turbot / steampipe-plugin-terraform

Use SQL to instantly query resources, data sources and more from Terraform code. Open source CLI. No DB required.
https://hub.steampipe.io/plugins/turbot/terraform
Apache License 2.0

Bump github.com/Checkmarx/kics from 1.4.9 to 1.7.13 #86

Closed dependabot[bot] closed 1 month ago

dependabot[bot] commented 7 months ago

Bumps github.com/Checkmarx/kics from 1.4.9 to 1.7.13.

Release notes

Sourced from github.com/Checkmarx/kics's releases.

v1.7.13

🚀 New features and improvements

  • feat(scanner): parallel scanning by @liorj-orca in Checkmarx/kics#6833
  • feat(nifcloud): add terraform nifcloud queries by @tunakyonn in Checkmarx/kics#6897
  • feat(tencentcloud): add cbs disk without encrypted for tencentcloud by @hellertang in Checkmarx/kics#6904
  • feat(query): added CWE infos to common and dockerfile queries #6373 by @Jeeppler in Checkmarx/kics#6839
  • feat(engine): ignore terraform cache folders by @dim-ops in Checkmarx/kics#6240
  • feat(cli): lead with similarity id question in Checkmarx/kics#6840
  • feat(results): update cyclonedx reports to support v1.5 in Checkmarx/kics#6841
  • feat(engine): improve similarity id in Checkmarx/kics#6851
  • feat(engine): add a timeout to decode results in Checkmarx/kics#6846
  • feat(tests): add new test workflows in Checkmarx/kics#6861
  • feat(cwe): add cwe into sarif report and KICS CLI results in Checkmarx/kics#6845
  • feat(query): cloudformation DynamoDB Table Not Encrypted in Checkmarx/kics#6619
  • feat(cli): control the information in Checkmarx/kics#6854
  • feat(query): docker compose Shared Volumes Between Containers in Checkmarx/kics#6714
  • feat(query): cloudformation ECS Cluster with Container Insights Disabled in Checkmarx/kics#6673
  • feat(query): crossplane ECS Cluster with Container Insights Disabled in Checkmarx/kics#6675
  • feat(query): pulumi ECS Cluster with Container Insights Disabled in Checkmarx/kics#6678
  • feat(cwe): adding CWE results into all reports in Checkmarx/kics#6876
  • feat(query): cloud formation api gateway access logging disabled in Checkmarx/kics#6863

🐛 Bug fixes

  • fix(query): lambda_iam_invokefunction_misconfigured by @Tohar-orca in Checkmarx/kics#6822
  • fix(test): sort paths related to the e2e in Checkmarx/kics#6848
  • fix(engine): improve ansible detection in Checkmarx/kics#6880
  • fix(query): unnecessary private information in Checkmarx/kics#6716
  • fix(query): terraform descriptionURLs Changed in Checkmarx/kics#6486
  • fix(query): fixed false positive when no pid namespace is defined in Checkmarx/kics#6860
  • fix(query): docker compose deprecated network not set in Checkmarx/kics#6715
  • fix(query): improve query Key Vault Not Recoverable in Checkmarx/kics#6862
  • fix(query): terraform DynamoDB Table Point In Time Recovery Disabled in Checkmarx/kics#6617
  • fix(query): pulumi DynamoDB Table Point In Time Recovery Disabled in Checkmarx/kics#6624
  • fix(query): deprecated Memcached disabled query in Checkmarx/kics#6642
  • fix(query): checkFollowedBy query refactor in Checkmarx/kics#6545
  • fix(query): iam_access_analyzer_not_enabled skipping files in Checkmarx/kics#6873
  • fix(query): cloudformation cloudFront_without_waf in Checkmarx/kics#6641
  • fix(query): countLines, IgnoreLines and fileCommands in Checkmarx/kics#6611
  • fix(flag): validating if output path is valid in Checkmarx/kics#6877
  • fix(tests): uncommon testing in Checkmarx/kics#6898
  • fix(dependencies): replace directive order update in Checkmarx/kics#6903
  • fix(query): openapi Maximum Length Undefined in Checkmarx/kics#6717
  • fix(analyzer): gitignore only being used to exclude files from the project itself in Checkmarx/kics#6896

📦 Dependency updates bumps

  • build(deps): bump helm.sh/helm/v3 from 3.13.1 to 3.14.1 in Checkmarx/kics#6884
  • update(buildkit): buildkit upgrade to v0.12.5 in Checkmarx/kics#6912
  • build(deps): bump helm.sh/helm/v3 from 3.14.1 to 3.14.2 in Checkmarx/kics#6900

👻 Maintenance

... (truncated)

Changelog

Sourced from github.com/Checkmarx/kics's changelog.

