Merge branch 'main' into fix-KubernetesDashboard-false-positive

bridgecrewio · Jul 30, 2024 · 13038d6 · 13038d6
2 parents bd3322f + a3cceb6
commit 13038d6
Show file tree

Hide file tree

Showing 1,356 changed files with 71,481 additions and 17,093 deletions.
diff --git a/.flake8 b/.flake8
@@ -3,7 +3,7 @@
 [flake8]
 max-line-length = 120
 # E203,E501 don't work with black together
-ignore = E203,E501,E731,W503,W504,DUO107,DUO104,DUO130,DUO109,DUO116,B028,B950,TC001,TC003,TC006,B907,B038
+ignore = E203,E501,E731,W503,W504,DUO107,DUO104,DUO130,DUO109,DUO116,B028,B950,TC001,TC003,TC006,B907,B038,B909
 select = C,E,F,W,B,B9,A,TC
 extend-exclude = .github, .pytest_cache, docs/*, venv/*, tests/*, flake8_plugins/*, cdk_integration_tests/src/python/*
 

diff --git a/.github/ISSUE_TEMPLATE/feature_request.md b/.github/ISSUE_TEMPLATE/feature_request.md
@@ -0,0 +1,21 @@
+---
+name: Feature request
+about: Feature requests or requests for enhancements that are not bugs.
+title: ''
+labels: 'contribution requested'
+assignees: ''
+
+---
+
+**Describe the feature**
+
+Explain the feature in detail. Note that feature requests are always reviewed, but prioritized based on popularity, effort, and impact. We also welcome contributions.
+
+**Examples**
+
+Please share an example code sample (in the IaC of your choice) + expected inputs and outputs from Checkov + the expected outcomes.
+
+**Additional context**
+
+Add any other context about the problem here.
+
diff --git a/.github/PULL_REQUEST_TEMPLATE.md b/.github/PULL_REQUEST_TEMPLATE.md
@@ -2,14 +2,14 @@
 
 [//]: # "
     # PR Title
-    Be aware that we use the title to create changelog automatically and therefore only allow specific prefixes
-    - break:    to indicate a breaking change, this supersedes any of the types
+    We use the title to create changelog automatically and therefore only allow specific prefixes
+    - break:    to indicate a breaking change, this supersedes any of the other types
     - feat:     to indicate new features or checks
     - fix:      to indicate a bugfix or handling of edge cases of existing checks
     - docs:     to indicate an update to our documentation
     - chore:    to indicate adjustments to workflow files or dependency updates
     - platform: to indicate a change needed for the platform
-    Additionally a scope is needs to be added to the prefix, which indicates the targeted framework, in doubt choose 'general'.
+    Each prefix should be accompanied by a scope that specifies the targeted framework. If uncertain, use 'general'.
     #    
     Allowed prefixs:
     ansible|argo|arm|azure|bicep|bitbucket|circleci|cloudformation|dockerfile|github|gha|gitlab|helm|kubernetes|kustomize|openapi|sast|sca|secrets|serverless|terraform|general|graph|terraform_plan|terraform_json
@@ -34,10 +34,8 @@ Fixes # (issue)
 
