This repository was archived by the owner on Oct 21, 2025. It is now read-only.

Conversation


@renovate renovate bot commented Oct 21, 2025

This PR contains the following updates:

Package   Change
checkov   ==2.0.1037 -> ==3.2.485

Release Notes

bridgecrewio/checkov (checkov)

v3.2.485

Bug Fix
  • general: fix urllib3 dependency - #​7345

v3.2.484

Bug Fix
  • terraform_plan: Correctly handle complex types for after_unknown - #​7333

v3.2.483

Feature
  • general: anchor setuptools to fix metadata version - #​7330
  • general: update our publishing job SHA to latest - #​7332
  • terraform_plan: fix handling of resource_id for enrichment in tf_plan - #​7329

v3.2.482

v3.2.477

Bug Fix

  • terraform_plan: compute the longest common prefix between two optional vertices - #​7320
  • terraform_plan: Don't add values to empty list values in after_unknown - #​7319

v3.2.476

v3.2.475

v3.2.474

Documentation
  • general: Add JAVA_FULL_DT environment variable to CLI reference - #​7312

v3.2.473

  • no noteworthy changes

v3.2.472

Feature

  • terraform: fix foreach module handling - #​7313

v3.2.471

Bug Fix

  • terraform_plan: fix access to list by str in tf plan under _handle_complex_after_unknown - #​7299

v3.2.470

Bug Fix

  • helm: Make Helm template detection less aggressive - #​7288

v3.2.469

Feature

  • general: Control parallelism - #​7286

v3.2.468

v3.2.467

Bug Fix

  • serverless: Fixed bad entity code line generation - #​7285

v3.2.466

Feature

  • terraform: add aws_vpc_endpoint to RESOURCE_TYPES_JSONIFY - #​7281

Bug Fix

  • general: Add exclusion for plan_with_providers test files in security scanning - #​7282

v3.2.465

v3.2.464

Feature

  • secrets: support suppressions in JSON files - #​7275

v3.2.463

v3.2.462

v3.2.461

Bug Fix

  • terraform: Handled git external module loading with sub-directory but without protocol - #​7272

v3.2.460

Bug Fix

  • general: pin boto3 and botocore versions as failed test in Jenkins - #​7270

v3.2.459

v3.2.458

Bug Fix

  • terraform: Fix conditional expression evaluation - #​7265
  • terraform: Update FunctionAppsAccessibleOverHttps - #​7078

v3.2.457

Bug Fix

  • dockerfile: Use proxy env vars in aiohttp client requests - #​7260

v3.2.456

Bug Fix

  • terraform: Parse continue as a string rather than as a Python object - #​7261

v3.2.455

v3.2.454

Bug Fix

  • serverless: Fixed extraction of code lines for serverless resources - #​7259

v3.2.453

v3.2.452

Feature

  • general: Support Py 3.13 on build workflow - #​7222

v3.2.451

Feature

  • terraform: Support parsing of provider functions - #​7237

v3.2.450

Bug Fix

  • arm: filter out failed checks with resource names containing un-rendered functions - #​7231

v3.2.449

Bug Fix

  • terraform: fix cloning external modules from private registries - #​7229
  • terraform: fix issue 7216 module version parsing issue - #​7224

v3.2.448

v3.2.447

Bug Fix

  • terraform: Added support in restricting to a specific GitHub organization for GithubActionsOIDCTrustPolicy - #​7221

v3.2.446

Feature

  • kubernetes: include hidden folders in scan - #​7219

v3.2.445

Bug Fix

  • helm: fix file paths to point to original files and not generated ones - #​7212
  • secrets: fix omitting and masking - #​7218

v3.2.444

v3.2.443

Bug Fix

  • secrets: fix omit and masking - #​7213

v3.2.442

Bug Fix

  • secrets: fix relative path secrets - #​7211

v3.2.441

v3.2.440

Feature

  • secrets: Bump detect secrets - #​7203

v3.2.439

Bug Fix

  • serverless: Enhance yaml parsing, better support for file expansion - #​7115
  • terraform: Better utilization of managed modules (if enabled) - #​7111

v3.2.438

v3.2.437

Bug Fix

  • terraform: Handle explicitly-specified tfvars explicitly - #​7107

v3.2.436

Bug Fix

  • terraform_plan: Support count in terraform plan files - #​7195

v3.2.435

Bug Fix

  • kubernetes: Only filter out files that contain Helm built-in variables and functions - #​6922
  • serverless: check if start and end line in serverless definitions context - #​7189

v3.2.434

v3.2.433

Bug Fix

  • terraform_plan: add a check to avoid doing get on a none dict object in tfplan scan - #​7180

