Merge branch 'main' into remove-bc

bridgecrewio · Nov 8, 2023 · 9793e6f · 9793e6f
2 parents 7bad812 + d370cff
commit 9793e6f
Show file tree

Hide file tree

Showing 205 changed files with 6,368 additions and 2,797 deletions.
diff --git a/.github/exclude-patterns.txt b/.github/exclude-patterns.txt
@@ -34,3 +34,4 @@ tests/terraform/runner/tf_plan_skip_check_regex/resource/.*
 tests/terraform/runner/tfplan2.json
 .*Scans.md
 .*Pipfile.lock
+cdk_integration_tests/src/python
diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml
@@ -103,16 +103,16 @@ jobs:
       - name: Install pipenv
         run: |
           python -m pip install --no-cache-dir --upgrade pipenv
-      - name: Clone Terragoat - vulnerable terraform
-        run: git clone https://github.com/bridgecrewio/terragoat
       - name: Build & install checkov package
         run: |
           # remove venv, if exists
           pipenv --rm || true
           pipenv --python ${{ env.PYTHON_VERSION }}
           pipenv run pip install pytest pytest-xdist
           pipenv run python setup.py sdist bdist_wheel
-          pipenv run pip install dist/checkov-*.whl
+          bash -c 'pipenv run pip install dist/checkov-*.whl'
+      - name: Clone Terragoat - vulnerable terraform
+        run: git clone https://github.com/bridgecrewio/terragoat
       - name: Run checkov with Prisma creds
         env:
           PRISMA_KEY: ${{ secrets.PRISMA_KEY }}
@@ -121,6 +121,44 @@ jobs:
           pipenv run checkov -s -d terragoat --bc-api-key "$PRISMA_KEY" --repo-id yuvalyacoby/terragoat > checkov_report_prisma.txt
           grep "prismacloud.io" checkov_report_prisma.txt
           exit $?
+  sast-integration-tests:
+    strategy:
+      fail-fast: true
+      matrix:
+        python: ["3.8", "3.11"]
+        os: [ubuntu-latest, macos-latest]
+    runs-on: ${{ matrix.os }}
+    continue-on-error: true # for now it is ok to fail
+    steps:
+      - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11  # v3
+      - uses: actions/setup-python@65d7f2d534ac1bc67fcd62888c5f4f3d2cb2b236  # v4
+        with:
+          python-version: ${{ matrix.python }}
+      - name: Install pipenv
+        run: |
+          python -m pip install --no-cache-dir --upgrade pipenv
+      - name: Build & install checkov package
+        run: |
+          # remove venv, if exists
+          pipenv --rm || true
+          pipenv --python ${{ matrix.python }}
+          pipenv run pip install pytest pytest-xdist
+          pipenv run python setup.py sdist bdist_wheel
+          bash -c 'pipenv run pip install dist/checkov-*.whl'
+      - name: Clone flask - Python repo for SAST
+        run: git clone https://github.com/pallets/flask
+      - name: Clone WebGoat - Java repo for SAST
+        run: git clone https://github.com/WebGoat/WebGoat
+      - name: Clone axios - JavaScript repo for SAST
+        run: git clone https://github.com/axios/axios
+      - name: Create checkov reports
+        env:
+          LOG_LEVEL: INFO
+          BC_API_KEY: ${{ secrets.BC_API_KEY }}
+        run: bash -c './sast_integration_tests/prepare_data.sh'
+      - name: Run integration tests
+        run: |
+          pipenv run pytest sast_integration_tests
   unit-tests:
     timeout-minutes: 30
     runs-on: ubuntu-latest
@@ -154,7 +192,7 @@ jobs:
         run: |
           pipenv run python -m pytest tests
   bump-version:
-    needs: [integration-tests, unit-tests, prisma-tests]
+    needs: [integration-tests, unit-tests, prisma-tests] # add 'sast-integration-tests' when ready
     runs-on: [self-hosted, public, linux, x64]
     environment: release
     permissions:

diff --git a/.github/workflows/nightly.yml b/.github/workflows/nightly.yml
@@ -39,7 +39,7 @@ jobs:
       - name: Build GitHub Release changelog
         if: steps.prepare_release.outputs.create_release == 'true'
         id: build_github_release
-        uses: mikepenz/release-changelog-builder-action@6fd5cc6eaf7567dbd0f9666061215bb476f012fc  # v3
+        uses: mikepenz/release-changelog-builder-action@81ca5f10b8c238cbc36e53691a39273636d7d1f6  # v3
         env:
           GITHUB_TOKEN: ${{ secrets.GH_PAT_SECRET }}
         with:

diff --git a/.github/workflows/pr-test.yml b/.github/workflows/pr-test.yml
@@ -156,7 +156,6 @@ jobs:
           python-version: ${{ matrix.python }}
           cache: "pipenv"
           cache-dependency-path: "Pipfile.lock"
-      - uses: actions/setup-node@8f152de45cc393bb48ce5d89d36b731f54556e65  # v4
       - name: Install pipenv
         run: |
           python -m pip install --no-cache-dir --upgrade pipenv
@@ -202,7 +201,6 @@ jobs:
           python-version: ${{ matrix.python }}
           cache: "pipenv"
           cache-dependency-path: "Pipfile.lock"
-      - uses: actions/setup-node@8f152de45cc393bb48ce5d89d36b731f54556e65  # v4
       - name: Install pipenv
         run: |
           python -m pip install --no-cache-dir --upgrade pipenv

diff --git a/.pre-commit-config.yaml b/.pre-commit-config.yaml
@@ -18,7 +18,7 @@ repos:
       - id: teyit
         language_version: python3.9
   - repo: https://github.com/rhysd/actionlint
-    rev: v1.6.25
+    rev: v1.6.26
     hooks:
       - id: actionlint-docker
         # SC2129 - Consider using { cmd1; cmd2; } >> file instead of individual redirects.
@@ -33,7 +33,7 @@ repos:
         additional_dependencies:
           - vistir<0.7.0  # can be removed, when v4.0.0 of pipenv-setup comes out
   - repo: https://github.com/seddonym/import-linter  # checks the import dependencies between each other
-    rev: v1.12.0
+    rev: v1.12.1
     hooks:
       - id: import-linter
         language_version: python3.9

diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -1,6 +1,56 @@
 # CHANGELOG
 
-## [Unreleased](https://github.com/bridgecrewio/checkov/compare/3.0.14...HEAD)
+## [Unreleased](https://github.com/bridgecrewio/checkov/compare/3.0.25...HEAD)
+
+## [3.0.25](https://github.com/bridgecrewio/checkov/compare/3.0.24...3.0.25) - 2023-11-07
+
+### Bug Fix
+
+- **general:** do not require a repo ID when using an API key and --list - [#5726](https://github.com/bridgecrewio/checkov/pull/5726)
+
+## [3.0.24](https://github.com/bridgecrewio/checkov/compare/3.0.21...3.0.24) - 2023-11-06
+
+### Feature
+
+- **sast:** add new python CDK policies - [#5706](https://github.com/bridgecrewio/checkov/pull/5706)
+- **terraform:** Ensure that only critical system pods run on system nodes - [#5665](https://github.com/bridgecrewio/checkov/pull/5665)
+
+## [3.0.21](https://github.com/bridgecrewio/checkov/compare/3.0.19...3.0.21) - 2023-11-05
+
+### Feature
+
+- **terraform:** Ensure App Service Environment is zone redundant - [#5662](https://github.com/bridgecrewio/checkov/pull/5662)
+- **terraform:** Ensure that Standard Replication is enabled - [#5649](https://github.com/bridgecrewio/checkov/pull/5649)
+
+### Bug Fix
+
+- **sca:** Setting only relevant cves for the extracted reachable functions with risk factor of ReachableFunction as True - [#5715](https://github.com/bridgecrewio/checkov/pull/5715)
+- **terraform:** CKV_AWS_208 valid Amazon MQ versions - [#5653](https://github.com/bridgecrewio/checkov/pull/5653)
+
+## [3.0.19](https://github.com/bridgecrewio/checkov/compare/3.0.16...3.0.19) - 2023-11-02
+
+### Feature
+
+- **sca:** adjusting the cli-output to support indicating of reachable functions  - [#5713](https://github.com/bridgecrewio/checkov/pull/5713)
+- **terraform:** Adding YAML based build time policies for corresponding PC runtime policies - [#5637](https://github.com/bridgecrewio/checkov/pull/5637)
+- **terraform:** bigtable deletion protection [depends on #5625] - [#5626](https://github.com/bridgecrewio/checkov/pull/5626)
+- **terraform:** drop and deletion checks for spanner - [#5625](https://github.com/bridgecrewio/checkov/pull/5625)
+
+### Bug Fix
+
+- **sast:** add cveid to reachability report - [#5708](https://github.com/bridgecrewio/checkov/pull/5708)
+
+## [3.0.16](https://github.com/bridgecrewio/checkov/compare/3.0.15...3.0.16) - 2023-11-01
+
+### Feature
+
+- **sca:** Extending reachability post-runner in checkov and enriching cves with ReachableFunction data - [#5707](https://github.com/bridgecrewio/checkov/pull/5707)
+
+## [3.0.15](https://github.com/bridgecrewio/checkov/compare/3.0.14...3.0.15) - 2023-10-31
+
+### Bug Fix
+
+- **general:** fix duplicate components in CycloneDX report - [#5705](https://github.com/bridgecrewio/checkov/pull/5705)
 