 ## Checklist:
 
-- [ ] My code follows the style guidelines of this project
 - [ ] I have performed a self-review of my own code
 - [ ] I have commented my code, particularly in hard-to-understand areas
 - [ ] I have made corresponding changes to the documentation
 - [ ] I have added tests that prove my feature, policy, or fix is effective and works
 - [ ] New and existing tests pass locally with my changes
-- [ ] Any dependent changes have been merged and published in downstream modules
diff --git a/.github/checkov.yaml b/.github/checkov.yaml
@@ -12,7 +12,6 @@ skip-path:
 - tests/common/utils/conftest.py
 - tests/common/utils/test_secrets_utils.py
 - tests/sca_image/conftest.py
-- tests/sca_package/conftest.py
 - tests/sca_package_2/conftest.py
 - tests/secrets
 - tests/terraform/checks/provider
@@ -22,8 +21,18 @@ skip-path:
 - tests/terraform/runner/tf_plan_skip_check_regex/resource/tfplan1.json
 - tests/terraform/runner/tfplan2.json
 - tests/unit/test_secrets.py
+- tests/terraform/runner/resources/example/example.tf
+- tests/terraform/graph
+- tests/terraform/checks
+- /checkov/secrets/plugins/entropy_keyword_combinator.py
+- /checkov/secrets/plugins/detector_utils.py
+- /cdk_integration_tests/src/python/RedshiftClusterPubliclyAccessible/pass.py
+- /cdk_integration_tests/src/python/RedshiftClusterEncryption/pass.py
+- /cdk_integration_tests/src/python/RedshiftClusterEncryption/fail__1__.py
+- /cdk_integration_tests/src/python/RedshiftClusterPubliclyAccessible/fail__1__.py
 - /cdk_integration_tests/src/python/ElasticacheReplicationGroupEncryptionAtTransitAuthToken/fail__2__.py
 - /cdk_integration_tests/src/python/ElasticacheReplicationGroupEncryptionAtTransitAuthToken/pass.py
+- /cdk_integration_tests/src/typescript
 - /checkov/cdk/checks/python/GlueDataCatalogEncryption.yaml
 - /checkov/cdk/checks/python/GlueDataCatalogEncryption.yaml
 - /checkov/cdk/checks/python/GlueDataCatalogEncryption.yaml

diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml
@@ -44,12 +44,12 @@ jobs:
     strategy:
       fail-fast: true
       matrix:
-        python: ["3.8", "3.9", "3.10", "3.11", "3.12"]
+        python: ["3.10", "3.11", "3.12"]
         os: [ubuntu-latest, macos-latest, windows-latest]
     runs-on: ${{ matrix.os }}
     steps:
       - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11  # v3
-      - uses: actions/setup-python@0a5c61591373683505ea898e09a3ea4f39ef2b9c  # v4
+      - uses: actions/setup-python@39cd14951b08e74b54015e9e001cdefcf80e669f  # v4
         with:
           python-version: ${{ matrix.python }}
       - uses: actions/setup-node@b39b52d1213e96004bfcb1c61a8a6fa8ab84f3e8  # v3
@@ -92,13 +92,67 @@ jobs:
       - name: Run integration tests
         run: |
           pipenv run pytest integration_tests
+
+  integration-tests-old-python:
+    strategy:
+      fail-fast: true
+      matrix:
+        python: ["3.8", "3.9"]
+        os: [ubuntu-latest, macos-12, windows-latest]
+    runs-on: ${{ matrix.os }}
+    steps:
+      - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11  # v3
+      - uses: actions/setup-python@39cd14951b08e74b54015e9e001cdefcf80e669f  # v4
+        with:
+          python-version: ${{ matrix.python }}
+      - uses: actions/setup-node@b39b52d1213e96004bfcb1c61a8a6fa8ab84f3e8  # v3
+      - uses: azure/setup-helm@5119fcb9089d432beecbf79bb2c7915207344b78  # v3
+        with:
+          token: ${{ secrets.GITHUB_TOKEN }}
+      - uses: imranismail/setup-kustomize@a76db1c6419124d51470b1e388c4b29476f495f1  # v2
+        if: ${{ runner.os != 'windows' }}
+        with:
+          github-token: ${{ secrets.GITHUB_TOKEN }}
+      - name: Install pipenv
+        run: |
+          python -m pip install --no-cache-dir --upgrade pipenv
+      - name: Build & install checkov package
+        run: |
+          # remove venv, if exists
+          pipenv --rm || true
+          pipenv --python ${{ matrix.python }}
+          pipenv run pip install pytest pytest-xdist setuptools wheel
+          pipenv run python setup.py sdist bdist_wheel
+          bash -c 'pipenv run pip install dist/checkov-*.whl'
+      - name: Clone Terragoat - vulnerable terraform
+        run: git clone https://github.com/bridgecrewio/terragoat
+      - name: Clone Cfngoat - vulnerable cloudformation
+        run: git clone https://github.com/bridgecrewio/cfngoat
+      - name: Clone Kubernetes-goat - vulnerable kubernetes
+        run: git clone https://github.com/madhuakula/kubernetes-goat
+      - name: Clone kustomize-goat - vulnerable kustomize
+        run: git clone https://github.com/bridgecrewio/kustomizegoat
+      - name: Create checkov reports
+        run: |
+          # Just making sure the API key tests don't run on PRs
+          bash -c './integration_tests/prepare_data.sh "${{ matrix.os }}" "${{ matrix.python }}"'
+        env:
+          LOG_LEVEL: INFO
+          BC_KEY: ${{ secrets.PRISMA_KEY_API2 }}
+          PRISMA_API_URL: ${{ secrets.PRISMA_API_URL_2 }}
+          TF_REGISTRY_TOKEN: ${{ secrets.TFC_TOKEN }}
+          GITHUB_PAT: ${{ secrets.GITHUB_TOKEN }}
+      - name: Run integration tests
+        run: |
+          pipenv run pytest integration_tests
+
   prisma-tests:
     runs-on: [ self-hosted, public, linux, x64 ]
     env:
       PYTHON_VERSION: "3.8"
     steps:
       - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11  # v3
-      - uses: actions/setup-python@0a5c61591373683505ea898e09a3ea4f39ef2b9c  # v4
+      - uses: actions/setup-python@39cd14951b08e74b54015e9e001cdefcf80e669f  # v4
         with:
           python-version: ${{ env.PYTHON_VERSION }}
       - name: Install pipenv
@@ -126,13 +180,13 @@ jobs:
     strategy:
       fail-fast: true
       matrix:
-        python: ["3.8", "3.12"]
+        python: ["3.10", "3.11", "3.12"]
         os: [ubuntu-latest, macos-latest]
     runs-on: ${{ matrix.os }}
     continue-on-error: true # for now it is ok to fail
     steps:
       - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11  # v3
-      - uses: actions/setup-python@0a5c61591373683505ea898e09a3ea4f39ef2b9c  # v4
+      - uses: actions/setup-python@39cd14951b08e74b54015e9e001cdefcf80e669f  # v4
         with:
           python-version: ${{ matrix.python }}
       - name: Install pipenv
@@ -161,6 +215,47 @@ jobs:
       - name: Run integration tests
         run: |
           pipenv run pytest sast_integration_tests
+
+  sast-integration-tests-old-python:
+    strategy:
+      fail-fast: true
+      matrix:
+        python: ["3.8", "3.9"]
+        os: [ubuntu-latest, macos-12]
+    runs-on: ${{ matrix.os }}
+    continue-on-error: true # for now it is ok to fail
+    steps:
+      - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11  # v3
+      - uses: actions/setup-python@39cd14951b08e74b54015e9e001cdefcf80e669f  # v4
+        with:
+          python-version: ${{ matrix.python }}
+      - name: Install pipenv
+        run: |
+          python -m pip install --no-cache-dir --upgrade pipenv
+      - name: Build & install checkov package
+        run: |
+          # remove venv, if exists
+          pipenv --rm || true
+          pipenv --python ${{ matrix.python }}
+          pipenv run pip install pytest pytest-xdist setuptools wheel
+          pipenv run python setup.py sdist bdist_wheel
+          bash -c 'pipenv run pip install dist/checkov-*.whl'
+      - name: Clone flask - Python repo for SAST
+        run: git clone https://github.com/pallets/flask
+      - name: Clone WebGoat - Java repo for SAST
+        run: git clone https://github.com/WebGoat/WebGoat
+      - name: Clone axios - JavaScript repo for SAST
+        run: git clone https://github.com/axios/axios
+      - name: Create checkov reports
+        env:
+          LOG_LEVEL: INFO
+          BC_API_KEY: ${{ secrets.PRISMA_KEY_API2 }}
+          PRISMA_API_URL: ${{ secrets.PRISMA_API_URL_2 }}
+        run: bash -c './sast_integration_tests/prepare_data.sh'
+      - name: Run integration tests
+        run: |
+          pipenv run pytest sast_integration_tests
+
   unit-tests:
     timeout-minutes: 30
     runs-on: ubuntu-latest
@@ -169,7 +264,7 @@ jobs:
     steps:
       - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11  # v3
       - name: Set up Python ${{ env.PYTHON_VERSION }}
-        uses: actions/setup-python@0a5c61591373683505ea898e09a3ea4f39ef2b9c  # v4
+        uses: actions/setup-python@39cd14951b08e74b54015e9e001cdefcf80e669f  # v4
         with:
           python-version: ${{ env.PYTHON_VERSION }}
       - uses: azure/setup-helm@5119fcb9089d432beecbf79bb2c7915207344b78  # v3
@@ -194,7 +289,7 @@ jobs:
         run: |
           pipenv run python -m pytest tests
   bump-version:
-    needs: [integration-tests, unit-tests, prisma-tests] # add 'sast-integration-tests' when ready
+    needs: [integration-tests, unit-tests, prisma-tests, sast-integration-tests, integration-tests-old-python, sast-integration-tests-old-python]
     runs-on: [self-hosted, public, linux, x64]
     environment: release
     permissions:
@@ -215,7 +310,7 @@ jobs:
           gpg_private_key: ${{ secrets.GPG_PRIVATE_KEY }}
           passphrase: ${{ secrets.PASSPHRASE }}
       - name: Set up Python ${{ env.PYTHON_VERSION }}
-        uses: actions/setup-python@0a5c61591373683505ea898e09a3ea4f39ef2b9c  # v4
+        uses: actions/setup-python@39cd14951b08e74b54015e9e001cdefcf80e669f  # v4
         with:
           python-version: ${{ env.PYTHON_VERSION }}
       - name: Install pipenv

