Releases: Checkmarx/kics

v1.5.3

02 Mar 19:38
8f3f632

🐛 Bug fixes

fix(analyzer): fixed and improved regexes in analyzer #4857
fix(reports): version output on reports #4879
fix(query): extend container_is_privileged k8s rule to cover additional resource kinds by @Churro in #4882
fix(library): fixed "Generic:354: rego_type_error: rule named engines redeclared at Common:354" #4862
fix(query): corrected tag flagging invalid_image k8s rule by @Churro in #4894

📦 Dependency updates bumps

build(deps): bump mvdan.cc/sh/v3 from 3.4.2 to 3.4.3 #4865
build(deps): bump github.com/aws/aws-sdk-go from 1.42.53 to 1.43.9 #4902 #4861
ci(deps): bump actions/setup-python from 2.3.2 to 3 #4900
ci(deps): bump goreleaser/goreleaser-action from 2.8.1 to 2.9.1 #4899
ci(deps): bump peter-evans/create-pull-request from 3.12.1 to 3.14.0 #4897
ci(deps): bump actions/setup-node from 2 to 3 #4880
ci(deps): bump actions/checkout from 2 to 3 #4903
ci(deps): bump alpine from 3.14.3 to 3.15.0 #4559
ci(deps): bump golangci/golangci-lint-action from 2.5.2 to 3.1.0 #4898
ci(deps): bump docker/login-action from 1.12.0 to 1.14.1 #4904 #4855

👻 Maintenance

refactor(query): simplify docker_daemon_socket_is_exposed_to_containers k8s rule by @Churro in #4890
update(query): update "Trusted Microsoft Services Not Enabled" #4858
update(docs): updated roadmap #4868
update(queries): multi-staged aware for Docker queries #4877
delete(queries): delete "update" and "upgrade" Dockerfile queries #4878

💔 Deprecation

Please be notified that KICS deprecated the availability of binaries in the GitHub releases assets as of version 1.5.2.
It is advised to update all systems (pipelines, integrations, etc.) to use KICS Docker Images.

Full Changelog: v1.5.2...v1.5.3

v1.5.2

16 Feb 17:44
c1f4f3e

🚀 New features and improvements

added 4 new queries (Ansible, CloudFormation, and Terraform)
feat(terraformer): added terraformer integration with AZURE #4802
feat(terraformer): added terraformer integration with GCP #4804
feat(terraform): added support for better IAM Policy evaluation and basic terraform resource relationship querying by @rams3sh in #4766
feat(docs): added Bamboo integration #4791
feat(docs): added AWS CodeBuild integration #4790
feat(cli): multiple paths for queries #4813

🐛 Bug fixes

fix(bom): fixed SQS #4820
fix(golang): fixed generic error message go-getter #4792
fix(analyzer): fixed analyzer scan on GDM #4805
fix(query): containers-run-with-low-uid k8s query should consider statement precedence by @Churro in #4788
fix(query): update seccomp-profile-is-not-configured rule to match seccompProfile attribute by @Churro in #4789
fix(query): fixed vulnerable policies queries #4811
fix(query): extended readinessProbe k8s rule to cover additional resources by @Churro in #4829
fix(query): changed severity, description text and URL in "Liveness Probe Is Not Defined" query #4834
fix(query): covered additional deprecated API versions in k8s rule by @Churro in #4830
fix(query): update service_does_not_target_pod k8s rule with new logic to match labels and ports by @Churro in #4817
fix(query): be able to check default_tags on multiple providers by @jycamier in #4839
fix(query): fixed "Service Control Policies Disabled" query #4843

📦 Dependency updates bumps

ci(deps): bump actions/setup-python from 2.3.1 to 2.3.2 #4797
ci(deps): bump golang from 1.17.6-alpine to 1.17.7-alpine #4827
build(deps): bump github.com/open-policy-agent/opa from 0.37.1 to 0.37.2 #4826
build(deps): bump github.com/tidwall/gjson from 1.13.0 to 1.14.0 #4786
build(deps): bump github.com/aws/aws-sdk-go from 1.42.47 to 1.42.48 #4800
build(deps): bump github.com/aws/aws-sdk-go from 1.42.52 to 1.42.53 #4837

👻 Maintenance

update(report): added Checkmarx logo to pdf and HTML reports #4838 #4844 #4847
update(report): improved junit report #4796
update(docs): updated ASFF documentation #4784
update(docs): added mention to 'descriptionID' in creating-queries documentation #4835
update(analyzer): only analyze possible IaC files #4814
remove(query): removed "Use of Apk Upgrade" query #4832

