Checkmarx · cx-diogo-rocha · Feb 20, 2026 · Feb 10, 2026 · Feb 10, 2026 · Feb 19, 2026
@@ -3,7 +3,7 @@
 # and "Missing User Instruction" since 2ms container is stopped after scan
 
 # Builder image
-FROM checkmarx/go:1.25.3-r0-b47cbbc1194cd0@sha256:b47cbbc1194cd0d801fe7739fca12091d610117b0d30c32b52fc900217a0821a AS builder
+FROM checkmarx/go:1.25.7-r0-b270bc965b34b4@sha256:b270bc965b34b4ffec624413bc1f1830c58c0abb142580ca76d42116b3b06764 AS builder
 
 WORKDIR /app
 
@@ -20,7 +20,7 @@ COPY . .
 RUN GOOS=linux GOARCH=amd64 go build -buildvcs=false -ldflags="-s -w" -a -o /app/2ms .
 
 # Runtime image
-FROM checkmarx/git:2.49.0-r2-d7ebbe7c56dc47@sha256:d7ebbe7c56dc478c08aba611c35b30689090d28605d83130ce4d1e15a84f0389
+FROM checkmarx/git:2.53.0-r0-dadf19ec31d471@sha256:dadf19ec31d4711eeace2763e89511693b36ba0ea5c9e12a763978b4b29ddba0
 
 WORKDIR /app
 

@@ -372,7 +372,10 @@ Other fields are optional and can be seen in the example bellow of a file with a
   allowLists: # allowed values to ignore if matched
     - description: Allowlist for Custom Rule
       matchCondition: OR # Can be AND or OR. determines whether all criteria in the allowList must match. Defaults to OR if not specified
-      regexTarget: match - # Can be match or line. Determines whether the regexes in allowList are tested against the rule.Regex match or the full line being scanned. Defaults to "match" if not specified
+      regexTarget: match # Specifies what to test allowList regexes against. Options: 'match', 'line', or empty/omitted.
+                         # - 'match': test against the full rule.Regex match
+                         # - 'line': test against the entire line where the secret was found
+                         # - empty/omitted: test against the secret itself (which is the first capture group from rule.Regex, or the group specified by rule.secretGroup if defined) 
       regexes: # allowed regex patterns
         - (?i)(?:access(?:ibility|or)|access[_.-]?id|random[_.-]?access|api[_.-]?(?:id|name|version)|rapid|capital|[a-z0-9-]*?api[a-z0-9-]*?:jar:|author|X-MS-Exchange-Organization-Auth|Authentication-Results|(?:credentials?[_.-]?id|withCredentials)|(?:25[0-5]|2[0-4]\d|1?\d?\d)(?:\.(?:25[0-5]|2[0-4]\d|1?\d?\d)){3}|(?:bucket|foreign|hot|idx|natural|primary|pub(?:lic)?|schema|sequence)[_.-]?key|(?:turkey)|key[_.-]?(?:alias|board|code|frame|id|length|mesh|name|pair|press(?:ed)?|ring|selector|signature|size|stone|storetype|word|up|down|left|right)|KeyVault(?:[A-Za-z]*?(?:Administrator|Reader|Contributor|Owner|Operator|User|Officer))\s*[:=]\s*['"]?[0-9a-f]{8}(?:-[0-9a-f]{4}){3}-[0-9a-f]{12}['"]?|key[_.-]?vault[_.-]?(?:id|name)|keyVaultToStoreSecrets|key(?:store|tab)[_.-]?(?:file|path)|issuerkeyhash|(?-i:[DdMm]onkey|[DM]ONKEY)|keying|(?:secret)[_.-]?(?:length|name|size)|UserSecretsId|(?:csrf)[_.-]?token|(?:io\.jsonwebtoken[
           \t]?:[

@@ -69,6 +69,7 @@ func alibabaRequest(accessKey, secretKey string) (secrets.ValidationResult, erro
 	req.URL.RawQuery = params.Encode()
 
 	client := &http.Client{}
+	// #nosec G704 -- URL is hardcoded to Alibaba API, only query params contain credentials being validated
 	resp, err := client.Do(req)
 	if err != nil {
 		return secrets.UnknownResult, err

@@ -14,6 +14,7 @@ func sendValidationRequest(endpoint, authorization string) (*http.Response, erro
 
 	// TODO: do not recreate this client for each request
 	client := &http.Client{}
+	// #nosec G704 -- URL is hardcoded in both github and gitlab uses, only query params contain credentials being validated
 	resp, err := client.Do(req)
 	if err != nil {
 		return nil, err

@@ -31,8 +31,8 @@ func validateGCP(s *secrets.Secret) (secrets.ValidationResult, string) {
 		log.Warn().Err(err).Msg("Failed to validate secret")
 		return secrets.UnknownResult, ""
 	}
-
 	client := &http.Client{}
+	// #nosec G704 -- URL is hardcoded to GCP API, only query params contain credentials being validated
 	resp, err := client.Do(req)
 	if err != nil {
 		log.Warn().Err(err).Msg("Failed to validate secret")

@@ -1,6 +1,6 @@
 module github.com/checkmarx/2ms/v5
 
-go 1.25.6
+go 1.25.7
 
 replace (
 	golang.org/x/oauth2 => golang.org/x/oauth2 v0.30.0

@@ -40,6 +40,7 @@ func HttpRequest(method, url string, authorization IAuthorizationHeader, retry R
 
 	// TODO: do not recreate this client for each request
 	client := &http.Client{}
+	// #nosec G704 -- URL is intentionally user-provided for plugin API calls to external services
 	response, err := client.Do(request)
 	if err != nil {
 		return nil, response, fmt.Errorf("unable to send http request %w", err)

@@ -190,6 +190,7 @@ func (c *httpConfluenceClient) discoverCloudID(ctx context.Context) (string, err
 	if err != nil {
 		return "", fmt.Errorf("build tenant_info request: %w", err)
 	}
+	// #nosec G704 -- URL is intentionally user-provided for plugin API calls to external services
 	resp, err := c.httpClient.Do(req)
 	if err != nil {
 		return "", ErrBaseURLInvalidOrUnreachable
@@ -475,6 +476,7 @@ func (c *httpConfluenceClient) getJSON(ctx context.Context, reqURL string) ([]by
 	}
 	req.Header.Set("Accept", "application/json")
 
+	// #nosec G704 -- URL is intentionally user-provided for plugin API calls to external services
 	resp, err := c.httpClient.Do(req)
 	if err != nil {
 		return nil, nil, fmt.Errorf("http get: %w", err)
@@ -525,7 +527,7 @@ func (c *httpConfluenceClient) getJSONStream(ctx context.Context, reqURL string)
 		req.SetBasicAuth(c.username, c.token)
 	}
 	req.Header.Set("Accept", "application/json")
-
+	// #nosec G704 -- URL is intentionally user-provided for plugin API calls to external services
 	resp, err := c.httpClient.Do(req)
 	if err != nil {
 		return nil, nil, fmt.Errorf("http get: %w", err)