#5177)

* Also pass back the graph when running a cli run in multiprocesses

* CR

* feat(terraform_plan): Expose field changes to python checks (#5112)

* first pass at adding functionality to detect changed fields in a terraform resource

* no cool one-liners with relevant_attributes, apparently that is not what I thought it was. back to basic diffing

* debug

* ofc they make dicts None instead of empty when they are empty

* remove whitespace

* pr feedback, hopefully a test

* docs

* import hopefully properly

* lint

* mypy does not seem to understand how i made lines 256-259 safe

* i still have failed to figure out my imports :upside_down:

* files not classes?

* fix tests and mypy

* s/each/resource/g

---------

Co-authored-by: Anton Grübel <anton.gruebel@gmail.com>

* Merge branch 'main' into feat/frontdooruserwaf

* fix(general): Check that the result is not None before extracting vars in cli multiprocess runs (#5183)

Check that the result is not None before extracting vars

* fix(general): Check that the result is not None before extracting vars in cli multiprocess runs (#5183)

Check that the result is not None before extracting vars

* chore: update release notes

* feat(terraform): Mark unresolved tf function calls as unresolved

* Revert "feat(terraform): Mark unresolved tf function calls as unresolved"

This reverts commit f0170a37752840221afff4315c49d2bac54e8c3e.

* feat(terraform): Mark unresolved tf function calls as unresolved (#5186)

* Revert "Revert "feat(terraform): Mark unresolved tf function calls as unresolved""

This reverts commit 224f38e7a1d79cb153057930e79ff0dc164fa319.

* Remove imports to avoid circular deps

* feat(terraform): Mark unresolved tf function calls as unresolved (#5186)

* Revert "Revert "feat(terraform): Mark unresolved tf function calls as unresolved""

This reverts commit 224f38e7a1d79cb153057930e79ff0dc164fa319.

* Remove imports to avoid circular deps

* docs(general): Add Enforcement CLI Command (#5185)

docs: Add Enforcement CLI Command

* feat(arm): Handle arm db servers 2021 05 01 (#5187)

* feat(arm): Handle DB servers version 2021-05-01 format correctly

* Fix UTs

* Fix lint

* Revert "Fix lint"

This reverts commit 059921e4e789b8cb04a2ee71cb8204af5a48d540.

* Revert "Fix UTs"

This reverts commit d33c960cec23486b935c5d9875287231ffb476d4.

* Revert "feat(arm): Handle DB servers version 2021-05-01 format correctly"

This reverts commit 1f348352c49913409989ca5eab4f8bc315c76090.

* Really tackle the new syntax correctly

* feat(arm): Handle arm db servers 2021 05 01 (#5187)

* feat(arm): Handle DB servers version 2021-05-01 format correctly

* Fix UTs

* Fix lint

* Revert "Fix lint"

This reverts commit 059921e4e789b8cb04a2ee71cb8204af5a48d540.

* Revert "Fix UTs"

This reverts commit d33c960cec23486b935c5d9875287231ffb476d4.

* Revert "feat(arm): Handle DB servers version 2021-05-01 format correctly"

This reverts commit 1f348352c49913409989ca5eab4f8bc315c76090.

* Really tackle the new syntax correctly

* chore: update release notes

* fix(terraform): adjust CKV_AZURE_6 to comply with new provider version (#5189)

adjust CKV_AZURE_6 to comply with new provider version

* feat(arm): and bicep: Ensure that Azure Front Door uses WAF in "Detection" or "Prevention" modes CKV_AZURE_123 (#5049)

* feat(arm): Ensure that Azure Front Door uses WAF in "Detection" or "Prevention" modes CKV_AZURE_123

* feat(arm): Ensure that Azure Front Door uses WAF in "Detection" or "Prevention" modes CKV_AZURE_123

* feat(arm): Ensure that Azure Front Door uses WAF in "Detection" or "Prevention" modes CKV_AZURE_123

* feat(arm): Ensure that Azure Front Door uses WAF in "Detection" or "Prevention" modes CKV_AZURE_123

* feat(arm): Ensure that Azure Front Door uses WAF in "Detection" or "Prevention" modes CKV_AZURE_123

* remove bicep check variant

---------

Co-authored-by: gruebel <anton.gruebel@gmail.com>

* fix(terraform): adjust CKV_AZURE_6 to comply with new provider version (#5189)

adjust CKV_AZURE_6 to comply with new provider version

* feat(arm): and bicep: Ensure that Azure Front Door uses WAF in "Detection" or "Prevention" modes CKV_AZURE_123 (#5049)

* feat(arm): Ensure that Azure Front Door uses WAF in "Detection" or "Prevention" modes CKV_AZURE_123

* feat(arm): Ensure that Azure Front Door uses WAF in "Detection" or "Prevention" modes CKV_AZURE_123

* feat(arm): Ensure that Azure Front Door uses WAF in "Detection" or "Prevention" modes CKV_AZURE_123

* feat(arm): Ensure that Azure Front Door uses WAF in "Detection" or "Prevention" modes CKV_AZURE_123

* feat(arm): Ensure that Azure Front Door uses WAF in "Detection" or "Prevention" modes CKV_AZURE_123

* remove bicep check variant

---------

Co-authored-by: gruebel <anton.gruebel@gmail.com>

* fix(general): handle cloned checks filtered via labels (#5188)

