Releases: Checkmarx/kics
v1.5.1
🚀 New features and improvements
added 18 new queries (Google Deployment Manager, CloudFormation, Buildah, and Terraform)
feat(analyzer): added support for Cloud Development Kit for Terraform (CDKTF) (#4770)
feat(buildah): added initial Buildah support (#4740)
🐛 Bug fixes
fix(query): fix terraform query for ingress/egress description (#4736)
fix(golang): fixed golang data races and make file (#4741)
fix(version): fixed bug with version checking (#4675) (#4760)
fix(parser): added type handler to Terraform convertBody function (#4768)
fix(parser): added YAML alias as string (#4767)
fix(query): limited "IAM Access Analyzer Undefined" only for AWS (#4772)
fix(query): service should match containerPort using targetPort (#4762)
fix(report): fixed CycloneDX report for compressed files (#4761)
fix(report): fixed null ASFF report (#4756)
📦 Dependency updates bumps
build(deps): bump github.com/hashicorp/hcl/v2 from 2.10.1 to 2.11.1 (#4716)
build(deps): bump github.com/spf13/cobra from 1.2.1 to 1.3.0 (#4717)
build(deps): bump github.com/BurntSushi/toml from 0.4.1 to 1.0.0 (#4718)
build(deps): bump github.com/aws/aws-sdk-go from 1.37.0 to 1.42.44 (#4765)
build(deps): bump github.com/johnfercher/maroto from 0.33.0 to 0.34.0 (#4746)
build(deps): bump helm.sh/helm/v3 from 3.7.2 to 3.8.0 (#4747)
build(deps): bump github.com/hashicorp/go-getter from 1.5.9 to 1.5.11 (#4745)
build(deps): bump github.com/tdewolff/minify/v2 from 2.9.29 to 2.10.0 (#4778)
build(deps): bump github.com/emicklei/proto from 1.9.1 to 1.9.2 (#4777)
build(deps): bump github.com/open-policy-agent/opa from 0.34.2 to 0.37.1 (#4776)
ci(deps): bump peter-evans/create-pull-request from 3.12.0 to 3.12.1 (#4769)
ci(deps): bump docker/build-push-action from 2.8.0 to 2.9.0 (#4775)
👻 Maintenance
update(report): updated gitlab sast report schema version (#4720)
update(terraformer): added timestamp to generated import folder (#4733)
build(env): added dev build tag (#4729)
docs(kics.io): removed references to binaries usage and changed all cmds to Docker cmds (#4757)
💔 Deprecation
Please note that, as of 1.5.0, KICS is deprecating the binaries published as GitHub release assets.
We intend to stop publishing the binaries with KICS 1.5.2 (scheduled for mid-February).
Update all systems (pipelines, integrations, etc.) to use the KICS Docker images.
v1.5.0
🚀 New features and improvements
feat(terraformer): added terraformer integration (#4686)
added 10 AWS SAM queries for CloudFormation
added 31 new queries (AWS SAM, Ansible, CloudFormation, Terraform, Google Deployment Manager)
feat(SAM): added support for AWS Serverless Application Model
feat(report): added ASFF report (#4684)
feat(parser): support of YAML alias (#4659)
feat(secrets inspector): consideration of kics-scan enable/disabled comment commands (#4654)
feat(cli): added chars limit on vulnerable line display (#4668)
feat(cli): added contribution appeal when the user includes external queries (#4669)
feat(bom): added SQS Queue Policy (#4619)
feat(bom): split encryption from accessibility (#4632)
🐛 Bug fixes
fix(yaml): ignore lines by comments (#4662)
fix(core): Fixed bug when trying to read encrypted zip file (#4639)
fix(parser): fixed KICS panic in getLastElementLine (#4651)
fix(detector): fixed KICS panic in getKeyWithCurlyBrackets (#4673)
fix(parser): fixed KICS panic in empty fifo value access (#4658)
fix: deleted extraction folder after KICS scan (#4638)
fix(bom): corrected get_accessibility for aws_bucket (#4664)
fix(query): deleting searchLine in "Resource Not Using Tags" for Terraform (#4618)
fix(query): updated "S3 Bucket Without Enabled MFA Delete" for Terraform (#4635)
fix(query): updated "CloudFront Without Minimum Protocol TLS 1.2" for Ansible, CloudFormation, and Terraform (#4636)
fix(query): refactored "DB Security Group Has Public IP" for Ansible, CloudFormation, and Terraform (#4665)
fix(report): added space between description and results in pdf report (#4637)
📦 Dependency updates bumps
ci(deps): bump golang from 1.17.5-alpine to 1.18beta1-alpine (#4670)
ci(deps): bump golang from 1.17.5-alpine to 1.17.6-alpine (#4674)
ci(deps): bump goreleaser/goreleaser-action from 2.8.0 to 2.8.1 (#4687)
ci(deps): bump docker/login-action from 1.10.0 to 1.12.0 (#4621)
ci(deps): bump docker/build-push-action from 2.7.0 to 2.8.0 (#4702)
build(deps): bump github.com/rs/zerolog from 1.26.0 to 1.26.1 (#4681)
build(deps): bump github.com/tidwall/gjson from 1.11.0 to 1.13.0 (#4696)
build(deps): bump helm.sh/helm/v3 from 3.7.1 to 3.7.2 (#4680)
build(deps): bump github.com/spf13/viper from 1.9.0 to 1.10.1 (#4679)
build(deps): forced 'github.com/containerd/containerd' version to v1.5.9 (#4671)
build(deps): bump github.com/getsentry/sentry-go from 0.11.0 to 0.12.0 (#4677)
build(deps): bump github.com/tdewolff/minify/v2 from 2.9.22 to 2.9.29 (#4678) (#4703)
build(deps): forced github.com/docker/cli version to v20.10.12+incompatible (#4666)
👻 Maintenance
update(docs): add example in docs for config setting exclude paths (#4624)
feat(queries): update terraform registry data on commons.json (#4629)
feat(docs): updated docs of azure pipelines integrations for old KICS versions (#4683)
update(secrets & passwords): add allow rule for mysql password hashes (#4627)
💔 Deprecation
Please note that, as of 1.5.0, KICS is deprecating the binaries published as GitHub release assets.
