3.2.382 - 2025-03-06
- secrets: Bump detect-secrets to remove more lock files - #7039
3.2.381 - 2025-03-05
- general: prevent connected_node attribute from being overriden - #7032
- secrets: ckv_secret_80 filtering fix - #7037
3.2.379 - 2025-03-03
- terraform: Add azure DB checks for flexible server private endpoints - #7030
3.2.378 - 2025-02-27
- secrets: Remove CKV_SECRET_80 instead of CKV_SECRET_6 - #7029
3.2.377 - 2025-02-25
- terraform: adding 3 policies & tests - #7011
- cloudformation: Handle subs in CKV_AWS_384 - #7022
- secrets: Fix Duplicated Violation in line bug - #7027
- terraform: Fixed CKV2_GCP_10 to exclude non http triggered cloud functions from security_level requirement - #7008
- terraform: Handle new resource type for CKV_GCP_73 - #7023
3.2.373 - 2025-02-24
- terraform: CKV_GCP_74, CKV_GCP_76 incorrectly enforced for REGIONAL and GLOBAL managed proxy networks - #7002
3.2.372 - 2025-02-18
- terraform: Add multiple checks - #7016
- terraform: Postgres latest stable version - #7015
3.2.370 - 2025-02-13
- general: Handle ECS enhanced container insights - #7001
3.2.369 - 2025-02-10
- terraform: Multiple check fixes - #6999
3.2.368 - 2025-02-06
- general: fix proxy access from git and registry loader - #6992
3.2.366 - 2025-02-05
- bicep: Add bicep specific for CKV_AZURE_25 since ARM implementation fails - #6996
- terraform: CKV_AZURE_249 & CKV_AWS_358 - better support for OIDC 'repo' detection regex and conditions order - #6994
3.2.364 - 2025-02-04
- terraform: CKV_AWS_339 - Add EKS platform version 1.32 to allowed lists of versions - #6988
3.2.362 - 2025-02-03
- secrets: Multiple matching groups are being caught as regex separated by | sign - #6967
- secrets: Remove both random and base64 entropy secrets finding - #6969
- general: Backfill more eval keys - #6970
3.2.358 - 2025-01-28
- general: Add env var for policy metadata - #6979
3.2.357 - 2025-01-23
- general: initial support for python 3.13 - #6962
- terraform: OIDC checks fixes - #6964
3.2.355 - 2025-01-22
- terraform: Update CKV_AWS_358, add CKV_GCP_125 and CKV_AZURE_249 for OIDC claims analysis for GitHub - #6960
- terraform: Accept TLS 1.3 for Azure web apps and web app slots - #6956
- terraform: Add eval keys - #6929
3.2.353 - 2025-01-15
- general: Support CVE suppressions with the root file in repo - #6948
3.2.352 - 2025-01-09
- terraform: add option to add external_modules_content_cache to terraform build_graph - #6942
3.2.351 - 2025-01-08
- terraform: Skip tsconfig in terraform plan - #6941
3.2.350 - 2025-01-07
- terraform: add CKV_AZURE_248 - Azure batch account network access restriction - #6928
- terraform: Revert feat(terraform): Add a terraform block check (#6904) - #6937
3.2.347 - 2025-01-06
- general: Change behavior where if a config file is missing, run the scan as if there was no config file - #6926
- terraform: Fix for multiple checks - #6933
3.2.346 - 2025-01-01
- terraform: add option to add proxy to request - #6923
3.2.345 - 2024-12-31
- cloudformation: Add sensitive param check - #6921
- terraform: add option to add proxy to request - #6916
- terraform: check cognitive services restrict outbound network - #6919
- terraform_json: support CDKTF output in CKV_TF_3 - #6918
3.2.344 - 2024-12-21
- kubernetes: Add to nested resources on k8s graph inherit namespace - #6912
3.2.342 - 2024-12-18
- serverless: serverless definitions context - #6910
- serverless: Serverless graph integration - #6911
- terraform: Add a terraform block check - #6904
3.2.339 - 2024-12-17
- general: Fix jsonpath-key handling for special characters like "/" and reduce log size - #6907
- serverless: Fix serverless check crash - #6909
3.2.336 - 2024-12-16
- general: add cortex:skip for suppressions - #6908
3.2.334 - 2024-12-08
- serverless: Serverless graph vertices - #6894
- secrets: fix indentation to remove duplications - #6626
3.2.332 - 2024-12-05
3.2.328 - 2024-12-04
- serverless: Serverless refactor for graph implementation - #6885
- general: docs flags update - #6888
3.2.327 - 2024-12-03
- terraform: Convert to graph check - #6875
3.2.326 - 2024-12-02
- general: add new CIDR operator - #6877
- arm: Fix resource ID generation to use variables - #6884
3.2.324 - 2024-12-01
- terraform_plan: run post_runner after get_enriched_resources for terraform_plan - #6883
3.2.322 - 2024-11-28
- general: Update range includes to handle range values - #6867
3.2.320 - 2024-11-27
- terraform: Add new checks to match run checks - #6868
- arm: Fix arm root folder - #6880
- terraform: Update CKV_AZURE_164 to correct check on trust policy - #6757
3.2.317 - 2024-11-26
- terraform: support resource_type attribute - #6872
3.2.314 - 2024-11-25
- general: add logs for suppression - #6873
- arm: Fix arm resource naming on integration with Prisma - #6870
3.2.312 - 2024-11-24
- arm: Fix arm graph breadcrumbs - #6869
3.2.311 - 2024-11-21
- cloudformation: Fixed issue where Ref was not rendered correctly if the parameter name was identical to the default value - #6856
- secrets: fix find line - #6864
- secrets: masking test format - #6859
- secrets: multiline matches show the secret and not the first line - #6854
3.2.307 - 2024-11-20
- arm: Change ARM graph creation log lvl to debug - #6857
3.2.305 - 2024-11-19
- sca: support java full dependency tree scan - #6834
- terraform: Add check - ensure AWS CodeGuru resource contains CMK - #6851
- general: Used jsonpath to update vertex attributes - #6852
- terraform: Update EKS supported versions - #6826
- terraform: Update CKV_AZURE_171 to check automatic_upgrade_channel - #6756
3.2.301 - 2024-11-18
- secrets: skip empty match - #6849
3.2.300 - 2024-11-17
- azure: add new policies for Azure Synapse arm - #6553
- helm: Made helm + kustomize use the Kubernetes graph registry - #6847
- secrets: Adding check_id to EnrichedSecret class - #6842
- secrets: Masking secrets files - #6848
- secrets: add prerun support for singleline - #6846
- terraform: Update CKV_AZURE_167 to correct check on retention policy - #6758
3.2.296 - 2024-11-14
- cloudformation: Support Fn::Sub in cases of using a pseudo parameter - #6835
- terraform: support resource_type attribute - revert - #6843
- terraform: CKV_GCP_32 (GoogleComputeBlockProjectSSH) Add other common enabling values - #6663
3.2.293 - 2024-11-13
- terraform: support resource_type attribute - #6830
- general: fixed mypy issue - #6838
3.2.291 - 2024-11-12
- general: remove specific botocore version - #6796
- arm: fix ARM graph block types - #6824
- dockerfile: Handle heredoc - #6828
- sast: filter unsupported policies - #6833
3.2.287 - 2024-11-11
- graph: fix internal checks loading when adding custom policies in cli - #6819
3.2.286 - 2024-11-10
- secrets: Add npm detector - #6821
- secrets: fix empty diff scan - #6822
3.2.282 - 2024-11-07
- arm: finish variable rendering and use definitions context - #6814
3.2.281 - 2024-11-06
- general: Update Python versions and add env vars to the docs - #6812
3.2.280 - 2024-11-05
- arm: add middleware function for platform integration for Arm definitions - #6811
- secrets: Update CKV_SECRET_4 to duplication list GENERIC_PRIVATE_KEY - #6810
- terraform: Add opensearch to CKV2_AWS_5 - #6807
3.2.278 - 2024-11-04
- arm: Align arm definitions function arguments - #6808
3.2.277 - 2024-11-03
- secrets: add detector for IbmCosHmac - #6790
3.2.276 - 2024-10-31
- terraform: Fix possible exception when for_each data has boolean values - #6733
3.2.275 - 2024-10-30
- arm: Add arm definition context - #6801
- cloudformation: change parse log level - #6794
- general: pipenv==2024.0.3 - #6803
- secrets: omit all secrets value in line - #6802
- terraform: Security group attached to aws_mskconnect_connector is not recognized - #6780
3.2.271 - 2024-10-29
- sca: add enableDotnetCpm env var to sca scan request - #6786
3.2.270 - 2024-10-28
3.2.269 - 2024-10-23
- terraform: Fix crash when version isn't a float - #6783
3.2.268 - 2024-10-20
- terraform_plan: Support after_unknown evaluation of complex attributes - #6784
3.2.267 - 2024-10-16
- no noteworthy changes
3.2.266 - 2024-10-15
- arm: unsupported module soft fail - #6775
3.2.262 - 2024-10-14
- helm: Remove helm target dir after scanning - #6767
- kubernetes: Handle non-sting params in command - #6768
3.2.258 - 2024-10-13
- terraform: Set timeout for parsing Terraform files with hcl2. - #6759
3.2.257 - 2024-10-06
- ansible: handle empty tasks - #6751
3.2.256 - 2024-10-01
- terraform: New checks - #6720
- general: Fix operator docs - #6735
- sca: add Pipfile and Pipfile.lock to supported package files list - #6746
- terraform: extend CKV2_AWS_5 to include DMS Serverless (#6628) - #6630
- terraform: Remove dataproc.admin from multiple checks - #6725
- terraform: Security group attached to an Elastic DocumentDB cluster is not recognized by check CKV2_AWS_5 - #6687
- general: update README.md - #6719
3.2.254 - 2024-09-15
- terraform: Added ssl_mode attribute support to CKV_GCP_6 - #6703
3.2.253 - 2024-09-12
- general: allow tool name field to be customised using cli arguments - #6692
- secrets: Change log level - #6716
- terraform: Add check for local user in storage - #6715
- terraform: Update CKV_AZURE_228 for automatic calculation - #6714
3.2.251 - 2024-09-11
- general: add severity metadata to custom policy - #6579
3.2.250 - 2024-09-10
- secrets: fix suppressions and duplications - #6710
3.2.249 - 2024-09-08
- secrets: fix suppression and duplication - #6701
- secrets: Revert suppression and duplication - #6708
- terraform: Fix foreach multi attributes in field - #6707
3.2.246 - 2024-09-05
- sast: add log level when running sast in windows - #6704
3.2.245 - 2024-09-04
- kubernetes: Add policy for git-sync code injection - #6694
- terraform_plan: add support for provider in tf_plan framework - #6690
3.2.242 - 2024-09-02
- general: add support for windows 10 for aiohttp - #6696
3.2.241 - 2024-09-01
- sast: remove the env var for Go - #6697
- secrets: add edge case for policy that looks like uuid - #6698
3.2.239 - 2024-08-29
- general: Add multiple checks to match runtime checks - #6680
3.2.238 - 2024-08-27
- terraform: add support for TF cloudsplaining evaluated_keys - #6677
- secrets: change logs form info to debug - #6685
3.2.236 - 2024-08-26
- no noteworthy changes
3.2.235 - 2024-08-21
- cloudformation: SAM Globals support with CloudFormation - #6657
3.2.234 - 2024-08-20
- sast: Adding support for sast in windows - #6638
- secrets: revert duplications suppressions for secrets - #6674
3.2.232 - 2024-08-19
- general: add try except to loads file - #6668
- secrets: duplications suppressions for secrets - #6665
3.2.230 - 2024-08-18
- general: Support multiple frameworks in custom policy - #6666
- general: revert support multiple frameworks in one custom policy - #6664
3.2.228 - 2024-08-15
- terraform: Add build policy to match run policy for API Method without Auth or API - #6637
- secrets: remove dups logic - #6655
- secrets: Revert remove dups - #6656
- terraform: Don't pass existed resources in non_exists resource checks - #6653
3.2.223 - 2024-08-13
3.2.221 - 2024-08-12
- terraform: evaluate resource with double underscore - #6642
3.2.219 - 2024-08-05
- general: support multiple frameworks in one custom policy - #6587
- terraform: Add run policy for RDS encryption in transit - #6631
- general: Add OpenTofu - #6627
3.2.217 - 2024-07-31
- no noteworthy changes
3.2.216 - 2024-07-30
- sast: Verify that all sast policies are parsed correctly - #6621
3.2.213 - 2024-07-29
- arm: ARM AppServiceInstanceMinimum - CKV_AZURE_212 - #6502
- terraform: - TF and CFN - Add a policy for ensuring AWS Bedrock Agent is encrypted with a CMK - #6603
- ansible: Fix CKV2_ANSIBLE_2 - #6610
- arm: Support upper and lower disabled for CKV_AZURE_189 - #6609
- dockerfile: Fix edge case with apt in domain - #6611
- terraform_plan: Fix parsing other types of provisioners - #6606
- terraform: add condition for CKV_AWS_353 - #6607
- terraform: catch unknowns with WAF configs - #6612
- terraform: Handle default for CKV_GCP_76 - #6608
3.2.209 - 2024-07-28
- cloudformation: Enrich cloudsplaining eval keys - #6602
- general: add --repo-id to relevant examples with API key - #6605
3.2.208 - 2024-07-25
- general: filter resource by provider for all resources types - #6598
- secrets: add CKV_SECRET_192 to GENERIC_PRIVATE_KEY_CHECK_IDS - #6600
- terraform: Update ckv-aws-8 policy - support unknown statement - #6596
- terraform: Fix resource type for CKV_AZURE_242 - #6599
- general: handle multiple values for the same metadata filter - #6604
3.2.204 - 2024-07-24
- arm: add CKV_AZURE_191 to ensure that Managed identity provider is enabled for Azure Event Grid Topic - #6496
- sast: BCE-36172 fix cdk policies - #6588
3.2.201 - 2024-07-23
- terraform: add 14 rules for tencentcloud provider - #6448
3.2.199 - 2024-07-22
- arm: add CKV_AZURE_87 to ensure that Azure Defender is set to On for Key Vault - #6418
- arm: ARM VnetSingleDNSServer - #6379
- secrets: Adding the option to prerun before multiline pattern executing - #6586
- secrets: If the prrun regex found but we already scanned file we already scann… - #6591
3.2.196 - 2024-07-21
- general: Add metadata exception filter to GHA - #6583
- general: Refactor all resource type handling in Checkov - #6572
3.2.194 - 2024-07-18
- arm: AKSEncryptionAtHostEnable - #6575
- arm: AKSEphemeralOSDisks - #6578
- arm: CKV_AZURE_92 to Ensure that Virtual Machines use managed disks - #6455
- arm: FrontDoorWAFACLCVE202144228 - Mitigates the Log4j2 vulnerability CVE-2021-44228. - #6419
- general: fix the right numbers in TestSkipJsonRegexPattern - #6580
- terraform: Fix title of CKV_AZURE_238 - #6570
3.2.193 - 2024-07-17
- terraform: fix failures of no caller on definition context - #6573
- terraform: TFPlan + TF fixes for google_project_iam_policy + google_iam_policy - #6577
3.2.191 - 2024-07-16
- general: fix sca unit tests for python 3.12 - #6574
3.2.190 - 2024-07-15
- no noteworthy changes
3.2.189 - 2024-07-14
- arm: add CKV_AZURE_169 to ensure that AKS use the Paid Sku for its SLA - #6545
- arm: add CKV_AZURE_177 to ensure that Windows VM enables automatic updates - #6484
- cloudformation: Update audit_logs valid values - #6566
3.2.186 - 2024-07-11
- azure: add new policies for Azure Synapse (tf and arm) - #6554
- bicep: support bicep custom policy - #6561
- arm: CKV_AZURE_56 just for authsettingsV2 name - #6557
- secrets: filter secrets that have vault: in them - #6565
3.2.183 - 2024-07-10
- terraform_plan: support tf_plan after_unknown enrichment - #6517
