Merge branch 'bridgecrewio:main' into prdeshpande-main

CHANGELOG.md

@@ -1,6 +1,12 @@
 # CHANGELOG
 
-## [Unreleased](https://github.com/bridgecrewio/checkov/compare/3.0.37...HEAD)
+## [Unreleased](https://github.com/bridgecrewio/checkov/compare/3.0.38...HEAD)
+
+## [3.0.38](https://github.com/bridgecrewio/checkov/compare/3.0.37...3.0.38) - 2023-11-16
+
+### Feature
+
+- **terraform:** Adding YAML based build time policies for corresponding PC runtime policies - [#5714](https://github.com/bridgecrewio/checkov/pull/5714)
 
 ## [3.0.37](https://github.com/bridgecrewio/checkov/compare/3.0.36...3.0.37) - 2023-11-15
 

checkov/terraform/checks/graph_checks/azure/AzureMSSQLserverConfigPrivEndpt.yaml

@@ -0,0 +1,19 @@
+metadata:
+  id: "CKV2_AZURE_45"
+  name: "Ensure Microsoft SQL server is configured with private endpoint"
+  category: "GENERAL_SECURITY"
+
+definition:
+  and:
+    - cond_type: "filter"
+      attribute: "resource_type"
+      operator: "within"
+      value:
+        - "azurerm_mssql_server"
+
+    - cond_type: "connection"
+      resource_types:
+        - "azurerm_mssql_server"
+      connected_resource_types:
+        - "azurerm_private_endpoint"
+      operator: "exists"

checkov/terraform/checks/graph_checks/azure/AzureMariaDBserverConfigPrivEndpt.yaml

@@ -0,0 +1,19 @@
+metadata:
+  id: "CKV2_AZURE_43"
+  name: "Ensure Azure MariaDB server is configured with private endpoint"
+  category: "GENERAL_SECURITY"
+
+definition:
+  and:
+    - cond_type: "filter"
+      attribute: "resource_type"
+      operator: "within"
+      value:
+        - "azurerm_mariadb_server"
+
+    - cond_type: "connection"
+      resource_types:
+        - "azurerm_mariadb_server"
+      connected_resource_types:
+        - "azurerm_private_endpoint"
+      operator: "exists"

checkov/terraform/checks/graph_checks/azure/AzureMySQLserverConfigPrivEndpt.yaml

@@ -0,0 +1,19 @@
+metadata:
+  id: "CKV2_AZURE_44"
+  name: "Ensure Azure MySQL server is configured with private endpoint"
+  category: "GENERAL_SECURITY"
+
+definition:
+  and:
+    - cond_type: "filter"
+      attribute: "resource_type"
+      operator: "within"
+      value:
+        - "azurerm_mysql_server"
+
+    - cond_type: "connection"
+      resource_types:
+        - "azurerm_mysql_server"
+      connected_resource_types:
+        - "azurerm_private_endpoint"
+      operator: "exists"

checkov/terraform/checks/graph_checks/azure/AzurePostgreSQLserverConfigPrivEndpt.yaml

@@ -0,0 +1,19 @@
+metadata:
+  id: "CKV2_AZURE_42"
+  name: "Ensure Azure PostgreSQL server is configured with private endpoint"
+  category: "GENERAL_SECURITY"
+
+definition:
+  and:
+    - cond_type: "filter"
+      attribute: "resource_type"
+      operator: "within"
+      value:
+        - "azurerm_postgresql_server"
+
+    - cond_type: "connection"
+      resource_types:
+        - "azurerm_postgresql_server"
+      connected_resource_types:
+        - "azurerm_private_endpoint"
+      operator: "exists"

checkov/terraform/checks/graph_checks/azure/AzureSynapseWorkspaceVAisEnabled.yaml

@@ -0,0 +1,33 @@
+metadata:
+  id: "CKV2_AZURE_46"
+  name: "Ensure that Azure Synapse Workspace vulnerability assessment is enabled"
+  category: "GENERAL_SECURITY"
+definition:
+    and:
+      - resource_types:
+          - azurerm_synapse_workspace_security_alert_policy
+        connected_resource_types:
+          - azurerm_synapse_workspace
+        operator: exists
+        cond_type: connection
+
+      - resource_types:
+          - azurerm_synapse_workspace_vulnerability_assessment
+        connected_resource_types:
+          - azurerm_synapse_workspace_security_alert_policy
+        operator: exists
+        cond_type: connection
+
+      - cond_type: attribute
+        resource_types:
+          - azurerm_synapse_workspace_vulnerability_assessment
+        attribute: 'recurring_scans.*.enabled'
+        operator: equals
+        value: true
+
+      - cond_type: filter
+        attribute: resource_type
+        value:
+          - azurerm_synapse_workspace_vulnerability_assessment
+        operator: within
+

checkov/terraform/checks/graph_checks/ibm/IBM_LoadBalancerforVPCisPrivate.yaml

@@ -0,0 +1,18 @@
+metadata:
+  id: "CKV2_IBM_1"
+  name: "Ensure load balancer for VPC is private (disable public access)"
+  category: "GENERAL_SECURITY"
+
+definition:
+  and:
+
+    - cond_type: "attribute"
+      resource_types: "ibm_is_lb"
+      attribute: "type"
+      operator: "exists"
+
+    - cond_type: "attribute"
+      resource_types: "ibm_is_lb"
+      attribute: "type"
+      operator: "equals_ignore_case"
+      value: "private"

checkov/terraform/checks/graph_checks/ibm/IBM_VPCclassicAccessIsDisabled.yaml

@@ -0,0 +1,24 @@
+metadata:
+  id: "CKV2_IBM_2"
+  name: "Ensure VPC classic access is disabled"
+  category: "GENERAL_SECURITY"
+
+definition:
+  or:
+    - cond_type: "attribute"
+      resource_types: "ibm_is_vpc"
+      attribute: "classic_access"
+      operator: "not_exists"
+
+    - and:
+
+        - cond_type: "attribute"
+          resource_types: "ibm_is_vpc"
+          attribute: "classic_access"
+          operator: "exists"
+
+        - cond_type: "attribute"
+          resource_types: "ibm_is_vpc"
+          attribute: "classic_access"
+          operator: "equals_ignore_case"
+          value: "false"

checkov/version.py

@@ -1 +1 @@
-version = '3.0.37'
+version = '3.0.38'