We intend to stop publishing the binaries with KICS 1.5.2 (scheduled for mid-February).
Update all systems (pipelines, integrations, etc.) to use the KICS Docker images.
v1.4.9
🚀 New features and improvements
added 20 new queries (Terraform, Ansible, CloudFormation, gRPC, Google Deployment Manager)
feat(gdm): added support for Google Deployment Manager (#4530)
feat(grpc): added support for gRPC (#4532)
feat(report): added CycloneDX SBOM report (#4579)
feat(report): added JUnit report (#4568)
feat(ci): added KICS Scan workflow on PR to master (#4561)
🐛 Bug fixes
fix(query): fixed query Multiple RUN, ADD, COPY, Instructions Listed (#4567) (#4573)
fix(query): "Azure Container Registry With No Locks" for Ansible (#4610)
fix(core): fixed negative lines and terminal checking (#4583)
fix(logs): fixed log error messages pollution (#4597)
fix(report): corrected scan end time in pdf report (#4607)
fix(parser): fixed dockerfile parser with wrong payload when using arguments (#4591) (#4613)
📦 Dependency updates
ci(deps): bump peter-evans/create-pull-request from 3.11.0 to 3.12.0 (#4592)
ci(deps): bump actions/setup-python from 2.3.0 to 2.3.1 (#4574)
ci(deps): bump golang from 1.17.3-alpine to 1.17.5-alpine (#4588)
👻 Maintenance
feat(query): add allow rule for ansible-vault (#4605)
refactor(query): policies for CloudFormation (#4540)
docs(queries): all query csv file downloads now come with the name kics-queries.csv (#4532)
🚨 Breaking Changes
KICS will now point to 1 instead of -1 in the reports when failing to find the line containing the vulnerability (#4583)
v1.4.8
🚀 Added
added 30 new queries (Terraform, Ansible and CloudFormation)
feat(report): added sonarqube report (#4418) (#4539)
feat(report): added expected value to PDF report (#4552)
feat(docs & passwords and secrets): consideration of kics-scan ignore command and LinesIgnore (#4485) (#4419) (#4503)
feat(ci): add pre-commit hook (#4520)
✨ Changed
refactor(core): changed tests to use a constants platforms (#4534)
🔧 Fixed
increased results accuracy
fix(scan): not reporting error when progress bar fails to close (#4551)
fix(parser): fixed YAML parser panic with wrong type for interface (#4536)
fix(password and secrets): fixed MS Teams regex hardcoded team_name (#4537)
💪 For The Bolder
build(deps): bump github.com/open-policy-agent/opa from 0.33.0 to 0.34.2 (#4469) (#4506)
build(deps): bump github.com/moby/buildkit from 0.9.2 to 0.9.3 (#4538)
v1.4.7
Added
added 11 terraform queries
feat(engine): added data source policy to terraform (#4409)
feat(parser): enabled parsers ignore comment by line (#4491) (#4420) (#4480) (#4486) (#4489) (#4497)
feat(passwords and secrets): validation of query ids in custom secrets regexes (#4478)
feat(docs): added MegaLinter in the list of integrations (#4488)
Changed
refactor(passwords and secrets mechanism): changed flags include-query, exclude-query mechanism for query password and secrets (#4444)
refactor(query): updated query Chown Flag Exists description (#3768) (#4466)
build(deps): bump github.com/tidwall/gjson from 1.10.2 to 1.11.0 (#4453)
build(deps): bump github.com/moby/buildkit from 0.9.1 to 0.9.2 (#4458)
build(deps): bump github.com/rs/zerolog from 1.25.0 to 1.26.0 (#4459)
build(deps): bump github.com/zclconf/go-cty from 1.9.1 to 1.10.0 (#4460)
Fixed
increased accuracy
fix(race): fix kics Golang data races (#4448)
fix(detector): fix panic with interpolated brackets in detector (#4415)
fix(source): fixed KICS panic when reading invalid metadata (#4413) (#4465)
fix(report): fixed bug with invalid startLine on sarif report (#4483)
fix(passwords and secrets): excluded TF file function reference in results (#4433)
v1.4.6-1
v1.4.6
Added
added 2 new queries
feat(e2e): added E2E Test for BoM (#4404)
feat(parser): removed resources with count set to 0 in payload (#4395)