- secrets: small fix for filtering - #6562
- general: pass repo ID to runconfig - #6560
3.2.179 - 2024-07-09
- arm: add CKV_AZURE_206 to ensure that Storage Accounts use replication - #6524
- arm: BCE-33785 Support Azure Synapse Analytics policies - #6513
3.2.177 - 2024-07-08
- sast: fix cdk policies - #6552
3.2.175 - 2024-07-07
- arm: AzureSearchSQLQueryUpdates - #6543
3.2.174 - 2024-07-04
- arm: add CKV_AZURE_172 to ensure autorotation of Secrets Store CSI Driver secrets for AKS clusters - #6533
- arm: add CKV_AZURE_173 to ensure that API management uses at least TLS 1.2 - #6478
- arm: AppServicePlanZoneRedundant - #6472
- arm: AzureSearchSLAIndex - #6530
- arm: SQLDatabaseZoneRedundant - #6515
- azure: add new policies for Azure Synapse - #6520
- general: update detect secrets package - #6535
3.2.171 - 2024-07-03
- arm: add CKV_AZURE_171 to ensure that AKS cluster upgrade channel is chosen - #6532
- arm: add CKV_AZURE_175 to ensure that Web PubSub uses a SKU with an SLA - #6523
- arm: add CKV_AZURE_178 to ensure that linux VM enables SSH with keys for secure communication - #6486
- arm: add CKV_AZURE_85 to ensure that Azure Defender is set to On for Kubernetes - #6279
- arm: CKV_AZURE_99 to Ensure Cosmos DB accounts have restricted access - #6498
- arm: DataFactoryNoPublicNetworkAccess - #6479
- arm: DataLakeStoreEncryption - #6516
- arm: EventHubNamespaceMinTLS12 - #6485
- openapi: [CKV_OPENAPI_3] Prevent false-positive when checking for http+!basic - #6406
- terraform_json: support locals block in CDKTF output - #6452
- terraform: Deprecate CKV2_AWS_67 - #6529
3.2.164 - 2024-07-02
- general: Add Python note - #6521
3.2.163 - 2024-07-01
- arm: add CKV_AZURE_174 to ensure that API management public access is disabled - #6480
- arm: AppServicePHPVersion - #6436
- arm: AppServicePublicAccessDisabled - #6467
- arm: KeyVaultEnablesPurgeProtection - #6465
- arm: PubsubSpecifyIdentity - #6483
3.2.159 - 2024-06-30
- arm: fix CKV_AZURE_78:
siteConfigobject should be underproperties- #6477 - general: Mypy issues - #6510
- terraform: ignore comment out modules - #6507
3.2.156 - 2024-06-27
- arm: add CKV_AZURE_129 Ensure that MariaDB server enables geo-redundant backups - #6427
- arm: add CKV_AZURE_137 Ensure ACR admin account is disabled - #6430
- arm: add CKV_AZURE_139 Ensure ACR set to disable public networking - #6428
- arm: add CKV_AZURE_166 Ensure container image quarantine, scan, and mark images verified - #6431
- arm: add CKV_AZURE_168 to ensure that Azure Kubernetes Cluster (AKS) nodes should use a minimum number of 50 pods - #6385
- arm: add CKV_AZURE_45 to ensure that no sensitive credentials are exposed in VM custom_data - #6422
- arm: add CKV_AZURE_70 to ensure that Function apps is only accessible over HTTPS - #6457
- arm: ARM AppServiceSlotDebugDisabled - CKV_AZURE_155 - #6453
- arm: ARM AppServiceSlotHTTPSOnly - #6454
- arm: ARM VnetLocalDNS - #6424
- arm: PostgressSQLGeoBackupEnabled - #6456
- arm: StorageAccountName - #6426
- secrets: dont filter secrets - #6508
- azure: fix description of CKV_AZURE_236 - #6503
- kubernetes: Fix CKV_K8S_31 for CronJobs - #6506
- sca: fix parsing json with comments - #6509
- terraform: CKV_AWS_339 add Kubernetes 1.30 to AWS EKS version checks - #6353
- terraform: remove print from CKV_AWS_364 - #6504
3.2.145 - 2024-06-25
- general: Note for feature requests - #6497
3.2.144 - 2024-06-23
- kubernetes: ensure seccompProfile is set to RuntimeDefault for all containers in deployments and similar resources - #6459
- terraform: Add more conditions for CKV_AWS_70 - #6464
3.2.141 - 2024-06-19
- secrets: dedup secrets history values - #6462
3.2.140 - 2024-06-18
- azure: fix ckv_azure_189 according to docs - #6413
- sca: Support parsing json with comments - #6466
- general: fix pre-commit link - #6433
3.2.138 - 2024-06-17
- graph: support creation of resource type allow/deny lists - #6451
- terraform: Fix name of CKV2_AWS_67 to be more clear - #6434
- terraform: Fix when apt is in rm statement - #6437
- terraform: Update CKV_AWS_224 title - #6435
3.2.136 - 2024-06-13
- arm: Correct AzureMLWorkspacePrivateEndpoint rule check logic - #6432
- general: removed references Putin references - #6445
3.2.133 - 2024-06-10
- general: add AI_AND_ML to CheckCategories - #6423
- sast: Update CKV IDs for CDK policies - #6415
3.2.130 - 2024-06-09
- arm: add CKV_AZURE_135 to ensure Application Gateway WAF prevents message lookup in Log4j2. - #6364
- arm: add CKV_AZURE_140 to ensure that Local Authentication is disabled on CosmosDB - #6329
- arm: add CKV_AZURE_163 Enable vulnerability scanning for container images - #6339
- arm: add MariaDbPublicAccessDisabled convert policy to arm - #6246
- arm: AKSLocalAdminDisabled - #6334
- arm: AppServiceFTPSState - #6363
- arm: AzureServiceFabricClusterProtectionLevel - #6366
- arm: ensure ACR disables anonymous pulling of images (CKV_AZURE_138) - #6373
- arm: KeyVaultDisablesPublicNetworkAccess - #6342
- arm: PostgreSQLServerPublicAccessDisabled - #6330
- terraform: extract image referencers for AWS SageMaker - #6408
- ansible: add dict check in create_tasks_vertices - #6417
3.2.128 - 2024-06-06
- azure: drop support for dotnet v7.0 - #6383
- general: Image Referencer should not run for CI workflow files - #6386
- secrets: Add _prioritise_secrets by 3 levels of severity - #6390
- terraform: add 5 policies - #6401
- terraform: add 6 policies - #6396
- terraform: add fix for ckv_aws_300 - #6404
- terraform: add fix for not contains solver - #6389
- ansible: filter conf if its int or float - #6409
- general: add try except gihub_action read file - #6411
- general: bitbucket integration test failure - #6407
- general: CKV2_AZURE_50 generates false positive azurerm_storage_account violations - #6391
- sast: add log for sast on windows - #6397
3.2.125 - 2024-06-03
- arm: Add check for AzureML workspace not configured with private endpoint - #6387
3.2.124 - 2024-06-02
- azure: Add policy to ensure proper AzureML Workspace network access - #6362
- azure: Ensure Azure Storage Account storing Machine Learning workspace high business impact data is not publicly accessible - #6368
3.2.122 - 2024-06-01
- arm: AppServicePythonVersion - 82 check the 'python version' is the latest, if used to run the web app - #6282
3.2.121 - 2024-05-31
- terraform: AWS SageMaker notebook instance KMS Key - #6374
- terraform: CognitiveServicesConfigureIdentity - new check - #6378
- terraform: Ensure that Cognitive Services accounts enable local authentication - new check - #6377
3.2.119 - 2024-05-30
- arm: add FunctionAppsEnableAuthentication - Checking if a certain field exists - #6250
- terraform: Add more conditions to CKV_AWS_70 - #6371
- terraform: Added the CKV2_AWS_68 Check for TF and CFN - #6369
- ansible: set task as ansible vertices config - #6376
- terraform: for_each/count attribute wasn't rendering if referencing a dynamic variable of a higher level module - #6372
3.2.112 - 2024-05-29
- terraform: Add provider address to resources - #6266
- terraform: Support for count & for_each in data blocks - #6359
- terraform: Fix an issue for loading tfvars + issue in the dynamic rendering - #6360
3.2.108 - 2024-05-26
- sast: don't scan hidden files - #6349
3.2.107 - 2024-05-24
- terraform: Handle registry modules with a version in CKF_TF_2 - #6354
3.2.106 - 2024-05-23
- arm: Ensure Databricks Workspace data plane to control plane co… - #6319
- general: TF and ARM - Ensure that Databricks Workspaces enable… - #6313
- secrets: Bump detect-secrets - #6346
3.2.105 - 2024-05-22
- arm: add AppServiceJavaVersion - #6258
- arm: add CKV_AZURE_145 to check that the function app uses the latest version of TLS encryption - #6323
- arm: add CKV_AZURE_218 to ensure that Application Gateway defines secure protocols for in transit communicationApp gw defines secure protocols - #6320
- arm: add CKV_AZURE_54 to ensure Enforce a minimal Tls version for the server - #6270
- arm: add CKV_AZURE_71 to Ensure that Managed identity provider is enabled for web apps - #6272
- arm: add CKV_AZURE_72 to ensure that remote debugging is not enabled for app services - #6281
- arm: AzureDefenderOStorage - #6269
- arm: MySQLPublicAccessDisabled-Azure MySQL: Restrict Public Access - #6263
- arm: StorageSyncPublicAccessDisabled - #6331
- secrets: eliminate false positives in entropy keyword combinator detector - #6327
3.2.100 - 2024-05-21
3.2.98 - 2024-05-20
- terraform: Remove invalid CIDRs in CKV2_AWS_44 - #6301
3.2.97 - 2024-05-19
- arm: add CKV_AZURE_73 to ensure that Automation account variables are encrypted - #6271
- arm: add CKV_AZURE_76 to ensure that Azure Batch account uses key vault to encrypt data - #6280
- arm: add FunctionAppDisallowCORS - password correctness check - #6248
- arm: ARM FunctionAppHttpVersionLatest policy - #6244
- arm: CKV_AZURE_74 to Ensure that Azure Data Explorer (Kusto) uses disk encryption - #6273
- arm: MSSQLServerMinTLSVersion - #6245
3.2.95 - 2024-05-17
- terraform: handle module source tag ref when it is not the first parameter - #6314
3.2.94 - 2024-05-16
- sast: fix random test sast js - #6315
- general: Double-Encode URI for RelayState Parameter - #6302
3.2.92 - 2024-05-15
- secrets: secret_filter_block_list filter by file name and suffixes - #6285
- secrets: secret_filter_block_list filter by file name and suffixes 2 - #6306
- general: Fix policy.name to use the spaces as specified on CLI. - #6296
3.2.91 - 2024-05-12
- secrets: bump bc-detect-secrets to 1.5.10 - #6297
3.2.90 - 2024-05-09
- ansible: fix ansible definitions raw type - #6292
- ansible: add set definitions raw to ansible runner - #6286
- general: Handle SAST suppressions (suppressions V2) - #6109
- general: add RENDER_EDGES_DUPLICATE_ITER_COUNT to docs - #6291
- general: Update README links for PyPi - #6231
3.2.85 - 2024-05-08
- ansible: add missing arg to ansible runner - #6276
3.2.84 - 2024-05-07
- sast: Enable cdk ts integraion test - #6158
3.2.82 - 2024-05-06
- github: add summary message in github_failed_only output - #6131
- sast: add ts checks to python pack - #6261
- sast: run all cdk integration test - #6256
- general: fix changed serif path - #6251
3.2.79 - 2024-05-02
- sast: Add 10 TS CDK - #6194
- sast: add typescript - DONT MERGE - #6193
- sast: Filter js files generate by ts - #6220
- secrets: bump bc-detect-secrets 1.5.9 - #6205
- terraform: Add GCP policy - #6177
- terraform: Add resource attributes to jsonify - #6203
- terraform: Ensure dedicated data endpoints are enabled - #6188
- terraform: support provider in tf_plan graph - #6195
- terraform: Update CloudArmorWAFACLCVE202144228.py - #6217
- general: add print to random test - #6229
- general: fix integration test in build - #6227
- general: fix integration tests - #6207
- kubernetes: Update checkov-job.yaml - #5985
- sca: remove old test for the depracated workflow github-action - #6232
- terraform_plan: Edges not created because of indexing in resource["address"] when resources in modules use count - #6145
- terraform: CKV_AWS_23 rule description fixed for clarity - #5993
- terraform: Fix CKV_AWS_358 to handle plan files - #6202
- ansible: add create_definitions function for ansible framework - #6225
3.2.74 - 2024-04-22
- general: Update range includes to handle lists of ranges and lists of values - #6192
3.2.73 - 2024-04-21
- sast: TypeScript cdk policies p7 - #6186
3.2.72 - 2024-04-19
- bicep: Add bicep version of policy - #6191
3.2.71 - 2024-04-18
- sca: support licenses custom policies enforcement rules - #6173
3.2.70 - 2024-04-17
- sast: Add 5 cdk for TS - #6179
- sast: fix skipped_checks paths before upload to the platform - #6183
3.2.68 - 2024-04-16
- sast: adding extended code block - #6178
- sca: using the new api license/get-licenses-violations instead of packages/get-licenses-violations (which is deprecated) - #6174
- sca: Revert "feat(sca): using the new api license/get-licenses-violations … - #6176
3.2.65 - 2024-04-15
- sast: save suppress_comment for sast inline suppressions - #6171
- secrets: Azure Storage Key detector updates in bc-detect-secrets 1.5.7 - #6168
3.2.63 - 2024-04-14
- sast: CDK TS policies p2 - #6165
3.2.60 - 2024-04-10
- terraform: Fix conditional expression evaluation logic with compare - #6160
- terraform: Fixed flaky test for CKV_AWS_356 - #6162
3.2.55 - 2024-04-08
- sast: Adding typescript cdk part 6 paz - #6149
- sca: enabling suppression in the cli-output for IR-files and dockerfiles - #6148
3.2.53 - 2024-04-03
- terraform: support s3 bucket name for references in graph - #6134
3.2.52 - 2024-04-03
- general: Update the releases' zip file names to be generic - #6141
3.2.51 - 2024-04-02
- general: add policy metadata filter exception flag - #6132
3.2.50 - 2024-03-31
- general: remove limitation of resource and provider in tf.json file - #6133
3.2.49 - 2024-03-28
- general: pin the version of schema to <=0.7.5 - #6125
3.2.47 - 2024-03-26
- secrets: bump manually bc-detect-secrets - #6120
- terraform: add fix for when tf_def is a string - #6121
3.2.45 - 2024-03-25
- terraform: fix for_each resource handling - #6119
3.2.44 - 2024-03-24
- sca: Fix suppression integration crashing if licenseTypes is missing - #6117
3.2.43 - 2024-03-21
- terraform: Fixed bug in evaluate_conditional_expression and added zipmap support - #6106
3.2.42 - 2024-03-20
- sast: support sast skipped checks - #6095
- secrets: ignore secret check in test file - #6105
- general: handle API errors with more detail - #6107
3.2.39 - 2024-03-17
- secrets: fix entropy detector FP - #6090
3.2.38 - 2024-03-14
- terraform: prevent side effects when updating variable rendering - #6087
3.2.37 - 2024-03-13
- terraform: connect module resource to provider - #6083
3.2.36 - 2024-03-12
- gha: make sure to have prisma url - #6084
3.2.35 - 2024-03-11
- general: add policy name and guidelines to CSV output - #6082
- sast: add attribute verification - #6078
3.2.34 - 2024-03-10
- terraform: Dont duplicate more vertices than needed for nested modules with large count/for each values + used cache to avoid extensive usage of os.path.realpath to drastically improve performance - #6072
3.2.33 - 2024-03-08
- general: improve upload failure logging and log size of failed files - #6076
3.2.32 - 2024-03-06
- sast: do not log warning when using skip framework - #6066
3.2.31 - 2024-03-04
- terraform: better handling of interpolation rendering in conditional expressions - #6062
- terraform: Changed a couple of checks from negative to positive check, behavior is the same - #6063
