break(general): v3 release (#5681)

.flake8

@@ -5,7 +5,7 @@ max-line-length = 120
 # E203,E501 don't work with black together
 ignore = E203,E501,E731,W503,W504,DUO107,DUO104,DUO130,DUO109,DUO116,B028,B950,TC001,TC003,TC006,B907
 select = C,E,F,W,B,B9,A,TC
-extend-exclude = .github, .pytest_cache, docs/*, venv/*, tests/*, flake8_plugins/*
+extend-exclude = .github, .pytest_cache, docs/*, venv/*, tests/*, flake8_plugins/*, cdk_integration_tests/src/python/*
 
 [flake8:local-plugins]
 extension =

.github/PULL_REQUEST_TEMPLATE.md

@@ -12,7 +12,7 @@
     Additionally a scope is needs to be added to the prefix, which indicates the targeted framework, in doubt choose 'general'.
     #    
     Allowed prefixs:
-    ansible|argo|arm|azure|bicep|bitbucket|circleci|cloudformation|dockerfile|github|gha|gitlab|helm|kubernetes|kustomize|openapi|sca|secrets|serverless|terraform|general|graph|terraform_plan|terraform_json
+    ansible|argo|arm|azure|bicep|bitbucket|circleci|cloudformation|dockerfile|github|gha|gitlab|helm|kubernetes|kustomize|openapi|sast|sca|secrets|serverless|terraform|general|graph|terraform_plan|terraform_json
     #
     ex.
     feat(terraform): add CKV_AWS_123 to ensure that VPC Endpoint Service is configured for Manual Acceptance

.github/pr-title-checker-config.json

@@ -7,11 +7,11 @@
     "prefixes": [
       "chore: "
     ],
-    "regexp": "^(fix|feat|break|docs|chore|platform)\\((ansible|argo|arm|azure|bicep|bitbucket|circleci|cloudformation|dockerfile|github|gha|gitlab|helm|kubernetes|kustomize|openapi|sca|secrets|serverless|terraform|general|graph|terraform_plan|terraform_json)\\): "
+    "regexp": "^(fix|feat|break|docs|chore|platform)\\((ansible|argo|arm|azure|bicep|bitbucket|circleci|cloudformation|dockerfile|github|gha|gitlab|helm|kubernetes|kustomize|openapi|sast|sca|secrets|serverless|terraform|general|graph|terraform_plan|terraform_json)\\): "
   },
   "MESSAGES": {
     "success": "PR title is valid",
     "failure": "PR title is invalid",
-    "notice": "Title needs to pass regex '(fix|feat|break|docs|chore|platform)\\((ansible|argo|arm|azure|bicep|bitbucket|circleci|cloudformation|dockerfile|github|gha|gitlab|helm|kubernetes|kustomize|openapi|sca|secrets|serverless|terraform|general|graph|terraform_plan|terraform_json)\\): '"
+    "notice": "Title needs to pass regex '(fix|feat|break|docs|chore|platform)\\((ansible|argo|arm|azure|bicep|bitbucket|circleci|cloudformation|dockerfile|github|gha|gitlab|helm|kubernetes|kustomize|openapi|sast|sca|secrets|serverless|terraform|general|graph|terraform_plan|terraform_json)\\): '"
   }
 }

.github/workflows/build.yml

@@ -150,6 +150,7 @@ jobs:
       - name: Test with pytest
         env:
           GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+          IS_TEST: true
         run: |
           pipenv run python -m pytest tests
   bump-version:

.github/workflows/pr-test.yml

@@ -142,6 +142,92 @@ jobs:
         run: |
           pipenv run pytest integration_tests -k 'not api_key'
 
