Merge branch 'main' into mariaDBConvertToARM

.github/checkov.yaml

@@ -21,6 +21,15 @@ skip-path:
 - tests/terraform/runner/tf_plan_skip_check_regex/resource/tfplan1.json
 - tests/terraform/runner/tfplan2.json
 - tests/unit/test_secrets.py
+- tests/terraform/runner/resources/example/example.tf
+- tests/terraform/graph
+- tests/terraform/checks
+- /checkov/secrets/plugins/entropy_keyword_combinator.py
+- /checkov/secrets/plugins/detector_utils.py
+- /cdk_integration_tests/src/python/RedshiftClusterPubliclyAccessible/pass.py
+- /cdk_integration_tests/src/python/RedshiftClusterEncryption/pass.py
+- /cdk_integration_tests/src/python/RedshiftClusterEncryption/fail__1__.py
+- /cdk_integration_tests/src/python/RedshiftClusterPubliclyAccessible/fail__1__.py
 - /cdk_integration_tests/src/python/ElasticacheReplicationGroupEncryptionAtTransitAuthToken/fail__2__.py
 - /cdk_integration_tests/src/python/ElasticacheReplicationGroupEncryptionAtTransitAuthToken/pass.py
 - /cdk_integration_tests/src/typescript

CHANGELOG.md

@@ -1,6 +1,44 @@
 # CHANGELOG
 
-## [Unreleased](https://github.com/bridgecrewio/checkov/compare/3.2.82...HEAD)
+## [Unreleased](https://github.com/bridgecrewio/checkov/compare/3.2.90...HEAD)
+
+## [3.2.90](https://github.com/bridgecrewio/checkov/compare/3.2.85...3.2.90) - 2024-05-09
+
+### Feature
+
+- **general:** Add deep-analysis to GHA - [#6288](https://github.com/bridgecrewio/checkov/pull/6288)
+- **terraform:** Add more hype policies - [#6239](https://github.com/bridgecrewio/checkov/pull/6239)
+
+### Bug Fix
+
+- **ansible:** fix ansible definitions raw type - [#6292](https://github.com/bridgecrewio/checkov/pull/6292)
+
+### Platform
+
+- **ansible:** add set definitions raw to ansible runner - [#6286](https://github.com/bridgecrewio/checkov/pull/6286)
+- **general:** Handle SAST suppressions (suppressions V2) - [#6109](https://github.com/bridgecrewio/checkov/pull/6109)
+
+### Documentation
+
+- **general:** add RENDER_EDGES_DUPLICATE_ITER_COUNT to docs - [#6291](https://github.com/bridgecrewio/checkov/pull/6291)
+- **general:** Update README links for PyPi - [#6231](https://github.com/bridgecrewio/checkov/pull/6231)
+
+## [3.2.85](https://github.com/bridgecrewio/checkov/compare/3.2.84...3.2.85) - 2024-05-08
+
+### Platform
+
+- **ansible:** add missing arg to ansible runner - [#6276](https://github.com/bridgecrewio/checkov/pull/6276)
+
+## [3.2.84](https://github.com/bridgecrewio/checkov/compare/3.2.82...3.2.84) - 2024-05-07
+
+### Feature
+
+- **sast:** Enable cdk ts integraion test - [#6158](https://github.com/bridgecrewio/checkov/pull/6158)
+
+### Bug Fix
+
+- **secrets:** add files for secret to skip - [#6275](https://github.com/bridgecrewio/checkov/pull/6275)
+- **terraform:** Update CKV_AWS_31 for RBAC - [#6224](https://github.com/bridgecrewio/checkov/pull/6224)
 
 ## [3.2.82](https://github.com/bridgecrewio/checkov/compare/3.2.79...3.2.82) - 2024-05-06
 

README.md

@@ -15,7 +15,7 @@
 
 **Checkov** is a static code analysis tool for infrastructure as code (IaC) and also a software composition analysis (SCA) tool for images and open source packages.
 
