bridgecrewio · Mar 6, 2025 · Mar 11, 2025 · Mar 11, 2025 · Mar 11, 2025
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -1,6 +1,12 @@
 # CHANGELOG
 
-## [Unreleased](https://github.com/bridgecrewio/checkov/compare/3.2.381...HEAD)
+## [Unreleased](https://github.com/bridgecrewio/checkov/compare/3.2.382...HEAD)
+
+## [3.2.382](https://github.com/bridgecrewio/checkov/compare/3.2.381...3.2.382) - 2025-03-06
+
+### Feature
+
+- **secrets:** Bump detect-secrets to remove more lock files - [#7039](https://github.com/bridgecrewio/checkov/pull/7039)
 
 ## [3.2.381](https://github.com/bridgecrewio/checkov/compare/3.2.379...3.2.381) - 2025-03-05
 

diff --git a/cdk_integration_tests/src/typescript/AppSyncFieldLevelLogs/pass.ts b/cdk_integration_tests/src/typescript/AppSyncFieldLevelLogs/pass.ts
@@ -4,7 +4,7 @@ import * as appsync from '@aws-cdk/aws-appsync';
 // Example of a log configuration that does not enable field-level logging
 // FINDING
 const logConfig: appsync.LogConfig = {
-  // log configuration details
+  fieldLogLevel: appsync.FieldLogLevel.ALL
 };
 
 // This should not match the pattern as it includes a logConfig with FieldLogLevel

diff --git a/checkov/cdk/checks/typescript/AppSyncFieldLevelLogs.yaml b/checkov/cdk/checks/typescript/AppSyncFieldLevelLogs.yaml
@@ -9,14 +9,20 @@ scope:
   languages:
     - typescript
 definition:
-  pattern: |
-    const $logConfig: $IMPORT.LogConfig = { <ANY> };
+  patterns:
+    or:
+    - pattern: |
+        const $logConfig: $IMPORT.LogConfig = $CONFIG;
+    - pattern: |
+        new $IMPORT.GraphqlApi($ARG1, $ARG2, {<ANY>, logConfig: $CONFIG, <ANY>});
   conditions:
-    - not_pattern: | 
-        new $IMPORT.GraphqlApi(<ANY>, <ANY>, { <ANY>,  logConfig: $ARG});
-    - not_pattern: |
-        const $LOG: $IMPORT.LogConfig = { FieldLogLevel: $ARG };
-        <ANY>
-        new $IMPORT.GraphqlApi(<ANY>, <ANY>, { <ANY>,  $LOG});
-    - metavariable: $ARG
-      regex: (ERROR|ALL)
+    - or:
+      - metavariable: $CONFIG
+        not_pattern: |
+          {<ANY>, fieldLogLevel: $ARG, <ANY> }
+      - metavariable:  $CONFIG
+        pattern: |
+          {<ANY>, fieldLogLevel: $ARG, <ANY> }
+        conditions:
+          - metavariable: $ARG
+            regex: (NONE)
diff --git a/checkov/serverless/runner.py b/checkov/serverless/runner.py
@@ -33,7 +33,7 @@
 from checkov.common.graph.graph_builder.consts import GraphSource
 from checkov.common.output.extra_resource import ExtraResource
 from checkov.serverless.parsers.parser import CFN_RESOURCES_TOKEN
-from checkov.serverless.utils import get_scannable_file_paths, get_files_definitions, SLS_FILE_MASK
+from checkov.serverless.utils import get_scannable_file_paths, get_files_definitions, SLS_FILE_MASK, get_resource_tags
 
 if TYPE_CHECKING:
     from checkov.common.graph.checks_infra.registry import BaseRegistry
@@ -44,10 +44,10 @@
     ("layers", layer_registry)
 ]
 SINGLE_ITEM_SECTIONS = [
+    ("provider", provider_registry),
     ("custom", custom_registry),
     ("package", package_registry),
     ("plugins", plugin_registry),
-    ("provider", provider_registry),
     ("service", service_registry)
 ]
 
@@ -203,7 +203,7 @@ def single_item_sections_checks(self,
             variable_evaluations: dict[str, Any] = {}
             entity = EntityDetails(sls_context_parser.provider_type, item_content)
             results = registry.scan(sls_file, entity, skipped_checks, runner_filter)
-            tags = cfn_utils.get_resource_tags(entity, registry)  # type:ignore[arg-type]
+            tags = get_resource_tags(entity, registry)
             if results:
                 for check, check_result in results.items():
                     censored_code_lines = omit_secret_value_from_checks(
@@ -264,7 +264,7 @@ def multi_item_sections_checks(self,
                         sls_context_parser.enrich_function_with_provider(item_name)
                     entity = EntityDetails(sls_context_parser.provider_type, item_content)
                     results = registry.scan(sls_file, entity, skipped_checks, runner_filter)
-                    tags = cfn_utils.get_resource_tags(entity, registry)  # type:ignore[arg-type]
+                    tags = get_resource_tags(entity, registry)
                     if results:
                         for check, check_result in results.items():
                             censored_code_lines = omit_secret_value_from_checks(

diff --git a/checkov/serverless/utils.py b/checkov/serverless/utils.py
@@ -1,15 +1,19 @@
 from __future__ import annotations
 
 import os
+import logging
 from collections.abc import Collection
 from enum import Enum
-from typing import Callable, Any
+from typing import Callable, Any, Optional
 from pathlib import Path
 
 from checkov.common.parallelizer.parallel_runner import parallel_runner
 from checkov.runner_filter import RunnerFilter
+from checkov.cloudformation import cfn_utils
 from checkov.serverless.parsers.parser import parse
 from checkov.common.runners.base_runner import filter_ignored_paths
+from checkov.serverless.registry import sls_registry
+from checkov.serverless.base_registry import ServerlessRegistry, EntityDetails
 
