Releases: Checkmarx/kics
v1.6.4
🚀 New features and improvements
feat(query): added "Vulnerable OpenSSL Version" for Dockerfile #5973
feat(bom): added Cassandra for CloudFormation #5988
feat(bom): added Kinesis support for CloudFormation and Terraform #5983
🐛 Bug fixes
fix(analyzer): improved regexes #5979
fix(query): improved regex of "Asymmetric private key" #5984
fix: changing directory name of viewer_protocol_policy_allows_http by @jycamier in #5981
fix(query): fix queries expected value by @liorj-orca in #5970
📦 Dependency updates bumps
ci(deps): bump goreleaser/goreleaser-action from 3.1.0 to 3.2.0 #5945
ci(deps): bump tj-actions/verify-changed-files from 11.1 to 12.0 #5946
build(deps): bump github.com/zclconf/go-cty from 1.11.0 to 1.11.1 #5948
build(deps): bump github.com/aws/aws-sdk-go from 1.44.116 to 1.44.121 #5959
ci(deps): bump golangci/golangci-lint-action from 3.2.0 to 3.3.0 #5958
build(deps): bump golang.org/x/text from 0.3.8 to 0.4.0 #5971
build(deps): bump github.com/zclconf/go-cty from 1.11.1 to 1.12.0 #5972
👻 Maintenance
docs(queries): update queries catalog #5942
update(docs): certification documentation #5992
update(docs): added required go version + how to build kics binary #5982
v1.6.3
🚀 New features and improvements
update(query): fixed typos in query folder name and query name in #5954
🐛 Bug fixes
fix(query): Update Password And Secrets Security Query Documentation in #5938
fix(ExpToString): fixed TraverseIndex evaluation in #5939
fix(query): update CloudWatch Log Group Without KMS Security Query MetaData in #5943
fix(query): readjusted "Memcached Disabled" to "Redis Disabled" in #5952
fix(query): improved regex to find AWS Access Key in assets/queries/terraform/aws/hardcoded_aws_access_key_in_lambda in #5951
fix(masked_secrets): Mask Secrets in All Vulnerability Preview in #5949
📦 Dependency updates bumps
bump(deps): bump express, debug, and sentry-go in #5957
bump(deps): express dependencies in #5962
bump(deps): reverted debug and updated dependencies in #5963
build(deps): bump github.com/tdewolff/minify/v2 from 2.12.3 to 2.12.4 in #5904
docs(kicsbot): update images digest in #5906
ci(deps): bump golang from 1.19.1-alpine to 1.19.2-alpine in #5909
build(deps): bump github.com/aws/aws-sdk-go from 1.44.109 to 1.44.114 in #5914
ci(deps): bump docker/build-push-action from 3.1.1 to 3.2.0 in #5924
ci(deps): bump styfle/cancel-workflow-action from 0.10.1 to 0.11.0 in #5925
ci(deps): bump docker/login-action from 2.0.0 to 2.1.0 in #5926
build(deps): bump github.com/spf13/cobra from 1.5.0 to 1.6.0 in #5928
build(deps): bump github.com/open-policy-agent/opa from 0.44.0 to 0.45.0 in #5929
build(deps): bump k8s.io/apimachinery from 0.25.2 to 0.25.3 in #5933
bump: updating software versions in #5918
build(deps): bump github.com/aws/aws-sdk-go from 1.44.114 to 1.44.116 in #5936
build(deps): bump golang.org/x/text from 0.3.7 to 0.3.8 in #5930
build(deps): bump k8s.io/api from 0.25.2 to 0.25.3 in #5937
build(deps): bump golang.org/x/text from 0.3.7 to 0.3.8 in #5940
build(deps): bump k8s.io/client-go from 0.25.2 to 0.25.3 in #5941
v1.6.2
🚀 New features and improvements
feat(bom): bill of materials for rds in aws cloudformation #5856
feat(bom): bill of material rds for terraform #5843
feat(bom): bill of materials for aws dynamodb #5861
🐛 Bug fixes
fix(query): correct GCP KMS crypto key rotation period queries + descriptions by @Churro in #5863
fix(query): terraform/aws/iam_access_key_is_exposed by @jycamier in #5846
fix(query): fix false positive in aws_instance by @patrickpichler in #5903
fix(query): remove redundant and flawed GCP KMS key rotation query by @Churro in #5864
fix(query): fix false positive for rds backup_retention_period not set by @patrickpichler in #5902
fix community link for contribution #5854
fix(query): drop Configuration Aggregator to All Regions Disabled Security severity to MEDIUM by @patrickpichler in #5901