3.2.28 - 2024-02-28
- sca: handling unknown severity - #6055
- terraform: Add Condition exceptions CKV_AWS_70 - #6044
- terraform: Add k8s 1.29 to CKV_AWS_339 - #6056
3.2.26 - 2024-02-26
- sast: fetch sast custom policieis - #6040
3.2.25 - 2024-02-25
- terraform: Added support for
tryfunction in evaluate_terraform - #6043
3.2.24 - 2024-02-22
- cloudformation: add CFN policies for MSK - #6021
3.2.23 - 2024-02-21
- terraform: support vertex reference based on foreach key - #6039
3.2.22 - 2024-02-18
- terraform: CKV_AWS_308 - checked if caching was enabled and only then check for encryption of cache - #6034
3.2.21 - 2024-02-14
- sast: fix cdk checks path - #6029
3.2.20 - 2024-02-11
- graph: remove SCA runner v1 - re-enable - #6024
3.2.19 - 2024-02-08
3.2.17 - 2024-02-07
- general: downgrade botocore dependency - #6016
- graph: remove SCA runner v1 - #6005
- terraform: Deleted deprecated check CKV_GCP_19 - #6010
3.2.12 - 2024-02-06
3.2.8 - 2024-02-05
- secrets: bump bc-detect-secrets to version 1.5.4 - #5998
3.2.7 - 2024-02-04
- azure: create arm check StorageAccountMinimumTlsVersion CKV_AZURE_236 - #5986
- sast: add dataflow to output - #5987
- terraform: Correctly relace foreach_value inside _update_attributes for complex cases - #5994
3.2.3 - 2024-01-31
- terraform: find explicit lockout fail actions for s3 - #5943
3.2.2 - 2024-01-30
- sca: persist support logs for sub processes - #5988
3.2.1 - 2024-01-29
- sast: summarize errors - #5977
3.2.0 - 2024-01-28
- terraform: and cdk/cloudformation: inconsistent naming of AWS resources in checks - #5966
- general: remove igraph - #5781
3.1.70 - 2024-01-24
- terraform: Manually fixed test for loading terraform registry to be with commit hash instead of version tag - #5971
3.1.69 - 2024-01-22
- sast: replaced TBD with owasp and removed "sast engine" - #5959
- terraform: External module test - #5963
3.1.67 - 2024-01-18
- sast: Add policies to executable - #5955
3.1.66 - 2024-01-17
- general: Change SAST enforcement rule to weaknesses - #5950
- general: handle weaknesses rename - #5954
3.1.63 - 2024-01-16
- sast: Fix serialize for sast report with taint mode - #5949
3.1.61 - 2024-01-15
- general: allow colorama version >=0.4.3,<0.5.0 in setup - #5944
3.1.60 - 2024-01-14
- sast: fix relative paths in sast cdk reports - #5932
- sast: fix sast cdk code location paths - #5938
- terraform: CKV_GCP_79 Upgrade CloudSQL SQLSERVER major version to 2022 - #5936
- terraform: Improved bad performance pathlib check - #5939
3.1.57 - 2024-01-10
- general: fix multiprocess abilities - #5887
- general: fixing hidden dependencies & state breaking tests - #5911
- general: Reenabling cdk-integration-tests - #5922
3.1.55 - 2024-01-08
- terraform: Support "pass_prefix_list" for SG ingress rules correctly - #5918
3.1.54 - 2024-01-05
- general: temporary disable runtime config - #5921
3.1.53 - 2024-01-04
- terraform: node pools should be configured separately from a cl… - #5916
- terraform: handle no action in aws_dlm_lifecycle_policy - #5905
3.1.51 - 2024-01-03
- no noteworthy changes
3.1.50 - 2023-12-31
- sast: Add sast metadata to sast report - #5910
- terraform: Add various vertex related policies - #5898
3.1.46 - 2023-12-28
- terraform: CLI output - add indication if repository was discovered In a running environment - #5908
- sast: add missing field in MatchMetadata - #5907
3.1.44 - 2023-12-26
- sast: add dataflow to checkov report from sast - #5892
3.1.43 - 2023-12-24
- terraform: add CKV2_AZURE_47, ensure storage account is configured without blob anonymous access - #5888
- terraform: Ensure SES Configuration Set enforces TLS usage - #5891
- terraform: pod security policy removed in GKE 1.25 - #5675
3.1.42 - 2023-12-22
- sast: Split sast and cdk reports - #5889
- terraform: Fix CKV_Azure_234 - #5886
3.1.40 - 2023-12-19
- terraform_plan: Add PY graph checks for tf plan - #5875
- terraform: Remove CKV_AWS_188 as dupe - #5884
3.1.38 - 2023-12-13
- sast: add integration test platform report - #5856
- sast: python Cdk policies batch 3 - #5820
- sast: python Cdk policies batch 4 - #5857
- sast: add save local sast report to run integration script - #5863
3.1.34 - 2023-12-12
- terraform: Used parallel run to run all split_graph iterations - #5840
3.1.33 - 2023-12-11
- general: anchor cyclonedx to last non breaking version - #5846
- general: Revert pipfile lock changes - #5848
- sast: add back commented checks - #5851
- sast: fix reachability with no regular matches - #5847
- sca: not printing reachability data for lines without cves - #5849
3.1.29 - 2023-12-10
- terraform: fix for check VPCPeeringRouteTableOverlyPermissive and add tests - #5837
- sast: fix sast report format - #5811
3.1.27 - 2023-12-07
- secrets: used 10 characters in secret violation - #5835
3.1.26 - 2023-12-06
- general: check both path types for suppression - #5834
- terraform: Fix range issue in OCI RDP check - #5832
3.1.24 - 2023-12-05
- sca: Update the log level of specific logs - #5828
- terraform: CKV_GCP_26 Added additional google_compute_subnetwork purposes that do not support flow logs - #5812
- terraform: Fix CKV_GCP_30 for unknown service account - #5818
- terraform: Fixed to_dict of terraform block regarding source_module_object - #5822
3.1.21 - 2023-12-04
- ansible: add CKV_PAN_17 - Check for src and dst zone any - #5803
- sast: sast enabled from integration - #5780
- terraform: Adding Python based build time policies for corresponding PC runtime policies - #5762
- terraform: Adding YAML based build time policies for corresponding PC runtime policies - #5810
3.1.20 - 2023-11-30
- general: handle the updated on prem response from the platform - #5809
3.1.19 - 2023-11-29
- sca: Using alias data from assets.json for giving Package Used indication for aliased packages - #5808
3.1.18 - 2023-11-28
- terraform: Add source_module_object to blocks from_dict func - #5806
3.1.17 - 2023-11-27
- ansible: PAN-OS IPsec checks - #5802
3.1.15 - 2023-11-26
- ansible: add CKV_PAN_16 PAN-OS BPA Check for session log at start - #5794
- sast: Add alias data to imports assets - #5788
- bicep: Update AppServiceHttps20Enabled to consider newer ApiVersion - #5795
3.1.11 - 2023-11-23
- general: Policy metadata API fixes - #5761
3.1.9 - 2023-11-21
- gha: Update GitHub Actions Workflow Schema #5742 - #5759
- terraform_plan: load terraform registry checks when using terraform plan - #5778
- terraform: Ensure HTTPS in Azure Function App and App Slots - #5766
- general: do not display an auth error when the runconfig endpoint returns a 500 - #5779
3.1.4 - 2023-11-20
- general: set default parallelization type to spawn and leverage Terraform downloaded module by default - #5760
- terraform: Ensure ACR is zone-redundant - #5748
- general: Revert parallelization commit - #5777
- sast: remove SAST frameworks for OSS users - #5773
- secrets: don't reinitialize the upload client without API key usage - #5771
- general: properly escape CLI flags in the CLI command docs - #5768
3.0.40 - 2023-11-19
- terraform_plan: TF plan resources connection fix - #5767
3.0.38 - 2023-11-16
- terraform: Adding YAML based build time policies for corresponding PC runtime policies - #5714
3.0.37 - 2023-11-15
- terraform: fix valid value for aws keyspaces_table encryption_specification type - #5756
3.0.36 - 2023-11-14
- terraform: check min TLS version also on azure app slots - #5753
3.0.34 - 2023-11-12
- general: add possibility to change parallelization type - #5737
- cloudformation: ignore unresolved references in CKV_AWS_45 - #5747
3.0.32 - 2023-11-09
- sast: Python cdk policies batch 2 - #5725
- general: add option to pass
--skip-downloadwith github-action - #5734
- general: print the log upload location if the --support flag is used - #5738
3.0.28 - 2023-11-08
- terraform: Adding both azurerm_linux_web_app_slot & azurerm_windows_web_app_slot in scope of the test CKV_AZURE_153 - #5687
- general: Switch references to Bridgecrew with Prisma Cloud - #5704
3.0.25 - 2023-11-07
- general: do not require a repo ID when using an API key and --list - #5726
3.0.24 - 2023-11-06
- sast: add new python CDK policies - #5706
- terraform: Ensure that only critical system pods run on system nodes - #5665
3.0.21 - 2023-11-05
- terraform: Ensure App Service Environment is zone redundant - #5662
- terraform: Ensure that Standard Replication is enabled - #5649
- sca: Setting only relevant cves for the extracted reachable functions with risk factor of ReachableFunction as True - #5715
- terraform: CKV_AWS_208 valid Amazon MQ versions - #5653
3.0.19 - 2023-11-02
- sca: adjusting the cli-output to support indicating of reachable functions - #5713
- terraform: Adding YAML based build time policies for corresponding PC runtime policies - #5637
- terraform: bigtable deletion protection [depends on #5625] - #5626
- terraform: drop and deletion checks for spanner - #5625
- sast: add cveid to reachability report - #5708
3.0.16 - 2023-11-01
- sca: Extending reachability post-runner in checkov and enriching cves with ReachableFunction data - #5707
3.0.15 - 2023-10-31
- general: fix duplicate components in CycloneDX report - #5705
3.0.14 - 2023-10-30
- general: address python 3.12 SyntaxWarning - #5699
- terraform: fix variable rendering for foreach resources with dot included names - #5701
3.0.13 - 2023-10-29
- sast: comment out SAST JS integration test - #5697
3.0.12 - 2023-10-26
- general: Fix sast & cdk integration tests - #5688
- sast: Adding exit code in sast integration test - #5690
- sast: adjust SAST file pattern search - #5694
- sast: fix sast reachability report format - #5686
- terraform: Fixing the typo within the name of the Terraform check CKV_AZURE_158 - #5696
- general: Do not crash the run if S3 integration fails during setup, upload, or finalize - #5691
3.0.7 - 2023-10-25
- secrets: fix secret FP of client_secret_setting_name - #5679
- general: Add SAST enforcement rules and check severity thresholds - #5684
- general: do not get fixes for on prem integrations - #5668
3.0.4 - 2023-10-24
- general: remove level up flow - #5677
- general: remove multi_signature and adjust base check classes - #5645
- general: v3 release - #5681
- sast: fix error logs coming from SAST - #5685
- general: add BC token deprecation notice and v3 migration guide - #5644
2.5.18 - 2023-10-22
- general: Adds GHA support for skip-frameworks, skip-cve-package & output-bc-ids flags - #5619
- terraform: Ensure that the SQL database is zone-redundant - #5540
- terraform: Ensure the Azure Event Hub Namespace is zone redundant - #5538
- bicep: enforce encryption flag to be string for CKV_AZURE_97 - #5669
- terraform_plan: Add provisioners to TF Plan parser - #5622
2.5.15 - 2023-10-19
- terraform: Support for merge func inside jsondecode - #5656
- sca: make the abs path to be correcnt - #5660
2.5.13 - 2023-10-18
- arm: implement CKV_AZURE_103 for ARM - #5527
- arm: implement CKV_AZURE_96 for ARM - #5506
- arm: implement CKV_AZURE_97 for ARM - #5515
- terraform: Added a check to make sure dynamic "blocks" are of the expected type - #5642
- terraform: update CKV_AWS_339 valid EKS versions - #5652
2.5.11 - 2023-10-17
- sca: giving file path on relative the the current dir for cases there is no either specified root_folder and the is no repo scan dir - #5654
2.5.10 - 2023-10-16
- terraform: support scanning of Terraform managed modules instead of downloading them - #5635
- terraform: Fixing issues with checks CKV_AZURE_226 & CKV_AZURE_227 - #5638
2.5.9 - 2023-10-15
- sca: support case where there are no cves suppressions - #5636
2.5.8 - 2023-10-12
- general: Remove code upload for on-prem integrations - #5624
2.5.6 - 2023-10-05
- terraform_plan: add azurerm_portal_dashboard to jsonify list - #5618
- terraform: check if the dynamic name is one of the resources block - #5607
2.5.3 - 2023-10-04
- general: remove Python 3.7 - #5605
- graph: remove CHECKOV_CREATE_GRAPH env var to control graph creation - #5606
- dockerfile: fix Docker image scan - #5617
- openapi: Take into account that security is at the root level of your OpenAPI specification. - #5603
- terraform: stop CKV_GCP_43 crashing when not a string - #5561
2.4.61 - 2023-10-03
- terraform: fix upload resource_subgraph_maps - #5615
- terraform: Upload resource subgraph map - #5612
2.4.59 - 2023-10-02
- terraform: fix in subgraphs uploads - #5610
2.4.58 - 2023-10-01
- terraform: upload tf sub graphs - #5596
2.4.57 - 2023-09-29
- terraform: Ensure ephemeral disks are used for OS disks - #5584
- terraform: Ensure that App Service plan is zone redundant - #5577
- terraform: Ensure that the AKS cluster encrypt temp disks, caches, and data flows between Compute and Storage resources - #5588
2.4.55 - 2023-09-28
- general: Add image referencer rustworkx support - #5564
- general: Add rustworkx support - #5595
- terraform: Adding 2 new AWS policies - #5599
- terraform: simply IMDSv2 checks - #5601
2.4.51 - 2023-09-27
- terraform: Adding missing null checks - #5589
2.4.50 - 2023-09-26
2.4.48 - 2023-09-21
- general: expose retry and timeout configuration for interaction with the platform - #5585
2.4.47 - 2023-09-20
- sca: creating alias mapping for javascript - #5567
- sca: creating alias mapping for javascript - #5582
- sca: revert creating alias mapping for javascript - #5581
- general: fix print to encode in windows - #5572
- terraform: Nested source_module_objects with missing foreach key - #5580
2.4.39 - 2023-09-14
- arm: implement CKV2_AZURE_27 for arm - #5534
- terraform: Add new policy for deprecated runtimes - #5555
- terraform: Ensure Event Hub Namespace uses at least TLS 1.2 - #5535
- terraform: Ensure that the Ledger feature is enabled on database that requires cryptographic proof and nonrepudiation of data integrity - #5541
2.4.36 - 2023-09-13
- general: add rustworkx - #5511
- terraform: Module from_dict func to static func - #5562
2.4.33 - 2023-09-12
- general: attempt to fix overload in loaders and add tests - #5549
- general: remove 3.7 integ. test - #5556
- general: remove line to force code change - #5558
- terraform: add check Neptune DB clusters should be configured to copy tags to snapshots - #5552
- terraform: add CKV_AWS_361 to ensure Neptune DB cluster has adequate backup retention - #5548
- terraform: Fix external_modules_source_map serialization - #5546
2.4.32 - 2023-09-10
- terraform: add check for Neptune DB clusters IAM database auth enabled - #5545
- terraform: add CKV_AWS_360 to ensure backup retention period on AWS Document DB - #5547
2.4.30 - 2023-09-07