-It scans cloud infrastructure provisioned using [Terraform](https://terraform.io/), [Terraform plan](docs/7.Scan%20Examples/Terraform%20Plan%20Scanning.md), [Cloudformation](docs/7.Scan%20Examples/Cloudformation.md), [AWS SAM](docs/7.Scan%20Examples/AWS%20SAM.md), [Kubernetes](docs/7.Scan%20Examples/Kubernetes.md), [Helm charts](docs/7.Scan%20Examples/Helm.md), [Kustomize](docs/7.Scan%20Examples/Kustomize.md), [Dockerfile](docs/7.Scan%20Examples/Dockerfile.md),  [Serverless](docs/7.Scan%20Examples/Serverless%20Framework.md), [Bicep](docs/7.Scan%20Examples/Bicep.md), [OpenAPI](docs/7.Scan%20Examples/OpenAPI.md) or [ARM Templates](docs/7.Scan%20Examples/Azure%20ARM%20templates.md) and detects security and compliance misconfigurations using graph-based scanning.
+It scans cloud infrastructure provisioned using [Terraform](https://terraform.io/), [Terraform plan](https://github.com/bridgecrewio/checkov/blob/main/docs/7.Scan%20Examples/Terraform%20Plan%20Scanning.md), [Cloudformation](https://github.com/bridgecrewio/checkov/blob/main/docs/7.Scan%20Examples/Cloudformation.md), [AWS SAM](https://github.com/bridgecrewio/checkov/blob/main/docs/7.Scan%20Examples/AWS%20SAM.md), [Kubernetes](https://github.com/bridgecrewio/checkov/blob/main/docs/7.Scan%20Examples/Kubernetes.md), [Helm charts](https://github.com/bridgecrewio/checkov/blob/main/docs/7.Scan%20Examples/Helm.md), [Kustomize](https://github.com/bridgecrewio/checkov/blob/main/docs/7.Scan%20Examples/Kustomize.md), [Dockerfile](https://github.com/bridgecrewio/checkov/blob/main/docs/7.Scan%20Examples/Dockerfile.md),  [Serverless](https://github.com/bridgecrewio/checkov/blob/main/docs/7.Scan%20Examples/Serverless%20Framework.md), [Bicep](https://github.com/bridgecrewio/checkov/blob/main/docs/7.Scan%20Examples/Bicep.md), [OpenAPI](https://github.com/bridgecrewio/checkov/blob/main/docs/7.Scan%20Examples/OpenAPI.md) or [ARM Templates](https://github.com/bridgecrewio/checkov/blob/main/docs/7.Scan%20Examples/Azure%20ARM%20templates.md) and detects security and compliance misconfigurations using graph-based scanning.
 
 It performs [Software Composition Analysis (SCA) scanning](docs/7.Scan%20Examples/Sca.md) which is a scan of open source packages and images for Common Vulnerabilities and Exposures (CVEs).
 
@@ -37,21 +37,21 @@ Checkov also powers [**Prisma Cloud Application Security**](https://www.prismacl
 - [Getting Started](#getting-started)
 - [Disclaimer](#disclaimer)
 - [Support](#support)
-- [Migration - v2 to v3](docs/1.Welcome/Migration.md)
+- [Migration - v2 to v3](https://github.com/bridgecrewio/checkov/blob/main/docs/1.Welcome/Migration.md)
 