v3.2.432

Bug Fix

v3.2.431

v3.2.430

v3.2.429

Bug Fix

  • general: Fix support for git external module syntax 'git::git@' - #​7175
  • general: Remove asteval syntax error logs - #​7172

v3.2.428

v3.2.427

Feature

  • secrets: Revert - Bump detect secrets - #​7171

Bug Fix

  • terraform: don't move clone to internal dir - #​7159

v3.2.426

Feature

v3.2.425

v3.2.424

Feature

  • terraform: Add SNS check and modify some - #​7154

Bug Fix

  • secrets: Fix for git-history scan by commits - #​7160

v3.2.423

v3.2.422

Feature

  • secrets: git-history allow scan by commits list - #​7155

Bug Fix

  • general: exclude start_line and end_line from is empty solver - #​7156

v3.2.421

v3.2.420

Feature

  • kustomize: export get kustomize resource id to a function - #​7153

Bug Fix

  • general: Skip bc_api_key in output - #​7148
  • terraform: Fixed crash when using variable rendering inside a list of len > 1 - #​7151

v3.2.419

v3.2.418

v3.2.417

Breaking Change

v3.2.416

Bug Fix

  • terraform_plan: use provider name not resource address to fix supported_provider matching - #​7119

v3.2.415

Bug Fix

  • general: using asteval instead of using eval - #​7116

v3.2.414

Bug Fix

  • terraform: Fix protocols for CKV2_AWS_74 and fix for CKV2_K8S_5 - #​7134

v3.2.413

Feature

  • terraform: Add new check for overly permissive SQS policy - #​7125

Bug Fix

  • terraform: support CLI notation in CKV_AZURE_228 for EventHub locations - #​7124

v3.2.412

v3.2.411

Feature

  • secrets: Add support in git history for producer consumer - #​7123

Bug Fix

  • general: Make --download-external-modules Optional[bool] - #​7121
  • secrets: Fix test directory tree race - #​7122
  • terraform: add aws_elasticache_serverless_cache to CKV2_AWS_5 - #​7079

v3.2.410

v3.2.409

v3.2.408

Feature

  • terraform: Overly permissive Lambda CORS check (Terraform & CloudFormation) - #​7113

Bug Fix

  • general: base_runner: Properly escape excluded directories that begin with '.' - #​7112

v3.2.407

Feature

  • terraform: Add new check and update old around cipher suites - #​7108

v3.2.406

Bug Fix

  • kustomize: handle kustomize file with empty resources section - #​7109

v3.2.405

v3.2.404

Bug Fix

  • terraform: Fix for multiple checks - #​7097

v3.2.403

Feature

  • cloudformation: Update Lambda Runtime checks - #​7065

v3.2.402

Bug Fix

  • terraform: Change to valid name - #​7089
  • terraform: CKV2_IBM_1 - ignore case for load balancer of type private_path - #​7010
  • terraform: rename test FunctionAppsAccessibleOverHttps - #​7085

Documentation

  • general: Add install for debian - #​7083

v3.2.401

v3.2.400

Bug Fix

  • general: typos discovered by codespell - #​7012
  • terraform: Update FunctionAppsAccessibleOverHttps - #​7084

v3.2.399

v3.2.398

Bug Fix

  • general: handle connected_node tuple in CustomJSONEncoder for json report (#​7062) - #​7063

v3.2.397

  • no noteworthy changes

v3.2.396

Bug Fix

  • terraform: Fix keeping range a range - #​7073

v3.2.395

Feature

  • serverless: add check for empty resource attributes - #​7074

v3.2.394

Bug Fix

  • terraform: Fix CKV2_GCP_12 and a few tests - #​7069

v3.2.393

Bug Fix

  • general: Updated correct connected_node when creating graph report out of all options - #​7068

v3.2.392

Bug Fix

  • terraform_plan: Run provider checks against all providers in plan - #​7061

v3.2.391

Bug Fix

  • secrets: Bump detect-secrets to not flag AZ secrets in plan files - #​7064

v3.2.390

Feature

  • terraform: add raw tf resource to graph - #​7047

Bug Fix

  • general: Fix a few checks - #​7051
  • general: Remove sneaky unicode characters that break a regex and console outputs on Windows - #​6987
  • terraform: CKV_AWS_228 - support new AWS Opensearch TLS policy - #​7007