- terraform: add public network checks for Azure Function and Web Apps - #5533
2.4.29 - 2023-09-06
- arm: Implement CKV_AZURE_111 in ARM - #5528
- arm: implement CKV_AZURE_134 for ARM - #5518
- arm: implement CKV_AZURE_160 for arm - #5526
- arm: implement CKV_AZURE_89 for ARM - #5529
- terraform: CKV_AWS_208 bug fix - #5512
2.4.27 - 2023-09-05
2.4.25 - 2023-09-03
- arm: Implement CKV_AZURE_101 for ARM - #5516
- arm: implement CKV_AZURE_107 for arm - #5514
- arm: implement CKV_AZURE_113 for ARM - #5510
2.4.22 - 2023-08-31
- arm: implement CKV_AZURE_112 for arm - #5507
- arm: implement CKV_AZURE_40 for ARM - #5499
- arm: implement CKV_AZURE_58 for ARM - #5497
- arm: implement CKV_AZURE_94 for arm - #5508
- helm: Changed error message to failure to better differentiate problems - #5517
- terraform_json: correctly parse data blocks in Terraform JSON - #5509
- terraform: continue processing of TF modules in the same file - #5503
- terraform: fix error type - #5513
2.4.18 - 2023-08-30
- arm: implement CKV_AZURE_100 for arm - #5490
- arm: implement CKV_AZURE_114 for arm - #5489
- arm: implement CKV_AZURE_130 for arm - #5485
- arm: implement CKV_AZURE_151 for arm - #5484
- arm: correctly handle json files with comments and output parsing errors - #5495
2.4.14 - 2023-08-27
- arm: CKV_AZURE_66 implement config logging check for arm - #5464
- arm: convert CKV_AZURE_65 to arm - #5467
- arm: Implement CKV_AZURE_109 in arm - #5483
- arm: implement CKV_AZURE_63 for arm - #5475
- arm: implement CKV_AZURE_80 in arm - #5476
- secrets: fix resource in git history scan - #5482
- terraform: extend CKV2_AWS_5 to include aws_appstream_fleet (#5487) - #5491
2.4.10 - 2023-08-24
- arm: migrate check CKV_AZURE_50 to arm - #5453
- arm: translate tf CKV_AZURE_93 check to arm - #5450
- kubernetes: Added new endpoint for both helm and kustomize - #5481
2.4.7 - 2023-08-23
- secrets: handle non iac secrets FP - #5478
2.4.6 - 2023-08-22
- terraform: Replaced / with os.pathsep to support windows better in terraform runner - #5473
- terraform: make jq default - #5462
2.4.5 - 2023-08-21
- terraform: Fix for-each/count updating inner for each index for every child resource - #5463
2.4.4 - 2023-08-20
- sca: Filter IR FW upload results by supportedIrFw list - #5448
2.4.2 - 2023-08-17
- dockerfile: Add CKV2_DOCKER_17 for chpasswd - #5441
- kustomize: Fix kustomize ignoring external policy dir command line options - #5436
2.4.1 - 2023-08-16
- terraform: Remove old tf parser - #5420
- terraform: ensure TFModule is created properly in definition context - #5446
2.3.365 - 2023-08-14
- terraform: Removed most usages of enable_nested_modules - #5415
2.3.364 - 2023-08-13
- sca: update spdx-tools dep to version 0.8.0 and lower bound it - #5431
- terraform: Add address field on vertices even if render_variables is set to False - #5434
- terraform: add new attached resource possibility to CKV2_AWS_23 #5424 - #5429
- terraform: fix ordering issue in CKV_AWS_358 - #5425
2.3.361 - 2023-08-10
- arm: improve CKV_AZURE_24 check - #5427
2.3.360 - 2023-08-08
- general: Fix empty credentials file issue - #5421
2.3.358 - 2023-08-06
- secrets: Make non-entropy signatures take precedence over entropy signatures - #5412
- terraform: Remove DMS S3 check CKV_AWS_299 - #5413
2.3.356 - 2023-08-03
- terraform: Github Actions OIDC trust policy check - #5402
2.3.354 - 2023-08-02
- general: allow
--var-fileto be passed as environment variable - #5406 - terraform: Add new policy to ensure AWS Transfer server only allows secure protocols - #5409
- general: remove obsolete run config fallback API call - #5404
- gha: Update setup-python version in GitHub Actions.md - #5393
2.3.351 - 2023-08-01
- terraform: new serialization methods for module and block - #5391
- terraform: pr for upgrade-checkov - #5400
2.3.349 - 2023-07-31
- terraform: add TFDefinitionKey to get_entity_context_and_evaluations - #5392
- terraform: consider new domain attribute in CKV2_AWS_19 - #5383
2.3.347 - 2023-07-27
- sca: support composer.json - #5382
- terraform: Use new function to create multi graph instead of single graph - #5375
- general: Implement SSO Relay State Parameter in Checkov Output Links - #5217
2.3.343 - 2023-07-26
- sca: fix package line numbers - #5376
- terraform: Fix CKV_AWS_104 to support new values - #5377
2.3.338 - 2023-07-23
- terraform: add new function to create module and definitions with tests - #5362
- terraform: GCP Ensure IAM Workload identity is restricted - #5369
- general: fix inline suppression collection inside lists - #5370
2.3.335 - 2023-07-20
- terraform: leverage read_file_with_any_encoding to safely look for modules - #5360
2.3.334 - 2023-07-19
- general: Add resource code filter to all checkov loggers - #5356
- general: Infrastructure for custom code logger filter - #5346
- kustomize: Avoid index error when calculating file path - #5357
2.3.331 - 2023-07-18
- openapi: Add CKV_OPENAPI_21 - #5268
- secrets: handle regex error in custom secrets gracefully - #5355
- general: update docs about installation guidelines - #5352
2.3.329 - 2023-07-17
- github: Add ability for External checks with git branch - #5337
- sca: add fix command and code for indirect deps - #5347
- kubernetes: No dups when extracting images - #5339
2.3.326 - 2023-07-16
- general: properly encode non supported chars in SARIF uri field - #5336
- sca: Add SCA skip comments to docs - #5330
2.3.324 - 2023-07-13
- kustomize: Added support for case where no parents are found for the relative fie path - #5332
- terraform: Update CKV2_AWS_12 for the new defaults - #5203
2.3.321 - 2023-07-13
- kustomize: Support child k8s resources inside kustomize origin annotations - #5328
2.3.320 - 2023-07-12
- kustomize: Checked for existence of caller_file_path in definitions_raw - #5324
- openapi: Fix ws for CKV_OPENAPI_20 - #5317
- terraform: CKV_AWS_342 - managed rules have predefined actions - #5322
2.3.318 - 2023-07-10
- general: support UTF-16 and other encodings in multiple frameworks - #5308
- kustomize: add back reverted kustomize annotations and update build github action to use github runners - #5316
- kustomize: Add origin annotations to calculate bases of kustomize checks - #5298
2.3.316 - 2023-07-09
- secrets: Improve the entropy keyword combinator secret scanner - #5307
- openapi: Fix CKV_OpenAPI_20 - #5302
- terraform: fix invalid value in CKV_AWS_304 - #5301
- terraform: support new field in CKV2_AWS_3 - #5304
2.3.314 - 2023-07-06
- dockerfile: add ARM build for K8s container image - #5293
- general: Add checkov.spec to enable PyInstaller - #5281
- terraform: remove CKV2_AZURE_18 check and improve CKV2_AZURE_1 - #5294
2.3.312 - 2023-07-05
- general: use sca inline suppressions - #5285
2.3.311 - 2023-07-04
- openapi: New OpenAPI check CKV_OPENAPI_20 - #5253
2.3.310 - 2023-07-02
- terraform: remove deprecated check CKV_GCP_67 - #5275
- general: Add csv to output - #5273
2.3.309 - 2023-06-29
- graph: add experimental debug output for graph check evaluation - #5257
- general: revert add composer files to supported package files - #5269
- general: add composer files to supported package files - #5263
2.3.306 - 2023-06-27
- terraform: add module check for commit hash revision usage - #5261
- openapi: add security definition type validation into CKV_OPENAPI_9 - #5262
- secrets: fix secrets omit crash when value is not string - #5260
- terraform: ignore local modules in CKV_TF_1 - #5264
2.3.303 - 2023-06-26
- arm: consider encryption property in CKV_AZURE_2 - #5254
2.3.302 - 2023-06-25
- terraform: add missing AWS RDS CA certificate identifiers for aws_db_instance resource - #5247
2.3.301 - 2023-06-22
- general: remove log from parallel common - #5244
- general: Fix local repo generated name if ends with / - #5243
2.3.299 - 2023-06-21
- terraform: ensure kms key policy is defined - #5235
- sca: fix wrongly invoked Image Referencer scanning when scanning a single file - #5237
- terraform_plan: add terraform plan vertices to terraform graph if not exist - #5230
2.3.296 - 2023-06-19
- dockerfile: negative
is_dockerfile()lookup on.dockerignoresuffix - #5219 - terraform: fix empty value issue for CKV_GIT_4 - #5222
- graph: add jsonpath custom policy example - #5221
2.3.294 - 2023-06-15
- gha: add skip_path flag to GHA and allow multiple values in var_file - #5213
- sca: add root package name and version to csv sbom - #5211
2.3.292 - 2023-06-14
- arm: Handle another structure for SQL retention policy - #5210
- secrets: limit line length for custom secrets - #5208
- terraform: Update GCP checks for plan files - #5197
2.3.289 - 2023-06-13
- sca: removing the using of the constant CHECKOV_DISPLAY_REGISTRY_URL - #5204
2.3.287 - 2023-06-11
- general: add checkov_diff pre-commit hook for scanning all changed files - #5192
- cloudformation: fix CKV_AWS_33 to consider deny statements - #5193
- general: Update pre-commit.md - #5190
2.3.285 - 2023-06-08
- arm: and bicep: Ensure that Azure Front Door uses WAF in "Detection" or "Prevention" modes CKV_AZURE_123 - #5049
- general: handle cloned checks filtered via labels - #5188
- terraform: adjust CKV_AZURE_6 to comply with new provider version - #5189
2.3.283 - 2023-06-07
- arm: Handle arm db servers 2021 05 01 - #5187
- terraform: Mark unresolved tf function calls as unresolved - #5186
- general: Add Enforcement CLI Command - #5185
2.3.281 - 2023-06-06
- terraform_plan: Expose field changes to python checks - #5112
- general: Check that the result is not None before extracting vars in cli multiprocess runs - #5183
- general: Correctly handle cli graphs in case we run with multiprocessing - #5177
2.3.278 - 2023-06-05
- kubernetes: dont' fail if spec is missing and default value is set to the fix value. - #5167
2.3.276 - 2023-06-04
- arm: ARM and bicep checks for CKV_AZURE_121 - #5029
- terraform: Ensure Application Gateway defines secure SSL protocols CKV_AZURE_217, 218 - #5027
- terraform: Ensure Azure firewall sets threatintelMode to Deny - #5013
- terraform: Ensure firewall defines a policy - #5038
- terraform: Ensure Firewall policy has IDPS mode as deny - #5039
- dockerfile: support platform flag in CKV_DOCKER_11 - #5170
- terraform: support condition in IAM policy data blocks - #5171
- terraform: Unable to download Terraform modules from JFrog Artifactory - #5155
2.3.273 - 2023-06-01
- ansible: add support of inline suppression for Ansible graph checks - #5143
- terraform: Use just AWS regex to check EC2Credentials - #5159
- cloudformation: fix evaluate_default_refs func in cfn - #5164
- general: fix SARIF output related to security-severity field - #5160
- terraform: adjust CKV_AWS_85 to only look for one log type to pass - #5162
- terraform: update latest major version of Postgres to v15 - #5163
- general: Add no upload flag and report contributors for all API key runs - #5052
2.3.267 - 2023-05-31
- kubernetes: fix extracting k8s nested resources - #5146
- sca: suppression - fix unit testing - #5158
- sca: suppression is not working on SCA packages - #5156
2.3.264 - 2023-05-30
- terraform: don't fail CKV_AWS_2 on un-rendered value - #5147
- terraform: Foreach support resources edges - #5145
- terraform: exclude unrestrictable actions in CKV_AWS_355 and CKV_AWS_356 - #5135
- general: Update operators with examples - #5137
2.3.261 - 2023-05-28
- general: Added computation of git_root_path to igraph serialization - #5107
- sca: adding validation for the file_line_number - #5132
- terraform: foreach remove error from info log. - #5139
- terraform: Should use UNKNOWN rather than skipped - #5136
2.3.259 - 2023-05-24
- terraform: extend CKV2_AWS_5 with new resources - #5129
- terraform: IAM limit resource access - #5015
- kustomize: fix empty kustomize file crash - #5131
- general: SBOM lines numbers adjusting - #5127
2.3.257 - 2023-05-23
- sca: adding the risk factor v2 to the vulnerability details - #5108
- sca: dockerfile image-referencer fixes - #5120
- secrets: Add new pre-commit hook for secrets - #5103
- terraform: add check to look at star resources - #4996
- gitlab: Skipping image blocks without name attribute - #5126
- terraform: fix terraform variable rendering for provider alias - #5124
- general: Enhancing Sarif output with Security Severity Level - #5074
2.3.251 - 2023-05-21
- secrets: add jwt detector to the secret runner - #5116
- terraform: Adding yaml based build time policies for corresponding PC runtime policies - #5089
- terraform: AWS Ensure RDS performance insights uses a CMK - #4985
- terraform: NACL should restrict port ingress - #4976
- terraform: RDS Enable Performance insights - #4983
- dockerfile: improve update searching in CKV_DOCKER_5 - #5115
- general: Update CLI Command Reference.md - #5114
2.3.247 - 2023-05-18
- general: add SPDX output - #5104
- kubernetes: seperate service acoount builder to improve performance - #5093
- sca: showing line numbers in the cli output for csv - #5096
- sca: showing line numbers in the cli output for licenses - #5098
2.3.245 - 2023-05-16
- dockerfile: Support docker graph check skips - #5085
- sca: using the lines in the directly in the record, rather than in the "vulnerability_details" + having it in ExtraResources - #5092
2.3.243 - 2023-05-15
- kubernetes: Improve k8s perf - #5083
- terraform: EMR - At rest local disk, EBS and in transit encryption checks - #4968
- kubernetes: add mini k8s parser for invalid templates - #5088
- terraform: handle false-positives for Route53ZoneEnableDNSSECSigning - #5084
2.3.240 - 2023-05-14
- terraform: skip invalid multiple modules names - #5079
2.3.239 - 2023-05-12
- sca: only run image referencer with sca_image framework - #5081
2.3.238 - 2023-05-11
- kustomize: Support inline skips for Kubernetes graph checks - #5070
2.3.237 - 2023-05-10
- secrets: add filter for suppressed custom secret checks - #5068
- secrets: exclude Kubernetes secretName from secret scanning - #5071
- secrets: omit the code line - #5075
2.3.234 - 2023-05-09
- terraform: Added caller_file_path and caller_file_line_range to reduced report - #5062
- terraform: AWS IAM don't generate root credentials 348 - #4966
- terraform: Ensure Neptune cluster is encrypted with a CMK CKV_AWS_347 - #4965
- terraform: fix SQS encryption check CKV_AWS_27 - #5065
2.3.231 - 2023-05-08
- terraform: aws ensure delete protection for firewalls 344 - #4870
- terraform: check that WAF rules have an action 342 - #4806
- terraform: Ensure encryption for firewall uses a CMK CKV_AWS_345 - #4871
- terraform: Ensure Network firewall policy defines a encryption configuration that uses a CMK - CKV_AWS_346 - #4877