 ## [3.0.14](https://github.com/bridgecrewio/checkov/compare/3.0.13...3.0.14) - 2023-10-30
 

diff --git a/cdk_integration_tests/src/python/APIGatewayCacheEnable/fail__2__.py b/cdk_integration_tests/src/python/APIGatewayCacheEnable/fail__2__.py
@@ -0,0 +1,50 @@
+from aws_cdk import core
+from aws_cdk import aws_apigateway as apigateway
+from aws_cdk import aws_sam as sam
+class MyApiGatewayStack(core.Stack):
+
+    def __init__(self, scope: core.Construct, id: str, **kwargs) -> None:
+        super().__init__(scope, id, **kwargs)
+
+        # Create an API Gateway stage with cache cluster enabled
+        api = apigateway.RestApi(
+            self,
+            "MyApi",
+            rest_api_name="MyApiName",
+        )
+
+        stage = apigateway.Stage(
+            self,
+            "MyApiStage",
+            stage_name="prod",  # Replace with your desired stage name
+            deployment=api.latest_deployment,
+        )
+
+class MySAMApiStack2(core.Stack):
+
+    def __init__(self, scope: core.Construct, id: str, **kwargs) -> None:
+        super().__init__(scope, id, **kwargs)
+
+        # Create a Serverless API with cache cluster enabled
+        sam_api = sam.CfnApi(
+            self,
+            "MySAMApi",
+            stage_name="prod",  # Specify the stage name
+            definition_body={
+                "openapi": "3.0.1",
+                "info": {
+                    "title": "MyAPI",
+                },
+                "paths": {
+                    "/example": {
+                        "get": {
+                            "responses": {
+                                "200": {
+                                    "description": "A sample response",
+                                },
+                            },
+                        },
+                    },
+                },
+            },
+        )
diff --git a/cdk_integration_tests/src/python/APIGatewayCacheEnable/pass.py b/cdk_integration_tests/src/python/APIGatewayCacheEnable/pass.py
@@ -0,0 +1,54 @@
+from aws_cdk import core
+from aws_cdk import aws_apigateway as apigateway
+from aws_cdk import aws_sam as sam
+class MyApiGatewayStack(core.Stack):
+
+    def __init__(self, scope: core.Construct, id: str, **kwargs) -> None:
+        super().__init__(scope, id, **kwargs)
+
+        # Create an API Gateway stage with cache cluster enabled
+        api = apigateway.RestApi(
+            self,
+            "MyApi",
+            rest_api_name="MyApiName",
+        )
+
+        stage = apigateway.Stage(
+            self,
+            "MyApiStage",
+            stage_name="prod",  # Replace with your desired stage name
+            deployment=api.latest_deployment,
+            cache_cluster_enabled=True,  # Enable cache cluster
+            cache_cluster_size="0.5",  # Specify the cache cluster size
+        )
+
+class MySAMApiStack2(core.Stack):
+
+    def __init__(self, scope: core.Construct, id: str, **kwargs) -> None:
+        super().__init__(scope, id, **kwargs)
+
+        # Create a Serverless API with cache cluster enabled
+        sam_api = sam.CfnApi(
+            self,
+            "MySAMApi",
+            cacheClusterEnabled=True,  # Enable cache cluster
+            cacheClusterSize="0.5",  # Specify the cache cluster size
+            stage_name="prod",  # Specify the stage name
+            definition_body={
+                "openapi": "3.0.1",
+                "info": {
+                    "title": "MyAPI",
+                },
+                "paths": {
+                    "/example": {
+                        "get": {
+                            "responses": {
+                                "200": {
+                                    "description": "A sample response",
+                                },
