From d75945f94587ac1b87ce26149eb6a1848993ed6e Mon Sep 17 00:00:00 2001
From: gruebel <33207684+gruebel@users.noreply.github.com>
Date: Tue, 4 Nov 2025 23:02:09 +0000
Subject: [PATCH 01/10] chore: update release notes
---
 CHANGELOG.md | 8 +++++++-
 1 file changed, 7 insertions(+), 1 deletion(-)
diff --git a/CHANGELOG.md b/CHANGELOG.md
index 9d6d1c8022..d30327b90f 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -1,6 +1,12 @@
 # CHANGELOG
-## [Unreleased](https://github.com/bridgecrewio/checkov/compare/3.2.489...HEAD)
+## [Unreleased](https://github.com/bridgecrewio/checkov/compare/3.2.490...HEAD)
+
+## [3.2.490](https://github.com/bridgecrewio/checkov/compare/3.2.489...3.2.490) - 2025-11-04
+
+### Feature
+
+- **general:** Fix downloading of the external modules when ref is a shortened Git hash - [#7278](https://github.com/bridgecrewio/checkov/pull/7278)
 ## [3.2.489](https://github.com/bridgecrewio/checkov/compare/3.2.488...3.2.489) - 2025-10-29
From 62914bc0dff3f6b676f4eafd5be540372b517a5a Mon Sep 17 00:00:00 2001
From: Barak Fatal <35402131+bo156@users.noreply.github.com>
Date: Sun, 9 Nov 2025 13:55:01 +0200
Subject: [PATCH 02/10] fix(terraform): Graph report tags should be dict (#7363)
Made sure that graph report tags are using the same func as the regular report + added handling for google tags (same as gcp)
---
 checkov/terraform/base_runner.py | 3 ++-
 checkov/terraform/tag_providers/__init__.py | 3 ++-
 2 files changed, 4 insertions(+), 2 deletions(-)
diff --git a/checkov/terraform/base_runner.py b/checkov/terraform/base_runner.py
index bdd1bec3a6..c42860b324 100644
--- a/checkov/terraform/base_runner.py
+++ b/checkov/terraform/base_runner.py
@@ -31,6 +31,7 @@
 from checkov.terraform.graph_builder.local_graph import TerraformLocalGraph
 from checkov.terraform.graph_manager import TerraformGraphManager
 from checkov.terraform.image_referencer.manager import TerraformImageReferencerManager
+from checkov.terraform.tag_providers import get_resource_tags
 from checkov.terraform.tf_parser import TFParser
 from checkov.common.util.env_vars_config import env_vars_config
@@ -187,7 +188,7 @@ def get_graph_checks_report(
                         entity_context.get("end_line", 1),
                     ],
                     resource=resource,
-                    entity_tags=entity.get("tags", {}),
+                    entity_tags=get_resource_tags(resource, entity_config),
                     evaluations=None,
                     check_class=check.__class__.__module__,
                     file_abs_path=os.path.abspath(full_file_path),
diff --git a/checkov/terraform/tag_providers/__init__.py b/checkov/terraform/tag_providers/__init__.py
index ddbd5b33cb..2ebf68b19a 100644
--- a/checkov/terraform/tag_providers/__init__.py
+++ b/checkov/terraform/tag_providers/__init__.py
@@ -4,7 +4,8 @@
 from checkov.terraform.tag_providers import azure
 from checkov.terraform.tag_providers import gcp
-provider_tag_mapping = {"aws": aws.get_resource_tags, "azure": azure.get_resource_tags, "gcp": gcp.get_resource_tags}
+provider_tag_mapping = {"aws": aws.get_resource_tags, "azure": azure.get_resource_tags, "gcp": gcp.get_resource_tags,
+                        "google": gcp.get_resource_tags}
 def get_resource_tags(resource_type: str, entity_config: Dict[str, Any]) -> Optional[Dict[str, Any]]:
From 4674635a5f06638759285a90a197ecb5513ce957 Mon Sep 17 00:00:00 2001
From: Barak Fatal
Date: Sun, 9 Nov 2025 13:31:49 +0200
Subject: [PATCH 03/10] Made sure that graph report tags are using the same func as the regular report + added handling for google tags (same as gcp)
---
 checkov/version.py | 2 +-
 kubernetes/requirements.txt | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)
diff --git a/checkov/version.py b/checkov/version.py
index 321f8b1561..c23f56e16d 100644
--- a/checkov/version.py
+++ b/checkov/version.py
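Review bot: `get_resource_tags` declares its first parameter as `resource_type`, but the changed line `entity_tags=get_resource_tags(resource, entity_config)` passes `resource`, which from the neighbouring `resource=resource` keyword appears to be the record's resource address rather than its bare type. If that address carries a prefix such as `module.x.aws_instance.y`, the provider lookup inside `get_resource_tags` is handed text it was not written to parse and the tags silently come back as `None`; either pass the entity's resource type here or document on `get_resource_tags` that full addresses are accepted. `entity_config` is not bound anywhere in the hunk, so I am assuming it is defined above in `get_graph_checks_report`, whose body starts and ends outside the hunk.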
@@ -1 +1 @@
-version = '3.2.490'
+version = '3.2.491'
diff --git a/kubernetes/requirements.txt b/kubernetes/requirements.txt
index e7c999c61c..3487b12b9a 100644
--- a/kubernetes/requirements.txt
+++ b/kubernetes/requirements.txt
@@ -1 +1 @@
-checkov==3.2.490
+checkov==3.2.491
From 83670ad08d78fabffe4e68c09d06ec85b8a88db8 Mon Sep 17 00:00:00 2001
From: gruebel <33207684+gruebel@users.noreply.github.com>
Date: Sun, 9 Nov 2025 23:01:57 +0000
Subject: [PATCH 04/10] chore: update release notes
---
 CHANGELOG.md | 8 +++++++-
 1 file changed, 7 insertions(+), 1 deletion(-)
diff --git a/CHANGELOG.md b/CHANGELOG.md
index d30327b90f..5dffde9ddf 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -1,6 +1,12 @@
 # CHANGELOG
-## [Unreleased](https://github.com/bridgecrewio/checkov/compare/3.2.490...HEAD)
+## [Unreleased](https://github.com/bridgecrewio/checkov/compare/3.2.491...HEAD)
+
+## [3.2.491](https://github.com/bridgecrewio/checkov/compare/3.2.490...3.2.491) - 2025-11-09
+
+### Bug Fix
+
+- **terraform:** Graph report tags should be dict - [#7363](https://github.com/bridgecrewio/checkov/pull/7363)
 ## [3.2.490](https://github.com/bridgecrewio/checkov/compare/3.2.489...3.2.490) - 2025-11-04
From 042aa54f884197b60a3a68d1c75fadee28af72e6 Mon Sep 17 00:00:00 2001
From: Barak Fatal <35402131+bo156@users.noreply.github.com>
Date: Mon, 10 Nov 2025 16:41:21 +0200
Subject: [PATCH 05/10] fix(terraform): get_resource_tags handles more cases (#7365)
Updated get_resource_tags to handle more cases
---
 checkov/terraform/tag_providers/__init__.py | 17 +++++++++++++----
 tests/terraform/test_provider_tags.py | 13 +++++++++++++
 2 files changed, 26 insertions(+), 4 deletions(-)
 create mode 100644 tests/terraform/test_provider_tags.py
diff --git a/checkov/terraform/tag_providers/__init__.py b/checkov/terraform/tag_providers/__init__.py
index 2ebf68b19a..173240dc4b 100644
--- a/checkov/terraform/tag_providers/__init__.py
+++ b/checkov/terraform/tag_providers/__init__.py
@@ -12,11 +12,20 @@ def get_resource_tags(resource_type: str, entity_config: Dict[str, Any]) -> Opti
     if not isinstance(entity_config, dict):
         return None
-    if "_" not in resource_type:
-        return None  # probably not a resource block
-    provider = resource_type[: resource_type.index("_")]
-    provider_tag_function = provider_tag_mapping.get(provider)
+    provider_tag = get_provider_tag(resource_type)
+    provider_tag_function = provider_tag_mapping.get(provider_tag) if provider_tag else None
     if provider_tag_function:
         return provider_tag_function(entity_config)
     else:
         return None
+
+
+def get_provider_tag(resource_type: str) -> Optional[str]:
+    provider_tag = None
+    if 'aws' in resource_type:
+        provider_tag = "aws"
+    elif 'azure' in resource_type:
+        provider_tag = "azure"
+    elif 'gcp' in resource_type or 'google' in resource_type:
+        provider_tag = "gcp"
+    return provider_tag
diff --git a/tests/terraform/test_provider_tags.py b/tests/terraform/test_provider_tags.py
new file mode 100644
index 0000000000..84f989cb71
--- /dev/null
+++ b/tests/terraform/test_provider_tags.py
@@ -0,0 +1,13 @@
+import pytest
+
+from checkov.terraform.tag_providers import get_provider_tag
+
+
+@pytest.mark.parametrize("resource_type, expected", [
+    ("aws_instance.example", "aws"),
+    ("module.test.aws_instance.example", "aws"),
+    ("azure_instance.example", "azure"),
+    ("google_instance.example", "gcp"),
+])
+def test_get_provider_tag(resource_type, expected) -> None:
+    assert get_provider_tag(resource_type) == expected
From 2c70bfe395123e06972c2a3276d225dc47f84018 Mon Sep 17 00:00:00 2001
From: Barak Fatal <35402131+bo156@users.noreply.github.com>
Date: Mon, 10 Nov 2025 16:41:21 +0200
Subject: [PATCH 06/10] fix(terraform): get_resource_tags handles more cases (#7365)
Updated get_resource_tags to handle more cases
---
 checkov/version.py | 2 +-
 kubernetes/requirements.txt | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)
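Review bot: `get_provider_tag` tests `'aws' in resource_type` (and likewise for `azure`, `gcp`, `google`) against the whole string, so a provider keyword that occurs in a module or resource *name* classifies the entity, and the `if`/`elif` order then decides which provider wins — a `google_*` resource named `aws_migration` comes back as `aws` and is handed to the AWS tag extractor. Anchoring the match to the start of a dotted segment keeps the `module.test.aws_instance.example` case in the new test working while removing that ambiguity; the rewrite below does so. Separately, the guard `provider_tag_mapping.get(provider_tag) if provider_tag else None` on the first added line is redundant because `dict.get(None)` already returns `None`, so `provider_tag_function = provider_tag_mapping.get(provider_tag)` suffices. A docstring saying the argument may be a bare type or a full address would also help, since the parameter is still named `resource_type`.
```python
def get_provider_tag(resource_type: str) -> Optional[str]:
    """Map a resource type or address (``module.x.aws_instance.y``) to a ``provider_tag_mapping`` key."""
    for segment in resource_type.split("."):
        if segment.startswith("aws"):
            return "aws"
        if segment.startswith("azure"):
            return "azure"
        if segment.startswith(("gcp", "google")):
            return "gcp"
    return None
```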
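Review bot: The new parametrized test only lists inputs that are expected to match, so it cannot tell a prefix match from a substring match; adding a negative case such as `("random_pet.example", None)` and one where a provider keyword appears in the resource name rather than its type would pin the intended contract of `get_provider_tag`.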
diff --git a/checkov/version.py b/checkov/version.py
index c23f56e16d..7fa419854d 100644
--- a/checkov/version.py
+++ b/checkov/version.py
@@ -1 +1 @@
-version = '3.2.491'
+version = '3.2.492'
diff --git a/kubernetes/requirements.txt b/kubernetes/requirements.txt
index 3487b12b9a..616e6ab57e 100644
--- a/kubernetes/requirements.txt
+++ b/kubernetes/requirements.txt
@@ -1 +1 @@
-checkov==3.2.491
+checkov==3.2.492
From 185ce8ab66cbd96b10d9b9194e1b28e4a12cef19 Mon Sep 17 00:00:00 2001
From: gruebel <33207684+gruebel@users.noreply.github.com>
Date: Mon, 10 Nov 2025 23:02:12 +0000
Subject: [PATCH 07/10] chore: update release notes
---
 CHANGELOG.md | 8 +++++++-
 1 file changed, 7 insertions(+), 1 deletion(-)
diff --git a/CHANGELOG.md b/CHANGELOG.md
index 5dffde9ddf..f6178b680f 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -1,6 +1,12 @@
 # CHANGELOG
-## [Unreleased](https://github.com/bridgecrewio/checkov/compare/3.2.491...HEAD)
+## [Unreleased](https://github.com/bridgecrewio/checkov/compare/3.2.492...HEAD)
+
+## [3.2.492](https://github.com/bridgecrewio/checkov/compare/3.2.491...3.2.492) - 2025-11-10
+
+### Bug Fix
+
+- **terraform:** get_resource_tags handles more cases - [#7365](https://github.com/bridgecrewio/checkov/pull/7365)
 ## [3.2.491](https://github.com/bridgecrewio/checkov/compare/3.2.490...3.2.491) - 2025-11-09
From 4dbc89ab731e97890fa7ac2d28b5699b07b81e50 Mon Sep 17 00:00:00 2001
From: Max Amelchenko
Date: Wed, 12 Nov 2025 12:11:05 +0200
Subject: [PATCH 08/10] feat(general): support skips for module for_each and count (#7368)
support skips for module for_each and count
Co-authored-by: Max Amelchenko
---
 checkov/common/output/report.py | 4 ++++
 .../runner_registry/test_runner_registry_plan_enrichment.py | 5 ++---
 2 files changed, 6 insertions(+), 3 deletions(-)
diff --git a/checkov/common/output/report.py b/checkov/common/output/report.py
index d8da7c3b85..51af285332 100644
--- a/checkov/common/output/report.py
+++ b/checkov/common/output/report.py
@@ -574,6 +574,10 @@ def handle_skipped_checks(
         if record.resource_address and record.resource_address.startswith("module."):
             module_path = record.resource_address[module_address_len:record.resource_address.index('.', module_address_len + 1)]
+            # For module with for_each or count, the module path will be module.module_name[(.*)]. We can
+            # ignore the index and the for_each value and just use the module name as it's not possible to
+            # skip checks for a specific instance of a module
+            module_path = module_path.split('[')[0]
             module_enrichments = enriched_resources.get(module_path, {})
             for module_skip in module_enrichments.get("skipped_checks", []):
                 if record.check_id in module_skip["id"]:
diff --git a/tests/common/runner_registry/test_runner_registry_plan_enrichment.py b/tests/common/runner_registry/test_runner_registry_plan_enrichment.py
index c591867858..84cdfecf7f 100644
--- a/tests/common/runner_registry/test_runner_registry_plan_enrichment.py
+++ b/tests/common/runner_registry/test_runner_registry_plan_enrichment.py
@@ -132,12 +132,11 @@ def test_enrichment_of_plan_report_with_for_each(self):
         report = runner_registry.run(repo_root_for_plan_enrichment=[repo_root], files=[str(valid_plan_path)])[0]
-        # TODO: after fixing module enrichment with skipped checks the failed checks will become skipped
-        self.assertEqual(len(report.failed_checks), 3)
+        self.assertEqual(len(report.failed_checks), 0)
         self.assertEqual(len(report.passed_checks), 0)
-        self.assertEqual(len(report.skipped_checks), 2)
+        self.assertEqual(len(report.skipped_checks), 5)
     def test_skip_check(self):
From 0099d2c00fa195ba1d5045adde5957730f505f0e Mon Sep 17 00:00:00 2001
From: Max Amelchenko
Date: Tue, 11 Nov 2025 09:51:13 +0200
Subject: [PATCH 09/10] support skips for module for_each and count
---
 checkov/version.py | 2 +-
 kubernetes/requirements.txt | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)
diff --git a/checkov/version.py b/checkov/version.py
index 7fa419854d..1ade9a5b6c 100644
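Review bot: The added `module_path = module_path.split('[')[0]` runs after the `.index('.', module_address_len + 1)` slice on the line above, so for a for_each key that itself contains a dot (`module.foo["a.b"].aws_x.y`) the slice stops inside the key and it is only the bracket split that recovers `foo`; the result is correct, but the added comment should say so, e.g. `# splitting on '[' also repairs the slice above when a for_each key contains a '.'`. `module_path.split('[', 1)[0]` (or `str.partition`) makes the intent of "everything before the first bracket" explicit. `handle_skipped_checks` starts and ends outside the hunk, and `module_address_len` is bound above it, so I am assuming it is the length of the `module.` prefix.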
--- a/checkov/version.py
+++ b/checkov/version.py
@@ -1 +1 @@
-version = '3.2.492'
+version = '3.2.493'
diff --git a/kubernetes/requirements.txt b/kubernetes/requirements.txt
index 616e6ab57e..d26f47dc23 100644
--- a/kubernetes/requirements.txt
+++ b/kubernetes/requirements.txt
@@ -1 +1 @@
-checkov==3.2.492
+checkov==3.2.493
From 7674ea27a2b337dcad3009feae7363765f42f716 Mon Sep 17 00:00:00 2001
From: gruebel <33207684+gruebel@users.noreply.github.com>
Date: Wed, 12 Nov 2025 23:02:19 +0000
Subject: [PATCH 10/10] chore: update release notes
---
 CHANGELOG.md | 8 +++++++-
 1 file changed, 7 insertions(+), 1 deletion(-)
diff --git a/CHANGELOG.md b/CHANGELOG.md
index f6178b680f..f72f723325 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -1,6 +1,12 @@
 # CHANGELOG
-## [Unreleased](https://github.com/bridgecrewio/checkov/compare/3.2.492...HEAD)
+## [Unreleased](https://github.com/bridgecrewio/checkov/compare/3.2.493...HEAD)
+
+## [3.2.493](https://github.com/bridgecrewio/checkov/compare/3.2.492...3.2.493) - 2025-11-12
+
+### Feature
+
+- **general:** support skips for module for_each and count - [#7368](https://github.com/bridgecrewio/checkov/pull/7368)
 ## [3.2.492](https://github.com/bridgecrewio/checkov/compare/3.2.491...3.2.492) - 2025-11-10