- kubernetes: Update ckv_k8s_31 - #4991
2.3.227 - 2023-05-07
- general: include missing files in save repository - #5056
- terraform: launch config/template Ensure metadata hop =1 341 - #4817
- terraform: Update CKV_AZURE_43 StorageAccountName.py VARIABLE_REFS - #5045
- arm: enabled is not true - #5051
- cloudformation: Enable ALB to support tls1.3 policies #4962 - #5035
- secrets: add handling of unicode error - #5055
2.3.224 - 2023-05-05
- general: Catch None responses from BE - #5033
2.3.223 - 2023-05-04
- terraform: Elastic beanstalk uses managed updates and fixes the EB check while i… 340 - #4816
- secrets: don't scan images in git history - #5040
- terraform: fix foreach render value for lookup - #5037
- terraform: Handle entity context for for_each resources - #5036
2.3.220 - 2023-05-03
- secrets: open the feature - scan git history - #5022
- terraform: Set TF Modules for_each env var to true - #5021
- terraform: Set TF modules for_each env vars as True - #4794
- secrets: add filter for suppressed custom secret checks - #5016
- terraform: improve attribute performance - #5014
- terraform: Update CKV_AWS_338 message and retention check for 0 - #5018
- terraform: Update CKV2_AZURE_33 to remove checks on unrelated conditions - #5020
2.3.214 - 2023-05-02
- secrets: Adding quote to required secret in case needed - #5008
- secrets: change color of invalid secret message - #5007
- general: upload checks code_block to report - #5001
2.3.212 - 2023-04-30
- kubernetes: support suppressing custom K8s policies - #4990
- terraform: AWS EKS Use only platform supported versions 339 - #4810
- terraform: Azure APIm backend uses only HTTPS - #4811
- terraform: Ensure Cloudwatch retention is a year or more 338 - #4799
- terraform: remove redundant foreach deepcopy - #4982
- secrets: fix missing history results when history store is used - #4992
- terraform: secret- also check user data in launch config and template - #4969
2.3.205 - 2023-04-28
- gitlab: fix resource id parsing recursive - #4987
- terraform: fix docs formatting - #4988
2.3.204 - 2023-04-27
- terraform: add support for private terraform registries - #4964
- terraform: remove cross varaibles bad list comprehension - #4948
- general: log all returned enforcement rules for debugging - #4989
- general: remove invalid URLs in GitLab SAST output - #4960
- secrets: change default value of secret values to empty strings - #4973
- terraform: Added a condition to not override source module object for old parser - #4975
2.3.199 - 2023-04-24
- terraform: Ensure container defines a readonly root drive 336 - #4788
- terraform: ensure pidmode is not set to host 335 - #4786
- terraform: Ensure SSM params are encrypted using a CMK 337 - #4789
- terraform: Network firewall must define a logging configuration CKV2_AWS_63 - #4872
- terraform: Reduce module loading in TF Parser - #4959
- kustomize: fix image_referencer paths - #4898
- terraform: support TF provider v3 for lifecycle existence check - #4952
- terraform_plan: Add Deep Analysis to docs - #4950
2.3.194 - 2023-04-23
- general: deserialize report & record from json - #4947
- sca: fix extract fix version in sbom report - #4936
- terraform: cross variable performance improvement - #4946
- github: make GH Actions delimiter unique in multiline env vars - #4938
2.3.192 - 2023-04-20
- general: add policy-metadata-filter to gh action - #4941
- secrets: support first commit results - #4927
- terraform: Used generator instead of list comprehension to improve performance for large graphs - #4939
- terraform: make the ECS cluster logging check more resilient - #4942
- terraform: remove invalid Terraform module reference support - #4931
- terraform: support null values in list of dicts - #4937
- bitbucket: Update Bitbucket documentation to match the code. - #4934
- sca: Add more ways to skip CVEs - #4928
2.3.187 - 2023-04-19
- general: 3D policies syntax refactor - #4865
- secrets: support scanning of secrets in hidden paths - #4925
- secrets: Revert timeout in unix to work with signals - #4932
- secrets: timeout in unix to work with signals - #4933
- secrets: Add readme file for Git History - #4913
2.3.183 - 2023-04-18
- sca: add is public fix version to sbom report - #4915
- secrets: add more files to ignore list in git history - #4912
- terraform: Ensure that container definition is not privileged 334 - #4779
- terraform: TF provider check support - #4911
- general: Dedup results contain multiple identical images if using template syntax - #4924
- general: fix wrong abs path in IR record - #4919
- secrets: Save fetched policy destination from current work dir to temp - #4914
- secrets: timeout in unix to work with signals - #4920
- terraform: Fix for_each flow conditions - #4918
- terraform: make sure K8s volume is a dict - #4917
2.3.176 - 2023-04-17
- arm: add Storage accounts disallow public access check for ARM - #4906
- dockerfile: Add CKV2_DOCKER_16 for PIP_TRUSTED_HOST - #4893
- sca: add is private fix version to sca output - #4891
- secrets: fix absolute file path cases - #4901
- terraform: fix foreach count is none bug - #4907
- terraform: limit RDS cluster audit logging to MySQL engine - #4897
- terraform: remove duplicate call to convert graph vertices - #4909
- terraform: remove local blocks with just line number - #4902
2.3.171 - 2023-04-16
- secrets: improve timing git history - #4890
- terraform: add support for list of dicts in for loop - #4895
- cloudformation: fix invalid fn sub param in cfn - #4900
- secrets: fix error if writing to file when don't have access - #4896
- secrets: fix None in file name - #4899
- secrets: reduce false positives in yaml files - case of serverless and secretmanager - #4892
2.3.165 - 2023-04-13
- terraform: ECS Service should not auto assign public IPs 333 - #4777
- terraform: EFS access points should define a user and a path 329-330 - #4768
- terraform: Ensure ECS Fargate uses latest version 332 - #4775
- terraform: Transit gateway should not be set up to autoaccept any VPC 331 - #4770
- general: fix duplicate sarif output - #4886
- secrets: fix slicing in githistory - #4889
- terraform: exclude GCP asymmetric keys from key rotation - #4879
- terraform: Paid is now standard - #4880
- terraform: support empty filter in S3 lifecycle config - #4875
2.3.160 - 2023-04-11
- general: catch unexpected errors when querying OpenAI - #4883
2.3.158 - 2023-04-10
- secrets: Add fields to record of secrets in git history - #4838
- terraform_plan: Handled TFDefinitionKey in plan runner as well - #4864
2.3.155 - 2023-04-09
- cloudformation: support inline suppression of CFN graph checks - #4843
- terraform: Aurora DB should enable backtrack - #4739
- terraform: Desync must be set to defensive or strictest - #4766
- terraform: Ensure that RDS clusters are encrypted using a CMK - #4742
- terraform: RDS Cluster - make sure rds cluster defined defaults for logging and audit logging - #4736
- general: be more forgiving of skipped checks without comment - #4844
- terraform: default case should pass for auto updates - #4847
- terraform: False negative for CKV_AZURE_179 - #4846
- terraform: Only update config if len is bigger than 0 - #4855
2.3.152 - 2023-04-04
- dockerfile: Add CKV2_DOCKER_15 for yum-config-manager sslverify - #4622
- cloudformation: Security Group check now work for ranges and strings - #4797
- terraform: Ensure APPService default action is to ignore not fail - #4790
- terraform: Subnetworks with internal purpose can have private_ipv6_google_access… - #4804
2.3.150 - 2023-04-03
- terraform: Adding yaml based build time policies for corresponding PC runtime policies - #4800
- terraform: Fix for edge cases in for_each modules - #4831
2.3.148 - 2023-04-02
- kubernetes: support non-utf-8 encoded Kubernetes manifest files - #4820
- terraform: ElasticCache for Redis cluster should automatically take minor updates - #4726
- terraform: Ensure opensearch is configured for HA - #4717
- terraform: Ensure Redshift specifies a DB name - #4723
- terraform: Ensure Redshift uses enhanced vpc routing - #4724
- terraform: Fix up ES logging check - #4720
- general: don't add an invalid URL to helpUri field in SARIF output - #4814
- graph: support string values for resource_types in graph checks properly - #4819
- kubernetes: Don't require ImagePullPolicy when digest (#4776) - #4781
- secrets: catch errors in middle of process of getting commit diffs - #4823
- terraform: Fix add_to_block condition to support more edge cases - #4822
- terraform: fix false positive CKV2_GCP_20 (fails for any non-MySQL instance) - #4813
- terraform: Length resolvers evaluate length of
dictas 1. - #4808
- general: Save error lines in IR records - #4821
2.3.140 - 2023-03-30
- general: fix scan all files entrypoint - #4801
- terraform: Set back CHECKOV_ENABLE_FOREACH_HANDLING to False to check perfomence - #4798
- terraform: TF new parser - Check for tfvars block - #4796
2.3.134 - 2023-03-29
- ansible: PAN-OS policy and zone checks - #4737
- terraform_plan: support data blocks in Terraform plan files - #4758
- terraform: Set CHECKOV_ENABLE_FOREACH_HANDLING as True - #4774
- terraform: Correctly serialize/deserialize TFModule object - #4780
- terraform: Fix nested
each.valuereplacement in for_each handler - #4787
2.3.128 - 2023-03-28
- secrets: make git history scan run in parallel - #4769
- terraform: Add source_module_object_ to block attributes - #4773
- terraform: codebuild dont enable privilege mode - #4714
- terraform: Fix nested statements in _is_static_foreach_statement - #4772
2.3.124 - 2023-03-27
- terraform: AWS Use Launch templates in ASG - #4698
- terraform: Codebuild defines and uses logs - #4696
- terraform: Foreach - Fix regex on an empty list - #4765
2.3.121 - 2023-03-26
- general: Add scan all files to entrypoint - #4746
- terraform: check routes are authorised - #4682
- terraform: CloudDistribution set Failover origin - #4686
- terraform: code build s3 logs are encrypted - #4687
- terraform: Elasticbeanstalk should use enhanced health reporting - #4692
- terraform: RDS cluster copy tags to snapshot - #4693
- terraform: Support for_each/count statements in TF Modules - #4708
- secrets: Don't show stack trace in failures when uploading secrets to verify - #4734
- secrets: Compare abs paths in SecretsOmitter - #4756
- terraform: refine IAM assume role check CKV_AWS_61 - #4749
- terraform: refine S3 lifecycle check CKV_AWS_300 - #4750
- terraform: external module from git fail - log warning - #4755
- terraform: Document no private registry - #4745
2.3.115 - 2023-03-24
- general: fix default log levels for support stream - #4741
2.3.114 - 2023-03-23
- ansible: Ansible panos int mgmt checks - #4683
- terraform: api gateway ensure api cache is encrypted - #4681
- terraform: AWS ensure Sagemaker Notebook users are not Root - #4676
- terraform: Sagemaker Notebook In Custom VPC - #4675
- terraform: Terraform runner with the new TF parser - #4728
- gitlab: fixing include scope that predominant all others - #4735
- general: fix small typo - #4725
2.3.110 - 2023-03-22
- graph: Fix an issue in and connection solver - #4719
2.3.108 - 2023-03-21
- secrets: add option to get and set the secret store - #4707
- graph: Ignore SyntaxWarning in variable rendering - #4718
2.3.105 - 2023-03-20
- general: add flag to skip cert verification - #4641
- secrets: Override secrets validation flag with tenant config - #4701
2.3.102 - 2023-03-19
- terraform: AWS Ensure cloudfront has a default root - #4673
- terraform: AWS ensure secret rotation is less than 90 days - #4672
- terraform: AWS Secrets are rotated - #4671
- terraform: ensure DB snapshots arent public - #4667
- terraform: ensure SSM docs are private - #4668
- terraform: lambda permission is not public - #4666
- general: Custom policies integration correct check IDs filtering - #4700
- sca: return empty result when using BC API key in IDE - #4694
- terraform: add extra handling around private GitHub Terraform modules - #4699
2.3.96 - 2023-03-16
- ansible: Ansible panos security policy checks - #4639
- terraform: s3 bucket has event notifications - #4660
- terraform: s3 ensure failed uploads are deleted id=300!!!! - #4662
- gitlab: index_out_of_range - #4677
- terraform: Revert "feat(terraform): support provider blocks yaml policy checks (… - #4680
2.3.95 - 2023-03-15
- sca: filter twistcli results with empty package name and version - #4670
- terraform: Support new TFParser in the local graph (under env var) - #4664
- terraform: support provider blocks yaml policy checks - #4656
2.3.92 - 2023-03-14
- sca: fix unexpected maven packageName - cycloneDX - #4663
- sca: skipping finding IsPrivateFixVersion by default - #4648
- sca: support inline CVE suppression in requirements.txt - #4630
- secrets: allow scanning just partial history of commits - #4659
- terraform: Refactor Module mapping objects - #4661
- terraform: s3 to have lifecycle policy - #4658
- secrets: fix git history partial scan - #4665
2.3.85 - 2023-03-13
- secrets: support git history scan in multiline parsers - #4637
- terraform: Definitions serialization with new definitions key/module objects - #4655
- terraform: support variable rendering for default objects in vars - #4650
- arm: Fix resource type check in SQLServerAuditingRetention90Days - #4657
- general: check suppression id instead of policy id - #4646
- gitlab: Modify GitLab CI resource ids - #4647
2.3.79 - 2023-03-12
- terraform: Fix for foreach subgraph rendering - #4649
- terraform: new checks on new resources - #4491
- general: skip uploading repo for VSCode source - #4643
2.3.75 - 2023-03-09
- general: add Terraform JSON support - #4626
- terraform: Adding yaml based build time policies for corresponding PC runtime policies - #4605
- arm: ignore incomplete resource in ARM templates - #4636
- terraform: stop handle resource
for_eachas dynamic attribute - #4632
2.3.71 - 2023-03-08
- terraform: v2 settings valid for windows and linux web apps - #4628
2.3.70 - 2023-03-07
- ansible: add Ansible check for CKV_PAN_4 for PAN-OS DSRI - #4608
- dockerfile: Add tdnf support for CKV2_DOCKER_9 - #4620
- terraform: Check added for AWS Database instance deletion protection - #4616
- terraform: CloudtrailEventDataStoreUsesCMK - #4621
- bicep: handle malformed files in bicep parser - #4629
- cloudformation: KMSKeyWildCardPrincipal modification - Check for wildcards inside of lists - #4590
- terraform: in sg rules ignore self referencing - #4603
