Releases: Checkmarx/kics
v1.5.0
🚀 New features and improvements
feat(terraformer): added terraformer integration (#4686)
added 10 AWS SAM queries for CloudFormation
added 31 new queries (AWS SAM, Ansible, CloudFormation, Terraform, Google Deployment Manager)
feat(SAM): added support for AWS Serverless Application Model
feat(report): added ASFF report (#4684)
feat(parser): support of YAML alias (#4659)
feat(secrets inspector): consideration of kics-scan enable/disabled comment commands (#4654)
feat(cli): added chars limit on vulnerable line display (#4668)
feat(cli): added contribution appeal when the user includes external queries (#4669)
feat(bom): added SQS Queue Policy (#4619)
feat(bom): split encryption from accessibility (#4632)
🐛 Bug fixes
fix(yaml): ignore lines by comments (#4662)
fix(core): Fixed bug when trying to read encrypted zip file (#4639)
fix(parser): fixed KICS panic in getLastElementLine (#4651)
fix(detector): fixed KICS panic in getKeyWithCurlyBrackets (#4673)
fix(parser): fixed KICS panic in empty fifo value access (#4658)
fix: deleted extraction folder after KICS scan (#4638)
fix(bom): corrected get_accessibility for aws_bucket (#4664)
fix(query): deleting searchLine in "Resource Not Using Tags" for Terraform (#4618)
fix(query): updated "S3 Bucket Without Enabled MFA Delete" for Terraform (#4635)
fix(query): updated "CloudFront Without Minimum Protocol TLS 1.2" for Ansible, CloudFormation, and Terraform (#4636)
fix(query): refactored "DB Security Group Has Public IP" for Ansible, CloudFormation, and Terraform (#4665)
fix(report): added space between description and results in pdf report (#4637)
📦 Dependency updates
ci(deps): bump golang from 1.17.5-alpine to 1.18beta1-alpine (#4670)
ci(deps): bump golang from 1.17.5-alpine to 1.17.6-alpine (#4674)
ci(deps): bump goreleaser/goreleaser-action from 2.8.0 to 2.8.1 (#4687)
ci(deps): bump docker/login-action from 1.10.0 to 1.12.0 (#4621)
ci(deps): bump docker/build-push-action from 2.7.0 to 2.8.0 (#4702)
build(deps): bump github.com/rs/zerolog from 1.26.0 to 1.26.1 (#4681)
build(deps): bump github.com/tidwall/gjson from 1.11.0 to 1.13.0 (#4696)
build(deps): bump helm.sh/helm/v3 from 3.7.1 to 3.7.2 (#4680)
build(deps): bump github.com/spf13/viper from 1.9.0 to 1.10.1 (#4679)
build(deps): forced 'github.com/containerd/containerd' version to v1.5.9 (#4671)
build(deps): bump github.com/getsentry/sentry-go from 0.11.0 to 0.12.0 (#4677)
build(deps): bump github.com/tdewolff/minify/v2 from 2.9.22 to 2.9.29 (#4678) (#4703)
build(deps): forced github.com/docker/cli version to v20.10.12+incompatible (#4666)
👻 Maintenance
update(docs): add example in docs for config setting exclude paths (#4624)
feat(queries): update terraform registry data on commons.json (#4629)
feat(docs): updated docs of azure pipelines integrations for old KICS versions (#4683)
update(secrets & passwords): add allow rule for mysql password hashes (#4627)
💔 Deprecation
Please note that KICS is deprecating the publication of binaries as GitHub release assets as of 1.5.0.
We intend to stop publishing the binaries with KICS 1.5.2 (scheduled for mid-February).
Update all systems (pipelines, integrations, etc.) to use the KICS Docker images instead.
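The migration the deprecation notice asks for, as an added example that is not part of the release notes or of the KICS code base: a POSIX shell wrapper that runs the 1.5.0 scan from the Docker image rather than a downloaded binary, writes a constructed Terraform sample that uses the kics-scan comment commands referenced in the 1.5.0 secrets-inspector entry (and in the 1.4.8 and 1.4.7 parser entries further down), and turns the scan's exit code into a pipeline verdict. The image name checkmarx/kics, the `scan -p/-o/--report-formats` flags and the exit-code table (0 no results, 20 info, 30 low, 40 medium, 50 high, 126 engine error) are assumptions taken from the KICS documentation of the time, not from this page; the comment placement (command on the line above the line or block it suppresses) follows that documentation as well. The `--bom` flag is the one listed under v1.4.5.

```shell
#!/usr/bin/env sh
# Added example, not KICS project code. Assumptions: image name, scan flags
# and exit codes as documented by KICS around 1.5.0; the sample .tf is constructed.
set -eu

KICS_IMAGE="${KICS_IMAGE:-checkmarx/kics:v1.5.0}"

# Write a small Terraform file exercising the kics-scan comment commands.
# `ignore-line` suppresses results on the next line, `ignore-block` on the
# whole resource below it (placement per the KICS docs, stated as assumption).
write_sample_tf() {
  dir="$1"
  mkdir -p "$dir"
  cat > "$dir/main.tf" <<'EOF'
resource "aws_s3_bucket" "logs" {
  bucket = "example-logs-bucket"
  # kics-scan ignore-line
  acl    = "public-read"
}

# kics-scan ignore-block
resource "aws_db_instance" "legacy" {
  engine   = "mysql"
  password = "constructed-sample-value-not-a-real-secret"
}
EOF
  printf '%s\n' "$dir/main.tf"
}

# Run KICS from the container. The project is bind-mounted at /path so the
# file names in results.json stay relative to the project root; reports land
# in <project>/kics-results on the host. Only the exit code is returned on
# stdout, all scan output goes to stderr.
scan_with_kics() {
  src="$(cd "$1" && pwd)"
  mkdir -p "$src/kics-results"
  set +e
  docker run --rm -v "$src":/path "$KICS_IMAGE" \
    scan -p /path -o /path/kics-results \
    --report-formats json,sarif --bom >&2
  rc=$?
  set -e
  printf '%s\n' "$rc"
}

# Map the exit code to a gate decision. Info/low findings pass but are kept
# visible; medium/high fail; an engine error (126) is never a pass, because
# a scan that did not run must not green-light a pipeline.
kics_verdict() {
  case "$1" in
    0)     echo "pass" ;;
    20|30) echo "pass-with-findings" ;;
    40|50) echo "fail" ;;
    126)   echo "error" ;;
    *)     echo "unknown" ;;
  esac
}

if [ "${1:-}" = "--run" ]; then
  proj="${2:-$(mktemp -d)}"
  write_sample_tf "$proj" >/dev/null
  code="$(scan_with_kics "$proj")"
  echo "kics exit code $code -> $(kics_verdict "$code")"
  [ "$(kics_verdict "$code")" != "fail" ] && [ "$(kics_verdict "$code")" != "error" ]
fi
```

Run it as `sh kics-docker.sh --run ./my-iac` (or with no path to scan the constructed sample in a temp directory). Pinning the image tag rather than `latest` keeps the query set and the line-number semantics (see the v1.4.9 breaking change below) stable across pipeline runs.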
v1.4.9
🚀 New features and improvements
added 20 new queries (Terraform, Ansible, CloudFormation, gRPC, Google Deployment Manager)
feat(gdm): added support for Google Deployment Manager (#4530)
feat(grpc): added support for gRPC (#4532)
feat(report): added CycloneDX SBOM report (#4579)
feat(report): added JUnit report (#4568)
feat(ci): added KICS Scan workflow on PR to master (#4561)
🐛 Bug fixes
fix(query): fixed query Multiple RUN, ADD, COPY, Instructions Listed (#4567) (#4573)
fix(query): "Azure Container Registry With No Locks" for Ansible (#4610)
fix(core): fixed negative lines and terminal checking (#4583)
fix(logs): fixed log error message pollution (#4597)
fix(report): corrected scan end time in pdf report (#4607)
fix(parser): fixed dockerfile parser with wrong payload when using arguments (#4591) (#4613)
📦 Dependency updates
ci(deps): bump peter-evans/create-pull-request from 3.11.0 to 3.12.0 (#4592)
ci(deps): bump actions/setup-python from 2.3.0 to 2.3.1 (#4574)
ci(deps): bump golang from 1.17.3-alpine to 1.17.5-alpine (#4588)
👻 Maintenance
feat(query): add allow rule for ansible-vault (#4605)
refactor(query): policies for CloudFormation (#4540)
docs(queries): all query CSV file downloads now come with the name kics-queries.csv (#4532)
🚨 Breaking Changes
KICS now reports line 1 instead of -1 when it fails to find the line containing the vulnerability (#4583). Tooling that treated -1 as "line unknown" must be updated accordingly.
v1.4.8
🚀 Added
added 30 new queries (Terraform, Ansible and CloudFormation)
feat(report): added sonarqube report (#4418) (#4539)
feat(report): added expected value to PDF report (#4552)
feat(docs & passwords and secrets): consideration of kics-scan ignore command and LinesIgnore (#4485) (#4419) (#4503)
feat(ci): add pre-commit hook (#4520)
✨ Changed
refactor(core): changed tests to use platform constants (#4534)
🔧 Fixed
increased results accuracy
fix(scan): not reporting error when progress bar fails to close (#4551)
fix(parser): fixed YAML parser panic with wrong type for interface (#4536)
fix(password and secrets): fixed MS Teams regex hardcoded team_name (#4537)
💪 For The Bolder
build(deps): bump github.com/open-policy-agent/opa from 0.33.0 to 0.34.2 (#4469) (#4506)
build(deps): bump github.com/moby/buildkit from 0.9.2 to 0.9.3 (#4538)
v1.4.7
Added
added 11 terraform queries
feat(engine): added data source policy to terraform (#4409)
feat(parser): enabled parsers ignore comment by line (#4491) (#4420) (#4480) (#4486) (#4489) (#4497)
feat(passwords and secrets): validation of query ids in custom secrets regexes (#4478)
feat(docs): added MegaLinter in the list of integrations (#4488)
Changed
refactor(passwords and secrets mechanism): changed how the include-query and exclude-query flags apply to the passwords and secrets query (#4444)
refactor(query): updated query Chown Flag Exists description (#3768) (#4466)
build(deps): bump github.com/tidwall/gjson from 1.10.2 to 1.11.0 (#4453)
build(deps): bump github.com/moby/buildkit from 0.9.1 to 0.9.2 (#4458)
build(deps): bump github.com/rs/zerolog from 1.25.0 to 1.26.0 (#4459)
build(deps): bump github.com/zclconf/go-cty from 1.9.1 to 1.10.0 (#4460)
Fixed
increased accuracy
fix(race): fix kics Golang data races (#4448)
fix(detector): fix panic with interpolated brackets in detector (#4415)
fix(source): fixed KICS panic when reading invalid metadata (#4413) (#4465)
fix(report): fixed bug with invalid startLine on sarif report (#4483)
fix(passwords and secrets): excluded TF file function reference in results (#4433)
v1.4.6-1
v1.4.6
Added
added 2 new queries
feat(e2e): added E2E Test for BoM (#4404)
feat(parser): removed resources with count set to 0 in payload (#4395)
feat(kics): add version checking (#4414)
feat(integration): added Terraform Cloud integration (#4427)
Changed
fix(query): correcting severity and category for 'Default Azure Storage Account Network Access Is Too Permissive' (#4401)
build(deps): bump goreleaser/goreleaser-action from 2.7.0 to 2.8.0 (#4400)
build(deps): bump github.com/gookit/color from 1.4.2 to 1.5.0 (#4406)
build(deps): bump github.com/tidwall/gjson from 1.9.4 to 1.10.2 (#4425)
refactor(scan & printer): implementation of a new approach (#4322)
refactor(report): if no files to scan are found kics will no longer create report files (#4322)
Fixed
increased accuracy
fix(ci): fixed wrong path to common.json (#4407)
fix(helm): fixed helm only excluding template files (#4393)
fix(inspector): KICS panicking when using KICS repo with -q flag (#4397) (#4394)
fix(parser): parsers now stringify the original content in a formatted way (#4396)
v1.4.5
Added
9 new queries
feat(engine): support Azure Blueprint (#4386) (#4358) (#4356)
query(bom): add mvp queries storage, queue, in-memory data structure (#4381)
feat(bom): add new flag --bom to enable Bill of Materials in results.json (#4375)
feat(parser): added support to parse and scan terraform plans (#4362)
feat(parser): added terraform ternary parser resolution (#4370)
feat(docker): add ubi7 based image for redhat's openshift (#4326)
Changed
feat(query): refactored arm queries to use walk (#4354)
build(deps): bump github.com/tidwall/gjson from 1.9.1 to 1.9.4 (#4374)
build(deps): bump helm.sh/helm/v3 from 3.7.0 to 3.7.1 (#4383)
build(deps): bump containerd to v1.5.7 to resolve a Dependabot warning (#4341)
build(deps): bump github.com/hashicorp/go-getter from 1.5.8 to 1.5.9 (#4337)
build(deps): bump github.com/open-policy-agent/opa from 0.28.0 to 0.33.0 (#4332)
build(deps): bump github.com/moby/buildkit from 0.8.3 to 0.9.1 (#4334)
Fixed
increased accuracy
fix(helm): fixed failure to parse invalid YAML in Helm charts (#4380)
fix(helm): Helm payload lines are now printed only when the flag is activated (#4382)
fix(parser): fixed json parser with incorrect kics_line (#4327) (#4328)
fix(engine): handle regexp compilation errors (#4347)
fix(analyzer): fixed k8s overriding analyzer match for arm sample (#4353)
fix(report): fixed missing/cut off descriptions (#4344)
v1.4.4
Added
17 new queries
add support to AWS JSON filter pattern expressions for CIS benchmark rules related with alarms (#4204)
add support to terraform verified modules (62 queries updated) (#4203)
add teamcity integration example (#4259)
add E2E tests to cover new flags (#4313)
Changed
removing progress bar when --log-level=debug (#4246)
passwords and secrets detection now looks into .tfvars (#4291)
Fixed
improved queries accuracy (#4254) (#4317) (#4319) (#4318)
improved passwords and secrets accuracy (#4207) (#4209)
fix respect http_proxy environment variable (#4283)
fix issue with parser returning panic #4223 (#4224)
fix yaml parser not returning invalid yaml error (#4226)
fix terraform parser returning null instead of empty array (#4248)
fix secrets inspector to remove queries (#4309)
v1.4.3
Changelog
New
20 new queries
Rewrite passwords and secrets query to use regex based strategy (#4166)
Add flag --disable-secrets to disable passwords and secrets query (#4166)
Add flag --secrets-regexes-path to override password and secrets query configuration rules (#4166)
--libraries-path supports git repositories and compressed files (#4156)
Add TravisCI example and docs (#4186)
Using docker image for bitbucket pipelines (#4169)
Fixed
Moving custom library not provided warning to debug level (#4182)
Fixed getLibraries to execute once, instead of multiple times for every query (#4155)
Fix cloudwatch_metrics_disabled check correct resource and field (#4184)
v1.4.2
Changelog
New
11 new queries
Add line information to the payload increasing detect line precision (#3977)
Add flag --exclude-severities to filter by severities (#4114)
Integrated --queries-path flag with go-getter, enabling queries to be fetched from archived files and git repos (#4119)
Rego libraries are now embedded in the binary; --libraries-path can be provided to override them (#4115)
Refactored flags definition and added flags validation (#4091)
Fixed
Broken PDF report style #4129 (#4135)
Bug in finding libraries path in Windows (#4082)
Treated unhandled errors in printer.go, detector/helper.go (#4102)
KICS integrations docs and examples (#4087)
Improved several queries (accuracy, samples and metadata)
Fixed documentation typos