feat(kics): add version checking (#4414)
feat(integration): added Terraform Cloud integration (#4427)
Changed
fix(query): correcting severity and category for 'Default Azure Storage Account Network Access Is Too Permissive' (#4401)
build(deps): bump goreleaser/goreleaser-action from 2.7.0 to 2.8.0 (#4400)
build(deps): bump github.com/gookit/color from 1.4.2 to 1.5.0 (#4406)
build(deps): bump github.com/tidwall/gjson from 1.9.4 to 1.10.2 (#4425)
refactor(scan & printer): implementation of a new approach (#4322)
refactor(report): if no files to scan are found kics will no longer create report files (#4322)
Fixed
increased accuracy
fix(ci): fixed wrong path to common.json (#4407)
fix(helm): fixed helm only excluding template files (#4393)
fix(inspector): KICS panicking when using KICS repo with -q flag (#4397) (#4394)
fix(parser): parsers now stringify the original content in a formatted way (#4396)
v1.4.5
Added
9 new queries
feat(engine): support Azure Blueprint (#4386) (#4358) (#4356)
query(bom): add mvp queries storage, queue, in-memory data structure (#4381)
feat(bom): add new flag --bom to enable Bill of Materials in results.json (#4375)
feat(parser): added support for parsing and scanning terraform plans (#4362)
feat(parser): added terraform ternary parser resolution (#4370)
feat(docker): add ubi7 based image for redhat's openshift (#4326)
Changed
feat(query): refactored arm queries to use walk (#4354)
build(deps): bump github.com/tidwall/gjson from 1.9.1 to 1.9.4 (#4374)
build(deps): bump helm.sh/helm/v3 from 3.7.0 to 3.7.1 (#4383)
build(deps): bump containerd to v1.5.7 to solve dependabot warning (#4341)
build(deps): bump github.com/hashicorp/go-getter from 1.5.8 to 1.5.9 (#4337)
build(deps): bump github.com/open-policy-agent/opa from 0.28.0 to 0.33.0 (#4332)
build(deps): bump github.com/moby/buildkit from 0.8.3 to 0.9.1 (#4334)
Fixed
increased accuracy
fix(helm): failed to parse invalid yaml for helm (#4380)
fix(helm): fixed helm payload to only print payload lines when the flag is activated (#4382)
fix(parser): fixed json parser with incorrect kics_line (#4327) (#4328)
fix(engine): handle regexp compilation errors (#4347)
fix(analyzer): fixed k8s overriding analyzer match for arm sample (#4353)
fix(report): fixed missing/cut off descriptions (#4344)
v1.4.4
Added
17 new queries
add support for AWS JSON filter pattern expressions for CIS benchmark rules related to alarms (#4204)
add support for terraform verified modules (62 queries updated) (#4203)
add teamcity integration example (#4259)
add E2E tests to cover new flags (#4313)
Changed
removing progress bar when --log-level=debug (#4246)
passwords and secrets detection now looks into .tfvars (#4291)
Fixed
improved queries accuracy (#4254) (#4317) (#4319) (#4318)
improved passwords and secrets accuracy (#4207) (#4209)
fix respect http_proxy environment variable (#4283)
fix issue with parser returning panic #4223 (#4224)
fix yaml parser not returning invalid yaml error (#4226)
fix terraform parser returning null instead of empty array (#4248)
fix secrets inspector to remove queries (#4309)
v1.4.3
Changelog
New
20 new queries
Rewrite passwords and secrets query to use regex based strategy (#4166)
Add flag --disable-secrets to disable passwords and secrets query (#4166)
Add flag --secrets-regexes-path to override password and secrets query configuration rules (#4166)
--libraries-path supports git repositories and compressed files (#4156)
Add TravisCI example and docs (#4186)
Using docker image for bitbucket pipelines (#4169)
Fixed
Moving custom library not provided warning to debug level (#4182)
Fixed getLibraries to execute once, instead of multiple times for every query (#4155)
Fix cloudwatch_metrics_disabled check correct resource and field (#4184)