
Releases: Checkmarx/kics

v1.5.13

03 Aug 15:05
7690451

🚀 New features and improvements

added 4 queries for CloudFormation

🐛 Bug fixes

fix(query): azure aks rbac-variable changed (#5652) by @rndmh3ro
fix(query): azure aks policies addon var changed (#5661) by @rndmh3ro
fix(query): add missing name check in S3Bucket for AWS CloudFormation (#5642)
fix(bom): change AWS BOM resource_accessibility output values (#5639)
fix(detector): fixed memory leak (#5626)

📦 Dependency updates bumps

build(deps): bump github.com/aws/aws-sdk-go from 1.44.55 to 1.44.59 (#5613) (#5617) (#5624) (#5628)
build(deps): bump github.com/BurntSushi/toml from 1.1.0 to 1.2.0 (#5627)
ci(deps): bump alpine from 3.16.0 to 3.16.1 (#5618)
ci(deps): bump docker/build-push-action from 3.0.0 to 3.1.0 (#5623)

👻 Maintenance

update(docs): added KICS Auto Scanning Extension for Visual Studio documentation (#5662)

v1.5.12

15 Jul 15:24
902fa7b

🚀 New features and improvements

feat(query): add new k8s rule to detect attach permission (RBAC) (#5491) by @Churro
feat(query): add query to check iam policy to invoke lambda (#5542) by @jplanckeel

🐛 Bug fixes

fix(query): add wafv2 to query incl. negative test (#5529) by @AlexEndris
fix(scan behavior): ignore broken symlink (#5533) by @liorj-orca
fix(keyExpectedValue): convert to a recommendation rather than a current status (#5574) (#5576) (#5575) by @liorj-orca
fix(keyExpectedValue): ansible-aws queries convert to a recommendation rather than a current status (#5589) by @liorj-orca
fix(keyExpectedValue): ansible-azure queries convert to a recommendation rather than a current status (#5590) by @liorj-orca
fix(keyExpectedValue): AzureResourceManager queries convert to a recommendation rather than a current status (#5592) by @liorj-orca
fix(keyExpectedValue): ansible-gcp queries convert to a recommendation rather than a current status (#5591) by @liorj-orca
fix(cloud provider flag): support alicloud in the cloud provider flag (#5561)
fix(query): add check for ALB use in Terraform AWS Security Query (#5593)

📦 Dependency updates bumps

build(deps): bump github.com/tdewolff/minify/v2 from 2.11.10 to 2.12.0 (#5523) (#5563) (#5582)
build(deps): bump github.com/hashicorp/hcl/v2 from 2.12.0 to 2.13.0 (#5524)
build(deps): bump github.com/aws/aws-sdk-go from 1.44.39 to 1.44.55 (#5525) (#5531) (#5538) (#5545) (#5548) (#5552) (#5557) (#5562) (#5566) (#5571) (#5581) (#5585) (#5595) (#5603)
build(deps): bump github.com/stretchr/testify from 1.7.4 to 1.8.0 (#5530) (#5544)
build(deps): bump github.com/emicklei/proto from 1.10.0 to 1.11.0 (#5549)
build(deps): bump github.com/open-policy-agent/opa from 0.41.0 to 0.42.2 (#5555) (#5572) (#5596)
build(deps): bump github.com/cheggaaa/pb/v3 from 3.0.8 to 3.1.0 (#5580)
build(deps): bump helm.sh/helm/v3 from 3.9.0 to 3.9.1 (#5597)

ci(deps): bump styfle/cancel-workflow-action from 0.9.1 to 0.10.0 (#5537)
ci(deps): bump golang from 1.18.3-alpine to 1.18.4-alpine (#5586)

v1.5.11

22 Jun 14:11
2343a0f

🐛 Bug fixes

fix(query): uncomment cloud formation test sample (#5320) by @lipeavelar
fix(queries): align descriptionText to similar queries across different platforms #2 (#5460) by @roi-orca
fix(secrets inspector): added mutex to lock addVulnerability (#5503)
fix(analyzer): discard possible Dockerfile when they are not actually a Dockerfile (#5470)
update(dockerfile): fix CVE-2022-1586 and CVE-2022-29810 (#5492)
fix(resolver): exclude resolve path call for the same path reference (#5511)

📦 Dependency updates bumps

build(deps): bump github.com/aws/aws-sdk-go from 1.44.29 to 1.44.39 (#5468) (#5472) (#5477) (#5490) (#5498) (#5508)
build(deps): bump github.com/gookit/color from 1.5.0 to 1.5.1 (#5469)
build(deps): bump golang.org/x/tools from 0.1.10 to 0.1.11 (#5467)
build(deps): bump github.com/hashicorp/go-getter from 1.6.1 to 1.6.2 (#5473)
build(deps): bump github.com/tdewolff/minify/v2 from 2.11.9 to 2.11.10 (#5476)
build(deps): bump github.com/stretchr/testify from 1.7.2 to 1.7.4 (#5499)
build(deps): bump github.com/spf13/cobra from 1.4.0 to 1.5.0 (#5507)

ci(deps): bump actions/setup-python from 3 to 4 (#5462)

👻 Maintenance

update(query): improved "Resource Not Using Tags" description (#5483)

v1.5.10

08 Jun 15:08
583aeb7

🚀 New features and improvements

added 2 queries for Ansible and Terraform

feat(filesystem): double star support to exclude folders (#5408)
feat(result): added resourceType and resourceName to CloudFormation queries result (#5361)
feat(result): added resourceType and resourceName to Terraform queries result (#5387)

🐛 Bug fixes

fix(query): s3 bucket policy accepts http requests (#5415) by @LupovichRan
fix(query): fixed incorrect Dockerfile metadata (#5424) by @ramprasathasokan
fix(queries): align descriptionText to similar queries across different platforms (#5446) by @roi-orca
fix(queries): fixed function check_schemes of openapi lib (#5433)
fix(queries): corrected policies (#5441)
fix(filesystem): added mutex to lock read and write on map (#5429)
fix(analyzer): fixed Dockerfile analyzer approach (#5407)
fix(inspector): fix timeout secrets inspector (#5419)

📦 Dependency updates bumps

build(deps): bump github.com/aws/aws-sdk-go from 1.44.21 to 1.44.29 (#5404) (#5409) (#5414) (#5425) (#5431) (#5437) (#5445) (#5448)
build(deps): bump github.com/tdewolff/minify/v2 from 2.11.5 to 2.11.9 (#5420) (#5439) (#5444)
build(deps): bump github.com/hashicorp/terraform-json (#5405)
build(deps): bump github.com/spf13/viper from 1.11.0 to 1.12.0 (#5410)
build(deps): bump gopkg.in/yaml.v3 from 3.0.0 to 3.0.1 (#5413)
build(deps): bump github.com/open-policy-agent/opa from 0.40.0 to 0.41.0 (#5436)
build(deps): bump github.com/stretchr/testify from 1.7.1 to 1.7.2 (#5443)

ci(deps): bump golang from 1.18.2-alpine to 1.18.3-alpine (#5430)

👻 Maintenance

update(parser): support child modules in the tfplan payload (#5422)
update(dockerfile): added 256 color to Dockerfile (#5427)
update(queries): updated S3 Bucket queries for Terraform (#4872)
update(bom): updated AWS BOM S3 Bucket (#4873)
update(report): improved report message (#5418)
update(docs): added -t flag on docker run command (#5434)

v1.5.9

25 May 17:16
8dab4f0

🚀 New features and improvements

added 3 queries for Kubernetes and CloudFormation
feat(resolver): added openapi file resolver for json and yaml parsers (#5396)
feat(result): added resourceType and resourceName to Kubernetes queries result (#5355)
feat(result): added resourceType and resourceName to Azure Resource Management queries result (#5356)
feat(result): added resourceType and resourceName to Google Deployment Management queries result (#5357)
feat(result): added resourceType and resourceName to Ansible queries result (#5362)

🐛 Bug fixes

fix(query): fix/cmk rotation disabled on terraform asymmetric key creation (#5344) by @LupovichRan
fix(query): changed severity of Memcached Disabled query (#5349)
fix(ci): fixed access to CIFlag (#5395)
fix(cpu): fix number cpus macos (#5371)
fix(vulnerability builder): fixed and improved DefaultVulnerabilityBuilder (#5347)
fix(detector): fixed bug on GetBracketValues function (#5343)

📦 Dependency updates bumps

build(go): bump golang version to 1.18 (#5348)
build(deps): bump helm.sh/helm/v3 from 3.8.2 to 3.9.0 (#5374)
build(deps): bump github.com/tdewolff/minify/v2 from 2.11.2 to 2.11.5 (#5392)
build(deps): bump mvdan.cc/sh/v3 from 3.4.3 to 3.5.1 (#5341) (#5391)
build(deps): bump github.com/hashicorp/go-getter from 1.5.11 to 1.6.1 (#5372) (#5378)
build(deps): bump github.com/aws/aws-sdk-go from 1.44.11 to 1.44.21 (#5340) (#5345) (#5350) (#5353) (#5366) (#5373) (#5377) (#5385) (#5393) (#5397)
ci(deps): bump golangci/golangci-lint-action from 3.1.0 to 3.2.0 (#5339)
ci(deps): bump goreleaser/goreleaser-action from 2.9.1 to 3.0.0 (#5390)
ci(deps): bump alpine from 3.15.4 to 3.16.0 (#5394)

👻 Maintenance

update(resolver): implemented limit in resolver to 50 files (#5398)
update(kics): reduced the number of code files (#5325)
update(query): updated description of Ensure Administrative Boundaries Between Resources query (#5388)
update(query): added support to .crt file for Client Certificate Authentication Not Setup Properly query (#5360)

Contributors: @LupovichRan

v1.5.8

11 May 17:21
38bb9f3

🚀 New features and improvements

added 4 queries for Kubernetes
feat(query): add new k8s rule to detect port-forwarding into containers (RBAC) (#5266) by @Churro
feat(query): add new k8s rule to detect account impersonation (RBAC) (#5267) by @Churro
feat(query): add new k8s rule to detect bind or escalate permissions (RBAC) (#5268) by @Churro
feat(query): add new k8s rule to detect exec permissions (RBAC) (#5286) by @Churro
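
The attach-permission query in v1.5.12 above and the four RBAC queries in this release all look for the same shape of rule: a Role or ClusterRole whose verbs on a sensitive resource or subresource give a subject a way into running containers (attach, exec, port-forward) or up the privilege ladder (impersonate, bind, escalate). The script below is an added example and not KICS's own query: KICS writes these checks in Rego over parsed manifests, while this stand-alone reimplementation of the same idea takes Role/ClusterRole objects already parsed into dicts. The resource/verb table, the sample roles and the function names are assumptions made for the example; the verbs follow what the API server checks for each subresource or action.

```python
"""Flag Kubernetes RBAC rules that grant attach, exec, port-forward, impersonation,
bind/escalate or blanket wildcard permissions.

Added example, not a KICS query. Input is a Role or ClusterRole already loaded
into a dict (what a YAML or JSON loader returns)."""
from __future__ import annotations

# resource -> (apiGroups it lives in, verbs that grant the capability, what the subject can then do)
# "" is the core API group. attach/exec/portforward are subresources reached by POST (create)
# or, for websocket clients, GET; impersonate/bind/escalate are dedicated RBAC verbs.
RISKY_RESOURCES = {
    "pods/attach":      ({""}, {"create", "get"}, "attach to running containers"),
    "pods/exec":        ({""}, {"create", "get"}, "run commands inside containers"),
    "pods/portforward": ({""}, {"create", "get"}, "port-forward into containers"),
    "users":            ({""}, {"impersonate"}, "act as any user"),
    "groups":           ({""}, {"impersonate"}, "act as any group"),
    "serviceaccounts":  ({""}, {"impersonate"}, "act as any service account"),
    "roles":            ({"rbac.authorization.k8s.io"}, {"bind", "escalate"}, "grant or extend roles"),
    "clusterroles":     ({"rbac.authorization.k8s.io"}, {"bind", "escalate"}, "grant or extend cluster roles"),
}


def _granted(granted: list[str], wanted: str) -> bool:
    """RBAC list membership: '*' means everything and 'pods/*' means every pod subresource."""
    if "*" in granted or wanted in granted:
        return True
    parent, sep, _ = wanted.partition("/")
    return bool(sep) and f"{parent}/*" in granted


def risky_rules(role: dict) -> list[dict]:
    """One finding per dangerous (resource, verb) pair in a Role or ClusterRole."""
    name = role.get("metadata", {}).get("name", "<unnamed>")
    findings = []
    for idx, rule in enumerate(role.get("rules", [])):
        groups = rule.get("apiGroups", [""])  # omitted apiGroups means the core group
        resources = rule.get("resources", [])
        verbs = rule.get("verbs", [])
        if "*" in resources and "*" in verbs:
            findings.append({"role": name, "rule": idx, "resource": "*", "verb": "*",
                             "reason": "wildcard rule: every verb on every resource"})
            continue
        for res, (api_groups, risky_verbs, reason) in RISKY_RESOURCES.items():
            if not any(_granted(groups, g) for g in api_groups) or not _granted(resources, res):
                continue
            for verb in sorted(risky_verbs):
                if _granted(verbs, verb):
                    findings.append({"role": name, "rule": idx, "resource": res,
                                     "verb": verb, "reason": reason})
    return findings


def scan(roles: list[dict]) -> list[dict]:
    return [f for r in roles for f in risky_rules(r)]


# Constructed sample manifests (already parsed), not taken from the KICS test suite.
SAMPLE_ROLES = [
    {   # looks like a read-ish debug role but the wildcard verb grants exec and port-forward
        "apiVersion": "rbac.authorization.k8s.io/v1", "kind": "Role",
        "metadata": {"name": "debugger", "namespace": "dev"},
        "rules": [{"apiGroups": [""], "resources": ["pods", "pods/exec", "pods/portforward"], "verbs": ["*"]}],
    },
    {   # read-only on pods and logs: must not be flagged
        "apiVersion": "rbac.authorization.k8s.io/v1", "kind": "Role",
        "metadata": {"name": "viewer", "namespace": "dev"},
        "rules": [{"apiGroups": [""], "resources": ["pods", "pods/log"], "verbs": ["get", "list", "watch"]}],
    },
    {   # escalation path: can bind any ClusterRole and impersonate service accounts
        "apiVersion": "rbac.authorization.k8s.io/v1", "kind": "ClusterRole",
        "metadata": {"name": "ops"},
        "rules": [
            {"apiGroups": ["rbac.authorization.k8s.io"], "resources": ["clusterroles"], "verbs": ["bind"]},
            {"apiGroups": [""], "resources": ["serviceaccounts"], "verbs": ["impersonate"]},
        ],
    },
]

if __name__ == "__main__":
    for f in scan(SAMPLE_ROLES):
        print(f"{f['role']} rule[{f['rule']}]: {f['verb']} {f['resource']} -> {f['reason']}")
```

Two details matter when writing or reviewing rules like these: a rule on `pods` alone does not grant `pods/exec` (subresources must be named, or covered by `pods/*` or `*`), and `verbs: ["*"]` on an otherwise harmless-looking resource list is how exec and port-forward usually slip through review.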

🐛 Bug fixes

fix(query): adjusted severity rating and added searchLine in rbac_wildcard_in_rule k8s rule (#5264) by @Churro
fix(password and secrets): improve performance (#5334)
fix(cpu): fixed number of cpus available info (#5321)
fix(samples): k8s queries (#5322)
fix(doc): fix syntax (#5309) by @nv35

📦 Dependency updates bumps

build(deps): bump github.com/aws/aws-sdk-go from 1.44.4 to 1.44.11 (#5297) (#5299) (#5306) (#5318) (#5323) (#5329) (#5330)
build(deps): bump github.com/moby/buildkit from 0.10.2 to 0.10.3 (#5324)
build(deps): bump github.com/johnfercher/maroto from 0.36.1 to 0.37.0 (#5331)

ci(deps): bump golang from 1.18.1-alpine to 1.18.2-alpine (#5332)
ci(deps): bump docker/setup-qemu-action from 1 to 2 (#5315)
ci(deps): bump docker/build-push-action from 2.10.0 to 3.0.0 (#5316)
ci(deps): bump docker/login-action from 1.14.1 to 2.0.0 (#5317)

👻 Maintenance

update(query): update Network ACL With Unrestricted Access To RDP (#5296)
update(query): update category and severities according with issue 5220 (#5292)
update(query): update StatefulSet Without Service Name for Kubernetes (#5303)
update(query): update Remote Desktop Port Open To Internet and HTTP Port Open To Internet (#5307)
update(query): update Audit Policy Not Cover Key Security Concerns for Kubernetes (#5326)
update(query): update Missing Flag From Dnf Install for Dockerfile (#5310)
update(query): update Storage Account Not Using Latest TLS Encryption Version for Terraform Azure (#5314)
update(queries): add check for traffic direction in port queries in some providers (#5313)
update(docs): update installation options and notes (#5293) by @konstruktoid
update(docs): removed results formats list from results section (#5308)

Contributors: @Churro, @konstruktoid, @nv35

v1.5.7

02 May 14:07
1b5a6b9

🚀 New features and improvements

added 19 new queries (Terraform, Kubernetes)

feat(report): added Code Climate report (#5261)

🐛 Bug fixes

fix(query): extended scope of MissingAttribute rule in seccomp k8s rule (#5201) by @Churro
fix(query): fixed searchKey and resource kind in pod_or_container_without_resource_quota k8s rule (#5199) by @Churro
fix(query): fixed searchKey and resource kind in pod_or_container_without_limit_range k8s rule (#5198) by @Churro
fix(query): added support for aws_iam_policy_document.Principals to policy_without_principal tf rule (#5196) by @Churro
fix(query): fixed SNS Topic is Publicly Accessible (#5210)
fix(query): fixed Api Gateway Without Content Encoding (#5215)
fix(query): fixed Api Gateway Without Content Encoding on Terraform platform (#5227)
fix(query): fixed ALB Listening on HTTP for AWS CloudFormation (#5212)
fix(query): updated ecr_repositories_not_encrypted TF rule to match KMS type (#5195) by @Churro
fix(queries): fixed aws unique identifiers from common queries (#5236)
fix(query): remove viewer from list of improper privileges (#5211) by @jaevans
fix(query): added possibility of security group being declared as a variable (#5208)
fix(filesystem): fixed GetExcludedPaths (#5288)
fix(e2e): results json compare (index out of range) (#5209)
fix(yaml parser): added model.NewIgnore.Reset() at the beginning of the YAML parser (#5255)
docs(implementations): fix changed directory for kics assets queries (#5213) by @roock

📦 Dependency updates bumps

build(deps): bump github.com/aws/aws-sdk-go from 1.43.39 to 1.44.4 (#5200) (#5218) (#5224) (#5230) (#5244) (#5256) (#5269) (#5281)
build(deps): bump github.com/tidwall/gjson from 1.14.0 to 1.14.1 (#5217)
build(deps): bump github.com/emicklei/proto from 1.9.2 to 1.10.0 (#5216)
build(deps): bump github.com/hashicorp/hcl/v2 from 2.11.1 to 2.12.0 (#5238)
build(deps): bump github.com/moby/buildkit from 0.10.1 to 0.10.2 (#5270)
build(deps): bump github.com/tdewolff/minify/v2 from 2.11.1 to 2.11.2 (#5257)

ci(deps): bump checkmarx/kics-action from 1.4 to 1.5 (#5207)
ci(deps): bump github/codeql-action from 1 to 2 (#5243)

👻 Maintenance

update(analyzer): analyzer usage when types flag is passed (#5222)
update(query): updated Unpinned Package Version in Apk Add (#5181)
update(query): updated metadata of Add Instead Copy query (#5233)
update(docs): updated missing technologies supported in docs (#5223) (#5226)
update(docs): removed -q flag from integration examples (#5225)
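
The "Unpinned Package Version in Apk Add" query updated above flags `apk add` operands that carry no explicit `=version` pin, which makes an image build non-reproducible and lets a later package version enter the image without any change to the Dockerfile. The script below is an added example, not KICS's Rego query: it walks the RUN instructions of a constructed Dockerfile, joins backslash continuations, splits shell command chains, skips apk options and their values, and reports every package without a pin. The Dockerfile, the option table and the function names are assumptions for the example; exec-form RUN, heredocs and comments inside a continuation are not handled.

```python
"""Report unpinned packages in `apk add` commands of a Dockerfile.

Added example, not the KICS query. Only the shell form of RUN is handled."""
from __future__ import annotations
import re
import shlex

# Constructed Dockerfile (not from the KICS samples): one unpinned package per offending RUN line.
DOCKERFILE = """\
FROM alpine:3.16.1
RUN apk update && apk add --no-cache curl=7.83.1-r2 \\
    git openssl=1.1.1q-r0
RUN apk add -U --virtual .build bash
RUN apk add --no-cache --repository https://dl-cdn.alpinelinux.org/alpine/edge/main python3=3.10.5-r0
"""

# apk options that consume the following token, so that token is not a package name (assumption:
# the common ones; an unknown value-taking option would make its argument look like a package)
VALUE_OPTS = {"--repository", "-X", "--virtual", "-t", "--cache-dir", "--root", "-p", "--arch", "--keys-dir"}


def instructions(dockerfile: str):
    """Yield (line_no, INSTRUCTION, argument) with backslash continuations joined and comments skipped."""
    buf, start = [], 0
    for no, raw in enumerate(dockerfile.splitlines(), 1):
        line = raw.rstrip()
        if not buf:
            if not line.strip() or line.lstrip().startswith("#"):
                continue
            start = no
        if line.endswith("\\"):
            buf.append(line[:-1])
            continue
        buf.append(line)
        text = " ".join(part.strip() for part in buf)
        buf = []
        keyword, _, arg = text.partition(" ")
        yield start, keyword.upper(), arg.strip()


def apk_add_packages(command: str) -> list[str]:
    """Package operands of a single `apk add` command, skipping options and their values."""
    toks = shlex.split(command)
    if len(toks) < 2 or toks[0] != "apk" or "add" not in toks:
        return []
    pkgs, skip_next = [], False
    for tok in toks[toks.index("add") + 1:]:
        if skip_next:
            skip_next = False
        elif tok in VALUE_OPTS:
            skip_next = True
        elif not tok.startswith("-"):
            pkgs.append(tok)
    return pkgs


def unpinned_apk_packages(dockerfile: str) -> list[tuple[int, str]]:
    """(line, package) for every apk add operand without an explicit '=version' pin."""
    findings = []
    for line_no, keyword, arg in instructions(dockerfile):
        if keyword != "RUN" or arg.startswith("["):  # exec form not handled
            continue
        for cmd in re.split(r"&&|\|\||;", arg):  # one shell command at a time
            for pkg in apk_add_packages(cmd.strip()):
                if "=" not in pkg:  # apk pins look like name=1.2.3-r0
                    findings.append((line_no, pkg))
    return findings


if __name__ == "__main__":
    for line_no, pkg in unpinned_apk_packages(DOCKERFILE):
        print(f"line {line_no}: '{pkg}' is not pinned to a version")
```

The continuation handling is the part worth keeping from this: a scanner that looks only at the physical line holding `apk add` misses the packages on the wrapped lines, which is exactly where unpinned entries tend to be appended over time.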

New Contributors

Full Changelog: v1.5.6...v1.5.7

v1.5.6

18 Apr 16:41
1a27045

🚀 New features and improvements

added 54 new queries (Docker Compose, Kubernetes, and CloudFormation)

feat(bom): support BoM for CloudFormation (#5178)
feat(scripts): added query metadata validation script (#5167)

🐛 Bug fixes

fix(script): queries validator files filtering (#5202)
fix(query): update Viewer Protocol Policy Allows HTTP (#5174)
fix(query): renamed folder and query, changed query description (#5173)
delete(query): Remove false positive host_aliases_undefined_or_empty k8s rule (#5077) by @Churro

📦 Dependency updates bumps

build(deps): bump github.com/aws/aws-sdk-go from 1.43.28 to 1.43.39 (#5111) (#5114) (#5134) (#5171) (#5180) (#5182) (#5186)
build(deps): bump github.com/open-policy-agent/opa from 0.38.1 to 0.39.0 (#5110)
build(deps): bump github.com/johnfercher/maroto from 0.35.0 to 0.36.1 (#5109) (#5169)
build(deps): bump github.com/tdewolff/minify/v2 from 2.10.0 to 2.11.1 (#5170)
build(deps): bump github.com/BurntSushi/toml from 1.0.0 to 1.1.0 (#5143)
build(deps): bump github.com/moby/buildkit from 0.10.0 to 0.10.1 (#5163)
build(deps): bump helm.sh/helm/v3 from 3.8.1 to 3.8.2 (#5185)
build(deps): bump github.com/spf13/viper from 1.10.1 to 1.11.0 (#5187)

ci(deps): bump alpine from 3.15.3 to 3.15.4 (#5142)
ci(deps): bump golang from 1.18.0-alpine to 1.18.1-alpine (#5184)
ci(deps): bump actions/setup-go from 2 to 3 (#5168)

👻 Maintenance

update(kics): improve KICS overall performance (#5112)
update(logs): added debug and info log messages (#5192)
update(docs): updated documentation (#5138)

Full Changelog: v1.5.5...v1.5.6

v1.5.5

30 Mar 16:36
bdf614f

🚀 New features and improvements

added 30 new queries (Kubernetes, and Docker Compose)
feat(analyzer): added Docker Compose initial support (#4851)
feat(report): added CSV report (#5046)
feat(logs): added lines scanned and lines parsed (#5050)
feat(analyzer & parser): added Kubelet Configuration support (#5001) (#5013)

🐛 Bug fixes

fix(secrets regex): added "Avoiding Secrets Manager arn" (#5048)
fix(pre-commit): pre-commit hook fix and integration update (#5031) (#5069)
fix(query): updated ebs not optimized queries (#5020) by @lipeavelar
fix(query): defined NET_BIND_SERVICE as exception in containers_with_added_capabilities k8s rule (#4888) by @Churro
fix(query): extended containers_running_as_root k8s rule to work if no securityContext is defined (#4886) by @Churro
fix(query): refined missing_app_armor_config k8s rule to operate on specific containers (#4895) by @Churro
fix(query): fixed "S3 Static Website Host Enabled" for CF (#5060)
fix(query): added kubelet config file to Kubelet Read Only Port is Not Set To Zero query (#5010)
fix(query): added kubelet config to Anonymous Auth Is Not Set To False query (#5014)
fix(query): added kubelet config to Authorization Mode Set To Always Allow query (#5017)
fix(query): update validCertificate.pem for "Certificate Has Expired" query (#5059) (#5061)
fix(query): fixed Client Certificate Authentication Not Setup Properly (#5091)
delete(query): removed query lambda_function_without_tags (#5036) by @jycamier
delete(query): removed redundant default_service_account_in_use k8s rule (#5078) by @Churro
delete(query): removed redundant resource_with_allow_privilege_escalation k8s rule (#5076) by @Churro

📦 Dependency updates bumps

build(deps): bump github.com/aws/aws-sdk-go from 1.43.19 to 1.43.28 (#5004) (#5019) (#5033) (#5041) (#5047) (#5079) (#5083)
build(deps): bump github.com/johnfercher/maroto from 0.34.0 to 0.35.0 (#5040)

ci(deps): bump golang from 1.17.8-alpine to 1.18.0-alpine (#5003)
ci(deps): bump alpine from 3.15.1 to 3.15.3 (#5015) (#5039) (#5082)
ci(deps): bump peter-evans/create-pull-request from 3.14.0 to 4 (#5038)
ci(deps): bump actions/cache from 2.1.7 to 3 (#5025)
ci(deps): bump peter-evans/repository-dispatch from 1 to 2 (#5032)

👻 Maintenance

update(common lib): improved performance of get_nested_values_info (#5075) by @Churro
update(docs): gitlab integration: clarify that SAST report requires an ultimate license (#5086) by @floh96
update(printer): moved printer package from internal to use KICS as a module (#5066)
update(query): updated "Kubelet Server Periodic Certificate Switch Disabled" to "Rotate Kubelet Server Certificate Not Active" (#5030)
update(query): updated AWS IAM Policy Grants Full Permissions for Terraform (#5064)
update(BoM): updated BoM queries and BoM docs (#5074)

v1.5.4

16 Mar 17:09
5469a40

🚀 New features and improvements

added 107 new queries (Terraform Alicloud, Terraform Azure, Terraform AWS, Kubernetes), new total is 2245
feat(alicloud): added support to Alicloud provider for Terraform
feat(analyzer & parser): decrypt Ansible Vault file on the fly (#4976)
feat(docs): added environment variables list to documentation (#4979)

🐛 Bug fixes

fix(query): revise list of unsafe sysctls in cluster_allows_unsafe_sysctls k8s rule (#4883) by @Churro
fix(query): fix searchKey and additional resource kinds in volume_mount_with_os_directory_write_permissions k8s rule (#4889) by @Churro
fix(query): extend image_without_digest k8s rule to cover further resource kinds (#4892) by @Churro
fix(query): extend container_requests_not_equal_to_its_limits k8s rule to cover further resource kinds and remove redundant checks (#4974) by @Churro
fix(query): extend image_pull_policy_of_container_is_not_always k8s rule to cover additional resource kinds (#4891) by @Churro
fix(query): extend net_raw_capabilities_not_being_dropped k8s rule to cover further resource kinds (#4884) by @Churro
fix(query): k8s rule service_account_token_automount_not_disabled should also consider automount option in ServiceAccount (#4887) by @Churro
fix(query): add a missing SSE way for SQS (#4984) by @jycamier
fix(query): show privilege_escalation_allowed k8s alert also in case no securityContext is defined (#4885) by @Churro
fix(query): extend memory_limits_not_defined k8s rule to cover further resource kinds (#4943) by @Churro
fix(query): extend memory_requests_not_defined k8s rule to cover further resource kinds (#4944) by @Churro
fix(query): fix path to spec in root_container_not_mounted_as_read_only k8s rule (#4893) by @Churro
fix(query): S3 Bucket Policy Accepts Http Requests (#4949)
fix(report): fix pdf description row length (#4937)
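
The "S3 Bucket Policy Accepts Http Requests" fix above (and its follow-up in v1.5.10) concerns one specific statement: a bucket policy only blocks plaintext access when it carries an explicit Deny for every principal and every S3 action, on both the bucket ARN and its objects, conditioned on `aws:SecureTransport` being false. The script below is an added example and not KICS's query (which runs in Rego over parsed Terraform and CloudFormation): it applies the same check directly to a policy document loaded as a dict and produces the statement that satisfies it. The sample bucket, account ID, policies and function names are assumptions made for the example; `NotAction`/`NotResource` statements are not handled.

```python
"""Check whether an S3 bucket policy denies plaintext (non-TLS) requests.

Added example, not the KICS query. Works on a policy document already parsed into a dict."""
from __future__ import annotations
import fnmatch
import json


def _as_list(value) -> list:
    # IAM accepts a scalar wherever a list is allowed
    return value if isinstance(value, list) else [value]


def _covers(patterns: list, wanted: str) -> bool:
    """IAM-style wildcard match ('*' any run, '?' one char); fnmatch has the same semantics
    for the characters that occur in ARNs and action names."""
    return any(fnmatch.fnmatchcase(wanted, str(p)) for p in patterns)


def _everyone(principal) -> bool:
    if principal == "*":
        return True
    return isinstance(principal, dict) and "*" in _as_list(principal.get("AWS", []))


def denies_insecure_transport(policy: dict, bucket_arn: str) -> bool:
    """True only if one statement denies all principals every S3 action on both the bucket
    and its objects when aws:SecureTransport is false. A Deny that names only 'bucket/*'
    still allows ListBucket over HTTP, so both ARNs are required."""
    for stmt in _as_list(policy.get("Statement", [])):
        if stmt.get("Effect") != "Deny" or not _everyone(stmt.get("Principal")):
            continue
        cond = stmt.get("Condition", {}).get("Bool", {})
        values = [str(v).lower() for v in _as_list(cond.get("aws:SecureTransport", []))]
        if values != ["false"]:
            continue
        if not _covers(_as_list(stmt.get("Action", [])), "s3:*"):
            continue
        resources = _as_list(stmt.get("Resource", []))
        if _covers(resources, bucket_arn) and _covers(resources, f"{bucket_arn}/*"):
            return True
    return False


def secure_transport_deny(bucket_arn: str) -> dict:
    """The statement the check looks for; append it to a policy that lacks it."""
    return {
        "Sid": "DenyInsecureTransport",
        "Effect": "Deny",
        "Principal": "*",
        "Action": "s3:*",
        "Resource": [bucket_arn, f"{bucket_arn}/*"],
        "Condition": {"Bool": {"aws:SecureTransport": "false"}},
    }


# Constructed sample bucket and policies (not from the KICS test fixtures)
BUCKET_ARN = "arn:aws:s3:::example-audit-logs"
WEAK_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "ReaderRoleAccess",
        "Effect": "Allow",
        "Principal": {"AWS": "arn:aws:iam::123456789012:role/log-reader"},
        "Action": ["s3:GetObject", "s3:ListBucket"],
        "Resource": [BUCKET_ARN, f"{BUCKET_ARN}/*"],
    }],
}
FIXED_POLICY = {
    "Version": "2012-10-17",
    "Statement": WEAK_POLICY["Statement"] + [secure_transport_deny(BUCKET_ARN)],
}

if __name__ == "__main__":
    for label, policy in (("weak", WEAK_POLICY), ("fixed", FIXED_POLICY)):
        print(f"{label}: denies HTTP = {denies_insecure_transport(policy, BUCKET_ARN)}")
    print(json.dumps(secure_transport_deny(BUCKET_ARN), indent=2))
```

The usual wrong fix is an Allow conditioned on `aws:SecureTransport` being true: it grants nothing new over TLS and denies nothing over HTTP, so access granted by other statements or by the caller's IAM policy still works in plaintext. That is why the check insists on an explicit Deny rather than the presence of the condition key.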

📦 Dependency updates bumps

build(deps): bump github.com/open-policy-agent/opa from 0.37.2 to 0.38.1 (#4913) (#4987)
build(deps): bump github.com/moby/buildkit from 0.9.3 to 0.10.0 (#4958)
build(deps): bump github.com/spf13/cobra from 1.3.0 to 1.4.0 (#4966)
build(deps): bump helm.sh/helm/v3 from 3.8.0 to 3.8.1 (#4957)
build(deps): bump github.com/getsentry/sentry-go from 0.12.0 to 0.13.0 (#4965)
build(deps): bump github.com/stretchr/testify from 1.7.0 to 1.7.1 (#4995)
build(deps): bump github.com/aws/aws-sdk-go from 1.43.9 to 1.43.19 (#4932) (#4956) (#4967) (#4973) (#4986) (#4994)
ci(deps): bump docker/build-push-action from 2.9.0 to 2.10.0 (#4985)
ci(deps): bump golang from 1.17.7-alpine to 1.17.8-alpine (#4933)

👻 Maintenance

update(ubi): update ubi to version 8 (#4905)
update(docs-generator): added trace to severities (#4998)

Full Changelog: v1.5.3...v1.5.4