2.3.66 - 2023-03-06
- gitlab: fix wrong resource in gitlab-ci - #4610
- terraform: Support the -1 protocol on SG checks - #4611
- terraform: TF Parser support of new modules keys - #4601
- bicep: extend CKV_AZURE_4 to consider omsAgent to be written in camelCase - #4614
- general: refactor SARIF output - #4606
- general: skip scanning invalid resources - #4617
- sca: Added an error log for Twistcli failures - #4613
- terraform: stop evaluating a string ... to the Ellipsis object - #4623
2.3.59 - 2023-03-05
- general: do not stop getting fixes if one attempt results in a 403 - #4607
- gha: skip schema validity check if parsing returned None - #4609
- secrets: Adjust output to include the additional Git History info - #4566
2.3.57 - 2023-03-02
- ansible: Add checks for the ansible builtin dnf module - #4570
- dockerfile: Add new dockerfile checks - #4569
- terraform: Create a new TF parser - #4584
- secrets: only check secrets framework when scanning history - #4592
- terraform: AWS - there's a new sg vpc ingress rule - #4575
- terraform: Azurerm NSG UDP check should work for old style but still valid tf - #4454
2.3.53 - 2023-03-01
- terraform: Add foreach_attrs in saved graph - #4587
- terraform: Set foreach_attrs directly under the block - #4586
- terraform: TF foreach - Support updating each.value in nested dict - #4588
- sca: Set prisma token and scan packages by v2 for IDE scans - #4580
- terraform: fix CKV_AWS_70 test and add graph for coverage of data source - #4542
- terraform: TF foreach - Avoid rendering in static statements - #4583
- ansible: add Ansible policy docs generation - #4582
2.3.50 - 2023-02-28
- terraform: add not exists conditional to CKV2_AWS_16 to account for defaults - #4578
2.3.48 - 2023-02-27
- secrets: track complete file deletion and renaming - #4551
- terraform: Adding yaml based build time policies for corresponding PC runtime policies - #4529
- ansible: support skip check for Ansible Python-based checks - #4556
- terraform: Handle unescaped lookup values - #4565
2.3.44 - 2023-02-26
- dockerfile: Add check for the environment variable NPM_CONFIG_STRICT_SSL - #4553
- terraform: TF Parser - Move funcs and consts to utils file - #4550
- terraform_plan: Fix tf plan nested modules - #4562
- terraform: fix for #4518 - #4528
- terraform: Move get_module back to parser - #4560
- terraform: remove dynamic warning exc_info - #4563
2.3.39 - 2023-02-23
- dockerfile: Add checks for disabling signature checks for apk, apt-get, rpm, yum, dnf - #4404
- terraform: New classes for the TF module model - #4546
- gha: Align GHA resource ids (Graph vs Python checks) - #4549
2.3.36 - 2023-02-22
- arm: add graph capabilities to ARM framework - #4526
- secrets: add timeout for scan history checks - #4523
- secrets: Support secret findings in git history - #4525
2.3.33 - 2023-02-21
- gitlab: fix gitlab ci yaml file processing - #4536
- sca: adding is_registry_url and printing in the cyclonedx only private registries urls - #4533
- sca: support also the key "registryUrl" when extracting registry_url for the report - #4535
- terraform: Optional module content path - #4537
2.3.29 - 2023-02-20
- cloudformation: Update CKV_AWS_46 to handle base64 encoded userdata - #4530
2.3.28 - 2023-02-19
- secrets: add flag for scan secrets history - #4513
- terraform: Used parentheses in key for foreach attributes but not count - #4520
- gha: fix output flag for usage in checkov-action - #4517
- terraform: add datasource option for headers check - #4496
- terraform: optimize check CKV2_AWS_60 - #4512
- general: Use new enforcement categories (#4456) - #4519
2.3.23 - 2023-02-18
- ansible: Add checks for the ansible builtin apt module - #4500
- gha: now looks for GHA on windows - #4515
2.3.22 - 2023-02-16
- sca: adding registry-url to the cyclonedx output report - #4511
- secrets: Add capability to iterate over git history - #4469
- terraform: Adding yaml based build time policies for corresponding PC run time policies - #4425
- secrets: import git - #4514
2.3.18 - 2023-02-15
- sca: add registry urls and description to the output report and to the csv report - #4485
- ansible: skip unsupported Ansible resources - #4504
- terraform: Fix an str split edge case in function - #4507
- terraform: fix enforcement rules mapping - #4509
2.3.14 - 2023-02-14
- secrets: log and filter potential uuid case - #4486
- terraform: Assign/override main vertices by the first new vertice. - #4493
- terraform: Support for loops in foreach statements - #4483
- terraform: Handle KeyError in hadle_for_loop func - #4501
- terraform: Handle type error in
_handle_for_loop_in_dict- #4495 - terraform: skip loading module that calls to the same dir - #4499
- general: Use new enforcement categories - #4456
- general: update installation on Alpine docs - #4474
2.3.7 - 2023-02-13
- graph: Add UT as an example of not-exists for the nested list. - #4484
- secrets: Save secrets line number - #4488
- terraform: AWS:check global DocDB cluster is encrypted - #4405
- terraform: check msk nodes are private - #4392
- terraform: support more json encoded objects as part of terraform resource and fix evaluation of true/false in json - #4487
- ansible: support nested blocks and empty module values - #4479
- cloudformation: Updated AWS_CKV_7 to not require rotation on asymmetric keys - #4476
2.3.3 - 2023-02-09
- secrets: limit multiline regex detector run - #4453
- terraform: Add foreach_attrs to config objects + UTs - #4463
- terraform: GCP: Ensure Basic role are not used at Org/Folder/Project level (CKV_GCP_115, CKV_GCP_116, CKV_GCP_117) - #4390
- kustomize: fix kustomize file path cli - #4466
- terraform: Allow different type of value in BaseResourceValueCheck - #4470
- terraform: deny statements with wildcards are valid - #4440
2.3.0 - 2023-02-09
- gha: adjust the attribute reference for GitHub Actions graph checks - #4445
- terraform: enable nested modules by default - #4448
- general: Create 3d combinations post runner - #4353
- gha: fix GHA _get_jobs edge case (string step) - #4444
- graph: added graph init to igraph db connector - #4455
2.2.356 - 2023-02-08
- sca: Add support for Dotnet files - #4189
- terraform: Create new resources for count/foreach resources - #4427
- terraform: extend CKV2_AWS_5 to support aws_ec2_spot_fleet_request - #4438
- general: Correct BigQueryDatasetEncryptedWithCMK name field - #4443
- kubernetes: Fix empty spec in k8s file - #4452
- kustomize: Fix kustomize cli file path - #4447
- secrets: remove CKV_SECRET_78 from SECRET_TYPE_TO_ID - #4446
- terraform: change module index separator in full path - #4437
2.2.348 - 2023-02-07
- cloudformation: support new default s3 encryption - #4429
- graph: added indices to igraph nodes - #4433
- secrets: Add args to analyze line is added and is removed for git history scan - #4426
- secrets: Comment out checkob multiline regex detectors - #4441
- terraform: Fix updating resource config - #4432
- secrets: Add secrets custom regex on file - #4430
2.2.341 - 2023-02-06
- ansible: add support for Ansible blocks - #4419
- general: Control check failure logging level - #4431
- graph: add validation for graph checks - #4352
- kubernetes: support inline skips for Kubernetes graph checks - #4412
- secrets: remove secrets dependency in generic record - #4424
- kustomize: remove redundant error in kustomize runner - #4428
- general: fix graph check link in docs - #4420
2.2.335 - 2023-02-05
- kustomize: support kustomize v5 - #4411
- terraform: [Foreach/Count Handling] Render dynamic foreach/count statement - #4398
- general: Checks edge-cases fixes in terraform and openapi - #4414
- general: Skip resources with no 'Type' defined + Checks containing wildcards for resource types leads to crash - #4408
- terraform: fix getting the module for resource named 'module' - #4418
- terraform: retire CKV_AWS_128 in favour of CKV_AWS_162 - #4350
- terraform: SQS check was all types of wrong - #4382
2.2.332 - 2023-02-04
- cloudformation: Don't fail Aurora instances for MultiAZ not being set - #4316
2.2.331 - 2023-02-03
- general: fix compact json output - #4406
2.2.330 - 2023-02-02
- sca: Add a --support flag - #4397
- sca: Add a --support flag --revert - #4396
- secrets: add workdir info to secrets scanner - #4400
- secrets: extract new detector_utils file from entropy keyword combinator - #4385
- general: Remove empty links from GitLab SAST output - #4393
2.2.327 - 2023-02-01
- gha: add gha permissions lines - #4372
- sca: add extract nodes igraph - #4359
- sca: create bom report when extra_resources is not empty - #4388
- secrets: add support for runnable secrets plugins - #4368
- terraform: add CKV_GCP_114 to ensure that Public Access Prevention is enforced on GoogleCloudStorage bucket. - #4347
- terraform: Add cloudsplaining checks to tf aws_iam_policy CKV_AWS_287-290 - #4386
- terraform: get static foreach/count values of resources - #4374
2.2.320 - 2023-01-31
- sca: Add a --support flag - #4323
- sca: added extra supported package files to find_scannable_files - #4378
- terraform: add reset edges function to terraform local graph - #4373
- terraform: Added base class for cloudsplaining iam checks to be integrated between data and resource objects - #4338
- terraform: Added basic check with test for tf resource with IAM privilege escalation - #4376
- cloudformation: Skip SAM Global Tags propagation - #4383
- sca: extend image name validation - #4377
- terraform: simple check naming fix - #4371
2.2.316 - 2023-01-30
- sca: ignore package.json file when yarn.lock exists - #4370
- terraform: GCP check kms policy does not define public access - #4190
- terraform: GCP check policy isn't public - #4194
- sca: support BC_VUL_X IDs in GitLab SAST output - #4360
2.2.312 - 2023-01-29
- azure: fix container latest tag missing results - #4337
- azure: Add
.*.in azure checks to check in lists as well - #4355 - azure: Azure checks fixes - #4342
- azure: Azure checks fixes - #4354
- azure: Support string function_app min_tls_version as well - #4357
- kubernetes: k8s checks fixes - #4343
- sca: Fix multiple issues related to IR - #4358
- terraform: Terraform checks fixes - #4344
2.2.305 - 2023-01-28
- general: Add GitLab SAST output - #4315
2.2.304 - 2023-01-26
- general: fix env var name to
CKV_IGNORE_HIDDEN_DIRECTORIES- #4335
2.2.302 - 2023-01-25
- general: igraph library support - #4327
- general: add missing header in --list output - #4329
- kubernetes: extract pods only for supported resources - #4330
- sca: catch exceptional error during SCA results polling - #4331
- terraform: change terraform nested modules path separators - #4319
- terraform: handle unexpected container definition type - #4328
2.2.299 - 2023-01-24
- azure: change detect image source - #4320
- general: add empty azure image check - #4308
- general: add logs for async license and image retrieval - #4317
- sca: Support the new --image flag along the --docker-image flag - #4314
- general: ignore repo_id setting when list flag is set - #4313
- kubernetes: handle k8s resource with missing required data - #4318
- secrets: Change s3 path for enriched secrets upload - #4275
- terraform: handle unexpected container type - #4311
- general: Update README for supported Python versions - #4305
2.2.292 - 2023-01-23
- terraform: new app service checks for azurerm - #4072
- general: In case of a non-JSON response, log the response - #4304
- terraform_plan: fix in deep analysis - #4306
- terraform: fix default behaviour of CKV_GCP_19 - #4289
2.2.289 - 2023-01-22
- general: add Ansible framework - #4244
- general: Allow using
--repo-root-for-plan-enrichmentflag in GitHub Actions - #4292 - secrets: add new sanity test files for base64 entropy detector - #4298
- terraform: Adding yaml based build time policies for corresponding PC run time policies - #4265
- sca: fix dependency tree cli print - #4282
- terraform: fix Exception in image ref - #4297
- terraform: fix in variable rendering - #4296
- terraform: Fix policy str in graph checks - #4286
2.2.281 - 2023-01-19
- general: add Image referencer igraph support - #4277
- general: Support aiohttp for IR API calls - #4274
- general: Enable running cloned policies in case the OOTB policy is suppressed - #4281
- secrets: change default secret validation status to unavailable - #4284
- terraform: fix error for push_skipped_checks_down with definition that not in the definition context - #4272
2.2.278 - 2023-01-18
- azure: Add image referencer in azure pipelines - #4234
- gha: fix yaml parsing of multi files - #4270
- secrets: fix to keyword combinator to reduce FPs - #4260
- secrets: add guideline and severity to custom secret check metadata - #4276
2.2.274 - 2023-01-17
- gha: fix failing image retrieval in GHA IR - #4268
- cloudformation: fix CloudFormation checks related to number values - #4243
- general: Add normalization to change the name of nuget to dotNet lang - #4271
2.2.271 - 2023-01-16
- dockerfile: Add checks for PYTHONHTTPSVERIFY and NODE_TLS_REJECT_UNAUTHORIZED - #4223
- secrets: Skip invalid secrets checks + soft/hard fails - #4247
- terraform: Azure search service checks - #4064
- terraform: GCP checks for definition of a firewall resource for a network - #4188
- general: Support encoding of function object - #4259
- kubernetes: handle missing subjects in k8s cluster role binding - #4262
- kubernetes: handle resources with incompatible selector - #4257
- secrets: Change secret validation status message - #4250
- terraform: default value for CKV_AZURE_5 - #4237
- terraform: fix get_current_module_index for path that contain .tf in them - #4261
2.2.264 - 2023-01-15
- general: fix circleci crash when cannot find image - #4249
- general: fix circleci yaml-doc - #4246
- kubernetes: set default k8s graph env vars to true - #4225
- terraform: Add new checks for ensuring execution history logging and Xray for State Machine is enabled - #4240
- cloudformation: Fix edge-cases in checks - #4251
- kubernetes: removed env vars from tests - #4252
- secrets: Change secret validation status message - #4238
- secrets: Revert "fix(secrets): Change secret validation status message" - #4248
2.2.258 - 2023-01-12
- terraform: PC-Policy-Team - GCP PostgreSQL Instance Database Policies - #4090
2.2.257 - 2023-01-11
- secrets: Change verify secrets key to include relative path - #4232
- terraform: improve cross-variable edges performance - #4231
2.2.254 - 2023-01-10
- secrets: add function to add the custom policies to the metadata integration not in the multiprocess - #4221
