Kubernetes graph edges 🕸️

Checkov and Bridgecrew now support Kubernetes graph policies! Kubernetes graph policies make connections between two or more resources. This allows you to identify issues that are not misconfigurations in any single resource but only become one when the resources are combined.

Nested modules and multi-hop variable rendering 🔍

We’ve added a few more advanced Terraform capabilities to Checkov and the Bridgecrew platform: nested modules are now resolved, and variables are rendered across multiple hops.

Dependency trees in Checkov 🌲

Checkov software composition analysis (SCA) scans now build out a full dependency tree for supported package manager files. Before, only the root package was analyzed in the CLI, whereas full dependency trees were built only in the platform. This lets users find vulnerabilities in indirect (transitive) dependencies locally and in CI/CD integrations.

CircleCI scanning 📏

Bridgecrew now scans CircleCI for misconfigurations from both Checkov and the platform. If public images are found in the configuration file, Bridgecrew will pull that image and scan it for vulnerabilities. Findings include images that do not use proper tags and the use of unstable Orbs.

Terraform dynamic block support 👥

Bridgecrew now supports dynamic blocks in Terraform. Dynamic blocks are a useful way to create multiple configurations for the same resource by writing the structure of the configuration once and then using a list or object to fill in the values. For example, instead of writing out multiple ingress rules with the same CIDR block and different ports, you can define the CIDR block once and supply a list of ports.
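The ingress example described above, written both ways, as an added illustration that is not code from the release notes or from Checkov; the variable names, resource names and port values are assumptions. The dynamic form hides each resulting rule until the block is expanded, which is why a scanner needs dynamic block support to evaluate every generated rule.

```hcl
# Added example, not from the release notes; names, ports and CIDR are assumed.
variable "allowed_ports" {
  type    = list(number)
  default = [22, 443, 8443]
}

variable "office_cidr" {
  type    = string
  default = "203.0.113.0/24" # documentation range, placeholder value
}

# Static form: every port needs its own hand-written ingress block.
resource "aws_security_group" "static" {
  name = "static-example"

  ingress {
    from_port   = 22
    to_port     = 22
    protocol    = "tcp"
    cidr_blocks = [var.office_cidr]
  }

  ingress {
    from_port   = 443
    to_port     = 443
    protocol    = "tcp"
    cidr_blocks = [var.office_cidr]
  }
}

# Dynamic form: the ingress structure is written once and expanded into one
# block per element of var.allowed_ports; a scanner has to perform the same
# expansion to evaluate each resulting rule (its CIDR and port range).
resource "aws_security_group" "dynamic" {
  name = "dynamic-example"

  dynamic "ingress" {
    for_each = var.allowed_ports
    content {
      from_port   = ingress.value
      to_port     = ingress.value
      protocol    = "tcp"
      cidr_blocks = [var.office_cidr]
    }
  }
}
```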

Build Integrity - Repository Level Findings 📝

Repository misconfigurations, such as requiring only one reviewer, can lead to supply chain attacks. With Bridgecrew, users can now detect those misconfigurations from the platform for GitHub and GitLab. The platform automatically surfaces these findings when a user adds a GitHub or GitLab VCS integration.

Unmanaged resource detection 🔍

Bridgecrew now identifies unmanaged Terraform and CloudFormation resources and provides fix suggestions in code for them. Unmanaged resources are runtime resources that have no equivalent build-time resource traced to them, which introduces cloud infrastructure drift.

Private modules platform support 🔒

Bridgecrew now automatically gathers templates and module blocks from onboarded GitHub repositories to scan them for compliance violations. Before, the platform only supported modules that were either public or local to a repository.

Terraform VCS Providers policies 🍴

Bridgecrew and Checkov can now identify misconfigurations in your version control system (VCS) provider using Terraform. Many of Checkov’s policies for VCS providers can now be applied to Terraform code that uses either GitHub or GitLab.

Info severity support ℹ️

Bridgecrew is bringing back “Info” severity support for both custom and out-of-the-box policies. This level of severity was briefly deprecated and is now back in the platform.