💔 Deprecation

Please be notified that KICS deprecated the availability of binaries in the GitHub releases assets as of version 1.5.2.
It is advised to update all systems (pipelines, integrations, etc.) to use KICS Docker Images.

v1.5.1

02 Feb 15:51
17e483e

🚀 New features and improvements

added 18 new queries (Google Deployment Manager, CloudFormation, Buildah, and Terraform)
feat(analyzer): added support to Cloud Development Kit for Terraform (CDKTF) (#4770)
feat(buildah): added initial Buildah support (#4740)

🐛 Bug fixes

fix(query): fix terraform query for ingress/egress description (#4736)
fix(golang): fixed golang data races and make file (#4741)
fix(version): fixed bug with version checking (#4675) (#4760)
fix(parser): added type handler to Terraform convertBody function (#4768)
fix(parser): added YAML alias as string (#4767)
fix(query): limited "IAM Access Analyzer Undefined" only for AWS (#4772)
fix(query): service should match containerPort using targetPort (#4762)
fix(report): fixed CycloneDX report for compressed files (#4761)
fix(report): fixed null ASFF report (#4756)

📦 Dependency updates bumps

build(deps): bump github.com/hashicorp/hcl/v2 from 2.10.1 to 2.11.1 (#4716)
build(deps): bump github.com/spf13/cobra from 1.2.1 to 1.3.0 (#4717)
build(deps): bump github.com/BurntSushi/toml from 0.4.1 to 1.0.0 (#4718)
build(deps): bump github.com/aws/aws-sdk-go from 1.37.0 to 1.42.44 (#4765)
build(deps): bump github.com/johnfercher/maroto from 0.33.0 to 0.34.0 (#4746)
build(deps): bump helm.sh/helm/v3 from 3.7.2 to 3.8.0 (#4747)
build(deps): bump github.com/hashicorp/go-getter from 1.5.9 to 1.5.11 (#4745)
build(deps): bump github.com/tdewolff/minify/v2 from 2.9.29 to 2.10.0 (#4778)
build(deps): bump github.com/emicklei/proto from 1.9.1 to 1.9.2 (#4777)
build(deps): bump github.com/open-policy-agent/opa from 0.34.2 to 0.37.1 (#4776)
ci(deps): bump peter-evans/create-pull-request from 3.12.0 to 3.12.1 (#4769)
ci(deps): bump docker/build-push-action from 2.8.0 to 2.9.0 (#4775)

👻 Maintenance

update(report): updated gitlab sast report schema version (#4720)
update(terraformer): added timestamp to generated import folder (#4733)
build(env): added dev build tag (#4729)
docs(kics.io): removed references to binaries usage and changed all cmds to Docker cmds (#4757)

💔 Deprecation

Please be notified that KICS is deprecating the availability of binaries in the GitHub releases assets as of 1.5.0.
We intend to stop publishing the binaries along with KICS 1.5.2 (scheduled for mid-February).
It is advised to update all systems (pipelines, integrations, etc.) to use KICS Docker Images.

v1.5.0

19 Jan 22:15
db927f9

🚀 New features and improvements

feat(terraformer): added terraformer integration (#4686)
added 10 AWS SAM queries for CloudFormation
added 31 new queries (AWS SAM, Ansible, Cloudformation, Terraform, Google Deployment Manager)
feat(SAM): added support to AWS Serverless Application Model
feat(report): added ASFF report (#4684)
feat(parser): support of YAML alias (#4659)
feat(secrets inspector): consideration of kics-scan enable/disabled comment commands (#4654)
feat(cli): added chars limit on vulnerable line display (#4668)
feat(cli): added contribution appeal when the user includes external queries (#4669)
feat(bom): added SQS Queue Policy (#4619)
feat(bom): split encryption from accessibility (#4632)

🐛 Bug fixes

fix(yaml): ignore lines by comments (#4662)
fix(core): Fixed bug when trying to read encrypted zip file (#4639)
fix(parser): fixed KICS panic in getLastElementLine (#4651)
fix(detector): fixed KICS panic in getKeyWithCurlyBrackets (#4673)
fix(parser): fixed KICS panic in empty fifo value access (#4658)
fix: deleted extraction folder after KICS scan (#4638)
fix(bom): corrected get_accessibility for aws_bucket (#4664)
fix(query): deleting searchLine in "Resource Not Using Tags" for Terraform (#4618)
fix(query): updated "S3 Bucket Without Enabled MFA Delete" for Terraform (#4635)
fix(query): updated "CloudFront Without Minimum Protocol TLS 1.2" for Ansible, CloudFormation, and Terraform (#4636)
fix(query): refactored "DB Security Group Has Public IP" for Ansible, CloudFormation, and Terraform (#4665)
fix(report): added space between description and results in pdf report (#4637)

