merge

CHANGELOG.md

@@ -1,6 +1,15 @@
 # CHANGELOG
 
-## [Unreleased](https://github.com/bridgecrewio/checkov/compare/3.2.307...HEAD)
+## [Unreleased](https://github.com/bridgecrewio/checkov/compare/3.2.311...HEAD)
+
+## [3.2.311](https://github.com/bridgecrewio/checkov/compare/3.2.307...3.2.311) - 2024-11-21
+
+### Bug Fix
+
+- **cloudformation:** Fixed issue where Ref was not rendered correctly if the parameter name was identical to the default value - [#6856](https://github.com/bridgecrewio/checkov/pull/6856)
+- **secrets:** fix find line - [#6864](https://github.com/bridgecrewio/checkov/pull/6864)
+- **secrets:** masking test format - [#6859](https://github.com/bridgecrewio/checkov/pull/6859)
+- **secrets:** multiline matches show the secret and not the first line - [#6854](https://github.com/bridgecrewio/checkov/pull/6854)
 
 ## [3.2.307](https://github.com/bridgecrewio/checkov/compare/3.2.305...3.2.307) - 2024-11-20
 

Pipfile

@@ -43,7 +43,7 @@ types-colorama = "<0.5.0,>=0.4.3"
 # REMINDER: Update "install_requires" deps on setup.py when changing
 #
 bc-python-hcl2 = "==0.4.2"
-bc-detect-secrets = "==1.5.24"
+bc-detect-secrets = "==1.5.27"
 bc-jsonpath-ng = "==1.6.1"
 pycep-parser = "==0.5.1"
 tabulate = ">=0.9.0,<0.10.0"

checkov/secrets/plugins/custom_regex_detector.py

@@ -170,12 +170,13 @@ def _find_potential_secret(
                     continue
                 multiline_matches = multiline_regex.findall(file_content)
                 for mm in multiline_matches:
+                    line_num = find_line_number(file_content, mm, line_number)
                     quoted_mm = f"'{mm}'"
                     ps = PotentialSecret(
                         type=regex_data["Name"],
                         filename=filename,
                         secret=quoted_mm,
-                        line_number=find_line_number(file_content, mm, line_number),
+                        line_number=line_num,
                         is_verified=is_verified,
                         is_added=is_added,
                         is_removed=is_removed,
@@ -219,9 +220,12 @@ def analyze_string(self, string: str, **kwargs: Optional[Dict[str, Any]]) -> Gen
 
 
 def find_line_number(file_string: str, substring: str, default_line_number: int) -> int:
-    lines = file_string.splitlines()
-
-    for line_number, line in enumerate(lines, start=1):
-        if substring in line:
-            return line_number
-    return default_line_number
+    try:
+        lines = file_string.splitlines()
+
+        for line_number, line in enumerate(lines, start=1):
+            if substring in line:
+                return line_number
+        return default_line_number
+    except Exception:
+        return default_line_number

checkov/secrets/scan_git_history.py

@@ -209,7 +209,7 @@ def _run_scan_one_commit(commit: Commit) -> Tuple[List[RawStore], int]:
         for file_name, file_diff in commit.files.items():
             if len(file_diff) == 0:
                 continue
-            file_results = [*scan.scan_diff(file_diff)]
+            file_results = [*scan.scan_diff(file_diff, commit_hash)]
             if file_results:
                 logging.debug(
                     f"Found {len(file_results)} secrets in file path {file_name} in commit {commit_hash}")

checkov/version.py

@@ -1 +1 @@
-version = '3.2.309'
+version = '3.2.311'

kubernetes/requirements.txt

@@ -1 +1 @@
-checkov==3.2.309
+checkov==3.2.311

setup.py

@@ -66,7 +66,7 @@ def run(self) -> None:
     },
     install_requires=[
         "bc-python-hcl2==0.4.2",
-        "bc-detect-secrets==1.5.24",
+        "bc-detect-secrets==1.5.27",
         "bc-jsonpath-ng==1.6.1",
         "pycep-parser==0.5.1",
         "tabulate>=0.9.0,<0.10.0",

tests/secrets/masking_secrets/assets_report_with_pass.json

@@ -1 +1,22 @@
-{"reportIdentifier": "iac_assets", "items": [{"name": "aws_instance.web_host", "provider": "GitHub", "realm": "Github-terragoat", "typeId": "EC2_INSTANCE", "observationTime": 1730972043909, "strongId": "repo1//s3.tf:aws_instance.web_host", "groupId": "CKV_AWS_79", "normalizedFields": {"xdm.code.iac.resource_name": "web_host", "xdm.code.iac.resource_type": "aws_instance", "xdm.code.iac.framework": "TERRAFORM", "xdm.code.iac.code_block": "resource \"aws_instance\" \"web_host\" {\n  ami           = \"${var.ami}\"\n  instance_type = \"t2.nano\"\n\n  vpc_security_group_ids = [\n  \"${aws_security_group.web-node.id}\"]\n  subnet_id = \"${aws_subnet.web_subnet.id}\"\n  user_data = <<EOF\n#! /bin/bash\nsudo apt-get update\nsudo apt-get install -y apache2\nsudo systemctl start apache2\nsudo systemctl enable apache2\nexport AWS_ACCESS_KEY_ID=AKIAYNKRE4OV2LF6TC3N\nexport AWS_SECRET_ACCESS_KEY=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\nexport AWS_DEFAULT_REGION=us-west-2\necho \"<h1>Deployed via Terraform</h1>\" | sudo tee /var/www/html/index.html\nEOF\n}", "xdm.file.path": "/s3.tf", "xdm.file.position.start.line": 1, "xdm.file.position.end.line": 19, "xdm.code.iac.tags": {}, "xdm.repository.name": "terragoat", "xdm.repository.organization": "BC", "xdm.code.git.commit.hash": "abc123", "xdm.code.git.commit.time": "2024-09-16 12:10:00.45", "xdm.code.git.contributors": ["settinger"]}, "rawFields": {"cloud_provider": "AWS"}}]}
+{
+  "reportIdentifier": "iac_assets",
+  "items": [
+    {
+      "name": "aws_instance.web_host",
+      "provider": "GitHub",
+      "groupId": "CKV_AWS_79",
+      "fields": {
+        "resource_name": "web_host",
+        "resource_type": "aws_instance",
+        "framework": "TERRAFORM",
+        "code_block": "resource \"aws_instance\" \"web_host\" {\n  ami           = \"${var.ami}\"\n  instance_type = \"t2.nano\"\n\n  vpc_security_group_ids = [\n  \"${aws_security_group.web-node.id}\"]\n  subnet_id = \"${aws_subnet.web_subnet.id}\"\n  user_data = <<EOF\n#! /bin/bash\nsudo apt-get update\nsudo apt-get install -y apache2\nsudo systemctl start apache2\nsudo systemctl enable apache2\nexport AWS_ACCESS_KEY_ID=AKIAYNKRE4OV2LF6TC3N\nexport AWS_SECRET_ACCESS_KEY=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\nexport AWS_DEFAULT_REGION=us-west-2\necho \"<h1>Deployed via Terraform</h1>\" | sudo tee /var/www/html/index.html\nEOF\n}",
+        "path": "/s3.tf",
+        "start.line": 1,
+        "end.line": 19
+      },
+      "rawFields": {
+        "cloud_provider": "AWS"
+      }
+    }
+  ]
+}