2.2.114 - 2022-12-04
- terraform: add CKV NCP rules about ncloud access control group rule - #3860
- secrets: fix Issue with 'NoneType' error in the custom detectors load_detectors - #3973
- terraform: remove redundant exc_info for module without source - #3974
2.2.112 - 2022-12-01
- dockerfile: add graph to Dockerfile - #3948
- terraform: add CKV NCP rules about access control group Inbound rule. - #3859
- terraform: Implement relative file path standard for tf plan file runs - #3918
- general: fix doc links on windows - #3959
- secrets: Fix omitting of secrets that are json encoded - #3964
- terraform_plan: Fix k8s checks edgecases for terraform plan - #3966
- terraform: OCI Security Group Control Problem - #3933
- secrets: remove the use of enable_secret_scan_all_files for custom secrets - #3954
- terraform: update Terraform modules docs - #3965
2.2.106 - 2022-11-30
- no noteworthy changes
2.2.105 - 2022-11-29
- terraform: add CKV NCP rules about Load Balancer Listener Using HTTPS - #3858
- terraform: add CKV NCP rules about server instance and public IP - #3857
- terraform: azurerm ACR check for retention policy - #3927
2.2.99 - 2022-11-27
- github: add CIS checks part 1. Most of the 1.1.x - #3937
- terraform: Azure ACR Enable Image Quarantine - #3925
- terraform: Azure use signed image in ACR - #3923
- bicep: ignore unresolvable properties for Bicep storage account checks - #3946
- gha: added test for step with no step name - #3945
2.2.96 - 2022-11-26
- no noteworthy changes
2.2.95 - 2022-11-24
- circleci: add check for detecting images without check resource - #3930
- terraform: ACR container scanning - #3922
- terraform: add CKV NCP check about NKS(kubernetes) logging - #3855
- terraform: Adding yaml based build time policies for corresponding PC run time policies - #3900
- general: update checks_metadata structure - #3929
- gha: and circleci resource names - #3914
- kubernetes: Handle invalid helm chart meta - #3939
- sca: fix related resource id for helm and kustomize - #3931
- terraform: better check names to avoid confusion - addresses #3912 - #3921
- terraform: CKV_AZURE_144 passes on defaults - #3938
- terraform: Removed duplicate check CKV_AZURE_60 - #3928
- secrets: Support custom detectors from the platform - #3926
2.2.86 - 2022-11-23
- terraform: add CKV_AWS_282 to ensure that Redshift Serverless namespace is encrypted by KMS - #3915
- terraform: Remove cross variables edges duplications - #3920
2.2.84 - 2022-11-22
- general: sign and push checkov image to GitHub registry - #3906
- secrets: Add Terraform multiline secrets handling - #3907
- terraform: ensure snapshots use encryption - #3899
- terraform: support cross-modules edges - #3909
2.2.80 - 2022-11-21
- terraform: add nested module address attribute - #3904
2.2.78 - 2022-11-20
- general: add output format cyclonedx_json - #3902
- general: add source to contributor metrics report - #3905
- terraform: Fix an edge case in AbsRDSParameter check - #3903
2.2.75 - 2022-11-17
- github: add output-file-path flag to checkov-action - #3897
- terraform: Dynamic blocks - added support for lookup null/true/false values - #3893
- sca: added dependency tree format - #3892
2.2.72 - 2022-11-16
- terraform: add CKV NCP rules about NKSPublicAccess - #3822
- terraform: Censor secrets from tfplan graph - #3894
- terraform: create cross-variable edges between resources from the same module - #3881
- general: remove filter value validation - #3896
- terraform: Fix dynamic blocks nested module - #3890
- terraform: handle empty enabled_cluster_log_types list - #3891
- sca: add scaCliScanId parameter - #3789
2.2.65 - 2022-11-15
- terraform: test checks for any port access - #3882
- terraform: Fixing some broken flow in dynamic blocks rendering - #3879
- terraform: Not adding dynamic blocks attributes to attributes - #3872
- general: Support s3 client config for govcloud - #3880
- sca: Add repoId to GET request - #3876
- sca: Fix bom report - #3867
- sca: Poll sca scan results using Polling API - #3841
- sca: remove src from repo path - #3884
2.2.58 - 2022-11-14
- general: number of words larger/less than or equal operators - #3827
- general: remove env var for running contributor metrics report and add logs - #3873
- terraform: add CKV NCP rules about Load Balancer Exposed to Internet - #3819
- terraform: Mask secret values in Terraform plan file reports by resource - #3868
- terraform: Support dynamic blocks with nested attributes - #3869
- general: Fixed operator name for number_of_words_derivaties - #3875