2.2.252 - 2023-01-09
- kubernetes: support more types of k8s pod template containers - #4208
- secrets: Add secret validation status to reduced report - #4219
- secrets: fix unquoted secret value - #4214
- terraform_plan: support multiple references in one resource - #4206
- kubernetes: allow filtering of custom with built-in Kubernetes check IDs - #4204
- secrets: add long to see metadata_integration - #4220
- terraform_plan: fix module resources ids - #4211
2.2.246 - 2023-01-08
- dockerfile: Add checks for unsafe wget and pip usages - #4202
- secrets: Implement lower entropy threshold on a line with keyword - #4210
- terraform: add CKV2_AWS_51 to Ensure AWS Managed IAMFullAccess IAM policy is not used. - #4174
- terraform: CDN and service bus checks for azure - #4059
- secrets: add logs - #4215
- secrets: add logs to secrets - #4213
- secrets: Disable verify secrets if skip_download is specified - #4209
- secrets: fix relative file path in secrets saved to coordinator - #4212
2.2.239 - 2023-01-06
- general: fix incorrect billing message when frameworks are removed from --framework list - #4201
2.2.238 - 2023-01-05
- dockerfile: Add check for unsafe curl usages - #4186
- general: add logic to vcs scanning to prevent empty repo collabs failing check - #4199
- terraform: Adding yaml based build time policies for corresponding PC run time policies - #4113
- general: handle variable dependent values in policy - #4200
- secrets: Fix api key condition in verify_secrets - #4195
- secrets: Remove raw string modifier from re.compile - #4197
2.2.234 - 2023-01-04
- sca: enable CHECKOV_RUN_SCA_PACKAGE_SCAN_V2 env var - #4192
- secrets: Call secrets verify API - #4181
- general: set newer jsonschema dependency bound- solves #2227 - #4183
- general: Update exclude-patterns.txt - #4187
- general: fix links in contributing docs - #4184
2.2.230 - 2023-01-03
- general: Skip check in json file - #4172
2.2.229 - 2023-01-01
- gha: add support for gha existing graph - #4175
- secrets: change secretsCoordinator to dict format - #4169
- terraform: added aws_ssoadmin_managed_policy_attachment resource to CKV_AWS_274 - #4173
- general: add link to BaseGraphRegistry checks - #4177
- general: change CODE_LINK_BASE from master to main - #4178
- kubernetes: remove unneeded context check - #4171
- kustomize: fixed kustomize abs_file_path - #4159
- terraform: out of range error by checking if list is empty - #4176
2.2.220 - 2022-12-29
- sca: remove report_results from checkov, as it is not used at all - #4161
- general: fix f-string log message - #4170
- general: fix reference link in Contributing docs page - #4164
2.2.217 - 2022-12-28
- general: Make code blocks for json check results focused on the relevant part - #4130
- openapi: Add v2 openAPI new checks - #4112
- terraform: new azure storage checks - #4021
- github: Handle entity configurations of type list - #4160
- sca: Fix extra space in output of dependencies - #4162
2.2.212 - 2022-12-27
- azure: Add check - azure keyvalut public network access - #4155
- terraform: fix edge-case in CKV_AZURE_183 check - #4154
- terraform: fix graph checks nested modules - #4157
- terraform: fix or connection graph checks nested modules - #4158
2.2.207 - 2022-12-26
- kubernetes: Support graph edges for nested (related) Pod resources. - #4100
- secrets: Keep original secrets data in runtime for further validation - #4144
- secrets: Keep original secrets data in runtime for further validation - #4149
- general: fix excluded paths for path with special characters - #4152
- terraform: add test path to exclude-patterns - #4150
- terraform: fix edge-case in CKV_AZURE_37 check - #4153
- terraform: fix getting graph entity config in terraform runner - #4146
- terraform: remove redundant nested definitions - #4147
2.2.201 - 2022-12-25
- secrets: add support to conditionQuery - #4086
- terraform: fix edge-case in CKV_AZURE_183 check - #4145
2.2.199 - 2022-12-22
- gha: support on directive in workflow files - #4125
- sca: run old package scanning for IDE scan - #4133
- secrets: expose maximum 6 characters of secret values - #4140
- circleci: add resource to ir - #4135
- general: Reformat PR template - #4139
- kubernetes: move Kubernetes context error message - #4132
- terraform: add aws_transfer_server to CKV2_AWS_5 check - #4137
- terraform: Add some more supported keys to bigquery public acl check ignore list to avoid false positive - #3969
- terraform: fix azure network address invalid value - #4131
2.2.191 - 2022-12-21
- general: add the stack trace to the error message when caught by main.py - #4121
- sca: add GCP Terraform resources for Image Referencer - #4094
- sca: protecting checkov with try/catch wrapping - #4104
2.2.186 - 2022-12-20
- general: move the jsonpath try/catch up a level to catch more errors - #3911
- sca: returning exit code 2 in case of error for downloading twistcli - #4105
- dockerfile: adjust the file abs path for Dockerfile graph results - #4118
- openapi: fix an open API CKV_OPENAPI_6 check - #4109
- sca: fixing integration tests - #4117
- terraform_plan: use abs path for repo_root_for_plan_enrichment - #4115
- terraform: CKV2_AZURE_21 changed blob access type to private - #3898
- terraform: fix support for getting module-referenced resources context - #4110
- terraform: add previous get_tf_definition_key function - #4114
2.2.180 - 2022-12-19
- general: Use --no-fail-on-crash to gracefully exit commit_repository and setup_bridgecrew_credentials - #4099
- terraform_plan: add check details to TF plan scan results - #4091
- terraform: new azurerm checks - App config - #3988
- terraform: Omit values from graph checks - #4076
- general: change env var name for no-fail-on-crash flag - #4107
- github: Fix GHA IR resource names in case of 2 identical images - #4108
- terraform: azurerm storage defaults - fix for storage case #3516 - #4083
- terraform: fix nested module resources ids in the report - #4098
2.2.172 - 2022-12-18
- general: Add no-fail-on-crash flag - #4097
- gha: add fix for gha graphs and UT - #4084
- kubernetes: inject k8s FF flags to instance instead of constructor - #4096
- terraform: add a method for get the entity definition path from the entity itself - #4095
- terraform: add address attribute to all scanned terraform blocks - #4074
2.2.168 - 2022-12-15
- kubernetes: Add kubernetes YAML checks to checkov packaging - #4073
- kubernetes: move whorf to dedicated repo - #4062
- terraform_plan: add Image Referencer for Terraform plan files - #4063
- terraform: add CKV NCP rules about AutoScalingGroup, Load Balancer - #3821
- terraform: add CKV NCP rules about Nat Gateways and Route - #3854
- terraform: combine tf plan and tf graphs for nested modules - #4066
- terraform: More azurerm checks for terraform - #3970
- openapi: Fix in PathSchemeDefineHTTP opeAPI check - #4079
- terraform: CKV_AZURE_43 add new test case - #4082
2.2.158 - 2022-12-14
- github: more CIS checks- part3 - #4057
- terraform: Adding yaml based build time policies for corresponding PC run time policies - #3962
- secrets: fix secrets crash when secret is non string - #4077
2.2.155 - 2022-12-13
- github: more CIS checks- part2 - #4017
- kubernetes: added CKV2_K8S_EXAMPLE_1 only in tests as an example for k8s graph check for pod which is publicly accessible - #4060
- kubernetes: added deployment name to pod resource id - #4040
- sca: fix root packages fixed version - #4070
- sca: invoke packaging.Version instead of parse - #4065
- secrets: fix error when secret is None - #4071
- terraform: checkov fix as resource container_group modified - #4061
- terraform: fixed unexpected data for IAMPublicActionsPolicy - #4067
- terraform: fixed unexpected data for MonitorLogProfileRetentionDays - #4068
- general: Apply licensing from platform - #3961
2.2.148 - 2022-12-12
- gha: Add gha graph infra - #4058
- gha: add infra for gha graphs - #4052
- sca: fixed dependencies default value - #4056
- sca: added indirect cves fix versions - #4023
- secrets: Inject secrets omitter to runner registry - #4054
- terraform_plan: support jsonpath queries in AWS IAM policy strings for Terraform plan - #4033
- terraform: Extend secret attributes to omit mapping - #4028
- terraform: tf plan combine graphs pass params - #4051
- terraform: add missing resource aws_route53_resolver_endpoint #3968 - #3995
- terraform: fix getting local dest module path - #4055
- terraform: Fix some errors in Dynamic Blocks rendering - #4050
2.2.139 - 2022-12-11
- graph: Added
not_withinattribute solver for graph checks - #4041 - kubernetes: Add CKV2_K8S_2 graph check for potential privilege escalation in
nodes/proxyorpods/execwithcreatepermissions - #4034 - kubernetes: Add CKV2_K8S_3 no
impersonatepermissions forServiceAccount/Node- #4037 - kubernetes: Added CKV2_K8S_4 check to not allow modifying of services/status - #4038
- kubernetes: Added CKV2_K8S_5 check that no service account or node can read all secrets - #4042
- secrets: Accepting json reports from bucket in secrets_omitter - #4039
- terraform: add CKV NCP rules about Route Table Association - #3856
- kubernetes: Corrected list format for yaml files in new k8s graph check tests - #4035
- secrets: custom secret add support for value str and not only list - #4024
- terraform: Fix in dot separator in the dynamic argument - #4036
2.2.130 - 2022-12-08
- general: Apply policy-level suppressions as skipped checks - #4020
- github: Add 3 CIS checks: 1.1.3, 1.1.8, 1.1.10 - #4003
- kubernetes: Added CKV2_K8S_1 to ensure RoleBinding do not allow privilege escalation to a ServiceAccount/Node - #4004
- secrets: Omit secrets from reports based on secrets reports - #3991
- secrets: Omit secrets from reports based on secrets reports - #4015
2.2.124 - 2022-12-07
- sca: change sca packages output to include dependencies structure - #3957
- secrets: Adding check length for secret - #3985
- terraform: nested modules support in graph - #3935
- circleci: fix executors in resource_id - #4008
- secrets: Bump detect secrets version - #3997
- terraform: Fix an issue in dynamic blocks - #4006
- terraform: fix CKV_AWS_283 check - #4005
- terraform: Fix CKV_AZURE_168 check - #4000
- terraform: Fix some issues in dynamic blocks flow - #4002
- terraform: Fix TF checks crashes - #3992
2.2.116 - 2022-12-06
- general: Report failed attempts at reporting contributor metrics - #3984
- kubernetes: create simple resources id for pods; allow enabling k8s graph features using env vars - #3975
- terraform: check for insecure protocols - #3958
- terraform: Check resource-based policies for public access - #3989
- terraform: Dynamic Blocks support for loop in for_each attribute - #3982
- terraform: new aks checks for Azure - #3951
- dockerfile: fix Dockerfile inline skip handling - #3976
- secrets: fix_Record_code_block_secrets - #3987
- terraform: azurerm kusto cluster encryption - wrong attribute tested for - #3972
2.2.114 - 2022-12-04
- terraform: add CKV NCP rules about ncloud access control group rule - #3860
- secrets: fix Issue with 'NoneType' error in the custom detectors load_detectors - #3973
- terraform: remove redundant exc_info for module without source - #3974
2.2.112 - 2022-12-01
- dockerfile: add graph to Dockerfile - #3948
- terraform: add CKV NCP rules about access control group Inbound rule. - #3859
- terraform: Implement relative file path standard for tf plan file runs - #3918
- general: fix doc links on windows - #3959
- secrets: Fix omitting of secrets that are json encoded - #3964
- terraform_plan: Fix k8s checks edgecases for terraform plan - #3966
- terraform: OCI Security Group Control Problem - #3933
- secrets: remove the use of enable_secret_scan_all_files for custom secrets - #3954
- terraform: update Terraform modules docs - #3965
2.2.106 - 2022-11-30
- no noteworthy changes
2.2.105 - 2022-11-29
- terraform: add CKV NCP rules about Load Balancer Listener Using HTTPS - #3858
- terraform: add CKV NCP rules about server instance and public IP - #3857
- terraform: azurerm ACR check for retention policy - #3927
2.2.99 - 2022-11-27
- github: add CIS checks part 1. Most of the 1.1.x - #3937
- terraform: Azure ACR Enable Image Quarantine - #3925
- terraform: Azure use signed image in ACR - #3923
- bicep: ignore unresolvable properties for Bicep storage account checks - #3946
- gha: added test for step with no step name - #3945
2.2.96 - 2022-11-26
- no noteworthy changes
2.2.95 - 2022-11-24
- circleci: add check for detecting images without check resource - #3930
- terraform: ACR container scanning - #3922
- terraform: add CKV NCP check about NKS(kubernetes) logging - #3855
- terraform: Adding yaml based build time policies for corresponding PC run time policies - #3900
- general: update checks_metadata structure - #3929
- gha: and circleci resource names - #3914
- kubernetes: Handle invalid helm chart meta - #3939
- sca: fix related resource id for helm and kustomize - #3931
- terraform: better check names to avoid confusion - addresses #3912 - #3921
- terraform: CKV_AZURE_144 passes on defaults - #3938
- terraform: Removed duplicate check CKV_AZURE_60 - #3928
- secrets: Support custom detectors from the platform - #3926
2.2.86 - 2022-11-23
- terraform: add CKV_AWS_282 to ensure that Redshift Serverless namespace is encrypted by KMS - #3915
- terraform: Remove cross variables edges duplications - #3920
2.2.84 - 2022-11-22
- general: sign and push checkov image to GitHub registry - #3906
- secrets: Add Terraform multiline secrets handling - #3907
- terraform: ensure snapshots use encryption - #3899
- terraform: support cross-modules edges - #3909
2.2.80 - 2022-11-21
- terraform: add nested module address attribute - #3904
2.2.78 - 2022-11-20
- general: add output format cyclonedx_json - #3902
- general: add source to contributor metrics report - #3905
- terraform: Fix an edge case in AbsRDSParameter check - #3903
2.2.75 - 2022-11-17
- github: add output-file-path flag to checkov-action - #3897
- terraform: Dynamic blocks - added support for lookup null/true/false values - #3893
- sca: added dependency tree format - #3892
2.2.72 - 2022-11-16
- terraform: add CKV NCP rules about NKSPublicAccess - #3822
- terraform: Censor secrets from tfplan graph - #3894
- terraform: create cross-variable edges between resources from the same module - #3881
- general: remove filter value validation - #3896
- terraform: Fix dynamic blocks nested module - #3890
- terraform: handle empty enabled_cluster_log_types list - #3891