v3.2.389

v3.2.388

v3.2.387

v3.2.386

  • no noteworthy changes

v3.2.385

Bug Fix

  • terraform: Update all resources - #​7049

v3.2.384

Bug Fix

  • terraform: Update CKV_ALI_1 - #​7040

v3.2.383

Feature

  • serverless: add tags enrichment to serverless - #​7044

Bug Fix

  • sast: Fix CKV_AWS_194 policy - #​7048

v3.2.382

Feature

  • secrets: Bump detect-secrets to remove more lock files - #​7039

v3.2.381

Bug Fix

  • general: prevent connected_node attribute from being overridden - #​7032
  • secrets: ckv_secret_80 filtering fix - #​7037

v3.2.380

v3.2.379

Feature

  • terraform: Add azure DB checks for flexible server private endpoints - #​7030

v3.2.378

Bug Fix

  • secrets: Remove CKV_SECRET_80 instead of CKV_SECRET_6 - #​7029

v3.2.377

Feature

  • terraform: adding 3 policies & tests - #​7011

Bug Fix

  • cloudformation: Handle subs in CKV_AWS_384 - #​7022
  • secrets: Fix Duplicated Violation in line bug - #​7027
  • terraform: Fixed CKV2_GCP_10 to exclude non http triggered cloud functions from security_level requirement - #​7008
  • terraform: Handle new resource type for CKV_GCP_73 - #​7023

v3.2.376

v3.2.375

v3.2.374

v3.2.373

Bug Fix

  • terraform: CKV_GCP_74, CKV_GCP_76 incorrectly enforced for REGIONAL and GLOBAL managed proxy networks - #​7002

v3.2.372

Feature

  • terraform: Add multiple checks - #​7016

Bug Fix

  • terraform: Postgres latest stable version - #​7015

v3.2.371

v3.2.370

Bug Fix

  • general: Handle ECS enhanced container insights - #​7001

v3.2.369

Bug Fix

  • terraform: Multiple check fixes - #​6999

v3.2.368

Feature

  • general: fix proxy access from git and registry loader - #​6992

v3.2.367

v3.2.366

Bug Fix

  • bicep: Add bicep specific for CKV_AZURE_25 since ARM implementation fails - #​6996
  • terraform: CKV_AZURE_249 & CKV_AWS_358 - better support for OIDC 'repo' detection regex and conditions order - #​6994

v3.2.365

v3.2.364

Bug Fix

  • terraform: CKV_AWS_339 - Add EKS platform version 1.32 to allowed lists of versions - #​6988

v3.2.363

v3.2.362

Bug Fix

  • secrets: Multiple matching groups are being caught as regex separated by | sign - #​6967
  • secrets: Remove both random and base64 entropy secrets finding - #​6969

Platform

  • general: Backfill more eval keys - #​6970

v3.2.361

v3.2.360

v3.2.359

v3.2.358

Feature

  • general: Add env var for policy metadata - #​6979

v3.2.357

Feature

  • general: initial support for python 3.13 - #​6962

Bug Fix

  • terraform: OIDC checks fixes - #​6964

v3.2.356

v3.2.355

Feature

  • terraform: Update CKV_AWS_358, add CKV_GCP_125 and CKV_AZURE_249 for OIDC claims analysis for GitHub - #​6960

Bug Fix

  • terraform: Accept TLS 1.3 for Azure web apps and web app slots - #​6956

Platform

v3.2.354

v3.2.353

Bug Fix

  • general: Support CVE suppressions with the root file in repo - #​6948

v3.2.352

Feature

  • terraform: add option to add external_modules_content_cache to terraform build_graph - #​6942

v3.2.351

Bug Fix

  • terraform: Skip tsconfig in terraform plan - #​6941

v3.2.350

Feature

  • terraform: add CKV_AZURE_248 - Azure batch account network access restriction - #​6928

Bug Fix

  • terraform: Revert feat(terraform): Add a terraform block check (#​6904) - #​6937

v3.2.349

v3.2.348

v3.2.347

Feature

  • general: Change behavior where if a config file is missing, run the scan as if there was no config file - #​6926

Bug Fix

  • terraform: Fix for multiple checks - #​6933

v3.2.346

Feature

  • terraform: add option to add proxy to request - #​6923

v3.2.345

Feature

  • cloudformation: Add sensitive param check - #​6921
  • terraform: add option to add proxy to request - #​6916
  • terraform: check cognitive services restrict outbound network - #​6919