fix(query): reduce NET_RAW capability not being dropped severity to MEDIUM by @patrickpichler in #5900
fix(query): cover additional deprecated API versions in k8s rule by @Churro in #5867
📦 Dependency updates bumps
build(deps): bump github.com/tdewolff/minify/v2 from 2.12.1 to 2.12.2 #5857
build(deps): bump k8s.io/client-go from 0.25.1 to 0.25.2 #5827
build(deps): bump github.com/aws/aws-sdk-go from 1.44.101 to 1.44.107 #5840
build(deps): bump github.com/aws/aws-sdk-go from 1.44.107 to 1.44.109 #5866
build(deps): bump github.com/tdewolff/minify/v2 from 2.12.2 to 2.12.3 #5868
ci(deps): bump checkmarx/kics-action from 1.5 to 1.6 #5852
ci(deps): bump styfle/cancel-workflow-action from 0.10.0 to 0.10.1 #5865
👻 Maintenance
Add community meetings schedule & link #5912
docs(queries): update queries catalog #5869
docs(kicsbot): update images digest #5853
New Contributors
@patrickpichler made their first contribution in #5901
v1.6.1
🚀 New features and improvements
added 2 queries for CloudFormation and Terraform
update(coverage): code coverage improvements (#5744)
feat(workflows): add workflow to check latest software versions (#5823)
🐛 Bug fixes
fix(query): fix query descriptionText for s3 logging disabled kms rotation and iam policies (#5810) by @tomk-orca
fix(query): fix queries expected value to 'should be...' (#5816) by @liorj-orca
fix(query): fix dockerfile security query regex (#5826)
fix(query): change s3 bucket acl grants write acp security query (#5780)
fix(query): remove string check in open api security query (#5831)
fix(query): change s3 bucket with all permissions security query (#5781)
fix(query): update s3 bucket policy accepts http requests security query (#5832)
fix(query): updated lambda_function_with_privileged_role (#5833)
fix(query): fix responses with wrong http status code security query (#5834)
fix(query): fixed Docker queries related to issues 5115, 5116, and 5118 (#5295)
fix(bug): bug in get metrics script (#5796)
fix(bug): add support for certificate body process from tfvar (#5837)
fix(terraform data source): added data resources resolver (#5839)
📦 Dependency updates bumps
build(deps): bump github.com/GoogleCloudPlatform/terraformer from 0.8.21 to 0.8.22 (#5817) by @tomk-orca
build(deps): bump github.com/spf13/viper from 1.12.0 to 1.13.0 (#5766)
build(deps): bump k8s.io/client-go from 0.24.3 to 0.25.1 (#5804)
build(deps): bump github.com/aws/aws-sdk-go from 1.44.91 to 1.44.101 (#5809)
build(deps): bump github.com/open-policy-agent/opa from 0.43.0 to 0.44.0 (#5777)
ci(deps): bump actions/upload-artifact from 2 to 3 (#5764)
ci(deps): bump golang from 1.19.0-alpine to 1.19.1-alpine (#5767)
ci(deps): bump docker/setup-buildx-action from 1 to 2 (#5770)
👻 Maintenance
chore(gitlab-ci): add --ci flag to gitlab examples (#5682) by @sluetze
update(docs): correct the GH action name (#5818) by @konstruktoid
update(docs): improve information in the configuration docs (#5829) by @VladMasarik
update(docs): update remediate docs (#5794)
update(docs): docker hub docs information update (#5800)
update(docs): community tab added into the docs.kics.io website (#5806)
update(docs): update information about github action versions (#5842)
update(workflows): gh action tag update for 1.6 kics version (#5841)
update(workflows): delete branching process for major versions (#5812)
v1.6.0
🚀 New features and improvements
feat(knative&crossplane): add support to knative and crossplane (#5634)
feat(report): hide secrets in report results (#5504)
feat(scan): consider .gitignore to automatically exclude paths by default (#5506)
feat(pulumi): add support to Pulumi yaml parsing (#5648)
queries(pulumi): add pulumi gcp security queries (#5654)
queries(pulumi): add pulumi aws security queries (#5653)
queries(pulumi): add pulumi azure security queries (#5658)
