checkov v2.1.214 releases: Prevent cloud misconfigurations during build-time for Terraform, Cloudformation, Kubernetes
Checkov is a static code analysis tool for infrastructure-as-code. It scans cloud infrastructure provisioned using Terraform, Cloudformation, or kubernetes and detects security and compliance misconfigurations.
- Over 1000 built-in policies cover security and compliance best practices for AWS, Azure, and Google Cloud.
- Scans Terraform, Terraform Plan, CloudFormation, Kubernetes, Dockerfile, Serverless framework, and ARM template files.
- Supports Context-awareness policies based on in-memory graph-based scanning.
- Supports Python format for attribute policies and YAML format for both attribute and composite policies.
- Detects AWS credentials in EC2 Userdata, Lambda environment variables, and Terraform providers.
- Identifies secrets using regular expressions, keywords, and entropy-based detection.
- Evaluates Terraform Provider settings to regulate the creation, management, and updates of IaaS, PaaS or SaaS managed through Terraform.
- Policies support the evaluation of variables to their optional default value.
- Supports in-line suppression of accepted risks or false positives to reduce recurring scan failures. Also supports global skip from using CLI.
- Output currently available as CLI, JSON, JUnit XML, and github markdown and link to remediation guides.
- general: leverage SARIF helpUri for guideline and SCA link – #3492
- github: Improving GHA schema validation – #3513
- kubernetes: added base class K8SEdgeBuilder – #3530
- terraform: GCP Cloud functions should not be public – #3477
- github: add missing schema files to distribution package – #3537
- sca: changes on cve suppressions to match package and image scan – #3502
- sca: send exception log when exceeded retries – #3534
- terraform: make test case insensitive for CKV_ALI_35,CKV_ALI_36,CKV_ALI_37 – #3507
- terraform: do not evaluate OCI policy statements – #3411
Copyright 2019 Bridgecrew