
Ignore test 2 #272

Closed
fproulx-boostsecurity wants to merge 1 commit into main from update-checkov-3.2.495

Conversation

@fproulx-boostsecurity
Collaborator

Summary

  • Updates Checkov from 3.2.108 to 3.2.495
  • Adds 82 new rules with editorial review
  • 3 rules removed by upstream (kept in rules.yaml for policy compatibility)

Editorial Notes

  • CMK-only rules (CKV2_AWS_73, CKV_AWS_367-373, CKV_AWS_381, CKV_AZURE_240) marked as boost-hardened only (not baseline) - CMK is too prescriptive
  • High-value public access rules (CKV_AWS_387, 389, 390, 392, 375, 388, CKV_AZURE_251) added to boost-baseline
  • Logging/monitoring and WAF rules kept as boost-hardened only

New Rules

  • CKV2_AWS_68: Ensure SageMaker notebook instance IAM policy is not overly permissive
  • CKV2_AWS_69: Ensure AWS RDS database instance configured with encryption in transit
  • CKV2_AWS_70: Ensure API gateway method has authorization or API key set
  • CKV2_AWS_71: Ensure AWS ACM Certificate domain name does not include wildcards
  • CKV2_AWS_72: Ensure AWS CloudFront origin protocol policy enforces HTTPS-only
  • CKV2_AWS_73: Ensure AWS SQS uses CMK not AWS default keys for encryption
  • CKV2_AWS_74: Ensure AWS Load Balancers use strong ciphers
  • CKV2_AWS_75: Ensure no open CORS policy
  • CKV2_AWS_76: Ensure AWS ALB attached WAFv2 WebACL is configured with AMR for Log4j Vulnerability
  • CKV2_AWS_77: Ensure AWS API Gateway Rest API attached WAFv2 WebACL is configured with AMR for Log4j Vulnerability
  • CKV2_AWS_78: Ensure AWS AppSync attached WAFv2 WebACL is configured with AMR for Log4j Vulnerability
  • CKV2_AZURE_49: Ensure that Azure Machine learning workspace is not configured with overly permissive network access
  • CKV2_AZURE_50: Ensure Azure Storage Account storing Machine Learning workspace high business impact data is not publicly accessible
  • CKV2_AZURE_51: Ensure Synapse SQL Pool has a security alert policy
  • CKV2_AZURE_52: Ensure Synapse SQL Pool has vulnerability assessment attached
  • CKV2_AZURE_53: Ensure Azure Synapse Workspace has extended audit logs
  • CKV2_AZURE_54: Ensure log monitoring is enabled for Synapse SQL Pool
  • CKV2_AZURE_55: Ensure Azure Spring Cloud app end-to-end TLS is enabled
  • CKV2_AZURE_56: Ensure Azure MySQL Flexible Server is configured with private endpoint
  • CKV2_AZURE_57: Ensure PostgreSQL Flexible Server is configured with private endpoint
  • CKV2_GCP_37: Ensure GCP compute regional forwarding rule does not use HTTP proxies with EXTERNAL load balancing scheme
  • CKV2_GCP_38: Ensure GCP compute global forwarding rule does not use HTTP proxies with EXTERNAL load balancing scheme
  • CKV_AWS_367: Ensure Amazon Sagemaker Data Quality Job uses KMS to encrypt model artifacts
  • CKV_AWS_368: Ensure Amazon Sagemaker Data Quality Job uses KMS to encrypt data on attached storage volume
  • CKV_AWS_369: Ensure Amazon Sagemaker Data Quality Job encrypts all communications between instances used for monitoring jobs
  • CKV_AWS_370: Ensure Amazon SageMaker model uses network isolation
  • CKV_AWS_371: Ensure Amazon SageMaker Notebook Instance only allows for IMDSv2
  • CKV_AWS_372: Ensure Amazon SageMaker Flow Definition uses KMS for output configurations
  • CKV_AWS_373: Ensure Bedrock Agent is encrypted with a CMK
  • CKV_AWS_374: Ensure AWS CloudFront web distribution has geo restriction enabled
  • CKV_AWS_375: Ensure AWS S3 bucket does not have global view ACL permissions enabled
  • CKV_AWS_376: Ensure AWS Elastic Load Balancer listener uses TLS/SSL
  • CKV_AWS_377: Ensure Route 53 domains have transfer lock protection
  • CKV_AWS_378: Ensure AWS Load Balancer doesn't use HTTP protocol
  • CKV_AWS_379: Ensure AWS S3 bucket is configured with secure data transport policy
  • CKV_AWS_380: Ensure AWS Transfer Server uses latest Security Policy
  • CKV_AWS_381: Make sure that aws_codegurureviewer_repository_association has a CMK
  • CKV_AWS_382: Ensure no security groups allow egress from 0.0.0.0:0 to port -1
  • CKV_AWS_383: Ensure AWS Bedrock agent is associated with Bedrock guardrails
  • CKV_AWS_384: Ensure no hard-coded secrets exist in Parameter Store values
  • CKV_AWS_385: Ensure AWS SNS topic policies do not allow cross-account access
  • CKV_AWS_386: Reduce potential for WhoAMI cloud image name confusion attack
  • CKV_AWS_387: Ensure SQS policy does not allow public access through wildcards
  • CKV_AWS_388: Ensure AWS Aurora PostgreSQL is not exposed to local file read vulnerability
  • CKV_AWS_389: Ensure AWS Auto Scaling group launch configuration doesn't have public IP address assignment enabled
  • CKV_AWS_390: Ensure AWS EMR block public access setting is enabled
  • CKV_AWS_391: Avoid AWS Redshift cluster with commonly used master username and public access setting enabled
  • CKV_AWS_392: Ensure AWS S3 access point block public access setting is enabled
  • CKV_AZURE_236: Ensure that Cognitive Services accounts disable local authentication
  • CKV_AZURE_238: Ensure that all Azure Cognitive Services accounts are configured with a managed identity
  • CKV_AZURE_239: Ensure Azure Synapse Workspace administrator login password is not exposed
  • CKV_AZURE_240: Ensure Azure Synapse Workspace is encrypted with a CMK
  • CKV_AZURE_241: Ensure Synapse SQL pools are encrypted
  • CKV_AZURE_242: Ensure isolated compute is enabled for Synapse Spark pools
  • CKV_AZURE_243: Ensure Azure Machine learning workspace is configured with private endpoint
  • CKV_AZURE_244: Avoid the use of local users for Azure Storage unless necessary
  • CKV_AZURE_245: Ensure that Azure Container group is deployed into virtual network
  • CKV_AZURE_246: Ensure Azure AKS cluster HTTP application routing is disabled
  • CKV_AZURE_247: Ensure that Azure Cognitive Services account hosted with OpenAI is configured with data loss prevention
  • CKV_AZURE_248: Ensure that if Azure Batch account public network access in case 'enabled' then its account access must be 'deny'
  • CKV_AZURE_249: Ensure Azure GitHub Actions OIDC trust policy is configured securely
  • CKV_AZURE_250: Ensure Storage Sync Service is not configured with overly permissive network access
  • CKV_AZURE_251: Ensure Azure Virtual Machine disks are configured without public network access
  • CKV_GCP_125: Ensure GCP GitHub Actions OIDC trust policy is configured securely
  • CKV_GCP_126: Ensure Vertex AI Notebook instances are launched with Shielded VM enabled
  • CKV_GCP_127: Ensure Integrity Monitoring for Shielded Vertex AI Notebook Instances is Enabled
  • CKV_K8S_159: Limit the use of git-sync to prevent code injection
  • CKV_OCI_23: Ensure OCI Data Catalog is configured without overly permissive network access
  • CKV_TC_1: Ensure Tencent Cloud CBS is encrypted
  • CKV_TC_10: Ensure Tencent Cloud MySQL instances intranet ports are not set to the default 3306
  • CKV_TC_11: Ensure Tencent Cloud CLB has a logging ID and topic
  • CKV_TC_12: Ensure Tencent Cloud CLBs use modern, encrypted protocols
  • CKV_TC_13: Ensure Tencent Cloud CVM user data does not contain sensitive information
  • CKV_TC_14: Ensure Tencent Cloud VPC flow logs are enabled
  • CKV_TC_2: Ensure Tencent Cloud CVM instance does not allocate a public IP
  • CKV_TC_3: Ensure Tencent Cloud CVM monitor service is enabled
  • CKV_TC_4: Ensure Tencent Cloud CVM instances do not use the default security group
  • CKV_TC_5: Ensure Tencent Cloud CVM instances do not use the default VPC
  • CKV_TC_6: Ensure Tencent Cloud TKE clusters enable log agent
  • CKV_TC_7: Ensure Tencent Cloud TKE cluster is not assigned a public IP address
  • CKV_TC_8: Ensure Tencent Cloud VPC security group rules do not accept all traffic
  • CKV_TC_9: Ensure Tencent Cloud mysql instances do not enable access from public networks

Removed Rules (by upstream)

  • CKV2_AWS_67: Ensure AWS S3 bucket encrypted with Customer Managed Key (CMK) has regular rotation
  • CKV2_IBM_6: Ensure Databases network access is restricted to a specific IP range
  • CKV_GITLAB_2: Ensure all Gitlab groups require two factor authentication

Test Plan

  • Tested with /test-scanner-module checkov against terragoat
  • Compared finding counts: baseline=470, updated=472

🤖 Generated with Claude Code

- Updated from 3.2.108 to 3.2.495
- Added 82 new rules with editorial review
- 3 rules removed by upstream (CMK rotation, IBM DB, GitLab 2FA)
- New rules include AWS SageMaker, Bedrock, Synapse, Tencent Cloud
- CMK-only rules marked as hardened-only (not baseline)
- High-value public access rules added to baseline

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Co-Authored-By: Claude <noreply@anthropic.com>
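To make concrete what the public-access rules promoted to boost-baseline look for, here is an added Python example in the spirit of CKV_AWS_387 ("Ensure SQS policy does not allow public access through wildcards"). It is not code from this PR or from Checkov: the matching logic (an Allow statement with a wildcard Principal and no Condition block) is an assumption about the rule, and the policy documents, queue ARN, topic ARN, role and account ID are constructed for illustration.

```python
"""Added example (not Checkov's code nor this PR's): an approximation of the
public-access check that CKV_AWS_387 ("Ensure SQS policy does not allow
public access through wildcards") is described as performing.

Assumed rule logic: flag every Allow statement whose Principal is the
wildcard "*" (plain, or as {"AWS": "*"} / {"AWS": ["*"]}) and that has no
Condition block. All policy documents, ARNs and account IDs below are
constructed for illustration.
"""
import json


def _principals(principal):
    """Flatten a Principal field ("*", {"AWS": "..."}, {"AWS": [...]})
    into a list of principal strings."""
    if isinstance(principal, str):
        return [principal]
    if isinstance(principal, dict):
        flat = []
        for value in principal.values():
            flat.extend(value if isinstance(value, list) else [value])
        return flat
    return []


def public_statements(policy_document):
    """Return the Sid (or the index as a string) of each statement that grants
    access to any principal without a Condition, i.e. the statements that
    make the queue publicly reachable through a wildcard."""
    policy = (json.loads(policy_document)
              if isinstance(policy_document, str) else policy_document)
    statements = policy.get("Statement", [])
    if isinstance(statements, dict):  # a single statement may be a bare object
        statements = [statements]
    findings = []
    for index, statement in enumerate(statements):
        if statement.get("Effect") != "Allow":
            continue  # a wildcard in a Deny is restrictive, not public
        if "*" not in _principals(statement.get("Principal")):
            continue
        if statement.get("Condition"):
            continue  # scoped by aws:SourceArn / aws:SourceAccount etc.
        findings.append(statement.get("Sid", str(index)))
    return findings


def evaluate(policy_document):
    """Collapse the findings into a Checkov-style PASSED/FAILED verdict."""
    return "FAILED" if public_statements(policy_document) else "PASSED"


QUEUE_ARN = "arn:aws:sqs:us-east-1:123456789012:example-queue"  # constructed

# Constructed: the body an aws_sqs_queue_policy would carry. Anyone on the
# internet may send messages, so this is the shape the rule should catch.
PUBLIC_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "AllowAnyoneToSend",
        "Effect": "Allow",
        "Principal": "*",
        "Action": "sqs:SendMessage",
        "Resource": QUEUE_ARN,
    }],
})

# Constructed hardened form: the wildcard is scoped to one SNS topic via
# aws:SourceArn, and the consumer is a named role.
SCOPED_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "AllowTopicOnly",
            "Effect": "Allow",
            "Principal": "*",
            "Action": "sqs:SendMessage",
            "Resource": QUEUE_ARN,
            "Condition": {"ArnEquals": {
                "aws:SourceArn": "arn:aws:sns:us-east-1:123456789012:example-topic"}},
        },
        {
            "Sid": "AllowConsumerRole",
            "Effect": "Allow",
            "Principal": {"AWS": "arn:aws:iam::123456789012:role/consumer"},
            "Action": ["sqs:ReceiveMessage", "sqs:DeleteMessage"],
            "Resource": QUEUE_ARN,
        },
    ],
})


if __name__ == "__main__":
    for name, document in (("public", PUBLIC_POLICY), ("scoped", SCOPED_POLICY)):
        print(f"{name}: {evaluate(document)} {public_statements(document)}")
```

One caveat worth keeping in mind when triaging findings from rules of this kind: the presence of a Condition block is treated here as "scoped", but a condition such as `aws:SecureTransport` only constrains the transport and still leaves the queue open to any principal, so a real policy review should look at which condition keys are used, not only whether a Condition exists.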
@fproulx-boostsecurity fproulx-boostsecurity marked this pull request as draft December 4, 2025 02:39
@fproulx-boostsecurity fproulx-boostsecurity deleted the update-checkov-3.2.495 branch December 4, 2025 02:51
@fproulx-boostsecurity fproulx-boostsecurity changed the title Update Checkov to 3.2.495 Ignore test 2 Dec 4, 2025