feat(serverlessfw): add support to serverless fw yml file parsing (#5670)
feat(knative): add knative security query and k8s pod queries interoperability (#5692)
feat(queries): add serverless framework queries (#5679)
feat(serverless): initial cloudformation security queries refactoring (#5697)
feat(engine): Kubernetes API support for runtime k8s clusters scan (#5651)
🐛 Bug fixes
fix(resolver): exclude resolve path call for the same path reference (#5511) (#5514)
📦 Dependency updates bumps
build(deps): bump github.com/zclconf/go-cty from 1.10.0 to 1.11.0
build(deps): bump github.com/aws/aws-sdk-go from 1.44.78 to 1.44.82
build(deps): bump github.com/moby/buildkit from 0.10.3 to 0.10.4
build(deps): bump helm.sh/helm/v3 from 3.9.3 to 3.9.4
ci(deps): bump goreleaser/goreleaser-action from 3.0.0 to 3.1.0
build(deps): bump github.com/mackerelio/go-osstat from 0.2.2 to 0.2.3
build(deps): bump github.com/hashicorp/hcl/v2 from 2.13.0 to 2.14.0
build(deps): bump github.com/tdewolff/minify/v2 from 2.12.0 to 2.12.1
build(deps): bump github.com/gookit/color from 1.5.1 to 1.5.2
build(deps): bump github.com/aws/aws-sdk-go from 1.44.82 to 1.44.90
build(deps): bump github.com/aws/aws-sdk-go from 1.44.90 to 1.44.91
👻 Maintenance
docs(kicsbot): update images digest
v1.5.15
🚀 New features and improvements
feat(queries): add new aws iam privilege escalation queries (#5423) by @gafnit-lightspin
feat(query): added App Service Without Latest Python Version query for Terraform
🐛 Bug fixes
fix(queries): add missing check in ec2 instance has public ip (#5720)
fix(queries): add additional check in iam database auth not enabled (#5719)
fix(keyExpectedValue): cloudformation-aws queries convert to a recomm… (#5646) by @liorj-orca
fix(keyExpectedValue): cloudformation-aws queries convert to a recommendation rather than a current status - stage 2 (#5647) by @liorj-orca
fix(queries): align queries cross different platforms (#5539) by @roi-orca
fix(terraform): remove resource reference in dependent policies (#5684)
fix(memory consumption): improved SplitLines function calls (#5680)
fix(resolver): consider comments in YAML resolver (#5735)
📦 Dependency updates bumps
ci(deps): bump golang from 1.18.4-alpine to 1.19.0-alpine (#5665)
ci(deps): bump docker/build-push-action from 3.1.0 to 3.1.1 (#5676)
build(deps): bump helm.sh/helm/v3 from 3.9.2 to 3.9.3 (#5691)
build(deps): bump github.com/johnfercher/maroto from 0.37.0 to 0.38.0 (#5701)
build(deps): bump github.com/tidwall/gjson from 1.14.1 to 1.14.3 (#5704)
build(deps): bump github.com/aws/aws-sdk-go from 1.44.70 to 1.44.78 (#5705)
ci(deps): bump alpine from 3.16.1 to 3.16.2 (#5687)
Contributors: @gafnit-lightspin, @liorj-orca, @roi-orca
v1.5.14
🐛 Bug fixes
fix(query): change approach in api_gateway_with_cloudwatch_logging_disabled security query for terraform aws (#5693)
fix(queries): change queries metadata to remove the inconsistency (#5702)
fix(query): improve RegEx rule in curl_or_wget_instead_of_add (#5706)
fix(query): update_instruction_alone (#5707)
fix(docker parser): added resolver for args (#5696)
fix(tf parser): added parentheses expr to convertStringPart (#5695)
fix(query): reduced complexity of 'lambda_function_with_privileged_role' query (#5686)
📦 Dependency updates bumps
build(deps): bump golang.org/x/tools from 0.1.11 to 0.1.12 (#5640)
build(deps): bump github.com/aws/aws-sdk-go from 1.44.59 to 1.44.70 (#5672)
build(deps): bump github.com/open-policy-agent/opa from 0.42.2 to 0.43.0 (#5655)
build(deps): bump helm.sh/helm/v3 from 3.9.1 to 3.9.2 (#5632)
👻 Maintenance
update(docs): update integrations_auto_scanning_visual_studio.md (#5673)
v1.5.13
🚀 New features and improvements
added 4 queries for CloudFormation
🐛 Bug fixes
fix(query): azure aks rbac-variable changed (#5652) by @rndmh3ro
fix(query): azure aks policies addon var changed (#5661) by @rndmh3ro