- sca: add scaCliScanId parameter - #3789
2.2.65 - 2022-11-15
- terraform: test checks for any port access - #3882
- terraform: Fixing some broke flow in dynamic blocks rendering - #3879
- terraform: Not adding dynamic blocks attributes to attributes - #3872
- general: Support s3 client config for govcloud - #3880
- sca: Add repoId to GET request - #3876
- sca: Fix bom report - #3867
- sca: Poll sca scan results using Polling API - #3841
- sca: remove src from repo path - #3884
2.2.58 - 2022-11-14
- general: number of words larger/less than or equal operators - #3827
- general: remove env var for running contributor metrics report and add logs - #3873
- terraform: add CKV NCP rules about Load Balancer Exposed to Internet - #3819
- terraform: Mask secret values in Terraform plan file reports by resource - #3868
- terraform: Support dynamic blocks with nested attributes - #3869
- general: Fixed operator name for number_of_words_derivaties - #3875
- terraform: Fix dynamic attributes override each other - #3866
2.2.50 - 2022-11-13
- general: add reporting contributor metrics - #3823
- terraform: add CKV NCP rules about access key hard coding - #3820
- terraform: NSGRulePortAccessRestricted - Remove the condition for dynamic blocks - #3862
- kubernetes: handle empty spec object in k8s templates - #3865
- openapi: fixed error in invalid openapi template - #3863
- terraform: app_service Upgrade tests and add web app resources - #3838
- terraform: Handled nested unrendered vars - #3853
2.2.44 - 2022-11-11
- terraform: fix an issue with dynamics replacing a whole block - #3846
2.2.43 - 2022-11-10
- terraform: Wrap render dynamic blocks flow with try except - #3837
- bicep: make ARM AKS checks compatible with Bicep - #3836
- cloudformation: only parse valid tag key-pairs in CloudFormation - #3835
- general: Clear details before next check run to avoid duplications in output - #3711
2.2.38 - 2022-11-09
- secrets: add abstract multiline parser + implement multiline json parser - #3799
- terraform: Support for nested dynamic modules - #3813
- kubernetes: fixed unexpected list object - #3833
2.2.35 - 2022-11-08
- general: Added Number of Words operator - #3801
- terraform: add CKV NCP rules about LBTargetGroupUsingHTTPS - #3797
- terraform: add CKV NCP rules about NASEncrytionEnabled - #3796
- terraform: Add Env Var for rendering Dynamic Blocks - #3816
- terraform: Dynamic blocks breadcrumbs support - #3814
- terraform: PC Policy Team Yaml Policies Check-in - #3785
- terraform: PC-Policy-Team: Ensure GCP compute firewall ingress does not allow unrestricted access to all ports - #3786
- sca: Run package scan using API - #3812
2.2.31 - 2022-11-07
- azure: Add get resource names for azure_pipelines - #3798
- github: add graph to GitHub Actions - #3672
- terraform: add CKV NCP rules about LBListenerUsesSecureProtocols - #3782
- terraform: Dynamic Modules Support map type - #3800
- terraform: include pods of kubernetes_deployment in kubernetes_pod checks (1/4) - #3691
- terraform: include pods of kubernetes_deployment in kubernetes_pod checks (2/4) - #3702
- terraform: include pods of kubernetes_deployment in kubernetes_pod checks (3/4) - #3703
- terraform: include pods of kubernetes_deployment in kubernetes_pod checks (4/4) - #3738
- arm: CKV_AZURE_9 & CKV_AZURE_10 - Scan fails if protocol value is a wildcard - #3750
- azure: Remove redundant file path from resource name in azure pipelines - #3818
- secrets: fix slow secrets scan in yaml files - #3803
- secrets: fixed path of secrets tests to exclude - #3817
- terraform: fix gke resource name not string - #3811
- general: rationalize policy metadata error handling behavior - #3795
- sca: add new sca package scan - #3802
- sca: Extract checkov check links - #3790
2.2.22 - 2022-11-06
- kubernetes: Create keyword and network policy edge builders - #3763
2.2.21 - 2022-11-03
- general: add range_includes and inverted operator - #3752
- secrets: Add multiline detection to entropy keyword combinator - #3788
- terraform: render list entries via modules correctly - #3781
2.2.17 - 2022-11-02
- terraform: Add CKV_AWS_276 to ensure that API Gateway Method Settings data_trace_enabled is not set to True - #3761
- terraform: Fix
related_resource_idfor ImageReferencer inexternal_module- #3780
- general: Fix typo in docs - #3694
2.2.15 - 2022-10-31
- github: split repo and org webhooks to separate files - #3764
- gitlab: Adding image detection check to gitlab ci - #3774
- openapi: pre-validate OpenAPI JSON files - #3760
- azure: Support .yaml extension - #3767
- github: print the result again in GHA - #3751
- terraform: reduce parsing time for large TF plan files - #3757
2.2.8 - 2022-10-30
- terraform: add CKV2_AWS_40 to Ensure AWS IAM policy does not allow full IAM privileges - #3712
- general: Get resources from platform and filter taggable resources for policies - #3621
2.2.5 - 2022-10-27
- graph: add support for modules in graph checks - #3635
- terraform: add CKV NCP rules about Network ACL. - #3668
- terraform: TF Dynamic Blocks support -
for_eachlists type - #3737
- terraform: fix a TF plan issue with CKV_AWS_274 - #3747
- terraform: fix false positive for write ACL yaml check - #3745
- general: Update Jenkins page to use Checkov image - #3725
2.2.0 - 2022-10-26
- github: Change github_failed_only output suffix to .md - #3595
- terraform: adjust the check result return for dependant variables to unknown in Python based checks - #3743
- terraform: return UNKNOWN for unrendered values in graph checks - #3689
- terraform: add CKV NCP rule about block storage encryption. - #3628
- terraform: add CKV NCP rule about vpc volume encryption. - #3629
- terraform: add CKV NCP rules about Network ACL. - #3630
- terraform: Create checks for aws managed admin policy - #3741
- terraform: local_authentication_disabled - cosmodb check to look at SQL Api only CKV_AZURE_140 - #3648
2.1.294 - 2022-10-25
- kubernetes: Create label selector edge builder - #3715
- terraform: add CKV NCP rules about access control group Inbound rule. - #3627
- terraform: add versioned kubernetes resources to terraform kubernetes checks (5/5) - #3657
- general: skip scanning VCS configuration if only files are passed in - #3729
2.1.290 - 2022-10-24
- circleci: CircleCI Image Reference using Mixin class - #3707
- kubernetes: fix in CPURequests check - #3727
2.1.288 - 2022-10-24
- github: fix GITHUB_OUTPUT and GITHUB_ENV issues of checkov-action - #3726
- gitlab: Modify gitlab ci resource id - #3706
2.1.286 - 2022-10-23
- graph: equals/not_equals_ignore_case operators (solvers) - #3698
- github: Fix GHA off value error resulting in checkov hanging - #3713
- gitlab: vcs gitlab groups retrieval - #3716
- kubernetes: fix in ServiceAccountTokens check - #3717
- terraform: Add debug logs to yaml parsing logic - #3718
2.1.282 - 2022-10-20
- general: Custom Policies integration must run before Suppresion integration - #3701
- terraform: Add or condition for TLS 1.3 policy, supporting CKV_AWS_103 - #3700
- terraform: Fix TF AbsGoogleComputeFirewallUnrestrictedIngress check - #3704
2.1.277 - 2022-10-19
- terraform: add CKV NCP rules about access control group outbound rule. - #3624
- terraform: add versioned kubernetes resources to terraform kubernetes checks (2/5) - #3654
- terraform: add versioned kubernetes resources to terraform kubernetes checks (3/5) - #3655
- terraform: add versioned kubernetes resources to terraform kubernetes checks (4/5) - #3656
- cloudformation: Fix ALBListenerTLS12 check - #3697
- helm: undo file_abs_path manipulation for helm files - #3692
- kubernetes: Couple of fixes in Checks - #3686
- terraform: Fix CloudArmorWAFACLCVE202144228 check - #3696
2.1.273 - 2022-10-18
- kustomize: stop kustomize run, if there is nothing to process - #3681
- sca: Enable multiple image referencer framework results in the same scan - #3652
- terraform: add versioned kubernetes resources to terraform kubernetes checks (1/5) - #3653
- general: Fix broken links - #3685
2.1.270 - 2022-10-13
- terraform: Outdated check for google_container_cluster binary authorization - #3612
2.1.269 - 2022-10-12
- terraform: Added new Terraform-AWS python IAMUserNotUsedForAccess(CKV_AWS_273) policy - #3574
- argo: only scan Argo Workflows files - #3644
- kubernetes: minor fix for getting entity type from template - #3645
- kustomize: add --client=true to kubectl version command, to prevent checkov waiting for timeout if cluster is unreachable - #3641
- terraform: update CKV_AWS_213 to also cover AWS predefined security policies - #3615
2.1.266 - 2022-10-11
- general: add Azure Pipelines framework - #3579
- dockerfile: handle quoted absolute path in CKV_DOCKER_10 - #3626
- kubernetes: handled missing field secretKeyRef in template - #3639
- kubernetes: handled missing key in k8s templates - #3640
- terraform: extend CKV2_AWS_15 to support aws_lb_target_group - #3617
- terraform: handle unexpected value for enabled_cloudwatch_logs_exports - #3638
2.1.258 - 2022-10-06
- dockerfile: add Image Referencer for Dockerfile - #3571
- cloudformation: Fixed unexpected null properties for LaunchConfigurationEBSEncryption - #3620
2.1.255 - 2022-10-04
- general: allow file destination mapping via output-file-path flag - #3593
2.1.254 - 2022-10-03
- github: GHA Image Referencer using IR Mixin class - #3583
- graph: add support for guideline field to custom graph checks - #3600
- sca: Add root path references to shorten file paths in Image Referencer results - #3609
- sca: support Image referencer in CLI - #3601
- github: bug fixes in CKV_GITHUB_6, CKV_GITHUB_7, CKV_GITHUB_9 - #3605
- github: Fix resource id and file path for GHA IR - #3610
- terraform: extend check for google cloud functions 2nd generation - #3607
- terraform: fix port is bool ingress rule - #3606
2.1.247 - 2022-10-02
- general: added cli argument for extra resources in report - #3588
- serverless: added extra resources for serverless and dockerfile - #3576
- terraform: add CKV_NCP_1 about lb target group health check, CKV_NCP_2 about access control group description - #3569
- cloudformation: fix lc ebs encryption - #3598
- github: changed the schema to accept no description for org - #3589
- secrets: Skip secrets from files encoded with special codecs - #3597
2.1.242 - 2022-09-29
- general: switch from black-list to block-list - #3581
- kubernetes: added resources mappings for roles objects - #3582
- github: fix variables initialization - #3585
- kubernetes: Handle templates without name for PeerClientCertAuthTrue check - #3577
- openapi: fix openapi schema bug - #3587
- sca: fix CycloneDX output for Docker images - #3586
- secrets: change entropy limit in Combinator plugin - #3575
- terraform: fix external modules ids in graph report - #3584
- terraform: Handle malformed database_flags for GCP DB checks - #3578
2.1.236 - 2022-09-28
- general: Add enforcement rules to entrypoint.sh - #3573
- openapi: add CKV_OPENAPI_7 to ensure http is not used in path definition - #3547
- sca: add Image Referencer for Kubernetes, Helm and Kustomize - #3505
- terraform: add CKV_AWS_272 to validate Lambda function code-signing - #3556
- terraform: add new gcp postgresql checks - #3532
- terraform: allow resources without values in TF plan - #3563
2.1.229 - 2022-09-27
- kubernetes: [CKV_K8S_68] Remove unnecessary condition check from ApiServerAnonymousAuth.py - #3543
2.1.228 - 2022-09-26
- general: use current branch name instead of master for the checkov-action - #3568
2.1.227 - 2022-09-23
- general: Multi skip docs - #3561
2.1.226 - 2022-09-22
- gitlab: GitlabCI ImageReferencer - #3544
- general: Fix TOC rendering issue on checkov.io - #3551
2.1.223 - 2022-09-21
- general: only add
helpUrito SARIF if it is non-empty - #3542 - kubernetes: [CKV_K8S_140] Update ApiServerTlsCertAndKey.py to check RHS values - #3506
- kubernetes: [CKV_K8S_90] Remove unnecessary condition check from ApiServerProfiling.py - #3541
2.1.219 - 2022-09-20
- cloudformation: add CKV_AWS_197 for CFN - #3536
- sca: Split
PRESENT_CACHED_RESULTSenv var to 2 feature flag like vars - #3518
- general: handle fixes for cloned OOTB policies - #3535
- helm: fix helm signal abort handler - #3539
- terraform: APIGatewayAuthorization check missing authorization - #3545
- terraform: fix tfvars rendering - #3533
2.1.214 - 2022-09-19
- general: leverage SARIF helpUri for guideline and SCA link - #3492
- github: Improving GHA schema validation - #3513
- kubernetes: added base class K8SEdgeBuilder - #3530
- terraform: GCP Cloud functions should not be public - #3477
- github: add missing schema files to distribution package - #3537
- sca: changes on cve suppressions to match package and image scan - #3502
- sca: send exception log when exceeded retries - #3534
- terraform: make test case insensitive for CKV_ALI_35,CKV_ALI_36,CKV_ALI_37 - #3507
- terraform: do not evaluate OCI policy statements - #3411
2.1.212 - 2022-09-18
2.1.210 - 2022-09-15
- sca: add Image Referencer for CloudFormation - #3501
- helm: add try catch to helm cmd run - #3508
- general: upload run metadata to S3 - #3461
2.1.207 - 2022-09-14
- general: fix format of cli command reference table - #3504
- sca: skip old CVE suppressions (without 'accountIds') - #3503
2.1.205 - 2022-09-13
- general: add flag for summary position - #3497
2.1.204 - 2022-09-12
- sca: licenses suppressions by type - #3491
- arm: unexpected data type in ACRAnonymousPullDisabled - #3496
- general: remove duplicated reports - #3495
2.1.201 - 2022-09-08
- general:
intersects/not_intersectsoperators (solvers) - #3482
- gha: Gracefully handle bad GHA job definitions - #3489
- sca: do not skip the scan if BC_LIC is used with --check - #3488
2.1.196 - 2022-09-07
2.1.193 - 2022-09-06
- cloudformation: fix bug in cfn parser - #3473
- sca: Add images data to image_cached_results for ImageReferencer scan - #3468
- secrets: modify checkov secrets scanner to scan all files based on ff - #3474
2.1.188 - 2022-09-05
- cloudformation: json parser support triple quote string - #3463
- terraform: gcp postgresql default values - #3457
2.1.184 - 2022-09-04
- general: trim API urls - #3460
- general: adjust example for custom check with guideline - #3459
2.1.182 - 2022-09-02
- sca: Added fix details to junitxml - #3456
- terraform: Added 5 python (CKV_AWS_267-271) and 2 yaml (CKV2_AWS_38-39) policies. - #3438
2.1.179 - 2022-09-01
- graph: cache jsonpath attributes parser results - #3451
- general: revert dropping checks metadata for empty reports - #3453