Bug Fix

  • terraform_json: support CDKTF output in CKV_TF_3 - #​6918

v3.2.344

Bug Fix

  • kubernetes: Add to nested resources on k8s graph inherit namespace - #​6912

v3.2.343

v3.2.342

Feature

  • serverless: serverless definitions context - #​6910
  • serverless: Serverless graph integration - #​6911
  • terraform: Add a terraform block check - #​6904

v3.2.341

v3.2.340

v3.2.339

Bug Fix

  • general: Fix jsonpath-key handling for special characters like "/" and reduce log size - #​6907
  • serverless: Fix serverless check crash - #​6909

v3.2.337

v3.2.336

Feature

  • general: add cortex:skip for suppressions - #​6908

Bug Fix

  • terraform: fix CKV_AZURE_136 for replicas - #​6895
  • terraform: Fix CKV_AZURE_227 for Azure V4 - #​6906

v3.2.335

v3.2.334

Feature

  • serverless: Serverless graph vertices - #​6894

Bug Fix

  • secrets: fix indentation to remove duplications - #​6626

v3.2.333

v3.2.332

Feature

  • terraform: Add multi skip inline suppression - #​6860
  • terraform: New bedrock check - #​6892

Bug Fix

  • kubernetes: fix json file parsing - #​6891
  • terraform: Fix CKV2_AZURE_31 - #​6893

v3.2.331

v3.2.330

v3.2.329

v3.2.328

Feature

  • serverless: Serverless refactor for graph implementation - #​6885

Documentation

v3.2.327

Bug Fix

  • terraform: Convert to graph check - #​6875

v3.2.326

Feature

  • general: add new CIDR operator - #​6877

Bug Fix

  • arm: Fix resource ID generation to use variables - #​6884

v3.2.325

v3.2.324

Bug Fix

  • terraform_plan: run post_runner after get_enriched_resources for terraform_plan - #​6883

v3.2.322

Feature

  • general: Update range includes to handle range values - #​6867

Bug Fix

  • general: fix_memory error with adding new env - #​6879
  • general: revert comment out ARM test - #​6882

v3.2.321

v3.2.320

Feature

  • terraform: Add new checks to match run checks - #​6868

Bug Fix

  • arm: Fix arm root folder - #​6880
  • terraform: Update CKV_AZURE_164 to correct check on trust policy - #​6757

v3.2.319

v3.2.318

v3.2.317

Feature

  • terraform: support resource_type attribute - #​6872

Bug Fix

  • arm: Fix arm report resource naming - #​6876
  • terraform: Fix two checks and logs - #​6874

v3.2.316

v3.2.315

v3.2.314

Feature

  • general: add logs for suppression - #​6873

Bug Fix

  • arm: Fix arm resource naming on integration with Prisma - #​6870

v3.2.313

v3.2.312

Bug Fix

  • arm: Fix arm graph breadcrumbs - #​6869

v3.2.311

Bug Fix

  • cloudformation: Fixed issue where Ref was not rendered correctly if the parameter name was identical to the default value - #​6856
  • secrets: fix find line - #​6864
  • secrets: masking test format - #​6859
  • secrets: multiline matches show the secret and not the first line - #​6854

v3.2.310

v3.2.309

v3.2.308

v3.2.307

Bug Fix

  • arm: Change ARM graph creation log lvl to debug - #​6857

v3.2.306

v3.2.305

Feature

  • sca: support java full dependency tree scan - #​6834
  • terraform: Add check - ensure AWS CodeGuru resource contains CMK - #​6851

Bug Fix

  • general: Used jsonpath to update vertex attributes - #​6852
  • terraform: Update EKS supported versions - #​6826
  • terraform: Update CKV_AZURE_171 to check automatic_upgrade_channel - #​6756

v3.2.304

v3.2.303

v3.2.302

v3.2.301

Bug Fix

v3.2.300

Feature

  • azure: add new policies for Azure Synapse arm - #​6553
  • helm: Made helm + kustomize use the Kubernetes graph registry - #​6847
  • secrets: Adding check_id to EnrichedSecret class - #​6842
  • secrets: Masking secrets files - #​6848

Bug Fix

  • secrets: add prerun support for singleline - #​6846
  • terraform: Update CKV_AZURE_167 to correct check on retention policy - #​6758

v3.2.299

v3.2.298

v3.2.297

v3.2.296

Feature

  • cloudformation: Support Fn::Sub in cases of using a pseudo parameter - #​6835
  • terraform: support resource_type attribute - revert - #​6843

