Merge branch 'main' into mariaDBConvertToARM

.flake8

@@ -3,7 +3,7 @@
 [flake8]
 max-line-length = 120
 # E203,E501 don't work with black together
-ignore = E203,E501,E731,W503,W504,DUO107,DUO104,DUO130,DUO109,DUO116,B028,B950,TC001,TC003,TC006,B907,B038
+ignore = E203,E501,E731,W503,W504,DUO107,DUO104,DUO130,DUO109,DUO116,B028,B950,TC001,TC003,TC006,B907,B038,B909
 select = C,E,F,W,B,B9,A,TC
 extend-exclude = .github, .pytest_cache, docs/*, venv/*, tests/*, flake8_plugins/*, cdk_integration_tests/src/python/*
 

.github/checkov.yaml

@@ -23,6 +23,7 @@ skip-path:
 - tests/unit/test_secrets.py
 - /cdk_integration_tests/src/python/ElasticacheReplicationGroupEncryptionAtTransitAuthToken/fail__2__.py
 - /cdk_integration_tests/src/python/ElasticacheReplicationGroupEncryptionAtTransitAuthToken/pass.py
+- /cdk_integration_tests/src/typescript
 - /checkov/cdk/checks/python/GlueDataCatalogEncryption.yaml
 - /checkov/cdk/checks/python/GlueDataCatalogEncryption.yaml
 - /checkov/cdk/checks/python/GlueDataCatalogEncryption.yaml