fix(query): add missing name check in S3Bucket for AWS CloudFormation (#5642)
fix(bom): change AWS BOM resource_accessibility output values (#5639)
fix(detector): fixed memory leak (#5626)
📦 Dependency updates bumps
build(deps): bump github.com/aws/aws-sdk-go from 1.44.55 to 1.44.59 (#5613) (#5617) (#5624) (#5628)
build(deps): bump github.com/BurntSushi/toml from 1.1.0 to 1.2.0 (#5627)
ci(deps): bump alpine from 3.16.0 to 3.16.1 (#5618)
ci(deps): bump docker/build-push-action from 3.0.0 to 3.1.0 (#5623)
👻 Maintenance
update(docs): added KICS Auto Scanning Extension for Visual Studio documentation (#5662)
v1.5.12
🚀 New features and improvements
feat(query): add new k8s rule to detect attach permission (RBAC) (#5491) by @Churro
feat(query): add query to check iam policy to invoke lambda (#5542) by @jplanckeel
🐛 Bug fixes
fix(query): add wafv2 to query incl. negative test (#5529) by @AlexEndris
fix(scan behavior): ignore broken symlink (#5533) by @liorj-orca
fix(keyExpectedValue): convert to a recommendation rather than a current status (#5574) (#5576) (#5575) by @liorj-orca
fix(keyExpectedValue): ansible-aws queries convert to a recommendation rather than a current status (#5589) by @liorj-orca
fix(keyExpectedValue): ansible-azure queries convert to a recommendation rather than a current status (#5590) by @liorj-orca
fix(keyExpectedValue): AzureResourceManager queries convert to a recommendation rather than a current status (#5592) by @liorj-orca
fix(keyExpectedValue): ansible-gcp queries convert to a recommendation rather than a current status (#5591) by @liorj-orca
fix(cloud provider flag): support alicloud in the cloud provider flag (#5561)
fix(query): add check for ALB use in Terraform AWS Security Query (#5593)
📦 Dependency updates bumps
build(deps): bump github.com/tdewolff/minify/v2 from 2.11.10 to 2.12.0 (#5523) (#5563) (#5582)
build(deps): bump github.com/hashicorp/hcl/v2 from 2.12.0 to 2.13.0 (#5524)
build(deps): bump github.com/aws/aws-sdk-go from 1.44.39 to 1.44.55 (#5525) (#5531) (#5538) (#5545) (#5548) (#5552) (#5557) (#5562) (#5566) (#5571) (#5581) (#5585) (#5595) (#5603)
build(deps): bump github.com/stretchr/testify from 1.7.4 to 1.8.0 (#5530) (#5544)
build(deps): bump github.com/emicklei/proto from 1.10.0 to 1.11.0 (#5549)
build(deps): bump github.com/open-policy-agent/opa from 0.41.0 to 0.42.2 (#5555) (#5572) (#5596)
build(deps): bump github.com/cheggaaa/pb/v3 from 3.0.8 to 3.1.0 (#5580)
build(deps): bump helm.sh/helm/v3 from 3.9.0 to 3.9.1 (#5597)
ci(deps): bump styfle/cancel-workflow-action from 0.9.1 to 0.10.0 (#5537)
ci(deps): bump golang from 1.18.3-alpine to 1.18.4-alpine (#5586)
v1.5.11
🐛 Bug fixes
fix(query): uncomment cloud formation test sample (#5320) by @lipeavelar
fix(queries): align descriptionText to similar queries across different platforms #2 (#5460) by @roi-orca
fix(secrets inspector): added mutex to lock addVulnerability (#5503)
fix(analyzer): discard possible Dockerfile when they are not actually a Dockerfile (#5470)
update(dockerfile): fix CVE-2022-1586 and CVE-2022-29810 (#5492)
fix(resolver): exclude resolve path call for the same path reference (#5511)
📦 Dependency updates bumps
build(deps): bump github.com/aws/aws-sdk-go from 1.44.29 to 1.44.39 (#5468) (#5472) (#5477) (#5490) (#5498) (#5508)
build(deps): bump github.com/gookit/color from 1.5.0 to 1.5.1 (#5469)
build(deps): bump golang.org/x/tools from 0.1.10 to 0.1.11 (#5467)
build(deps): bump github.com/hashicorp/go-getter from 1.6.1 to 1.6.2 (#5473)
build(deps): bump github.com/tdewolff/minify/v2 from 2.11.9 to 2.11.10 (#5476)
build(deps): bump github.com/stretchr/testify from 1.7.2 to 1.7.4 (#5499)
build(deps): bump github.com/spf13/cobra from 1.4.0 to 1.5.0 (#5507)
ci(deps): bump actions/setup-python from 3 to 4 (#5462)
👻 Maintenance
update(query): improved "Resource Not Using Tags" description (#5483)