Bug Fix

  • terraform: CKV_GCP_32 (GoogleComputeBlockProjectSSH) Add other common enabling values - #​6663

v3.2.295

v3.2.294

v3.2.293

Feature

  • terraform: support resource_type attribute - #​6830

Bug Fix

v3.2.292

v3.2.291

Feature

  • general: remove specific botocore version - #​6796

Bug Fix

  • arm: fix ARM graph block types - #​6824
  • dockerfile: Handle heredoc - #​6828
  • sast: filter unsupported policies - #​6833

v3.2.290

v3.2.289

v3.2.288

v3.2.287

Bug Fix

  • graph: fix internal checks loading when adding custom policies in cli - #​6819

v3.2.286

Feature

Bug Fix

  • secrets: fix empty diff scan - #​6822

v3.2.285

v3.2.284

v3.2.283

v3.2.282

Bug Fix

  • arm: finish variable rendering and use definitions context - #​6814

v3.2.281

Documentation

  • general: Update Python versions and add env vars to the docs - #​6812

v3.2.280

Bug Fix

  • arm: add middleware function for platform integration for Arm definitions - #​6811
  • secrets: Update CKV_SECRET_4 to duplication list GENERIC_PRIVATE_KEY - #​6810
  • terraform: Add opensearch to CKV2_AWS_5 - #​6807

v3.2.279

v3.2.278

Bug Fix

  • arm: Align arm definitions function arguments - #​6808

v3.2.277

Bug Fix

  • secrets: add detector for IbmCosHmac - #​6790

v3.2.276

Bug Fix

  • terraform: Fix possible exception when for_each data has boolean values - #​6733

v3.2.275

Feature

  • arm: Add arm definition context - #​6801

Bug Fix

  • cloudformation: change parse log level - #​6794
  • general: pipenv==2024.0.3 - #​6803
  • secrets: omit all secrets value in line - #​6802
  • terraform: Security group attached to aws_mskconnect_connector is not recognized - #​6780

v3.2.274

v3.2.273

v3.2.272

v3.2.271

Feature

  • sca: add enableDotnetCpm env var to sca scan request - #​6786

v3.2.270

Feature

  • arm: add variable and parameters edges and rendering - #​6787
  • arm: arm custom policy support - #​6769

v3.2.269

Bug Fix

  • terraform: Fix crash when version isn't a float - #​6783

v3.2.268

Feature

  • terraform_plan: Support after_unknown evaluation of complex attributes - #​6784

v3.2.267

  • no noteworthy changes

v3.2.266

Feature

  • arm: unsupported module soft fail - #​6775

v3.2.265

v3.2.264

v3.2.263

v3.2.262

Feature

  • terraform: 2 new checks - #​6764
  • terraform: Add s3 data transport check - #​6763

Bug Fix

  • helm: Remove helm target dir after scanning - #​6767
  • kubernetes: Handle non-string params in command - #​6768

v3.2.261

v3.2.260

v3.2.259

v3.2.258

Bug Fix

  • terraform: Set timeout for parsing Terraform files with hcl2. - #​6759

v3.2.257

Bug Fix

  • ansible: handle empty tasks - #​6751

v3.2.256

Feature

Bug Fix

  • general: Fix operator docs - #​6735
  • sca: add Pipfile and Pipfile.lock to supported package files list - #​6746
  • terraform: extend CKV2_AWS_5 to include DMS Serverless (#​6628) - #​6630
  • terraform: Remove dataproc.admin from multiple checks - #​6725
  • terraform: Security group attached to an Elastic DocumentDB cluster is not recognized by check CKV2_AWS_5 - #​6687

Documentation

v3.2.255

v3.2.254

Bug Fix

  • terraform: Added ssl_mode attribute support to CKV_GCP_6 - #​6703

v3.2.253

Feature

  • general: allow tool name field to be customised using cli arguments - #​6692
  • secrets: Change log level - #​6716
  • terraform: Add check for local user in storage - #​6715

Bug Fix

  • terraform: Update CKV_AZURE_228 for automatic calculation - #​6714

v3.2.252

v3.2.251

Feature

  • general: add severity metadata to custom policy - #​6579

v3.2.250

Bug Fix

  • secrets: fix suppressions and duplications - #​6710

v3.2.249

Feature

  • general: revert packages read permissions - #​6706
  • terraform_plan: remove secret - #​6705

Bug Fix

  • secrets: fix suppression and duplication - #​6701
  • secrets: Revert suppression and duplication - #​6708
  • terraform: Fix foreach multi attributes in field - #​6707

v3.2.248

[`v3.2.2


Configuration

📅 Schedule: Branch creation - At any time (no schedule defined), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.


This PR was generated by Mend Renovate. View the repository job log.

@chrisns chrisns closed this Oct 21, 2025

renovate bot commented Oct 21, 2025

Renovate Ignore Notification

Because you closed this PR without merging, Renovate will ignore this update. You will not get PRs for any future 3.x releases. But if you manually upgrade to 3.x then Renovate will re-enable minor and patch updates automatically.

If you accidentally closed this PR, or if you changed your mind: rename this PR to get a fresh replacement PR.

@renovate renovate bot deleted the renovate/checkov-3.x branch October 21, 2025 04:27