  ## Features
 
- * [Over 1000 built-in policies](docs/5.Policy%20Index/all.md) cover security and compliance best practices for AWS, Azure and Google Cloud.
+ * [Over 1000 built-in policies](https://github.com/bridgecrewio/checkov/blob/main/docs/5.Policy%20Index/all.md) cover security and compliance best practices for AWS, Azure and Google Cloud.
  * Scans Terraform, Terraform Plan, Terraform JSON, CloudFormation, AWS SAM, Kubernetes, Helm, Kustomize, Dockerfile, Serverless framework, Ansible, Bicep and ARM template files.
  * Scans Argo Workflows, Azure Pipelines, BitBucket Pipelines, Circle CI Pipelines, GitHub Actions and GitLab CI workflow files
  * Supports Context-awareness policies based on in-memory graph-based scanning.
  * Supports Python format for attribute policies and YAML format for both attribute and composite policies.
- * Detects [AWS credentials](docs/2.Basics/Scanning%20Credentials%20and%20Secrets.md) in EC2 Userdata, Lambda environment variables and Terraform providers.
+ * Detects [AWS credentials](https://github.com/bridgecrewio/checkov/blob/main/docs/2.Basics/Scanning%20Credentials%20and%20Secrets.md) in EC2 Userdata, Lambda environment variables and Terraform providers.
  * [Identifies secrets](https://www.prismacloud.io/prisma/cloud/secrets-security) using regular expressions, keywords, and entropy based detection.
  * Evaluates [Terraform Provider](https://registry.terraform.io/browse/providers) settings to regulate the creation, management, and updates of IaaS, PaaS or SaaS managed through Terraform.
- * Policies support evaluation of [variables](docs/2.Basics/Handling%20Variables.md) to their optional default value.
- * Supports in-line [suppression](docs/2.Basics/Suppressing%20and%20Skipping%20Policies.md) of accepted risks or false-positives to reduce recurring scan failures. Also supports global skip from using CLI.
- * [Output](docs/2.Basics/Reviewing%20Scan%20Results.md) currently available as CLI, [CycloneDX](https://cyclonedx.org), JSON, JUnit XML, CSV, SARIF and github markdown and link to remediation [guides](https://docs.prismacloud.io/en/enterprise-edition/policy-reference/).
+ * Policies support evaluation of [variables](https://github.com/bridgecrewio/checkov/blob/main/docs/2.Basics/Handling%20Variables.md) to their optional default value.
+ * Supports in-line [suppression](https://github.com/bridgecrewio/checkov/blob/main/docs/2.Basics/Suppressing%20and%20Skipping%20Policies.md) of accepted risks or false-positives to reduce recurring scan failures. Also supports global skip from using CLI.
+ * [Output](https://github.com/bridgecrewio/checkov/blob/main/docs/2.Basics/Reviewing%20Scan%20Results.md) currently available as CLI, [CycloneDX](https://cyclonedx.org), JSON, JUnit XML, CSV, SARIF and github markdown and link to remediation [guides](https://docs.prismacloud.io/en/enterprise-edition/policy-reference/).
 
