base repository: bridgecrewio/checkov
base: 3.2.382
head repository: bridgecrewio/checkov
compare: 3.2.383
  • 4 commits
  • 13 files changed
  • 4 contributors

Commits on Mar 6, 2025

  1. chore: update release notes

    gruebel authored and github-actions[bot] committed Mar 6, 2025
    380d77e View commit details

Commits on Mar 11, 2025

  1. feat(serverless): add tags enrichment to serverless (#7044)

    * add tags enrichment to serverless
    
    * fix import
    
    * fix mypy
    
    * remove mypy ignore
    
    * add more tests
    
    ---------
    
    Co-authored-by: Max Amelchenko <mamelchenko@paloaltonetworks.com>
    maxamel and Max Amelchenko authored Mar 11, 2025
    695587b View commit details
  2. fix(sast): Fix CKV_AWS_194 policy (#7048)

    fix policy
    
    Co-authored-by: Matan Shati <>
    matansha authored Mar 11, 2025
    8902350 View commit details
  3. fix(sast): Fix CKV_AWS_194 policy (#7048)

    fix policy
    
    Co-authored-by: Matan Shati <>
    matansha authored and actions-user committed Mar 11, 2025
    dfab4cc View commit details
8 changes: 7 additions & 1 deletion CHANGELOG.md
@@ -1,6 +1,12 @@
# CHANGELOG

## [Unreleased](https://github.com/bridgecrewio/checkov/compare/3.2.381...HEAD)
## [Unreleased](https://github.com/bridgecrewio/checkov/compare/3.2.382...HEAD)

## [3.2.382](https://github.com/bridgecrewio/checkov/compare/3.2.381...3.2.382) - 2025-03-06

### Feature

- **secrets:** Bump detect-secrets to remove more lock files - [#7039](https://github.com/bridgecrewio/checkov/pull/7039)

## [3.2.381](https://github.com/bridgecrewio/checkov/compare/3.2.379...3.2.381) - 2025-03-05

Original file line number Diff line number Diff line change
@@ -4,7 +4,7 @@ import * as appsync from '@aws-cdk/aws-appsync';
// Example of a log configuration that does not enable field-level logging
// FINDING
const logConfig: appsync.LogConfig = {
// log configuration details
fieldLogLevel: appsync.FieldLogLevel.ALL
};

// This should not match the pattern as it includes a logConfig with FieldLogLevel
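Review bot: The fixture's stated expectation and its content need to agree, and on this rendered page it is not certain which of `// log configuration details` and `fieldLogLevel: appsync.FieldLogLevel.ALL` is the new side. Under the rewritten AppSyncFieldLevelLogs.yaml a `LogConfig` is reported only when `fieldLogLevel` is absent or matches `NONE`, so a block labelled `// FINDING` that still sets `FieldLogLevel.ALL` would be a wrong expectation; if the placeholder comment is what remains, the header is correct but would read better as `// Example of a log configuration that omits fieldLogLevel entirely`. If the rest of this file (which continues past the hunk) does not already have one, a second `// FINDING` case with `fieldLogLevel: appsync.FieldLogLevel.NONE` would exercise the policy's other `or` branch.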
26 changes: 16 additions & 10 deletions checkov/cdk/checks/typescript/AppSyncFieldLevelLogs.yaml
@@ -9,14 +9,20 @@ scope:
languages:
- typescript
definition:
pattern: |
const $logConfig: $IMPORT.LogConfig = { <ANY> };
patterns:
or:
- pattern: |
const $logConfig: $IMPORT.LogConfig = $CONFIG;
- pattern: |
new $IMPORT.GraphqlApi($ARG1, $ARG2, {<ANY>, logConfig: $CONFIG, <ANY>});
conditions:
- not_pattern: |
new $IMPORT.GraphqlApi(<ANY>, <ANY>, { <ANY>, logConfig: $ARG});
- not_pattern: |
const $LOG: $IMPORT.LogConfig = { FieldLogLevel: $ARG };
<ANY>
new $IMPORT.GraphqlApi(<ANY>, <ANY>, { <ANY>, $LOG});
- metavariable: $ARG
regex: (ERROR|ALL)
- or:
- metavariable: $CONFIG
not_pattern: |
{<ANY>, fieldLogLevel: $ARG, <ANY> }
- metavariable: $CONFIG
pattern: |
{<ANY>, fieldLogLevel: $ARG, <ANY> }
conditions:
- metavariable: $ARG
regex: (NONE)
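Review bot: The second `pattern` binds `$CONFIG` to whatever follows `logConfig:` in the `GraphqlApi` props, and the `not_pattern` condition then reports a finding whenever that value is not an object literal containing `fieldLogLevel`, so the common shape `new appsync.GraphqlApi(this, 'api', { logConfig })` or `{ logConfig: logConfig }`, where the config is the `const` the first branch already judges, would be flagged regardless of its level, unless the engine resolves identifiers to their initializers (which I cannot confirm from here). Restricting the second branch to inline objects, e.g. requiring `$CONFIG` to also match `pattern: { <ANY> }` next to the `not_pattern`, would leave the declaration to the first branch. Separately, an API with no `logConfig` at all matches neither pattern and is never reported, although that is the most common way field-level logs end up disabled; the previous definition did not cover it either, so this is a gap rather than a regression, but it is worth a `# TODO: report GraphqlApi props with no logConfig` note in the policy.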
8 changes: 4 additions & 4 deletions checkov/serverless/runner.py
@@ -33,7 +33,7 @@
from checkov.common.graph.graph_builder.consts import GraphSource
from checkov.common.output.extra_resource import ExtraResource
from checkov.serverless.parsers.parser import CFN_RESOURCES_TOKEN
from checkov.serverless.utils import get_scannable_file_paths, get_files_definitions, SLS_FILE_MASK
from checkov.serverless.utils import get_scannable_file_paths, get_files_definitions, SLS_FILE_MASK, get_resource_tags

if TYPE_CHECKING:
from checkov.common.graph.checks_infra.registry import BaseRegistry
@@ -44,10 +44,10 @@
("layers", layer_registry)
]
SINGLE_ITEM_SECTIONS = [
("provider", provider_registry),
("custom", custom_registry),
("package", package_registry),
("plugins", plugin_registry),
("provider", provider_registry),
("service", service_registry)
]

@@ -203,7 +203,7 @@ def single_item_sections_checks(self,
variable_evaluations: dict[str, Any] = {}
entity = EntityDetails(sls_context_parser.provider_type, item_content)
results = registry.scan(sls_file, entity, skipped_checks, runner_filter)
tags = cfn_utils.get_resource_tags(entity, registry) # type:ignore[arg-type]
tags = get_resource_tags(entity, registry)
if results:
for check, check_result in results.items():
censored_code_lines = omit_secret_value_from_checks(
@@ -264,7 +264,7 @@ def multi_item_sections_checks(self,
sls_context_parser.enrich_function_with_provider(item_name)
entity = EntityDetails(sls_context_parser.provider_type, item_content)
results = registry.scan(sls_file, entity, skipped_checks, runner_filter)
tags = cfn_utils.get_resource_tags(entity, registry) # type:ignore[arg-type]
tags = get_resource_tags(entity, registry)
if results:
for check, check_result in results.items():
censored_code_lines = omit_secret_value_from_checks(
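Review bot: The move of `("provider", provider_registry)` from the head of `SINGLE_ITEM_SECTIONS` to after `("plugins", plugin_registry)` is not mentioned in the commit message, and it changes the order in which the single-item sections are scanned and, presumably, the order their findings appear in the report. It looks like it simply makes the list alphabetical; if so, a one-line comment such as `# alphabetical; scan order is not significant` above the list would save the next reader from looking for a dependency between sections. The `get_resource_tags` swap itself is fine, since the callers already pass the section registry explicitly.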
27 changes: 26 additions & 1 deletion checkov/serverless/utils.py
@@ -1,15 +1,19 @@
from __future__ import annotations

import os
import logging
from collections.abc import Collection
from enum import Enum
from typing import Callable, Any
from typing import Callable, Any, Optional
from pathlib import Path

from checkov.common.parallelizer.parallel_runner import parallel_runner
from checkov.runner_filter import RunnerFilter
from checkov.cloudformation import cfn_utils
from checkov.serverless.parsers.parser import parse
from checkov.common.runners.base_runner import filter_ignored_paths
from checkov.serverless.registry import sls_registry
from checkov.serverless.base_registry import ServerlessRegistry, EntityDetails

SLS_FILE_MASK = os.getenv(
"CKV_SLS_FILE_MASK", "serverless.yml,serverless.yaml").split(",")
@@ -85,3 +89,24 @@ def get_files_definitions(
def _parallel_parse(f: str) -> tuple[str, tuple[dict[str, Any], list[tuple[int, str]]] | None]:
"""Thin wrapper to return filename with parsed content"""
return f, parse(f)


def get_resource_tags(entity: EntityDetails, registry: ServerlessRegistry = sls_registry) -> Optional[dict[str, str]]:
entity_details = registry.extract_entity_details(entity)

if not entity_details:
return None

entity_config = entity_details[-1]

if not isinstance(entity_config, dict):
return None

try:
tags = entity_config.get("tags")
if tags:
return cfn_utils.parse_entity_tags(tags)
except Exception as e:
logging.warning(f"Failed to parse tags for entity {entity} due to {e}")

return None
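Review bot: The warning at the end of `get_resource_tags` interpolates the whole `entity` into the log line; `EntityDetails` is built in runner.py from the provider type and the full item config, and a serverless function's config routinely carries `environment:` values of the kind the runner deliberately censors before output (`omit_secret_value_from_checks`), so if `EntityDetails`'s repr includes that config, a malformed `tags` block would dump uncensored configuration into the logs. Log only what is needed to diagnose the failure, e.g. `logging.warning(f"Failed to parse tags {tags!r} for serverless entity: {e}")`, with the `tags = entity_config.get("tags")` lookup moved above the `try` so the name is always bound in the handler (a `dict.get` on a dict does not raise anyway, so only the `parse_entity_tags` call needs guarding). Minor: `Optional[dict[str, str]]` is inconsistent with the `| None` spelling already used by `_parallel_parse` under `from __future__ import annotations`; `dict[str, str] | None` reads the same and makes the added `Optional` import unnecessary.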
2 changes: 1 addition & 1 deletion checkov/version.py
@@ -1 +1 @@
version = '3.2.382'
version = '3.2.383'
2 changes: 1 addition & 1 deletion kubernetes/requirements.txt
@@ -1 +1 @@
checkov==3.2.382
checkov==3.2.383
Original file line number Diff line number Diff line change
@@ -26,4 +26,9 @@ resources: # CloudFormation template syntax
BucketEncryption:
ServerSideEncryptionConfiguration:
- ServerSideEncryptionByDefault:
SSEAlgorithm: AES256
SSEAlgorithm: AES256
Tags:
- Key: RESOURCE
Value: lambda
- Key: PUBLIC
Value: false
Original file line number Diff line number Diff line change
@@ -27,4 +27,9 @@ resources: # CloudFormation template syntax
BucketEncryption:
ServerSideEncryptionConfiguration:
- ServerSideEncryptionByDefault:
SSEAlgorithm: AES256
SSEAlgorithm: AES256
Tags:
- Key: RESOURCE
Value: lambda
- Key: PUBLIC
Value: false
3 changes: 3 additions & 0 deletions tests/serverless/checks/aws/test_AWSCredentials.py
@@ -21,6 +21,9 @@ def test_summary(self):
self.assertEqual(summary['skipped'], 0)
self.assertEqual(summary['parsing_errors'], 0)

for failed_check in report.failed_checks:
self.assertEqual(dict(sorted(failed_check.entity_tags.items())), {"RESOURCE": "lambda", "PUBLIC": "False"})


if __name__ == '__main__':
unittest.main()
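Review bot: The added loop asserts nothing when `report.failed_checks` is empty, so the tag enrichment it is meant to cover could silently regress to "no failed checks" unless an earlier assertion in `test_summary` (outside this hunk) pins `summary['failed']` to a non-zero count; if it does not, add `self.assertTrue(report.failed_checks)` before the loop. Also `dict(sorted(failed_check.entity_tags.items()))` is a no-op for the comparison, since dict equality ignores insertion order, so `self.assertEqual(failed_check.entity_tags, {"RESOURCE": "lambda", "PUBLIC": "False"})` says the same thing more directly. Both remarks apply equally to the identical loops added in test_AdminPolicyDocument.py, test_S3PublicACLRead.py and test_StarActionPolicyDocument.py.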
3 changes: 3 additions & 0 deletions tests/serverless/checks/aws/test_AdminPolicyDocument.py
@@ -25,6 +25,9 @@ def test_summary(self):
f"Skipped checks: {[fc.file_path for fc in report.skipped_checks]}")
self.assertEqual(summary['parsing_errors'], 0)

for failed_check in report.failed_checks:
self.assertEqual(dict(sorted(failed_check.entity_tags.items())), {"RESOURCE": "lambda", "PUBLIC": "False"})


if __name__ == '__main__':
unittest.main()
3 changes: 3 additions & 0 deletions tests/serverless/checks/aws/test_S3PublicACLRead.py
@@ -21,6 +21,9 @@ def test_summary(self):
self.assertEqual(summary['skipped'], 0)
self.assertEqual(summary['parsing_errors'], 0)

for failed_check in report.failed_checks:
self.assertEqual(dict(sorted(failed_check.entity_tags.items())), {"RESOURCE": "lambda", "PUBLIC": "False"})


if __name__ == '__main__':
unittest.main()
3 changes: 3 additions & 0 deletions tests/serverless/checks/aws/test_StarActionPolicyDocument.py
@@ -21,6 +21,9 @@ def test_summary(self):
self.assertEqual(summary['skipped'], 0)
self.assertEqual(summary['parsing_errors'], 0)

for failed_check in report.failed_checks:
self.assertEqual(dict(sorted(failed_check.entity_tags.items())), {"RESOURCE": "lambda", "PUBLIC": "False"})


if __name__ == '__main__':
unittest.main()