+  sast-integration-tests:
+    strategy:
+      fail-fast: true
+      matrix:
+        python: [ "3.8" ]
+        os: [ ubuntu-latest, macos-latest]
+    runs-on: ${{ matrix.os }}
+    steps:
+      - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11  # v3
+      - uses: actions/setup-python@65d7f2d534ac1bc67fcd62888c5f4f3d2cb2b236  # v4
+        with:
+          python-version: ${{ matrix.python }}
+          cache: "pipenv"
+          cache-dependency-path: "Pipfile.lock"
+      - uses: actions/setup-node@5e21ff4d9bc1a8cf6de233a3057d20ec6b3fb69d  # v3
+      - name: Install pipenv
+        run: |
+          python -m pip install --no-cache-dir --upgrade pipenv
+      - name: Build & install checkov package
+        run: |
+          # remove venv, if exists
+          pipenv --rm || true
+          pipenv --python ${{ matrix.python }}
+          pipenv run pip install pytest pytest-xdist
+          pipenv run python setup.py sdist bdist_wheel
+          bash -c 'pipenv run pip install dist/checkov-*.whl'
+      - name: Clone flask - Python repo for SAST
+        run: git clone https://github.com/pallets/flask
+      - name: Clone jenkins - Java repo for SAST
+        run: git clone https://github.com/jenkinsci/jenkins
+      - name: Clone axios - JavaScript repo for SAST
+        run: git clone https://github.com/axios/axios
+      - name: Create checkov reports
+        env:
+          LOG_LEVEL: INFO
+          BC_API_KEY: ${{ secrets.BC_API_KEY }}
+        if: env.BC_API_KEY != null
+        run: bash -c './sast_integration_tests/prepare_data.sh'
+      - name: Run integration tests
+        env:
+          LOG_LEVEL: INFO
+          BC_API_KEY: ${{ secrets.BC_API_KEY }}
+        if: env.BC_API_KEY != null
+        run: |
+          pipenv run pytest sast_integration_tests
+
+  cdk-integration-tests:
+    strategy:
+      fail-fast: true
+      matrix:
+        python: [ "3.8" ]
+        os: [ ubuntu-latest, macos-latest]
+    runs-on: ${{ matrix.os }}
+    steps:
+      - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11  # v3
+      - uses: actions/setup-python@65d7f2d534ac1bc67fcd62888c5f4f3d2cb2b236  # v4
+        with:
+          python-version: ${{ matrix.python }}
+          cache: "pipenv"
+          cache-dependency-path: "Pipfile.lock"
+      - uses: actions/setup-node@5e21ff4d9bc1a8cf6de233a3057d20ec6b3fb69d  # v3
+      - name: Install pipenv
+        run: |
+          python -m pip install --no-cache-dir --upgrade pipenv
+      - name: Build & install checkov package
+        run: |
+          # remove venv, if exists
+          pipenv --rm || true
+          pipenv --python ${{ matrix.python }}
+          pipenv run pip install pytest pytest-xdist
+          pipenv run python setup.py sdist bdist_wheel
+          bash -c 'pipenv run pip install dist/checkov-*.whl'
+      - name: Create checkov reports
+        env:
+          LOG_LEVEL: INFO
+          BC_API_KEY: ${{ secrets.BC_API_KEY }}
+        if: env.BC_API_KEY != null
+        run: bash -c './cdk_integration_tests/prepare_data.sh'
+      - name: Run integration tests
+        env:
+          LOG_LEVEL: INFO
+          BC_API_KEY: ${{ secrets.BC_API_KEY }}
+        if: env.BC_API_KEY != null
+        run: |
+          pipenv run pytest cdk_integration_tests
+
   performance-tests:
     env:
       PYTHON_VERSION: "3.8"
@@ -182,6 +268,16 @@ jobs:
       - name: Clone kubernetes-yaml-templates
         run: git clone https://github.com/dennyzhang/kubernetes-yaml-templates.git
         working-directory: ${{ env.working-directory }}
+# TODO: migrate to separate performance tests
+#      - name: Clone Python-Mini-Projects
+#        run: git clone https://github.com/alimoustafa2000/Python-Mini-Projects.git
+#        working-directory: ${{ env.working-directory }}
+#      - name: Clone NodeJs
+#        run: git clone https://github.com/harshitbansal373/NodeJs.git
+#        working-directory: ${{ env.working-directory }}
+#      - name: Clone Mini-Project-using-Java
+#        run: git clone https://github.com/ikanurfitriani/Mini-Project-using-Java.git
+#        working-directory: ${{ env.working-directory }}
       - name: Run performance tests
         run: |
           pipenv run pytest