.github/workflows/build.yml

@@ -44,7 +44,7 @@ jobs:
     strategy:
       fail-fast: true
       matrix:
-        python: ["3.8", "3.9", "3.10", "3.11", "3.12"]
+        python: ["3.10", "3.11", "3.12"]
         os: [ubuntu-latest, macos-latest, windows-latest]
     runs-on: ${{ matrix.os }}
     steps:
@@ -92,6 +92,60 @@ jobs:
       - name: Run integration tests
         run: |
           pipenv run pytest integration_tests
+
+  integration-tests-old-python:
+    strategy:
+      fail-fast: true
+      matrix:
+        python: ["3.8", "3.9"]
+        os: [ubuntu-latest, macos-12, windows-latest]
+    runs-on: ${{ matrix.os }}
+    steps:
+      - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11  # v3
+      - uses: actions/setup-python@0a5c61591373683505ea898e09a3ea4f39ef2b9c  # v4
+        with:
+          python-version: ${{ matrix.python }}
+      - uses: actions/setup-node@b39b52d1213e96004bfcb1c61a8a6fa8ab84f3e8  # v3
+      - uses: azure/setup-helm@5119fcb9089d432beecbf79bb2c7915207344b78  # v3
+        with:
+          token: ${{ secrets.GITHUB_TOKEN }}
+      - uses: imranismail/setup-kustomize@a76db1c6419124d51470b1e388c4b29476f495f1  # v2
+        if: ${{ runner.os != 'windows' }}
+        with:
+          github-token: ${{ secrets.GITHUB_TOKEN }}
+      - name: Install pipenv
+        run: |
+          python -m pip install --no-cache-dir --upgrade pipenv
+      - name: Build & install checkov package
+        run: |
+          # remove venv, if exists
+          pipenv --rm || true
+          pipenv --python ${{ matrix.python }}
+          pipenv run pip install pytest pytest-xdist setuptools wheel
+          pipenv run python setup.py sdist bdist_wheel
+          bash -c 'pipenv run pip install dist/checkov-*.whl'
+      - name: Clone Terragoat - vulnerable terraform
+        run: git clone https://github.com/bridgecrewio/terragoat
+      - name: Clone Cfngoat - vulnerable cloudformation
+        run: git clone https://github.com/bridgecrewio/cfngoat
+      - name: Clone Kubernetes-goat - vulnerable kubernetes
+        run: git clone https://github.com/madhuakula/kubernetes-goat
+      - name: Clone kustomize-goat - vulnerable kustomize
+        run: git clone https://github.com/bridgecrewio/kustomizegoat
+      - name: Create checkov reports
+        run: |
+          # Just making sure the API key tests don't run on PRs
+          bash -c './integration_tests/prepare_data.sh "${{ matrix.os }}" "${{ matrix.python }}"'
+        env:
+          LOG_LEVEL: INFO
+          BC_KEY: ${{ secrets.PRISMA_KEY_API2 }}
+          PRISMA_API_URL: ${{ secrets.PRISMA_API_URL_2 }}
+          TF_REGISTRY_TOKEN: ${{ secrets.TFC_TOKEN }}
+          GITHUB_PAT: ${{ secrets.GITHUB_TOKEN }}
+      - name: Run integration tests
+        run: |
+          pipenv run pytest integration_tests
+
   prisma-tests:
     runs-on: [ self-hosted, public, linux, x64 ]
     env:
@@ -126,7 +180,7 @@ jobs:
     strategy:
       fail-fast: true
       matrix:
-        python: ["3.8", "3.12"]
+        python: ["3.10", "3.11", "3.12"]
         os: [ubuntu-latest, macos-latest]
     runs-on: ${{ matrix.os }}
     continue-on-error: true # for now it is ok to fail
@@ -161,6 +215,47 @@ jobs:
       - name: Run integration tests
         run: |
           pipenv run pytest sast_integration_tests
+
+  sast-integration-tests-old-python:
+    strategy:
+      fail-fast: true
+      matrix:
+        python: ["3.8", "3.9"]
+        os: [ubuntu-latest, macos-12]
+    runs-on: ${{ matrix.os }}
+    continue-on-error: true # for now it is ok to fail
+    steps:
+      - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11  # v3
+      - uses: actions/setup-python@0a5c61591373683505ea898e09a3ea4f39ef2b9c  # v4
+        with:
+          python-version: ${{ matrix.python }}
+      - name: Install pipenv
+        run: |
+          python -m pip install --no-cache-dir --upgrade pipenv
+      - name: Build & install checkov package
+        run: |
+          # remove venv, if exists
+          pipenv --rm || true
+          pipenv --python ${{ matrix.python }}
+          pipenv run pip install pytest pytest-xdist setuptools wheel
+          pipenv run python setup.py sdist bdist_wheel
+          bash -c 'pipenv run pip install dist/checkov-*.whl'
+      - name: Clone flask - Python repo for SAST
+        run: git clone https://github.com/pallets/flask
+      - name: Clone WebGoat - Java repo for SAST
+        run: git clone https://github.com/WebGoat/WebGoat
+      - name: Clone axios - JavaScript repo for SAST
+        run: git clone https://github.com/axios/axios
+      - name: Create checkov reports
+        env:
+          LOG_LEVEL: INFO
+          BC_API_KEY: ${{ secrets.PRISMA_KEY_API2 }}
+          PRISMA_API_URL: ${{ secrets.PRISMA_API_URL_2 }}
+        run: bash -c './sast_integration_tests/prepare_data.sh'
+      - name: Run integration tests
+        run: |
+          pipenv run pytest sast_integration_tests
+
   unit-tests:
     timeout-minutes: 30
     runs-on: ubuntu-latest
@@ -194,7 +289,7 @@ jobs:
         run: |
           pipenv run python -m pytest tests
   bump-version:
-    needs: [integration-tests, unit-tests, prisma-tests] # add 'sast-integration-tests' when ready
+    needs: [integration-tests, unit-tests, prisma-tests, sast-integration-tests, integration-tests-old-python, sast-integration-tests-old-python]
     runs-on: [self-hosted, public, linux, x64]
     environment: release
     permissions:

.github/workflows/pr-test.yml

@@ -115,7 +115,7 @@ jobs:
     strategy:
       fail-fast: true
       matrix:
-        python: ["3.8", "3.9", "3.10", "3.11", "3.12"]
+        python: ["3.10", "3.11", "3.12"]
         os: [ubuntu-latest, macos-latest, windows-latest]
     runs-on: ${{ matrix.os }}
     steps:
@@ -166,11 +166,66 @@ jobs:
         run: |
           pipenv run pytest integration_tests -k 'not api_key'
 