- terraform: Fix dynamic attributes override each other - #3866
2.2.50 - 2022-11-13
- general: add reporting contributor metrics - #3823
- terraform: add CKV NCP rules about access key hard coding - #3820
- terraform: NSGRulePortAccessRestricted - Remove the condition for dynamic blocks - #3862
- kubernetes: handle empty spec object in k8s templates - #3865
- openapi: fixed error in invalid openapi template - #3863
- terraform: app_service Upgrade tests and add web app resources - #3838
- terraform: Handled nested unrendered vars - #3853
2.2.44 - 2022-11-11
- terraform: fix an issue with dynamics replacing a whole block - #3846
2.2.43 - 2022-11-10
- terraform: Wrap render dynamic blocks flow with try except - #3837
- bicep: make ARM AKS checks compatible with Bicep - #3836
- cloudformation: only parse valid tag key-pairs in CloudFormation - #3835
- general: Clear details before next check run to avoid duplications in output - #3711
2.2.38 - 2022-11-09
- secrets: add abstract multiline parser + implement multiline json parser - #3799
- terraform: Support for nested dynamic modules - #3813
- kubernetes: fixed unexpected list object - #3833
2.2.35 - 2022-11-08
- general: Added Number of Words operator - #3801
- terraform: add CKV NCP rules about LBTargetGroupUsingHTTPS - #3797
- terraform: add CKV NCP rules about NASEncrytionEnabled - #3796
- terraform: Add Env Var for rendering Dynamic Blocks - #3816
- terraform: Dynamic blocks breadcrumbs support - #3814
- terraform: PC Policy Team Yaml Policies Check-in - #3785
- terraform: PC-Policy-Team: Ensure GCP compute firewall ingress does not allow unrestricted access to all ports - #3786
- sca: Run package scan using API - #3812
2.2.31 - 2022-11-07
- azure: Add get resource names for azure_pipelines - #3798
- github: add graph to GitHub Actions - #3672
- terraform: add CKV NCP rules about LBListenerUsesSecureProtocols - #3782
- terraform: Dynamic Modules Support map type - #3800
- terraform: include pods of kubernetes_deployment in kubernetes_pod checks (1/4) - #3691
- terraform: include pods of kubernetes_deployment in kubernetes_pod checks (2/4) - #3702
- terraform: include pods of kubernetes_deployment in kubernetes_pod checks (3/4) - #3703
- terraform: include pods of kubernetes_deployment in kubernetes_pod checks (4/4) - #3738
- arm: CKV_AZURE_9 & CKV_AZURE_10 - Scan fails if protocol value is a wildcard - #3750
- azure: Remove redundant file path from resource name in azure pipelines - #3818
- secrets: fix slow secrets scan in yaml files - #3803
- secrets: fixed path of secrets tests to exclude - #3817
- terraform: fix gke resource name not string - #3811
- general: rationalize policy metadata error handling behavior - #3795
- sca: add new sca package scan - #3802
- sca: Extract checkov check links - #3790
2.2.22 - 2022-11-06
- kubernetes: Create keyword and network policy edge builders - #3763
2.2.21 - 2022-11-03
- general: add range_includes and inverted operator - #3752
- secrets: Add multiline detection to entropy keyword combinator - #3788
- terraform: render list entries via modules correctly - #3781
2.2.17 - 2022-11-02
- terraform: Add CKV_AWS_276 to ensure that API Gateway Method Settings data_trace_enabled is not set to True - #3761
- terraform: Fix related_resource_id for ImageReferencer in external_module - #3780
- general: Fix typo in docs - #3694
2.2.15 - 2022-10-31
- github: split repo and org webhooks to separate files - #3764
- gitlab: Adding image detection check to gitlab ci - #3774
- openapi: pre-validate OpenAPI JSON files - #3760
- azure: Support .yaml extension - #3767
- github: print the result again in GHA - #3751
- terraform: reduce parsing time for large TF plan files - #3757
2.2.8 - 2022-10-30
- terraform: add CKV2_AWS_40 to Ensure AWS IAM policy does not allow full IAM privileges - #3712
- general: Get resources from platform and filter taggable resources for policies - #3621
2.2.5 - 2022-10-27
- graph: add support for modules in graph checks - #3635
- terraform: add CKV NCP rules about Network ACL. - #3668
- terraform: TF Dynamic Blocks support - for_each lists type - #3737
- terraform: fix a TF plan issue with CKV_AWS_274 - #3747
- terraform: fix false positive for write ACL yaml check - #3745
- general: Update Jenkins page to use Checkov image - #3725
2.2.0 - 2022-10-26
- github: Change github_failed_only output suffix to .md - #3595
- terraform: adjust the check result return for dependent variables to unknown in Python based checks - #3743