.gitignore

@@ -104,7 +104,6 @@ ENV/
 ### VirtualEnv template
 # Virtualenv
 # http://iamzed.com/2009/05/07/a-primer-on-virtualenv/
-.Python
 [Ii]nclude
 [Ll]ib
 [Ll]ib64
@@ -174,4 +173,9 @@ tests/20*
 .vimspector.json
 !tests/terraform/graph/variable_rendering/test_resources/tfvar_module_variables/modules/instance
 tests/common/runner_registry/packages_csv_results/
-tests/console
+tests/console
+
+# sast go mod
+checkov/sast_core/vendor
+
+*.prof

.gitmodules

@@ -0,0 +1,3 @@
+[submodule "checkov/sast/sast_core"]
+	path = checkov/sast/sast_core
+	url = [email protected]:bridgecrewio/SAST-Core.git

Pipfile

@@ -88,6 +88,7 @@ openai = "*"
 spdx-tools = ">=0.8.0,<0.9.0"
 license-expression = "*"
 rustworkx = "*"
+pydantic = ">=1.10.7,<2.0.0"  # TODO: need to upgrade it to v2
 
 [requires]
 python_version = "3.8"

README.md

@@ -402,7 +402,7 @@ checkov --config-file path/to/config.yaml
 ```
 Users can also create a config file using the `--create-config` command, which takes the current command line args and writes them out to a given path. For example:
 ```sh
-checkov --compact --directory test-dir --docker-image sample-image --dockerfile-path Dockerfile --download-external-modules True --external-checks-dir sample-dir --no-guide --quiet --repo-id bridgecrew/sample-repo --skip-check CKV_DOCKER_3,CKV_DOCKER_2 --skip-fixes --skip-framework dockerfile secrets --skip-suppressions --soft-fail --branch develop --check CKV_DOCKER_1 --create-config /Users/sample/config.yml
+checkov --compact --directory test-dir --docker-image sample-image --dockerfile-path Dockerfile --download-external-modules True --external-checks-dir sample-dir --quiet --repo-id bridgecrew/sample-repo --skip-check CKV_DOCKER_3,CKV_DOCKER_2 --skip-framework dockerfile secrets --soft-fail --branch develop --check CKV_DOCKER_1 --create-config /Users/sample/config.yml
 ```
 Will create a `config.yaml` file which looks like this:
 ```yaml
@@ -421,18 +421,15 @@ external-checks-dir:
 external-modules-download-path: .external_modules 
 framework:
   - all 
-no-guide: true 
 output: cli 
 quiet: true 
 repo-id: bridgecrew/sample-repo 
 skip-check: 
   - CKV_DOCKER_3 
   - CKV_DOCKER_2 
-skip-fixes: true 
 skip-framework:
   - dockerfile
   - secrets
-skip-suppressions: true 
 soft-fail: true
 ```
 
@@ -472,7 +469,7 @@ Looking to contribute new checks? Learn how to write a new check (AKA policy) [h
 `checkov` does not save, publish or share with anyone any identifiable customer information.  
 No identifiable customer information is used to query Bridgecrew's publicly accessible guides.
 `checkov` uses Bridgecrew's API to enrich the results with links to remediation guides.
-To skip this API call use the flag `--no-guide`.
+To skip this API call use the flag `--skip-download`.
 
 ## Support
 

cdk_integration_tests/prepare_data.sh

@@ -0,0 +1,21 @@
+#!/bin/bash
+
+# iterate over all the cdk python checks
+for file in "checkov/cdk/checks/python"/*; do
+  # Ensure it's a yaml file
+  if [[ -f "$file" && "$file" == *.yaml ]]; then
+      basename=$(basename -- "$file")
+      filename="${basename%.*}"
+      check_id=$(grep 'id:' $file | awk '{print $2}')
+      if [[ $check_id != CKV* ]]; then
+        #expects only CKV check ids
+        continue
+      fi
+      # create a report for this check
+      echo "creating report for check: $filename, id: $check_id"
+      pipenv run checkov -s --framework cdk --repo-id cli/cdk -o json --check $check_id \
+        -d "cdk_integration_tests/src/python/$filename"  > "checkov_report_cdk_python_$filename.json"
+  fi
+done
+
+#todo: iterate over all the cdk typescript checks - when ts supported in sast