 SLS_FILE_MASK = os.getenv(
     "CKV_SLS_FILE_MASK", "serverless.yml,serverless.yaml").split(",")
@@ -85,3 +89,24 @@ def get_files_definitions(
 def _parallel_parse(f: str) -> tuple[str, tuple[dict[str, Any], list[tuple[int, str]]] | None]:
     """Thin wrapper to return filename with parsed content"""
     return f, parse(f)
+
+
+def get_resource_tags(entity: EntityDetails, registry: ServerlessRegistry = sls_registry) -> Optional[dict[str, str]]:
+    entity_details = registry.extract_entity_details(entity)
+
+    if not entity_details:
+        return None
+
+    entity_config = entity_details[-1]
+
+    if not isinstance(entity_config, dict):
+        return None
+
+    try:
+        tags = entity_config.get("tags")
+        if tags:
+            return cfn_utils.parse_entity_tags(tags)
+    except Exception as e:
+        logging.warning(f"Failed to parse tags for entity {entity} due to {e}")
+
+    return None
diff --git a/checkov/version.py b/checkov/version.py
@@ -1 +1 @@
-version = '3.2.382'
+version = '3.2.383'
diff --git a/kubernetes/requirements.txt b/kubernetes/requirements.txt
@@ -1 +1 @@
-checkov==3.2.382
+checkov==3.2.383
diff --git a/tests/serverless/checks/aws/example_S3PublicACLRead/S3PublicACLRead-FAILED/serverless.yml b/tests/serverless/checks/aws/example_S3PublicACLRead/S3PublicACLRead-FAILED/serverless.yml
@@ -26,4 +26,9 @@ resources: # CloudFormation template syntax
         BucketEncryption:
           ServerSideEncryptionConfiguration:
             - ServerSideEncryptionByDefault:
-                SSEAlgorithm: AES256
+                SSEAlgorithm: AES256
+        Tags:
+          - Key: RESOURCE
+            Value: lambda
+          - Key: PUBLIC
+            Value: false
diff --git a/tests/serverless/checks/aws/example_S3PublicACLRead/S3PublicACLRead-PASSED/serverless.yml b/tests/serverless/checks/aws/example_S3PublicACLRead/S3PublicACLRead-PASSED/serverless.yml
@@ -27,4 +27,9 @@ resources: # CloudFormation template syntax
         BucketEncryption:
           ServerSideEncryptionConfiguration:
             - ServerSideEncryptionByDefault:
-                SSEAlgorithm: AES256
+                SSEAlgorithm: AES256
+        Tags:
+          - Key: RESOURCE
+            Value: lambda
+          - Key: PUBLIC
+            Value: false
diff --git a/tests/serverless/checks/aws/test_AWSCredentials.py b/tests/serverless/checks/aws/test_AWSCredentials.py
@@ -21,6 +21,9 @@ def test_summary(self):
         self.assertEqual(summary['skipped'], 0)
         self.assertEqual(summary['parsing_errors'], 0)
 
+        for failed_check in report.failed_checks:
+            self.assertEqual(dict(sorted(failed_check.entity_tags.items())), {"RESOURCE": "lambda", "PUBLIC": "False"})
+
 
 if __name__ == '__main__':
     unittest.main()
diff --git a/tests/serverless/checks/aws/test_AdminPolicyDocument.py b/tests/serverless/checks/aws/test_AdminPolicyDocument.py
@@ -25,6 +25,9 @@ def test_summary(self):
                          f"Skipped checks: {[fc.file_path for fc in report.skipped_checks]}")
         self.assertEqual(summary['parsing_errors'], 0)
 
+        for failed_check in report.failed_checks:
+            self.assertEqual(dict(sorted(failed_check.entity_tags.items())), {"RESOURCE": "lambda", "PUBLIC": "False"})
+
 
 if __name__ == '__main__':
     unittest.main()
diff --git a/tests/serverless/checks/aws/test_S3PublicACLRead.py b/tests/serverless/checks/aws/test_S3PublicACLRead.py
@@ -21,6 +21,9 @@ def test_summary(self):
         self.assertEqual(summary['skipped'], 0)
         self.assertEqual(summary['parsing_errors'], 0)
 
+        for failed_check in report.failed_checks:
+            self.assertEqual(dict(sorted(failed_check.entity_tags.items())), {"RESOURCE": "lambda", "PUBLIC": "False"})
+
 
 if __name__ == '__main__':
     unittest.main()
diff --git a/tests/serverless/checks/aws/test_StarActionPolicyDocument.py b/tests/serverless/checks/aws/test_StarActionPolicyDocument.py
@@ -21,6 +21,9 @@ def test_summary(self):
         self.assertEqual(summary['skipped'], 0)
         self.assertEqual(summary['parsing_errors'], 0)
 
+        for failed_check in report.failed_checks:
+            self.assertEqual(dict(sorted(failed_check.entity_tags.items())), {"RESOURCE": "lambda", "PUBLIC": "False"})
+
 
 if __name__ == '__main__':
     unittest.main()