diff --git a/.github/workflows/codeql-analysis.yml b/.github/workflows/codeql-analysis.yml
@@ -36,7 +36,7 @@ jobs:
       - name: Checkout repository
         uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11  # v3
       - name: Set up Python
-        uses: actions/setup-python@0a5c61591373683505ea898e09a3ea4f39ef2b9c  # v4
+        uses: actions/setup-python@39cd14951b08e74b54015e9e001cdefcf80e669f  # v4
         with:
           python-version: '3.10'
       - name: Setup python for CodeQL
@@ -54,12 +54,12 @@ jobs:
           pipenv lock -r > requirements.txt
           pip install -r requirements.txt
       - name: Initialize CodeQL
-        uses: github/codeql-action/init@e5f05b81d5b6ff8cfa111c80c22c5fd02a384118  # v2
+        uses: github/codeql-action/init@2d790406f505036ef40ecba973cc774a50395aac  # v2
         with:
           languages: python
           setup-python-dependencies: false
           config-file: ./.github/codeql-config.yml
       - name: Autobuild
-        uses: github/codeql-action/autobuild@e5f05b81d5b6ff8cfa111c80c22c5fd02a384118  # v2
+        uses: github/codeql-action/autobuild@2d790406f505036ef40ecba973cc774a50395aac  # v2
       - name: Perform CodeQL Analysis
-        uses: github/codeql-action/analyze@e5f05b81d5b6ff8cfa111c80c22c5fd02a384118  # v2
+        uses: github/codeql-action/analyze@2d790406f505036ef40ecba973cc774a50395aac  # v2
diff --git a/.github/workflows/coverage.yaml b/.github/workflows/coverage.yaml
@@ -27,7 +27,7 @@ jobs:
           gpg_private_key: ${{ secrets.GPG_PRIVATE_KEY }}
           passphrase: ${{ secrets.PASSPHRASE }}
       - name: Set up Python ${{ env.PYTHON_VERSION }}
-        uses: actions/setup-python@0a5c61591373683505ea898e09a3ea4f39ef2b9c  # v4
+        uses: actions/setup-python@39cd14951b08e74b54015e9e001cdefcf80e669f  # v4
         with:
           python-version: ${{ env.PYTHON_VERSION }}
       - uses: azure/setup-helm@5119fcb9089d432beecbf79bb2c7915207344b78  # v3