Changes in v1.6.0


Breaking Changes

Processing .gitignore – paths assumed for KICS scan exclusion

From v1.6, KICS will read the .gitignore file in the root of the project to exclude the paths listed therein from the scan.

How does this impact your scans?

  • You will only be affected by this change if you use KICS locally on your development environment.
    • Notice that if you are using KICS on top of a repository (e.g., as part of a CI/CD pipeline) those paths already do not exist, so there will be no effect for those scenarios.
  • You’ll notice an apparent loss of results: results identified in files under the .gitignore paths will no longer be identified.

Consistency between scan with and without the -t flag

The -t or --type flag is used to instruct KICS to scan only files of specific technologies.

Before v1.6, KICS with the -t flag would scan the project and, in case there were no files of the specified technologies, it would terminate with the message “No files were scanned” and no other output.

From v1.6, KICS will keep its behavior consistent whether the -t flag is used or not. Meaning: it will always output a results file, even if an “empty” results report is created due to no files being scanned, as shown in the image below.

How does this impact your scans?

  • You will only be affected by this change if you use KICS with the flag -t/--type AND there are no files of the specified “type” in the scanned project.
  • If you rely on the message “No files were scanned” for some post-scan action, this change will also affect you, because that message disappears now.

Masking Secrets – Hide secrets from results when KICS finds them

From v1.6, KICS will mask/hide identified secrets in results reports, in order to avoid exposing them to undesirable report readers.

How does this impact your scans?

  • This is not likely to impact you in any way.
  • Notice that results of secrets and passwords will appear in a slightly different, but more secure, fashion (see below an example of an HTML report)

... (truncated)

Commits
  • 295c5e3 Merge pull request #6915 from Checkmarx/feature/kicsbot-update-docs-index
  • 696d3a8 update
  • 0b552e0 docs(kicsbot): preparing for release 1.7.13
  • 7da676c Merge pull request #6856 from Checkmarx/feature/kicsbot-update-queries-docs
  • 305c24c Merge branch 'master' into feature/kicsbot-update-queries-docs
  • bd90606 Merge pull request #6896 from Checkmarx/kics-1329
  • 02b86be Merge branch 'master' into kics-1329
  • c802e6f Merge pull request #6912 from Checkmarx/buildkit-upgrade
  • dc80878 bump(buildkit): buildkit upgrade to v0.12.5
  • 1c6e6d6 Merge branch 'master' into kics-1329
  • Additional commits viewable in compare view


Dependabot compatibility score

You can trigger a rebase of this PR by commenting @dependabot rebase.


Dependabot commands and options
You can trigger Dependabot actions by commenting on this PR:
  • `@dependabot rebase` will rebase this PR
  • `@dependabot recreate` will recreate this PR, overwriting any edits that have been made to it
  • `@dependabot merge` will merge this PR after your CI passes on it
  • `@dependabot squash and merge` will squash and merge this PR after your CI passes on it
  • `@dependabot cancel merge` will cancel a previously requested merge and block automerging
  • `@dependabot reopen` will reopen this PR if it is closed
  • `@dependabot close` will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually
  • `@dependabot show ignore conditions` will show all of the ignore conditions of the specified dependency
  • `@dependabot ignore this major version` will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
  • `@dependabot ignore this minor version` will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
  • `@dependabot ignore this dependency` will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)

Note Automatic rebases have been disabled on this pull request as it has been open for over 30 days.

github-actions[bot] commented 5 months ago

This PR is stale because it has been open 60 days with no activity. Remove stale label or comment or this will be closed in 30 days.

github-actions[bot] commented 2 months ago

This PR is stale because it has been open 60 days with no activity. Remove stale label or comment or this will be closed in 30 days.

github-actions[bot] commented 1 month ago

This PR was closed because it has been stalled for 90 days with no activity.

dependabot[bot] commented 1 month ago

OK, I won't notify you again about this release, but will get in touch when a new version is available. If you'd rather skip all updates until the next major or minor version, let me know by commenting @dependabot ignore this major version or @dependabot ignore this minor version. You can also ignore all major, minor, or patch releases for a dependency by adding an ignore condition with the desired update_types to your config file.

If you change your mind, just re-open this PR and I'll resolve any conflicts on it.