- terraform: return UNKNOWN for unrendered values in graph checks - #3689
- terraform: add CKV NCP rule about block storage encryption. - #3628
- terraform: add CKV NCP rule about vpc volume encryption. - #3629
- terraform: add CKV NCP rules about Network ACL. - #3630
- terraform: Create checks for aws managed admin policy - #3741
- terraform: local_authentication_disabled - cosmodb check to look at SQL Api only CKV_AZURE_140 - #3648
2.1.294 - 2022-10-25
- kubernetes: Create label selector edge builder - #3715
- terraform: add CKV NCP rules about access control group Inbound rule. - #3627
- terraform: add versioned kubernetes resources to terraform kubernetes checks (5/5) - #3657
- general: skip scanning VCS configuration if only files are passed in - #3729
2.1.290 - 2022-10-24
- circleci: CircleCI Image Reference using Mixin class - #3707
- kubernetes: fix in CPURequests check - #3727
2.1.288 - 2022-10-24
- github: fix GITHUB_OUTPUT and GITHUB_ENV issues of checkov-action - #3726
- gitlab: Modify gitlab ci resource id - #3706
2.1.286 - 2022-10-23
- graph: equals/not_equals_ignore_case operators (solvers) - #3698
- github: Fix GHA off value error resulting in checkov hanging - #3713
- gitlab: vcs gitlab groups retrieval - #3716
- kubernetes: fix in ServiceAccountTokens check - #3717
- terraform: Add debug logs to yaml parsing logic - #3718
2.1.282 - 2022-10-20
- general: Custom Policies integration must run before Suppression integration - #3701
- terraform: Add or condition for TLS 1.3 policy, supporting CKV_AWS_103 - #3700
- terraform: Fix TF AbsGoogleComputeFirewallUnrestrictedIngress check - #3704
2.1.277 - 2022-10-19
- terraform: add CKV NCP rules about access control group outbound rule. - #3624
- terraform: add versioned kubernetes resources to terraform kubernetes checks (2/5) - #3654
- terraform: add versioned kubernetes resources to terraform kubernetes checks (3/5) - #3655
- terraform: add versioned kubernetes resources to terraform kubernetes checks (4/5) - #3656
- cloudformation: Fix ALBListenerTLS12 check - #3697
- helm: undo file_abs_path manipulation for helm files - #3692
- kubernetes: Couple of fixes in Checks - #3686
- terraform: Fix CloudArmorWAFACLCVE202144228 check - #3696
2.1.273 - 2022-10-18
- kustomize: stop kustomize run, if there is nothing to process - #3681
- sca: Enable multiple image referencer framework results in the same scan - #3652
- terraform: add versioned kubernetes resources to terraform kubernetes checks (1/5) - #3653
- general: Fix broken links - #3685
2.1.270 - 2022-10-13
- terraform: Outdated check for google_container_cluster binary authorization - #3612
2.1.269 - 2022-10-12
- terraform: Added new Terraform-AWS python IAMUserNotUsedForAccess(CKV_AWS_273) policy - #3574
- argo: only scan Argo Workflows files - #3644
- kubernetes: minor fix for getting entity type from template - #3645
- kustomize: add --client=true to kubectl version command, to prevent checkov waiting for timeout if cluster is unreachable - #3641
- terraform: update CKV_AWS_213 to also cover AWS predefined security policies - #3615
2.1.266 - 2022-10-11
- general: add Azure Pipelines framework - #3579
- dockerfile: handle quoted absolute path in CKV_DOCKER_10 - #3626
- kubernetes: handled missing field secretKeyRef in template - #3639
- kubernetes: handled missing key in k8s templates - #3640
- terraform: extend CKV2_AWS_15 to support aws_lb_target_group - #3617
- terraform: handle unexpected value for enabled_cloudwatch_logs_exports - #3638
2.1.258 - 2022-10-06
- dockerfile: add Image Referencer for Dockerfile - #3571
- cloudformation: Fixed unexpected null properties for LaunchConfigurationEBSEncryption - #3620
2.1.255 - 2022-10-04
- general: allow file destination mapping via output-file-path flag - #3593
2.1.254 - 2022-10-03
- github: GHA Image Referencer using IR Mixin class - #3583
- graph: add support for guideline field to custom graph checks - #3600
- sca: Add root path references to shorten file paths in Image Referencer results - #3609
- sca: support Image referencer in CLI - #3601
- github: bug fixes in CKV_GITHUB_6, CKV_GITHUB_7, CKV_GITHUB_9 - #3605
- github: Fix resource id and file path for GHA IR - #3610
- terraform: extend check for google cloud functions 2nd generation - #3607
- terraform: fix port is bool ingress rule - #3606
2.1.247 - 2022-10-02
- general: added cli argument for extra resources in report - #3588
- serverless: added extra resources for serverless and dockerfile - #3576
