The latest release of Checkov includes an important policy update. When you use an API key, the new default behavior is to run only the policies that exist in Bridgecrew/Code. This makes the experience more consistent and integrated from Checkov to the platform. Previously, Checkov had more policies than the platform, which led to confusion about missing policies. You can still show all policies in Checkov scans using
This new capability allows users of GitHub Enterprise to fork repos that have Bridgecrew and automatically get insights (PR comments, Projects page information, etc.). Additionally, this feature allows users to:
We’ve added a new page to Bridgecrew called Supply Chain Security to visualize the components of your supply chain and quickly see the posture of your application and infrastructure code.
Now when you run Checkov with an API key, it will display severities. In addition, you can use severities as a filter in the --skip-check options, as well as in the
Boost your tagging strategy using Bridgecrew's IaC auto-tagging and centralized management
You can now clone both out-of-the-box (OOTB) and custom policies from the Policies screen. Open the policy's menu and select Clone. Cloned policies are renamed with the copy number appended (e.g., "test policy (1)").
Suppression rules originating from CI/CD now behave the same as standard platform suppressions:
Kustomize makes templatizing and reusing Kubernetes manifests easier without having to recreate entire manifests. To ensure your Kustomize configuration and the resulting environments are secure from the start, Bridgecrew and Checkov now support Kustomize scanning.
Checkov has been added to Fig, a visual autocomplete utility for iTerm, Hyper, VSCode, and macOS Terminal. For Fig users, this addition makes it even easier and faster to use Checkov in the command line with completions as you type.
Smart Fixes will now show up as suggestions in PR comments and can be viewed on the Projects page for PR branches.