+                            },
+                        },
+                    },
+                },
+            },
+        )
diff --git a/cdk_integration_tests/src/python/BackupVaultEncrypted/fail__1__.py b/cdk_integration_tests/src/python/BackupVaultEncrypted/fail__1__.py
@@ -0,0 +1,14 @@
+from aws_cdk import core
+from aws_cdk import aws_backup as backup
+
+class MyBackupStack(core.Stack):
+
+    def __init__(self, scope: core.Construct, id: str, **kwargs) -> None:
+        super().__init__(scope, id, **kwargs)
+
+        # Create a Backup Vault with the specified encryption key ARN
+        backup_vault = backup.CfnBackupVault(
+            self,
+            "MyBackupVault",
+            name="MyBackupVault",
+        )
diff --git a/cdk_integration_tests/src/python/BackupVaultEncrypted/pass.py b/cdk_integration_tests/src/python/BackupVaultEncrypted/pass.py
@@ -0,0 +1,18 @@
+from aws_cdk import core
+from aws_cdk import aws_backup as backup
+
+class MyBackupStack(core.Stack):
+
+    def __init__(self, scope: core.Construct, id: str, **kwargs) -> None:
+        super().__init__(scope, id, **kwargs)
+
+        # Replace 'your-encryption-key-arn' with the actual KMS key ARN you want to use
+        encryption_key_arn = 'your-encryption-key-arn'
+
+        # Create a Backup Vault with the specified encryption key ARN
+        backup_vault = backup.CfnBackupVault(
+            self,
+            "MyBackupVault",
+            name="MyBackupVault",
+            encryption_key_arn=encryption_key_arn,
+        )
diff --git a/cdk_integration_tests/src/python/CloudWatchLogGroupKMSKey/fail__1__.py b/cdk_integration_tests/src/python/CloudWatchLogGroupKMSKey/fail__1__.py
@@ -0,0 +1,16 @@
+from aws_cdk import core
+from aws_cdk import aws_logs as logs
+
+class MyBadLogGroupStack(core.Stack):
+
+    def __init__(self, scope: core.Construct, id: str, **kwargs) -> None:
+        super().__init__(scope, id, **kwargs)
+
+        # Create a CloudWatch Logs log group without specifying KMS key
+        log_group = logs.LogGroup(
+            self,
+            "MyBadLogGroup",
+            log_group_name="MyLogGroupName",
+            retention=logs.RetentionDays.ONE_MONTH,  # Set the retention policy as needed
+            # KMS key is not specified
+        )
diff --git a/cdk_integration_tests/src/python/CloudWatchLogGroupKMSKey/pass.py b/cdk_integration_tests/src/python/CloudWatchLogGroupKMSKey/pass.py
@@ -0,0 +1,16 @@
+from aws_cdk import core
+from aws_cdk import aws_logs as logs
+
+class MyLogGroupStack(core.Stack):
+
+    def __init__(self, scope: core.Construct, id: str, **kwargs) -> None:
+        super().__init__(scope, id, **kwargs)
+
+        # Create a CloudWatch Logs log group with KMS key ID
+        log_group = logs.LogGroup(
+            self,
+            "MyLogGroup",
+            log_group_name="MyLogGroupName",
+            retention=logs.RetentionDays.ONE_MONTH,  # Set the retention policy as needed
+            kms_key=1,  # Specify the KMS key
+        )
diff --git a/cdk_integration_tests/src/python/DAXEncryption/fail__1__.py b/cdk_integration_tests/src/python/DAXEncryption/fail__1__.py
@@ -0,0 +1,20 @@
+from aws_cdk import core
+from aws_cdk import aws_dax as dax
+
+class DAXClusterStack(core.Stack):
+    def __init__(self, scope: core.Construct, id: str, **kwargs) -> None:
+        super().__init__(scope, id, **kwargs)
+
+        # Create a DAX cluster
+        dax_cluster = dax.CfnCluster(
+            self, "MyDAXCluster",
+            cluster_name="MyDAXCluster",
+            description="My DAX Cluster",
+            iam_role_arn="arn:aws:iam::123456789012:role/DAXServiceRole",
+            node_type="dax.r5.large",
+            replication_factor=2,
+        )
+
+app = core.App()
+DAXClusterStack(app, "DAXClusterStack")
+app.synth()