📦 Dependency updates bumps

ci(deps): bump golang from 1.17.5-alpine to 1.18beta1-alpine (#4670)
ci(deps): bump golang from 1.17.5-alpine to 1.17.6-alpine (#4674)
ci(deps): bump goreleaser/goreleaser-action from 2.8.0 to 2.8.1 (#4687)
ci(deps): bump docker/login-action from 1.10.0 to 1.12.0 (#4621)
ci(deps): bump docker/build-push-action from 2.7.0 to 2.8.0 (#4702)
build(deps): bump github.com/rs/zerolog from 1.26.0 to 1.26.1 (#4681)
build(deps): bump github.com/tidwall/gjson from 1.11.0 to 1.13.0 (#4696)
build(deps): bump helm.sh/helm/v3 from 3.7.1 to 3.7.2 (#4680)
build(deps): bump github.com/spf13/viper from 1.9.0 to 1.10.1 (#4679)
build(deps): forced 'github.com/containerd/containerd' version to v1.5.9 (#4671)
build(deps): bump github.com/getsentry/sentry-go from 0.11.0 to 0.12.0 (#4677)
build(deps): bump github.com/tdewolff/minify/v2 from 2.9.22 to 2.9.29 (#4678) (#4703)
build(deps): forced github.com/docker/cli version to v20.10.12+incompatible (#4666)

👻 Maintenance

update(docs): add example in docs for config setting exclude paths (#4624)
feat(queries): update terraform registry data on commons.json (#4629)
feat(docs): updated docs of azure pipelines integrations for old KICS versions (#4683)
update(secrets & passwords): add allow rule for mysql password hashes (#4627)

💔 Deprecation

Please be notified that KICS is deprecating the availability of binaries in the GitHub releases assets as of 1.5.0.
We intend to stop publishing the binaries along with KICS 1.5.2 (scheduled for mid-February).
It is advised to update all systems (pipelines, integrations, etc.) to use KICS Docker Images.

v1.4.9

20 Dec 16:46
c2af2ba

🚀 New features and improvements

added 20 new queries (Terraform, Ansible, Cloudformation, gRPC, Google Deployment Manager)
feat(gdm): added support to Google Deployment Manager (#4530)
feat(grpc): added support to gRPC (#4532)
feat(report): added CycloneDX SBOM report (#4579)
feat(report): added JUnit report (#4568)
feat(ci): added KICS Scan workflow on PR to master (#4561)

🐛 Bug fixes

fix(query): fixed query Multiple RUN, ADD, COPY, Instructions Listed (#4567) (#4573)
fix(query): "Azure Container Registry With No Locks" for Ansible (#4610)
fix(core): fixed negative lines and terminal checking (#4583)
fix(logs): fixed log error messages pollution (#4597)
fix(report): corrected scan end time in pdf report (#4607)
fix(parser): fixed dockerfile parser with wrong payload when using arguments (#4591) (#4613)

📦 Dependency updates

ci(deps): bump peter-evans/create-pull-request from 3.11.0 to 3.12.0 (#4592)
ci(deps): bump actions/setup-python from 2.3.0 to 2.3.1 (#4574)
ci(deps): bump golang from 1.17.3-alpine to 1.17.5-alpine (#4588)

👻 Maintenance

feat(query): add allow rule for ansible-vault (#4605)
refactor(query): policies for CloudFormation (#4540)
docs(queries): all query csv file downloads now come with the name kics-queries.csv (#4532)

🚨 Breaking Changes

KICS will now point to 1 instead of -1 in the reports when failing to find the line containing the vulnerability (#4583)

v1.4.8

24 Nov 11:59
bb17d45

🚀 Added

added 30 new queries (Terraform, Ansible and Cloudformation)
feat(report): added sonarqube report (#4418) (#4539)
feat(report): added expected value to PDF report (#4552)
feat(docs & passwords and secrets): consideration of kics-scan ignore command and LinesIgnore (#4485) (#4419) (#4503)
feat(ci): add pre-commit hook (#4520)

✨ Changed

refactor(core): changed tests to use platform constants (#4534)

🔧 Fixed

increased results accuracy
fix(scan): not reporting error when progress bar fails to close (#4551)
fix(parser): fixed YAML parser panic with wrong type for interface (#4536)
fix(password and secrets): fixed MS Teams regex hardcoded team_name (#4537)