- terraform: add CKV_NCP_1 about lb target group health check, CKV_NCP_2 about access control group description - #3569
- cloudformation: fix lc ebs encryption - #3598
- github: changed the schema to accept no description for org - #3589
- secrets: Skip secrets from files encoded with special codecs - #3597
2.1.242 - 2022-09-29
- general: switch from black-list to block-list - #3581
- kubernetes: added resources mappings for roles objects - #3582
- github: fix variables initialization - #3585
- kubernetes: Handle templates without name for PeerClientCertAuthTrue check - #3577
- openapi: fix openapi schema bug - #3587
- sca: fix CycloneDX output for Docker images - #3586
- secrets: change entropy limit in Combinator plugin - #3575
- terraform: fix external modules ids in graph report - #3584
- terraform: Handle malformed database_flags for GCP DB checks - #3578
2.1.236 - 2022-09-28
- general: Add enforcement rules to entrypoint.sh - #3573
- openapi: add CKV_OPENAPI_7 to ensure http is not used in path definition - #3547
- sca: add Image Referencer for Kubernetes, Helm and Kustomize - #3505
- terraform: add CKV_AWS_272 to validate Lambda function code-signing - #3556
- terraform: add new gcp postgresql checks - #3532
- terraform: allow resources without values in TF plan - #3563
2.1.229 - 2022-09-27
- kubernetes: [CKV_K8S_68] Remove unnecessary condition check from ApiServerAnonymousAuth.py - #3543
2.1.228 - 2022-09-26
- general: use current branch name instead of master for the checkov-action - #3568
2.1.227 - 2022-09-23
- general: Multi skip docs - #3561
2.1.226 - 2022-09-22
- gitlab: GitlabCI ImageReferencer - #3544
- general: Fix TOC rendering issue on checkov.io - #3551
2.1.223 - 2022-09-21
- general: only add helpUri to SARIF if it is non-empty - #3542
- kubernetes: [CKV_K8S_140] Update ApiServerTlsCertAndKey.py to check RHS values - #3506
- kubernetes: [CKV_K8S_90] Remove unnecessary condition check from ApiServerProfiling.py - #3541
2.1.219 - 2022-09-20
- cloudformation: add CKV_AWS_197 for CFN - #3536
- sca: Split PRESENT_CACHED_RESULTS env var to 2 feature flag like vars - #3518
- general: handle fixes for cloned OOTB policies - #3535
- helm: fix helm signal abort handler - #3539
- terraform: APIGatewayAuthorization check missing authorization - #3545
- terraform: fix tfvars rendering - #3533
2.1.214 - 2022-09-19
- general: leverage SARIF helpUri for guideline and SCA link - #3492
- github: Improving GHA schema validation - #3513
- kubernetes: added base class K8SEdgeBuilder - #3530
- terraform: GCP Cloud functions should not be public - #3477
- github: add missing schema files to distribution package - #3537
- sca: changes on cve suppressions to match package and image scan - #3502
- sca: send exception log when exceeded retries - #3534
- terraform: make test case insensitive for CKV_ALI_35,CKV_ALI_36,CKV_ALI_37 - #3507
- terraform: do not evaluate OCI policy statements - #3411
2.1.212 - 2022-09-18
2.1.210 - 2022-09-15
- sca: add Image Referencer for CloudFormation - #3501
- helm: add try catch to helm cmd run - #3508
- general: upload run metadata to S3 - #3461
2.1.207 - 2022-09-14
- general: fix format of cli command reference table - #3504
- sca: skip old CVE suppressions (without 'accountIds') - #3503
2.1.205 - 2022-09-13
- general: add flag for summary position - #3497
2.1.204 - 2022-09-12
- sca: licenses suppressions by type - #3491
- arm: unexpected data type in ACRAnonymousPullDisabled - #3496
- general: remove duplicated reports - #3495
2.1.201 - 2022-09-08
- general: intersects/not_intersects operators (solvers) - #3482
- gha: Gracefully handle bad GHA job definitions - #3489
- sca: do not skip the scan if BC_LIC is used with --check - #3488
2.1.196 - 2022-09-07
2.1.193 - 2022-09-06
- cloudformation: fix bug in cfn parser - #3473
- sca: Add images data to image_cached_results for ImageReferencer scan - #3468
- secrets: modify checkov secrets scanner to scan all files based on ff - #3474
2.1.188 - 2022-09-05
- cloudformation: json parser support triple quote string - #3463
- terraform: gcp postgresql default values - #3457
2.1.184 - 2022-09-04
- general: trim API urls - #3460
- general: adjust example for custom check with guideline - #3459
2.1.182 - 2022-09-02
- sca: Added fix details to junitxml - #3456
- terraform: Added 5 python (CKV_AWS_267-271) and 2 yaml (CKV2_AWS_38-39) policies. - #3438
2.1.179 - 2022-09-01
- graph: cache jsonpath attributes parser results - #3451
- general: revert dropping checks metadata for empty reports - #3453