+  integration-tests-old-python:
+    strategy:
+      fail-fast: true
+      matrix:
+        python: ["3.8", "3.9"]
+        os: [ubuntu-latest, macos-12, windows-latest]
+    runs-on: ${{ matrix.os }}
+    steps:
+      - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11  # v3
+      - uses: actions/setup-python@0a5c61591373683505ea898e09a3ea4f39ef2b9c  # v4
+        with:
+          python-version: ${{ matrix.python }}
+          allow-prereleases: true
+          cache: "pipenv"
+          cache-dependency-path: "Pipfile.lock"
+      - uses: actions/setup-node@b39b52d1213e96004bfcb1c61a8a6fa8ab84f3e8  # v4
+      - uses: azure/setup-helm@5119fcb9089d432beecbf79bb2c7915207344b78  # v3
+        with:
+          token: ${{ secrets.GITHUB_TOKEN }}
+      - uses: imranismail/setup-kustomize@a76db1c6419124d51470b1e388c4b29476f495f1  # v2
+        if: ${{ runner.os != 'windows' }}
+        with:
+          github-token: ${{ secrets.GITHUB_TOKEN }}
+      - name: Install pipenv
+        run: |
+          python -m pip install --no-cache-dir --upgrade pipenv
+      - name: Build & install checkov package
+        shell: bash
+        run: |
+          # remove venv, if exists
+          pipenv --rm || true
+          pipenv --python ${{ matrix.python }}
+          pipenv run pip install pytest pytest-xdist setuptools wheel
+          pipenv run python setup.py sdist bdist_wheel
+          bash -c 'pipenv run pip install dist/checkov-*.whl'
+      - name: Clone Terragoat - vulnerable terraform
+        run: git clone https://github.com/bridgecrewio/terragoat
+      - name: Clone Cfngoat - vulnerable cloudformation
+        run: git clone https://github.com/bridgecrewio/cfngoat
+      - name: Clone Kubernetes-goat - vulnerable kubernetes
+        run: git clone https://github.com/madhuakula/kubernetes-goat
+      - name: Clone kustomize-goat - vulnerable kustomize
+        run: git clone https://github.com/bridgecrewio/kustomizegoat
+      - name: Create checkov reports
+        env:
+          LOG_LEVEL: INFO
+          BC_KEY: ${{ secrets.PRISMA_KEY_API2 }}
+          PRISMA_API_URL: ${{ secrets.PRISMA_API_URL_2 }}
+        run: |
+          # Just making sure the API key tests don't run on PRs
+          bash -c './integration_tests/prepare_data.sh ${{ matrix.os }} 3.8'
+      - name: Run integration tests
+        run: |
+          pipenv run pytest integration_tests -k 'not api_key'
+
   sast-integration-tests:
     strategy:
       fail-fast: true
       matrix:
-        python: ["3.8", "3.12"]
+        python: ["3.12"]
         os: [ubuntu-latest, macos-latest]
     runs-on: ${{ matrix.os }}
     steps:
@@ -214,11 +269,59 @@ jobs:
         run: |
           pipenv run pytest sast_integration_tests
 