💪 For The Bolder

build(deps): bump github.com/open-policy-agent/opa from 0.33.0 to 0.34.2 (#4469) (#4506)
build(deps): bump github.com/moby/buildkit from 0.9.2 to 0.9.3 (#4538)

v1.4.7

10 Nov 15:56
25b6b70

Added

added 11 terraform queries
feat(engine): added data source policy to terraform (#4409)
feat(parser): enabled parsers ignore comment by line (#4491) (#4420) (#4480) (#4486) (#4489) (#4497)
feat(passwords and secrets): validation of query ids in custom secrets regexes (#4478)
feat(docs): added MegaLinter in the list of integrations (#4488)

Changed

refactor(passwords and secrets mechanism): changed flags include-query, exclude-query mechanism for query password and secrets (#4444)
refactor(query): updated query Chown Flag Exists description (#3768) (#4466)
build(deps): bump github.com/tidwall/gjson from 1.10.2 to 1.11.0 (#4453)
build(deps): bump github.com/moby/buildkit from 0.9.1 to 0.9.2 (#4458)
build(deps): bump github.com/rs/zerolog from 1.25.0 to 1.26.0 (#4459)
build(deps): bump github.com/zclconf/go-cty from 1.9.1 to 1.10.0 (#4460)

Fixed

increased accuracy
fix(race): fix kics Golang data races (#4448)
fix(detector): fix panic with interpolated brackets in detector (#4415)
fix(source): fixed KICS panic when reading invalid metadata (#4413) (#4465)
fix(report): fixed bug with invalid startLine on sarif report (#4483)
fix(passwords and secrets): excluded TF file function reference in results (#4433)

v1.4.6-1

28 Oct 18:43
ccbcb9b

Fixed

fix(engine): fixed --bom flag not working (#4432)

v1.4.6

27 Oct 17:21
9514720

Added

added 2 new queries
feat(e2e): added E2E Test for BoM (#4404)
feat(parser): removed resources with count set to 0 in payload (#4395)
feat(kics): add version checking (#4414)
feat(integration): added Terraform Cloud integration (#4427)

Changed

fix(query): correcting severity and category for 'Default Azure Storage Account Network Access Is Too Permissive' (#4401)
build(deps): bump goreleaser/goreleaser-action from 2.7.0 to 2.8.0 (#4400)
build(deps): bump github.com/gookit/color from 1.4.2 to 1.5.0 (#4406)
build(deps): bump github.com/tidwall/gjson from 1.9.4 to 1.10.2 (#4425)
refactor(scan & printer): implementation of a new approach (#4322)
refactor(report): if no files to scan are found kics will no longer create report files (#4322)

Fixed

increased accuracy
fix(ci): fixed wrong path to common.json (#4407)
fix(helm): fixed helm only excluding template files (#4393)
fix(inspector): KICS panicking when using KICS repo with -q flag (#4397) (#4394)
fix(parser): parsers now stringify the original content in a formatted way (#4396)

v1.4.5

14 Oct 15:44
fe80606

Added

9 new queries
feat(engine): support Azure Blueprint (#4386) (#4358) (#4356)
query(bom): add mvp queries storage, queue, in-memory data structure (#4381)
feat(bom): add new flag --bom to enable Bill of Materials in results.json (#4375)
feat(parser): added support to parse and scan terraform plans (#4362)
feat(parser): added terraform ternary parser resolution (#4370)
feat(docker): add ubi7 based image for redhat's openshift (#4326)

Changed

feat(query): refactored arm queries to use walk (#4354)
build(deps): bump github.com/tidwall/gjson from 1.9.1 to 1.9.4 (#4374)
build(deps): bump helm.sh/helm/v3 from 3.7.0 to 3.7.1 (#4383)
build(deps): bump containerd to v1.5.7 to solve dependabot warning (#4341)
build(deps): bump github.com/hashicorp/go-getter from 1.5.8 to 1.5.9 (#4337)
build(deps): bump github.com/open-policy-agent/opa from 0.28.0 to 0.33.0 (#4332)
build(deps): bump github.com/moby/buildkit from 0.8.3 to 0.9.1 (#4334)

Fixed

increased accuracy
fix(helm): failed to parse invalid yaml for helm (#4380)
fix(helm): fixed helms payload should only print payload lines when the flag is activated (#4382)
fix(parser): fixed json parser with incorrect kics_line (#4327) (#4328)
fix(engine): handle regexp compilation errors (#4347)
fix(analyzer): fixed k8s overriding analyzer match for arm sample (#4353)
fix(report): fixed missing/cut off descriptions (#4344)