From de17486618fc0495f1b53ce576d31b684ea1a449 Mon Sep 17 00:00:00 2001
From: Rory Kiefer
Date: Mon, 25 Aug 2025 12:49:52 -0400
Subject: [PATCH 1/4] amended all lambda runtime deprecations thru Jun 30 2026
---
 .../checks/resource/aws/DeprecatedLambdaRuntime.py | 9 ++++++++-
 .../checks/resource/aws/DeprecatedLambdaRuntime.py | 9 ++++++++-
 2 files changed, 16 insertions(+), 2 deletions(-)
diff --git a/checkov/cloudformation/checks/resource/aws/DeprecatedLambdaRuntime.py b/checkov/cloudformation/checks/resource/aws/DeprecatedLambdaRuntime.py
index abbb7c2c0c..9dbaa07cd2 100644
--- a/checkov/cloudformation/checks/resource/aws/DeprecatedLambdaRuntime.py
+++ b/checkov/cloudformation/checks/resource/aws/DeprecatedLambdaRuntime.py
@@ -21,9 +21,16 @@ def get_forbidden_values(self) -> List[Any]:
 "nodejs10.x", "nodejs8.10", "nodejs4.3", "nodejs6.10", "dotnetcore1.0", "dotnetcore2.0", "nodejs4.3-edge", "nodejs", "java8", "python3.7", "go1.x", "provided", "ruby2.7", "nodejs14.x", "nodejs16.x", "python3.8", "dotnet7", "dotnet6"
+ # , "java8.al2" # Uncomment on Jun 30, 2026
+ # , "java11" # Uncomment on Jun 30, 2026
+ # , "java17" # Uncomment on Jun 30, 2026
 # , "nodejs18.x" # Uncomment on Sept 1, 2025
+ # , "nodejs20.x" # Uncomment on Apr 30, 2026
 # , "provided.al2" # Uncomment on Jun 30, 2026
- # , "python3.9" # Uncomment on Nov 3, 2025
+ # , "python3.9" # Uncomment on Dec 15, 2025
+ # , "python3.10" # Uncomment on Jun 30, 2026
+ # , "python3.11" # Uncomment on Jun 30, 2026
+ # , "ruby3.2" # Uncomment on Mar 31, 2026
 ]
diff --git a/checkov/terraform/checks/resource/aws/DeprecatedLambdaRuntime.py b/checkov/terraform/checks/resource/aws/DeprecatedLambdaRuntime.py
index b9aa3df880..14a7ffb0ef 100644
--- a/checkov/terraform/checks/resource/aws/DeprecatedLambdaRuntime.py
+++ b/checkov/terraform/checks/resource/aws/DeprecatedLambdaRuntime.py
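Review bot: The deny-list in this hunk grows only through dated `# , "..." # Uncomment on ...` comments, so a runtime that passes its deprecation date (the hunk itself says `python3.9` on Dec 15, 2025) keeps passing the check until someone remembers to edit the file — a silent false negative for exactly the window the check exists to cover. The Terraform hunk that follows carries a byte-identical list, so the two providers can also drift apart when one is updated and the other is not. Consider keeping one module-level table keyed by runtime with its deprecation date and deriving the forbidden list from today's date, so both checks share it and no manual uncommenting is required; a constructed sketch follows, with dates taken from the comments in this hunk. `get_forbidden_values` begins outside the hunk.
```python
# Shared by the CloudFormation and Terraform checks. None = already deprecated;
# the dates are the AWS deprecation dates recorded in the comments (constructed sketch).
DEPRECATED_RUNTIMES = {
    "python3.8": None,
    "python3.9": date(2025, 12, 15),
    "nodejs20.x": date(2026, 4, 30),
    "provided.al2": date(2026, 6, 30),
    # … remaining runtimes from the existing list …
}


    def get_forbidden_values(self) -> List[Any]:
        # Anything whose deprecation date has passed is forbidden; no edit needed on the day.
        today = date.today()
        return [rt for rt, when in DEPRECATED_RUNTIMES.items() if when is None or when <= today]
```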
@@ -21,9 +21,16 @@ def get_forbidden_values(self) -> List[Any]:
 "nodejs10.x", "nodejs8.10", "nodejs4.3", "nodejs6.10", "dotnetcore1.0", "dotnetcore2.0", "nodejs4.3-edge", "nodejs", "java8", "python3.7", "go1.x", "provided", "ruby2.7", "nodejs14.x", "nodejs16.x", "python3.8", "dotnet7", "dotnet6"
+ # , "java8.al2" # Uncomment on Jun 30, 2026
+ # , "java11" # Uncomment on Jun 30, 2026
+ # , "java17" # Uncomment on Jun 30, 2026
 # , "nodejs18.x" # Uncomment on Sept 1, 2025
+ # , "nodejs20.x" # Uncomment on Apr 30, 2026
 # , "provided.al2" # Uncomment on Jun 30, 2026
- # , "python3.9" # Uncomment on Nov 3, 2025
+ # , "python3.9" # Uncomment on Dec 15, 2025
+ # , "python3.10" # Uncomment on Jun 30, 2026
+ # , "python3.11" # Uncomment on Jun 30, 2026
+ # , "ruby3.2" # Uncomment on Mar 31, 2026
 ]
From 1a80e2a40d8519dae3481cccfd88baac97116a2f Mon Sep 17 00:00:00 2001
From: Rory Kiefer
Date: Wed, 12 Nov 2025 14:46:35 -0500
Subject: [PATCH 2/4] appeasing linter
---
 .../checks/resource/aws/DeprecatedLambdaRuntime.py | 14 ++++++++------
 .../checks/resource/aws/DeprecatedLambdaRuntime.py | 13 +++++++------
 2 files changed, 15 insertions(+), 12 deletions(-)
diff --git a/checkov/cloudformation/checks/resource/aws/DeprecatedLambdaRuntime.py b/checkov/cloudformation/checks/resource/aws/DeprecatedLambdaRuntime.py
index ad7bbfdb7a..2243644081 100644
--- a/checkov/cloudformation/checks/resource/aws/DeprecatedLambdaRuntime.py
+++ b/checkov/cloudformation/checks/resource/aws/DeprecatedLambdaRuntime.py
@@ -21,10 +21,12 @@ def get_forbidden_values(self) -> List[Any]:
 "nodejs10.x", "nodejs8.10", "nodejs4.3", "nodejs6.10", "dotnetcore1.0", "dotnetcore2.0", "nodejs4.3-edge", "nodejs", "java8", "python3.7", "go1.x", "provided", "ruby2.7", "nodejs14.x", "nodejs16.x", "python3.8", "dotnet7", "dotnet6", "nodejs18.x"]
- # , "python3.9" # Uncomment on Dec 15, 2025
- # , "ruby3.2" # Uncomment on Mar 31, 2026
- # , "nodejs20.x" # Uncomment on Apr 30, 2026
- # , "provided.al2" # Uncomment on Jun 30, 2026
- # , "python3.10" # Uncomment on Jun 30, 2026
- # , "python3.11" # Uncomment on Jun 30, 2026
+ # , "python3.9" # Uncomment on Dec 15, 2025
+ # , "ruby3.2" # Uncomment on Mar 31, 2026
+ # , "nodejs20.x" # Uncomment on Apr 30, 2026
+ # , "provided.al2" # Uncomment on Jun 30, 2026
+ # , "python3.10" # Uncomment on Jun 30, 2026
+ # , "python3.11" # Uncomment on Jun 30, 2026
+ + check = DeprecatedLambdaRuntime()
diff --git a/checkov/terraform/checks/resource/aws/DeprecatedLambdaRuntime.py b/checkov/terraform/checks/resource/aws/DeprecatedLambdaRuntime.py
index ca19505061..ecba4066b0 100644
--- a/checkov/terraform/checks/resource/aws/DeprecatedLambdaRuntime.py
+++ b/checkov/terraform/checks/resource/aws/DeprecatedLambdaRuntime.py
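Review bot: After the re-indent the six `# , "..." # Uncomment on ...` comments still sit below a list that is already closed on the context line (`"dotnet6", "nodejs18.x"]`), so the instruction they carry can no longer be followed: uncommenting `, "python3.9"` after a closed `]` is a syntax error, and the runtime would stay allowed. Move the `]` back below the comment block — end the context line with `"dotnet7", "dotnet6", "nodejs18.x"` and add a final `]` line after `# , "python3.11" # Uncomment on Jun 30, 2026` — or, better, replace the comments with a date-keyed table so nothing has to be uncommented by hand. The Terraform hunk that follows has the same layout problem. The collapsed tail `+ + check = DeprecatedLambdaRuntime()` does not show whether `check = DeprecatedLambdaRuntime()` is new here or pre-existing context; if it is new, the CloudFormation check was not being instantiated before this patch, which deserves a sentence in the commit message. `get_forbidden_values` starts outside the hunk.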
@@ -21,11 +21,12 @@ def get_forbidden_values(self) -> List[Any]:
 "nodejs10.x", "nodejs8.10", "nodejs4.3", "nodejs6.10", "dotnetcore1.0", "dotnetcore2.0", "nodejs4.3-edge", "nodejs", "java8", "python3.7", "go1.x", "provided", "ruby2.7", "nodejs14.x", "nodejs16.x", "python3.8", "dotnet7", "dotnet6", "nodejs18.x"]
- # , "python3.9" # Uncomment on Dec 15, 2025
- # , "ruby3.2" # Uncomment on Mar 31, 2026
- # , "nodejs20.x" # Uncomment on Apr 30, 2026
- # , "provided.al2" # Uncomment on Jun 30, 2026
- # , "python3.10" # Uncomment on Jun 30, 2026
- # , "python3.11" # Uncomment on Jun 30, 2026
+ # , "python3.9" # Uncomment on Dec 15, 2025
+ # , "ruby3.2" # Uncomment on Mar 31, 2026
+ # , "nodejs20.x" # Uncomment on Apr 30, 2026
+ # , "provided.al2" # Uncomment on Jun 30, 2026
+ # , "python3.10" # Uncomment on Jun 30, 2026
+ # , "python3.11" # Uncomment on Jun 30, 2026
+ check = DeprecatedLambdaRuntime()
From 8892e19b1d271c58fa6bb684353db6c85282ca85 Mon Sep 17 00:00:00 2001
From: Rory Kiefer
Date: Mon, 17 Nov 2025 11:01:08 -0500
Subject: [PATCH 3/4] fixing unit tests
---
 .../resource/aws/example_DeprecatedLambdaRuntime/example.yaml | 2 +-
 .../aws/example_DeprecatedLambdaRuntime/exampleSAM.yaml | 2 +-
 .../checks/resource/aws/example_DeprecatedLambdaRuntime/main.tf | 2 +-
 3 files changed, 3 insertions(+), 3 deletions(-)
diff --git a/tests/cloudformation/checks/resource/aws/example_DeprecatedLambdaRuntime/example.yaml b/tests/cloudformation/checks/resource/aws/example_DeprecatedLambdaRuntime/example.yaml
index 5e4fd40144..f5b1a3cd35 100644
--- a/tests/cloudformation/checks/resource/aws/example_DeprecatedLambdaRuntime/example.yaml
+++ b/tests/cloudformation/checks/resource/aws/example_DeprecatedLambdaRuntime/example.yaml
@@ -8,7 +8,7 @@ Resources:
 Code:
 S3Bucket: 'myBucket'
 S3Key: 'code/myLambda.zip'
- Runtime: 'nodejs18.x'
+ Runtime: 'python3.14'
 Fail:
 Type: 'AWS::Lambda::Function'
 Metadata:
diff --git a/tests/cloudformation/checks/resource/aws/example_DeprecatedLambdaRuntime/exampleSAM.yaml b/tests/cloudformation/checks/resource/aws/example_DeprecatedLambdaRuntime/exampleSAM.yaml
index c95da23695..80a4a5217a 100644
--- a/tests/cloudformation/checks/resource/aws/example_DeprecatedLambdaRuntime/exampleSAM.yaml
+++ b/tests/cloudformation/checks/resource/aws/example_DeprecatedLambdaRuntime/exampleSAM.yaml
@@ -32,7 +32,7 @@ Resources:
 Type: 'AWS::Serverless::Function'
 Properties:
 Handler: 'index.handler'
- Runtime: 'python3.11'
+ Runtime: 'python3.14'
 CodeUri: './code/' # This should be the directory path where your Lambda code is.
 Events:
 MyApi:
diff --git a/tests/terraform/checks/resource/aws/example_DeprecatedLambdaRuntime/main.tf b/tests/terraform/checks/resource/aws/example_DeprecatedLambdaRuntime/main.tf
index 4c23bf0135..56ef3a0223 100644
--- a/tests/terraform/checks/resource/aws/example_DeprecatedLambdaRuntime/main.tf
+++ b/tests/terraform/checks/resource/aws/example_DeprecatedLambdaRuntime/main.tf
@@ -3,7 +3,7 @@ resource "aws_lambda_function" "pass" {
 function_name = "lambda_function_name"
 role = aws_iam_role.iam_for_lambda.arn
 handler = "index.test"
- runtime = "nodejs18.x"
+ runtime = "python3.14"
 ephemeral_storage {
 size = 10240 # Min 512 MB and the Max 10240 MB
From f823ac0bcbd681a08f00eb57619e7efbf48351fd Mon Sep 17 00:00:00 2001
From: Rory Kiefer
Date: Tue, 18 Nov 2025 19:30:45 -0500
Subject: [PATCH 4/4] fixing cfn-lint
---
 20251117-111144_container_images.csv | 2 ++
 20251117-111144_iac.csv | 8 ++++++++
 20251117-111144_oss_packages.csv | 2 ++
 console | 0
 .../aws/example_DeprecatedLambdaRuntime/example.yaml | 6 +++---
 5 files changed, 15 insertions(+), 3 deletions(-)
 create mode 100644 20251117-111144_container_images.csv
 create mode 100644 20251117-111144_iac.csv
 create mode 100644 20251117-111144_oss_packages.csv
 create mode 100644 console
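Review bot: The pass fixtures in `exampleSAM.yaml` and in `main.tf` (this hunk) are moved to `python3.14`, while the last patch of this series moves `example.yaml` back to `python3.13` for cfn-lint; if the SAM template is linted the same way it will hit the same complaint, and the three pass cases now disagree on what a current runtime is. Pick one runtime for all three pass fixtures, e.g. `runtime = "python3.13"` here and `Runtime: 'python3.13'` in the SAM template, so a tooling update cannot flip just one of them. The enclosing `resource "aws_lambda_function" "pass"` block and the SAM function continue outside their hunks.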
diff --git a/20251117-111144_container_images.csv b/20251117-111144_container_images.csv
new file mode 100644
index 0000000000..9534a025e2
--- /dev/null
+++ b/20251117-111144_container_images.csv
@@ -0,0 +1,2 @@
+Package,Version,Path,Line(s),Git Org,Git Repository,Vulnerability,Severity,Description,Licenses,Fix Version,Registry URL,Root Package,Root Version
+"SCA, image and runtime findings are only available with a Prisma Cloud subscription."
diff --git a/20251117-111144_iac.csv b/20251117-111144_iac.csv
new file mode 100644
index 0000000000..8667d64965
--- /dev/null
+++ b/20251117-111144_iac.csv
@@ -0,0 +1,8 @@
+Resource,Path,Git Org,Git Repository,Misconfigurations,Severity,Policy title,Guideline
+aws_s3_bucket.test,/main.tf,,,CKV2_AWS_62,,Ensure S3 buckets should have event notifications enabled,
+aws_s3_bucket.test,/main.tf,,,CKV2_AWS_6,,Ensure that S3 bucket has a Public Access block,
+aws_s3_bucket.test,/main.tf,,,CKV_AWS_21,,Ensure all data stored in the S3 bucket have versioning enabled,
+aws_s3_bucket.test,/main.tf,,,CKV_AWS_18,,Ensure the S3 bucket has access logging enabled,
+aws_s3_bucket.test,/main.tf,,,CKV2_AWS_61,,Ensure that an S3 bucket has a lifecycle configuration,
+aws_s3_bucket.test,/main.tf,,,CKV_AWS_144,,Ensure that S3 bucket has cross-region replication enabled,
+aws_s3_bucket.test,/main.tf,,,CKV_AWS_145,,Ensure that S3 buckets are encrypted with KMS by default,
diff --git a/20251117-111144_oss_packages.csv b/20251117-111144_oss_packages.csv
new file mode 100644
index 0000000000..9534a025e2
--- /dev/null
+++ b/20251117-111144_oss_packages.csv
@@ -0,0 +1,2 @@
+Package,Version,Path,Line(s),Git Org,Git Repository,Vulnerability,Severity,Description,Licenses,Fix Version,Registry URL,Root Package,Root Version
+"SCA, image and runtime findings are only available with a Prisma Cloud subscription."
diff --git a/console b/console
new file mode 100644
index 0000000000..e69de29bb2
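Review bot: The three `20251117-111144_*.csv` files and the empty `console` file added here look like local checkov scan output rather than part of the fix — the IaC rows are findings against `aws_s3_bucket.test` in `/main.tf`, which nothing in this series touches, and the container/OSS files hold only the `"SCA, image and runtime findings are only available with a Prisma Cloud subscription."` placeholder. They should be dropped from the commit, and patterns such as `*_iac.csv`, `*_container_images.csv` and `*_oss_packages.csv` added to `.gitignore` so timestamped report files cannot be staged by accident again. The subject line `fixing cfn-lint` does not mention them, which supports that they were staged unintentionally.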
diff --git a/tests/cloudformation/checks/resource/aws/example_DeprecatedLambdaRuntime/example.yaml b/tests/cloudformation/checks/resource/aws/example_DeprecatedLambdaRuntime/example.yaml
index f5b1a3cd35..4399df767b 100644
--- a/tests/cloudformation/checks/resource/aws/example_DeprecatedLambdaRuntime/example.yaml
+++ b/tests/cloudformation/checks/resource/aws/example_DeprecatedLambdaRuntime/example.yaml
@@ -4,11 +4,11 @@ Resources:
 Properties:
 Handler: 'index.handler'
 Role: 'arn:aws:iam::123456789012:role/execution_role'
- FunctionName: 'MyFunction'
+ FunctionName: 'MyFunctionPass'
 Code:
 S3Bucket: 'myBucket'
 S3Key: 'code/myLambda.zip'
- Runtime: 'python3.14'
+ Runtime: 'python3.13'
 Fail:
 Type: 'AWS::Lambda::Function'
 Metadata:
@@ -20,7 +20,7 @@ Resources:
 Properties:
 Handler: 'index.handler'
 Role: 'arn:aws:iam::123456789012:role/execution_role'
- FunctionName: 'MyFunction'
+ FunctionName: 'MyFunctionFailure'
 Code:
 S3Bucket: 'myBucket'
 S3Key: 'code/myLambda.zip'