fixes

cdk_integration_tests/src/python/DocDBEncryption/fail__1__.py

@@ -12,7 +12,7 @@ def __init__(self, scope: core.Construct, id: str, **kwargs) -> None:
             "MyDocDBCluster",
             db_cluster_identifier="my-docdb-cluster",
             master_username="admin",
-            master_user_password="mypassword",
+            master_user_password="mypassword", # checkov:skip=CKV_SECRET_6 test secret
             availability_zones=["us-east-1a", "us-east-1b"],  # Specify the availability zones
             port=27017,  # Specify the port as needed
         )

cdk_integration_tests/src/python/DocDBEncryption/pass.py

@@ -12,7 +12,7 @@ def __init__(self, scope: core.Construct, id: str, **kwargs) -> None:
             "MyDocDBCluster",
             db_cluster_identifier="my-docdb-cluster",
             master_username="admin",
-            master_user_password="mypassword",
+            master_user_password="mypassword", # checkov:skip=CKV_SECRET_6 test secret
             storage_encrypted=True,  # Enable storage encryption
             availability_zones=["us-east-1a", "us-east-1b"],  # Specify the availability zones
             port=27017,  # Specify the port as needed

cdk_integration_tests/src/python/NeptuneClusterStorageEncrypted/fail__2__.py

@@ -13,7 +13,7 @@ def __init__(self, scope: core.Construct, id: str, **kwargs) -> None:
             engine="neptune",
             db_cluster_identifier="my-neptune-cluster",
             master_username="admin",
-            master_user_password="mypassword",
+            master_user_password="mypassword", # checkov:skip=CKV_SECRET_6 test secret
             storage_encrypted=False,  # Enable storage encryption
             port=8182,  # Specify the port as needed
             availability_zones=["us-east-1a", "us-east-1b"],  # Specify the availability zones
@@ -31,7 +31,7 @@ def __init__(self, scope: core.Construct, id: str, **kwargs) -> None:
             engine=neptune.DatabaseClusterEngine.NEPTUNE,
             master_user=neptune.Login(
                 username="admin",
-                password="mypassword",
+                password="mypassword", # checkov:skip=CKV_SECRET_6 test secret
             ),
             default_database_name="mydb",
             removal_policy=core.RemovalPolicy.DESTROY,  # Set the removal policy as needed

cdk_integration_tests/src/python/NeptuneClusterStorageEncrypted/pass.py

@@ -13,7 +13,7 @@ def __init__(self, scope: core.Construct, id: str, **kwargs) -> None:
             engine="neptune",
             db_cluster_identifier="my-neptune-cluster",
             master_username="admin",
-            master_user_password="mypassword",
+            master_user_password="mypassword", # checkov:skip=CKV_SECRET_6 test secret
             storage_encrypted=True,  # Enable storage encryption
             port=8182,  # Specify the port as needed
             availability_zones=["us-east-1a", "us-east-1b"],  # Specify the availability zones
@@ -31,7 +31,7 @@ def __init__(self, scope: core.Construct, id: str, **kwargs) -> None:
             engine=neptune.DatabaseClusterEngine.NEPTUNE,
             master_user=neptune.Login(
                 username="admin",
-                password="mypassword",
+                password="mypassword", # checkov:skip=CKV_SECRET_6 test secret
             ),
             default_database_name="mydb",
             storage_encrypted=True,  # Enable storage encryption

checkov/cdk/checks/python/DAXEncryption.yaml

@@ -10,4 +10,8 @@ scope:
 definition:
   pattern: aws_cdk.aws_dax.CfnCluster(<ANY>)
   conditions:
-    - not_pattern: aws_cdk.aws_dax.CfnCluster(<ANY>, sse_specification=aws_cdk.aws_dax.CfnCluster.SSESpecificationProperty(<ANY>, enabled=True , <ANY>), <ANY>)
+    - not_pattern: aws_cdk.aws_dax.CfnCluster(<ANY>, sse_specification=aws_cdk.aws_dax.CfnCluster.SSESpecificationProperty(<ANY>, enabled=True , <ANY>), <ANY>)
+    - not_pattern: |
+        $P = aws_cdk.aws_dax.CfnCluster.SSESpecificationProperty(<ANY>, enabled=True , <ANY>)
+        <ANY>
+        aws_cdk.aws_dax.CfnCluster(sse_specification=$P)

checkov/cdk/checks/python/LambdaDLQConfigured.yaml

@@ -15,7 +15,7 @@ definition:
           - not_pattern: aws_cdk.aws_lambda.Function(<ANY>, dead_letter_queue=$ARG, <ANY>)
       - pattern: aws_cdk.aws_lambda.CfnFunction(<ANY>)
         conditions:
-          - not_pattern: aws_cdk.aws_lambda.CfnFunction(<ANY>, dead_letter_config={<ANY>}, <ANY>)
+          - not_pattern: aws_cdk.aws_lambda.CfnFunction(<ANY>, dead_letter_config=$ARG, <ANY>)
       - pattern: aws_cdk.aws_sam.CfnFunction(<ANY>)
         conditions:
-          - not_pattern: aws_cdk.aws_sam.CfnFunction(<ANY>, dead_letter_queue=aws_cdk.aws_sam.CfnFunction.DeadLetterQueueProperty(<ANY>), <ANY>)
+          - not_pattern: aws_cdk.aws_sam.CfnFunction(<ANY>, dead_letter_queue=$ARG, <ANY>)

checkov/cdk/checks/python/LambdaInVPC.yaml

@@ -15,4 +15,4 @@ definition:
           - not_pattern: aws_cdk.aws_lambda.Function(<ANY>, vpc=$VPC, <ANY>)
       - pattern: aws_cdk.aws_sam.CfnFunction(<ANY>)
         conditions:
-          - not_pattern: aws_cdk.aws_sam.CfnFunction(<ANY>, vpc_config=aws_cdk.aws_sam.CfnFunction.VpcConfigProperty(<ANY>), <ANY>)
+          - not_pattern: aws_cdk.aws_sam.CfnFunction(<ANY>, vpc_config=$ARG, <ANY>)

checkov/cdk/checks/python/WAFEnabled.yaml

@@ -10,4 +10,4 @@ scope:
 definition:
   pattern: aws_cdk.aws_cloudfront.CfnDistribution(<ANY>)
   conditions:
-    - not_pattern: 'aws_cdk.aws_cloudfront.CfnDistribution(<ANY>, distribution_config={<ANY>, "webAclId": <ANY> , <ANY>} , <ANY>)'
+    - not_pattern: 'aws_cdk.aws_cloudfront.CfnDistribution(<ANY>, distribution_config={"webAclId": $ARG} , <ANY>)'