* add ckvid for cloned filtered checks

* fix mypy

* move logic to metadata integration

* tweak example

* add tests

* Update checkov/common/bridgecrew/integration_features/features/policy_metadata_integration.py

Co-authored-by: Nimrod Kor <nimrodkor@gmail.com>

---------

Co-authored-by: Nimrod Kor <nimrodkor@gmail.com>

* fix(general): handle cloned checks filtered via labels (#5188)

* add ckvid for cloned filtered checks

* fix mypy

* move logic to metadata integration

* tweak example

* add tests

* Update checkov/common/bridgecrew/integration_features/features/policy_metadata_integration.py

Co-authored-by: Nimrod Kor <nimrodkor@gmail.com>

---------

Co-authored-by: Nimrod Kor <nimrodkor@gmail.com>

* chore: update release notes

* chore: change base permission of GHA workflows to contents read (#5191)

change base permission of GHA workflows to contents read

* fix(cloudformation): fix CKV_AWS_33 to consider deny statements (#5193)

* fix CKV_AWS_33 to consider deny statements

* fix linting

* fix(cloudformation): fix CKV_AWS_33 to consider deny statements (#5193)

* fix CKV_AWS_33 to consider deny statements

* fix linting

* docs(general): Update pre-commit.md (#5190)

* docs(general): Update pre-commit.md

* add checkov_diff to docs

---------

Co-authored-by: gruebel <anton.gruebel@gmail.com>

* feat(general): add checkov_diff pre-commit hook for scanning all changed files (#5192)

add checkov_diff pre-commit hook for scanning all changed files

* docs(general): Update pre-commit.md (#5190)

* docs(general): Update pre-commit.md

* add checkov_diff to docs

---------

Co-authored-by: gruebel <anton.gruebel@gmail.com>

* chore: update release notes

* upgrade dependencies

---------

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: Manu Chandrasekhar <manuchandrasekhar@gmail.com>
Co-authored-by: ChanochShayner <57212002+ChanochShayner@users.noreply.github.com>
Co-authored-by: LirShindalman <49649760+lirshindalman@users.noreply.github.com>
Co-authored-by: gruebel <gruebel@users.noreply.github.com>
Co-authored-by: James Woolfenden <james.woolfenden@gmail.com>
Co-authored-by: gruebel <anton.gruebel@gmail.com>
Co-authored-by: achiar99 <34912231+achiar99@users.noreply.github.com>
Co-authored-by: Omry Mendelovich <16597193+omryMen@users.noreply.github.com>
Co-authored-by: Nimrod Kor <nimrodkor@gmail.com>
Co-authored-by: Horia Gunica <43091730+horiagunica@users.noreply.github.com>
Co-authored-by: marynaKK <99361777+marynaKK@users.noreply.github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Co-authored-by: Taylor <28880387+tsmithv11@users.noreply.github.com>
Co-authored-by: james-otten-pan <69821911+james-otten-pan@users.noreply.github.com>
Co-authored-by: Barak Fatal <35402131+bo156@users.noreply.github.com>
Co-authored-by: omryMen <omryMen@users.noreply.github.com>
Co-authored-by: Omry Mendelovich <omry155@gmail.com>
Co-authored-by: wadhah mahrouk <33103894+wadhah101@users.noreply.github.com>
Co-authored-by: YaaraVerner <86768411+YaaraVerner@users.noreply.github.com>
Co-authored-by: Noa Azoulay <noazoulay1@gmail.com>
Co-authored-by: shine <4771718+shinenelson@users.noreply.github.com>
Co-authored-by: itai1357 <44339653+itai1357@users.noreply.github.com>
Co-authored-by: ipeleg <ipeleg@paloaltonetworks.com>
Co-authored-by: matansha <matanshati@gmail.com>
Co-authored-by: marynaKK <marynaKK@users.noreply.github.com>
Co-authored-by: Barak Fatal <barakf156@gmail.com>
Co-authored-by: Saar Ettinger <saarettinger@gmail.com>
Co-authored-by: Praveen <122512284+praveen-panw@users.noreply.github.com>
Co-authored-by: Eliran Turgeman <50831652+Eliran-Turgeman@users.noreply.github.com>
Co-authored-by: Eliran Turgeman <elturgeman@paloaltonetworks.com>
Co-authored-by: Simon Melotte <91271604+SimOnPanw@users.noreply.github.com>
Co-authored-by: Max Amelchenko <maxamel2002@gmail.com>
Co-authored-by: lborloz <luke.borloz@gmail.com>
Co-authored-by: maxamel <maxamel@users.noreply.github.com>
Co-authored-by: Max Amelchenko <mamelchenko@paloaltonetworks.com>
Co-authored-by: AdamDev <AdamVarsan@gmail.com>
Co-authored-by: Adam Varsano <avarsano@paloaltonetworks.com>
Co-authored-by: Michael Burns <michael@mirwin.net>
Co-authored-by: Mike Urbanski <mikeurbanski1@users.noreply.github.com>
Co-authored-by: Adrian Grucza <46910040+apgrucza@users.noreply.github.com>
Co-authored-by: Tal Ziv <tal.ziv.w@gmail.com>
Co-authored-by: Tal <Talz@talz.com>
Co-authored-by: Tareef D <17664517+tarfeef101@users.noreply.github.com>
Co-authored-by: Kartikeya Pande <kpande479@gmail.com>
Successfully merging this pull request may close these issues.

Unable to download Terraform modules from JFrog Artifactory