+  sast-integration-tests-old-python:
+    strategy:
+      fail-fast: true
+      matrix:
+        python: ["3.8"]
+        os: [ubuntu-latest, macos-12]
+    runs-on: ${{ matrix.os }}
+    steps:
+      - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11  # v3
+      - uses: actions/setup-python@0a5c61591373683505ea898e09a3ea4f39ef2b9c  # v4
+        with:
+          python-version: ${{ matrix.python }}
+          allow-prereleases: true
+          cache: "pipenv"
+          cache-dependency-path: "Pipfile.lock"
+      - name: Install pipenv
+        run: |
+          python -m pip install --no-cache-dir --upgrade pipenv
+      - name: Build & install checkov package
+        run: |
+          # remove venv, if exists
+          pipenv --rm || true
+          pipenv --python ${{ matrix.python }}
+          pipenv run pip install pytest pytest-xdist setuptools wheel
+          pipenv run python setup.py sdist bdist_wheel
+          bash -c 'pipenv run pip install dist/checkov-*.whl'
+      - name: Clone flask - Python repo for SAST
+        run: git clone https://github.com/pallets/flask
+      - name: Clone WebGoat - Java repo for SAST
+        run: git clone https://github.com/WebGoat/WebGoat
+      - name: Clone axios - JavaScript repo for SAST
+        run: git clone https://github.com/axios/axios
+      - name: Create checkov reports
+        env:
+          LOG_LEVEL: INFO
+          BC_API_KEY: ${{ secrets.PRISMA_KEY_API2 }}
+          PRISMA_API_URL: ${{ secrets.PRISMA_API_URL_2 }}
+        if: env.BC_API_KEY != null
+        run: bash -c './sast_integration_tests/prepare_data.sh'
+      - name: Run integration tests
+        env:
+          LOG_LEVEL: INFO
+          BC_API_KEY: ${{ secrets.PRISMA_KEY_API2 }}
+          PRISMA_API_URL: ${{ secrets.PRISMA_API_URL_2 }}
+        if: env.BC_API_KEY != null
+        run: |
+          pipenv run pytest sast_integration_tests
+
   cdk-integration-tests:
     strategy:
       fail-fast: true
       matrix:
-        python: ["3.8", "3.12"]
+        python: ["3.12"]
         os: [ubuntu-latest, macos-latest]
     runs-on: ${{ matrix.os }}
     steps:
@@ -245,6 +348,50 @@ jobs:
           LOG_LEVEL: INFO
           BC_API_KEY: ${{ secrets.PRISMA_KEY_API2 }}
           PRISMA_API_URL: ${{ secrets.PRISMA_API_URL_2 }}
+          ENABLE_SAST_TYPESCRIPT: true
+        if: env.BC_API_KEY != null
+        run: bash -c './cdk_integration_tests/prepare_data.sh'
+      - name: Run integration tests
+        env:
+          LOG_LEVEL: INFO
+          BC_API_KEY: ${{ secrets.PRISMA_KEY_API2 }}
+          PRISMA_API_URL: ${{ secrets.PRISMA_API_URL_2 }}
+        if: env.BC_API_KEY != null
+        run: |
+          pipenv run pytest cdk_integration_tests
+
+  cdk-integration-tests-old-python:
+    strategy:
+      fail-fast: true
+      matrix:
+        python: ["3.8"]
+        os: [ubuntu-latest, macos-12]
+    runs-on: ${{ matrix.os }}
+    steps:
+      - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11  # v3
+      - uses: actions/setup-python@0a5c61591373683505ea898e09a3ea4f39ef2b9c  # v4
+        with:
+          python-version: ${{ matrix.python }}
+          allow-prereleases: true
+          cache: "pipenv"
+          cache-dependency-path: "Pipfile.lock"
+      - name: Install pipenv
+        run: |
+          python -m pip install --no-cache-dir --upgrade pipenv
+      - name: Build & install checkov package
+        run: |
+          # remove venv, if exists
+          pipenv --rm || true
+          pipenv --python ${{ matrix.python }}
+          pipenv run pip install pytest pytest-xdist setuptools wheel
+          pipenv run python setup.py sdist bdist_wheel
+          bash -c 'pipenv run pip install dist/checkov-*.whl'
+      - name: Create checkov reports
+        env:
+          LOG_LEVEL: INFO
+          BC_API_KEY: ${{ secrets.PRISMA_KEY_API2 }}
+          PRISMA_API_URL: ${{ secrets.PRISMA_API_URL_2 }}
+          ENABLE_SAST_TYPESCRIPT: true
         if: env.BC_API_KEY != null
         run: bash -c './cdk_integration_tests/prepare_data.sh'
       - name: Run integration tests

.gitpod.Dockerfile

@@ -1,5 +1,5 @@
 FROM gitpod/workspace-python
-RUN pyenv install 3.7.12
+RUN pyenv install 3.10.14
 RUN wget -q -O get_kustomize.sh https://raw.githubusercontent.com/kubernetes-sigs/kustomize/master/hack/install_kustomize.sh; \
  chmod 700 get_kustomize.sh; \
  mkdir -p /usr/local/bin; \