diff --git a/.github/workflows/jekyll-gh-pages.yml b/.github/workflows/jekyll-gh-pages.yml
@@ -29,9 +29,9 @@ jobs:
       - name: Checkout
         uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11  # v3
       - name: Setup Pages
-        uses: actions/configure-pages@1f0c5cde4bc74cd7e1254d0cb4de8d49e9068c7d  # v3
+        uses: actions/configure-pages@983d7736d9b0ae728b81ab479565c72886d7745b  # v3
       - name: Build with Jekyll
-        uses: actions/jekyll-build-pages@e4ef22193c23ea849fc3fea6dbce69da1ee65b6d  # v1
+        uses: actions/jekyll-build-pages@b178f9334b208360999a0a57b523613563698c66  # v1
         with:
           source: ./docs
           destination: ./_site

diff --git a/.github/workflows/nightly.yml b/.github/workflows/nightly.yml
@@ -94,7 +94,7 @@ jobs:
         with:
           fetch-depth: 0
           token: ${{ secrets.GITHUB_TOKEN }}
-      - uses: actions/setup-python@0a5c61591373683505ea898e09a3ea4f39ef2b9c  # v4
+      - uses: actions/setup-python@39cd14951b08e74b54015e9e001cdefcf80e669f  # v4
         with:
           python-version: ${{ env.PYTHON_VERSION }}
       - name: Install pipenv
@@ -128,7 +128,7 @@ jobs:
         with:
           upload_url: ${{ needs.github-release.outputs.upload_url }}
           asset_path: checkov.zip
-          asset_name: checkov_${{ matrix.name }}_X86_64_${{ needs.github-release.outputs.version }}.zip
+          asset_name: checkov_${{ matrix.name }}_X86_64.zip
           asset_content_type: application/zip
   build-release-artifact-linux-arm:
     needs: [ github-release ]
@@ -164,5 +164,5 @@ jobs:
         with:
           upload_url: ${{ needs.github-release.outputs.upload_url }}
           asset_path: checkov.zip
-          asset_name: checkov_linux_arm64_${{ needs.github-release.outputs.version }}.zip
+          asset_name: checkov_linux_arm64.zip
           asset_content_type: application/zip
diff --git a/.github/workflows/pipenv-update.yml b/.github/workflows/pipenv-update.yml
@@ -26,7 +26,7 @@ jobs:
         with:
           gpg_private_key: ${{ secrets.GPG_PRIVATE_KEY }}
           passphrase: ${{ secrets.PASSPHRASE }}
-      - uses: actions/setup-python@0a5c61591373683505ea898e09a3ea4f39ef2b9c  # v4
+      - uses: actions/setup-python@39cd14951b08e74b54015e9e001cdefcf80e669f  # v4
         with:
           python-version: ${{ env.PYTHON_VERSION }}
       - name: Install pipenv
@@ -42,7 +42,7 @@ jobs:
           GITHUB_TOKEN: ${{ secrets.PAT_TOKEN }}
       - name: Create Pull Request
         id: cpr
-        uses: peter-evans/create-pull-request@153407881ec5c347639a548ade7d8ad1d6740e38  # v5
+        uses: peter-evans/create-pull-request@c5a7806660adbe173f04e3e038b0ccdcd758773c  # v5
         with:
           token: ${{ secrets.PAT_TOKEN }}
           title: '[AUTO-PR] Update pipenv packages'