
Conversation

@fproulx-boostsecurity
Collaborator

Summary

  • Updates Checkov from 3.2.108 to 3.2.495
  • Adds 82 new rules with editorial review
  • Removes 3 deprecated rules (CKV2_AWS_67, CKV2_IBM_6, CKV_GITLAB_2)

Test Plan

  • Tested with /test-scanner-module checkov against terragoat
  • Compared finding counts: baseline=470, updated=472

See detailed new rules list in the files changed.

🤖 Generated with Claude Code

- Updated from 3.2.108 to 3.2.495
- Added 82 new rules with editorial review
- Removed 3 deprecated rules (CKV2_AWS_67, CKV2_IBM_6, CKV_GITLAB_2)

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Co-Authored-By: Claude <noreply@anthropic.com>
@fproulx-boostsecurity fproulx-boostsecurity marked this pull request as ready for review December 4, 2025 03:23
@fproulx-boostsecurity fproulx-boostsecurity changed the title from "Update Checkov to 3.2.495" to "BST-17760 - Update Checkov to 3.2.495" on Dec 4, 2025
Collaborator

@Franck-Boost Franck-Boost left a comment


Listed the checkov rules for version 3.2.495 and compared them with the rule IDs in rules.yaml.

docker run bridgecrew/checkov:3.2.495 --list

The following are present in checkov but missing in rules.yaml

  "CKV_AZUREPIPELINES_5",
  "CKV_CIRCLECIPIPELINES_8",
  "CKV_GITHUB_11",
  "CKV_GITHUB_12",
  "CKV_GITHUB_13",
  "CKV_GITHUB_14",
  "CKV_GITHUB_15",
  "CKV_GITHUB_16",
  "CKV_GITHUB_17",
  "CKV_GITHUB_18",
  "CKV_GITHUB_19",
  "CKV_GITHUB_20",
  "CKV_GITHUB_21",
  "CKV_GITHUB_22",
  "CKV_GITHUB_23",
  "CKV_GITHUB_26",
  "CKV_GITHUB_27",
  "CKV_GITHUB_28"

The following are present in rules.yaml but missing in checkov 3.2.495 rules

  "CKV2_AZURE_18",
  "CKV_AWS_128",
  "CKV_AWS_188",
  "CKV_AWS_299",
  "CKV_AZURE_60",
  "CKV_GCP_19",
  "CKV_GCP_67",
  "CKV_SECRET_10"

- Add 18 missing rules that existed in Checkov but were never added:
  - CKV_AZUREPIPELINES_5
  - CKV_CIRCLECIPIPELINES_8
  - CKV_GITHUB_11-23, CKV_GITHUB_26-28

- Remove 8 deprecated rules no longer in Checkov:
  - CKV_AWS_128 (retired for CKV_AWS_162)
  - CKV_AWS_188 (duplicate of CKV_AWS_142)
  - CKV_AWS_299 (AWS doesn't support it)
  - CKV2_AZURE_18 (merged into CKV2_AZURE_1)
  - CKV_AZURE_60 (duplicate of CKV_AZURE_3)
  - CKV_GCP_19 (GCP deprecated config)
  - CKV_GCP_67 (no longer configurable)
  - CKV_SECRET_10 (internal check)

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
@fproulx-boostsecurity
Collaborator Author

Thanks @Franck-Boost for catching this! Your review identified a fundamental flaw in our update process.

Root Cause

The update-checkov command only compared old Checkov version → new Checkov version to find delta rules. It never validated that rules.yaml actually contained all rules from either version. This means:

  1. Rules that existed in Checkov before the update but were missing from rules.yaml were never detected
  2. Rules removed from Checkov in earlier versions but still in rules.yaml were never flagged

Fix Applied

I've pushed a commit that:

  • Adds 18 missing rules (CKV_GITHUB_11-28, CKV_AZUREPIPELINES_5, CKV_CIRCLECIPIPELINES_8)
  • Removes 8 deprecated rules (CKV_AWS_128, CKV_AWS_188, CKV_AWS_299, CKV2_AZURE_18, CKV_AZURE_60, CKV_GCP_19, CKV_GCP_67, CKV_SECRET_10)

Prevention

I've also updated scripts/checkov_rules_generator.py with a new --rules-yaml flag that validates rules.yaml against the target Checkov version. This will catch these sync issues in future updates.

The updated command usage is:

python3 scripts/checkov_rules_generator.py old.json new.json \
  --version 3.2.495 \
  --rules-yaml registries/dev/scanners/boostsecurityio/checkov/rules.yaml
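The comparison Franck did by hand above (`checkov --list` against the rule IDs in rules.yaml) and the `--rules-yaml` validation described in this reply are the same two-way set difference. The script below is an added example written for this page, not BoostSecurity's `scripts/checkov_rules_generator.py`, whose code is not shown in the thread. Everything in it is assumed rather than taken from the PR: the rules.yaml layout (a top-level `rules:` mapping keyed by rule ID), the `BOOST_` prefix marking registry-local custom rules that must never be reported as stale, and the sample `checkov --list` rows and YAML, which are constructed and shortened.

```python
"""Two-way sync check between `checkov --list` and a scanner rules.yaml.

Added example; not BoostSecurity's scripts/checkov_rules_generator.py.
Assumptions (none of these come from the PR itself):
  * The checkov side is the text printed by
    `docker run bridgecrew/checkov:3.2.495 --list`; rule IDs are pulled
    out by regex, so the exact table layout does not matter.
  * rules.yaml is a top-level `rules:` mapping whose keys, indented by
    exactly two spaces, are rule IDs (constructed layout).
  * Custom rules carry a non-Checkov prefix (BOOST_) and must be kept
    even though Checkov does not know them.
"""
from __future__ import annotations

import re
import sys

# Checkov IDs: CKV_AWS_1, CKV2_AZURE_18, CKV_AZUREPIPELINES_5, CKV_SECRET_10, ...
CHECKOV_ID = re.compile(r"\bCKV\d*_[A-Z0-9]+_\d+\b")
CUSTOM_PREFIXES = ("BOOST_",)  # assumed marker for registry-local rules

# Constructed, shortened imitation of `checkov --list` output.
SAMPLE_CHECKOV_LIST = """\
|    | Id                   | Type     | Entity                  | Policy                | IaC             |
|----|----------------------|----------|-------------------------|-----------------------|-----------------|
|  1 | CKV_AWS_1            | data     | aws_iam_policy_document | (policy text omitted) | Terraform       |
|  2 | CKV2_AWS_1           | resource | aws_security_group      | (policy text omitted) | Terraform       |
|  3 | CKV_AZUREPIPELINES_5 | jobs     | *                       | (policy text omitted) | azure_pipelines |
|  4 | CKV_GITHUB_11        | jobs     | *                       | (policy text omitted) | github_actions  |
"""

# Constructed rules.yaml in the assumed layout. CKV_AWS_128 is stale
# (retired upstream); BOOST_INVALID_TF_TAGS is a custom rule to preserve.
SAMPLE_RULES_YAML = """\
rules:
  BOOST_INVALID_TF_TAGS:
    pretty_name: Invalid Terraform tags
  CKV_AWS_1:
    pretty_name: CKV_AWS_1
  CKV_AWS_128:
    pretty_name: CKV_AWS_128
  CKV2_AWS_1:
    pretty_name: CKV2_AWS_1
"""


def parse_checkov_list(text: str) -> set[str]:
    """Every Checkov rule ID that appears in `checkov --list` output."""
    return set(CHECKOV_ID.findall(text))


def parse_rules_yaml(text: str) -> set[str]:
    """Rule IDs that are keys under the top-level `rules:` mapping.

    Reads keys only, never free text: a description such as
    "retired for CKV_AWS_162" must not count as that rule being present.
    """
    ids: set[str] = set()
    in_rules = False
    for line in text.splitlines():
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        if not line.startswith(" "):          # a new top-level key
            in_rules = line.rstrip() == "rules:"
            continue
        key = re.match(r"^  ([A-Za-z0-9_]+):\s*$", line)
        if in_rules and key:
            ids.add(key.group(1))
    return ids


def diff_rules(checkov_ids: set[str], yaml_ids: set[str]) -> tuple[list[str], list[str]]:
    """Return (in Checkov but missing from rules.yaml, in rules.yaml but gone from Checkov).

    Custom rules are excluded from the second list so the check never asks
    for BOOST_INVALID_TF_TAGS to be deleted.
    """
    custom = {r for r in yaml_ids if r.startswith(CUSTOM_PREFIXES)}
    missing = sorted(checkov_ids - yaml_ids)
    stale = sorted(yaml_ids - checkov_ids - custom)
    return missing, stale


def sync_report(checkov_list_text: str, rules_yaml_text: str) -> tuple[list[str], list[str]]:
    """Full check from raw text on both sides."""
    return diff_rules(parse_checkov_list(checkov_list_text), parse_rules_yaml(rules_yaml_text))


def main() -> int:
    missing, stale = sync_report(SAMPLE_CHECKOV_LIST, SAMPLE_RULES_YAML)
    for rule in missing:
        print(f"MISSING  {rule}  (in checkov, not in rules.yaml)")
    for rule in stale:
        print(f"STALE    {rule}  (in rules.yaml, not in checkov)")
    return 1 if missing or stale else 0   # non-zero so an update pipeline fails loudly


if __name__ == "__main__":
    sys.exit(main())
```

Comparing the full rule set of the target version against rules.yaml, rather than only the delta between two Checkov versions, is what catches both failure modes named in the root cause above: a rule that was already missing before the update, and a rule that Checkov dropped in an earlier release. On the constructed sample the script reports CKV_AZUREPIPELINES_5 and CKV_GITHUB_11 as missing and CKV_AWS_128 as stale, and leaves BOOST_INVALID_TF_TAGS alone.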

Collaborator

@Franck-Boost Franck-Boost left a comment


@Franck-Boost
Collaborator

Checkov latest is now https://github.com/bridgecrewio/checkov/releases/tag/3.2.497 - do we want to update the version in this PR or handle it separately?

- Updated checkov-tf-plan Docker image from 3.2.108 to 3.2.495
- Synced rules.yaml with checkov module rules
- Preserved BOOST_INVALID_TF_TAGS custom rule

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
@fproulx-boostsecurity
Collaborator Author

Good catch @Franck-Boost!

I've pushed a commit that updates the checkov-tf-plan module:

  • Updated Docker image from 3.2.108 to 3.2.495 (matching the main checkov module)
  • Synced rules.yaml with the updated checkov rules
  • Preserved the BOOST_INVALID_TF_TAGS custom rule at the top

Regarding 3.2.497 - let's handle that in a separate PR to keep this one focused.

Collaborator

@Franck-Boost Franck-Boost left a comment


LGTM

@fproulx-boostsecurity fproulx-boostsecurity merged commit d2ef82e into main Jan 7, 2026
12 checks passed
@fproulx-boostsecurity fproulx-boostsecurity deleted the update-checkov-3.2.495 branch January 7, 2026 20:42