 ## Screenshots
 
@@ -172,7 +172,7 @@ Check: "Ensure all data stored in the S3 bucket is securely encrypted at rest"
 	 Failed for resource: aws_s3_bucket.sls_deployment_bucket_name
 ```
 
-Start using Checkov by reading the [Getting Started](docs/1.Welcome/Quick%20Start.md) page.
+Start using Checkov by reading the [Getting Started](https://github.com/bridgecrewio/checkov/blob/main/docs/1.Welcome/Quick%20Start.md) page.
 
 ### Using Docker
 
@@ -462,13 +462,13 @@ Defaults:
 
 Contribution is welcomed!
 
-Start by reviewing the [contribution guidelines](CONTRIBUTING.md). After that, take a look at a [good first issue](https://github.com/bridgecrewio/checkov/issues?q=is%3Aissue+is%3Aopen+label%3A%22good+first+issue%22).
+Start by reviewing the [contribution guidelines](https://github.com/bridgecrewio/checkov/blob/main/CONTRIBUTING.md). After that, take a look at a [good first issue](https://github.com/bridgecrewio/checkov/issues?q=is%3Aissue+is%3Aopen+label%3A%22good+first+issue%22).
 
 You can even start this with one-click dev in your browser through Gitpod at the following link:
 
 [![Open in Gitpod](https://gitpod.io/button/open-in-gitpod.svg)](https://gitpod.io/#https://github.com/bridgecrewio/checkov)
 
-Looking to contribute new checks? Learn how to write a new check (AKA policy) [here](docs/6.Contribution/Contribution%20Overview.md).
+Looking to contribute new checks? Learn how to write a new check (AKA policy) [here](https://github.com/bridgecrewio/checkov/blob/main/docs/6.Contribution/Contribution%20Overview.md).
 
 ## Disclaimer
 `checkov` does not save, publish or share with anyone any identifiable customer information.  

checkov/ansible/runner.py

@@ -2,6 +2,8 @@
 
 from typing import TYPE_CHECKING, Any
 
+from checkov.common.graph.checks_infra.registry import BaseRegistry
+
 from checkov.ansible.checks.registry import registry
 from checkov.ansible.graph_builder.graph_components.resource_types import ResourceType
 from checkov.ansible.graph_builder.local_graph import AnsibleLocalGraph
@@ -27,6 +29,7 @@ def __init__(
         source: str = "Ansible",
         graph_class: type[ObjectLocalGraph] = AnsibleLocalGraph,
         graph_manager: ObjectGraphManager | None = None,
+        external_registries: list[BaseRegistry] | None = None,
     ) -> None:
         super().__init__(
             db_connector=db_connector,
@@ -128,3 +131,6 @@ def build_definitions_context(
         definitions_raw: dict[str, list[tuple[int, str]]],
     ) -> dict[str, dict[str, Any]]:
         return build_definitions_context(definitions=definitions, definitions_raw=definitions_raw)
+
+    def set_definitions_raw(self, definitions_raw: dict[str, list[tuple[int, str]]]) -> None:
+        self.definitions_raw = definitions_raw

checkov/cloudformation/checks/resource/aws/CognitoUnauthenticatedIdentities.py

@@ -0,0 +1,28 @@
+from typing import Any
+
+from checkov.common.models.enums import CheckResult, CheckCategories
+from checkov.cloudformation.checks.resource.base_resource_value_check import BaseResourceValueCheck
+
+
+class CognitoUnauthenticatedIdentities(BaseResourceValueCheck):
+    def __init__(self) -> None:
+        name = "Ensure AWS Cognito identity pool does not allow unauthenticated guest access"
+        id = "CKV_AWS_366"
+        supported_resources = ('AWS::Cognito::IdentityPool',)
+        categories = (CheckCategories.IAM,)
+        super().__init__(
+            name=name,
+            id=id,
+            categories=categories,
+            supported_resources=supported_resources,
+            missing_block_result=CheckResult.FAILED,
+        )
+
+    def get_expected_value(self) -> Any:
+        return False
+
+    def get_inspected_key(self) -> str:
+        return 'Properties/AllowUnauthenticatedIdentities'
+
+
+check = CognitoUnauthenticatedIdentities()

checkov/cloudformation/checks/resource/aws/ElasticacheReplicationGroupEncryptionAtTransitAuthToken.py

@@ -23,7 +23,8 @@ def scan_resource_conf(self, conf: dict[str, Any]) -> CheckResult:
         """
         properties = conf. get("Properties")
         if properties and isinstance(properties, dict):
-            if "TransitEncryptionEnabled" in properties.keys() and "AuthToken" in properties.keys():
+            if "TransitEncryptionEnabled" in properties.keys() and ("AuthToken" in properties.keys() or
+                                                                    "UserGroupIds" in properties.keys()):
                 if conf["Properties"]["TransitEncryptionEnabled"]:
                     return CheckResult.PASSED
         return CheckResult.FAILED

checkov/common/bridgecrew/integration_features/features/policy_metadata_integration.py

@@ -22,6 +22,7 @@ class PolicyMetadataIntegration(BaseIntegrationFeature):
     def __init__(self, bc_integration: BcPlatformIntegration) -> None:
         super().__init__(bc_integration=bc_integration, order=0)
         self.check_metadata: dict[str, Any] = {}
+        self.sast_check_metadata: dict[str, Any] = {}
         self.bc_to_ckv_id_mapping: dict[str, str] = {}
         self.pc_to_ckv_id_mapping: dict[str, str] = {}
         self.ckv_id_to_source_incident_id_mapping: dict[str, str] = {}
@@ -145,6 +146,8 @@ def _handle_public_metadata(self, check_metadata: dict[str, Any]) -> None:
     def _handle_customer_run_config(self, run_config: dict[str, Any]) -> None:
         self.check_metadata = run_config['policyMetadata']
         for ckv_id, pol in self.check_metadata.items():
+            if 'SAST' in ckv_id:
+                self.sast_check_metadata[ckv_id] = pol
             self.bc_to_ckv_id_mapping[pol['id']] = ckv_id
             if self.bc_integration.is_prisma_integration() and pol.get('pcPolicyId'):
                 self.pc_to_ckv_id_mapping[pol['pcPolicyId']] = ckv_id