BST-17760 - Update Checkov to 3.2.495

[fproulx-boostsecurity]

Summary

• Updates Checkov from 3.2.108 to 3.2.495
• Adds 82 new rules with editorial review
• Removes 3 deprecated rules (CKV2_AWS_67, CKV2_IBM_6, CKV_GITLAB_2)

Test Plan

• Tested with /test-scanner-module checkov against terragoat
• Compared finding counts: baseline=470, updated=472

See detailed new rules list in the files changed.

🤖 Generated with Claude Code

[Franck-Boost]

Listed checkov rules for version 3.2.495 and compared with the rules id rules.yaml.

docker run bridgecrew/checkov:3.2.495 --list

The following are present in checkov but missing in rules.yaml

  "CKV_AZUREPIPELINES_5",
  "CKV_CIRCLECIPIPELINES_8",
  "CKV_GITHUB_11",
  "CKV_GITHUB_12",
  "CKV_GITHUB_13",
  "CKV_GITHUB_14",
  "CKV_GITHUB_15",
  "CKV_GITHUB_16",
  "CKV_GITHUB_17",
  "CKV_GITHUB_18",
  "CKV_GITHUB_19",
  "CKV_GITHUB_20",
  "CKV_GITHUB_21",
  "CKV_GITHUB_22",
  "CKV_GITHUB_23",
  "CKV_GITHUB_26",
  "CKV_GITHUB_27",
  "CKV_GITHUB_28"

The following are present in rules.yaml but missing in checkov 3.2.495 rules

  "CKV2_AZURE_18",
  "CKV_AWS_128",
  "CKV_AWS_188",
  "CKV_AWS_299",
  "CKV_AZURE_60",
  "CKV_GCP_19",
  "CKV_GCP_67",
  "CKV_SECRET_10"

[fproulx-boostsecurity]

Thanks @Franck-Boost for catching this! Your review identified a fundamental flaw in our update process.

Root Cause

The update-checkov command only compared old Checkov version → new Checkov version to find delta rules. It never validated that rules.yaml actually contained all rules from either version. This means:

1. Rules that existed in Checkov before the update but were missing from rules.yaml were never detected
2. Rules removed from Checkov in earlier versions but still in rules.yaml were never flagged

Fix Applied

I've pushed a commit that:

• Adds 18 missing rules (CKV_GITHUB_11-28, CKV_AZUREPIPELINES_5, CKV_CIRCLECIPIPELINES_8)
• Removes 8 deprecated rules (CKV_AWS_128, CKV_AWS_188, CKV_AWS_299, CKV2_AZURE_18, CKV_AZURE_60, CKV_GCP_19, CKV_GCP_67, CKV_SECRET_10)

Prevention

I've also updated scripts/checkov_rules_generator.py with a new --rules-yaml flag that validates rules.yaml against the target Checkov version. This will catch these sync issues in future updates.

The updated command usage is:

python3 scripts/checkov_rules_generator.py old.json new.json \
  --version 3.2.495 \
  --rules-yaml registries/dev/scanners/boostsecurityio/checkov/rules.yaml

[Franck-Boost]

Missing update for https://github.com/boostsecurityio/dev-registry/tree/update-checkov-3.2.495/scanners/boostsecurityio/checkov-tf-plan

[Franck-Boost]

Checkov latest is now https://github.com/bridgecrewio/checkov/releases/tag/3.2.497 do we want to update the version in this PR or handle it separately ?

[fproulx-boostsecurity]

Good catch @Franck-Boost!

I've pushed a commit that updates the checkov-tf-plan module:

• Updated Docker image from 3.2.108 to 3.2.495 (matching the main checkov module)
• Synced rules.yaml with the updated checkov rules
• Preserved the BOOST_INVALID_TF_TAGS custom rule at the top

Regarding 3.2.497 - let's handle that in a separate PR to keep this one focused.

[Franck-Boost]

LGTM