Merge branch 'AST-126467-update-metric-log-filter-to-be-more-permissive' of https://github.com/Checkmarx/kics into AST-126467-update-metric-log-filter-to-be-more-permissive

Author: cx-ricardo-jesus

.github/scripts/report/go.mod

@@ -1,6 +1,6 @@
 module github.com/Checkmarx/e2e-report
 
-go 1.24.0
+go 1.25.7
 
 require (
 	github.com/rs/zerolog v1.31.0

.github/workflows/go-ci.yml

@@ -16,9 +16,9 @@ jobs:
           go-version-file: go.mod
           cache: false
       - name: golangci-lint
-        uses: golangci/golangci-lint-action@aaa42aa0628b4ae2578232a66b541047968fac86 # v6.1.0
+        uses: golangci/golangci-lint-action@1e7e51e771db61008b38414a730f564565cf7c20 # v9.2.0
         with:
-          version: v2.0.2
+          version: v2.9.0
           args: -c .golangci.yml --timeout 20m
   go-generate:
     name: go-generate
@@ -39,7 +39,7 @@ jobs:
     name: unit-tests
     strategy:
       matrix:
-        go-version: [1.24.x]
+        go-version: [1.25.x]
         os: [ubuntu-latest, windows-2022, macos-latest]
     runs-on: ${{ matrix.os }}
     steps:

.github/workflows/go-e2e-debian.yaml

@@ -10,7 +10,7 @@ jobs:
     strategy:
       fail-fast: false
       matrix:
-        go-version: [1.24.x]
+        go-version: [1.25.x]
         os: [ubuntu-latest]
     runs-on: ${{ matrix.os }}
     steps:

.github/workflows/go-e2e.yaml

@@ -10,7 +10,7 @@ jobs:
     strategy:
       fail-fast: false
       matrix:
-        go-version: [1.24.x]
+        go-version: [1.25.x]
         os: [ubuntu-latest]
         kics-docker: ["Dockerfile", "docker/Dockerfile.ubi8", "docker/Dockerfile.alpine"]
     runs-on: ${{ matrix.os }}

.github/workflows/release-nightly.yml

@@ -51,7 +51,7 @@ jobs:
       - name: Set up Go
         uses: actions/setup-go@v5
         with:
-          go-version: 1.24.x
+          go-version: 1.25.x
       - name: Run GoReleaser
         uses: goreleaser/goreleaser-action@9c156ee8a17a598857849441385a2041ef570552 # v6.3.0
         with:

.golangci.yml

@@ -78,11 +78,19 @@ linters:
       rules:
         - name: package-comments
           disabled: true
-    nolintlint:
-      allow-leading-space: true # don't require machine-readable nolint directives (i.e. with no leading space)
-      allow-unused: false # report any unused nolint directives
-      require-explanation: false # don't require an explanation for nolint directives
-      require-specific: false # don't require nolint directives to be specific about which linter is being skipped
+  exclusions:
+    rules:
+    - path: _test\.go
+      linters:
+        - mnd
+        - scopelint
+    paths:
+      - assets
+      - docs
+      - vendor
+      - pkg/parser/jsonfilter/parser
+      - pkg/parser/bicep/antlr
+      
 formatters:
   enable:
     - gofmt
@@ -92,19 +100,6 @@ formatters:
       local-prefixes:
         - github.com/golangci/golangci-lint
 
-issues:
-  # Excluding configuration per-path, per-linter, per-text and per-source
-  exclude-rules:
-    - path: _test\.go
-      linters:
-        - mnd
-        - scopelint
-  exclude-dirs:
-    - assets
-    - docs
-    - vendor
-    - pkg/parser/jsonfilter/parser
-    - pkg/parser/bicep/antlr
 run:
   timeout: 5m
   tests: false

Dockerfile

@@ -1,4 +1,4 @@
-FROM checkmarx/go:1.25.6-r0@sha256:8e7befa1320d506ee2e5511501196bc4afa0df731b54809a7404cdd766d3b940 AS build_env
+FROM checkmarx/go:1.25.7-r0@sha256:add1bea087fc0aee63a1849e3a54fe384776318d16db82af06d008ab90d2d395 AS build_env
 
 # Copy the source from the current directory to the Working Directory inside the container
 WORKDIR /app
@@ -29,7 +29,7 @@ RUN CGO_ENABLED=0 GOOS=${TARGETOS} GOARCH=${TARGETARCH} go build \
 # Runtime image
 # Ignore no User Cmd since KICS container is stopped afer scan
 # kics-scan ignore-line
-FROM checkmarx/git:2.52.0-r2@sha256:02efaee67a44a711d858628a6c02b06ee3ef90ed42906c9c8d98ef054a6b7165
+FROM checkmarx/git:2.53.0-r0@sha256:b25d6ec8723a9b7b27460d21ce3d46df4cfca473840b468825582b7723b76af4
 
 ENV TERM xterm-256color
 

assets/queries/azureResourceManager/secret_without_expiration_date/query.rego

@@ -10,36 +10,35 @@ CxPolicy[result] {
 	[path, value] := walk(doc)
 
 	value.type == resourceTypes[_]
-	not common_lib.valid_key(value.properties, "attributes")
+	
+	res := get_res(value, path)
 
 	result := {
 		"documentId": input.document[i].id,
 		"resourceType": value.type,
 		"resourceName": value.name,
-		"searchKey": sprintf("%s.name={{%s}}.properties", [common_lib.concat_path(path), value.name]),
+		"searchKey": res.sk,
 		"issueType": "MissingAttribute",
-		"keyExpectedValue": "resource with type 'Microsoft.Security/securityContacts' should have 'attributes.exp' property id defined",
-		"keyActualValue": "resource with type 'Microsoft.Security/securityContacts' doesn't have 'attributes' property defined",
-		"searchLine": common_lib.build_search_line(path, ["properties"]),
+		"keyExpectedValue": res.kev,
+		"keyActualValue": res.kav,
+		"searchLine": res.sl,
 	}
 }
 
-CxPolicy[result] {
-	doc := input.document[i]
-
-	[path, value] := walk(doc)
-
-	value.type == resourceTypes[_]
+get_res(value, path) = res {
+	not common_lib.valid_key(value.properties, "attributes")
+	res := {
+		"sk": sprintf("%s.name={{%s}}.properties", [common_lib.concat_path(path), value.name]),
+		"kev": "resource with type 'Microsoft.KeyVault/vaults/secrets' should have 'attributes.exp' property id defined",
+		"kav": "resource with type 'Microsoft.KeyVault/vaults/secrets' doesn't have 'attributes' property defined",
+		"sl": common_lib.build_search_line(path, ["properties"]),
+	}
+} else = res {
 	not common_lib.valid_key(value.properties.attributes, "exp")
-
-	result := {
-		"documentId": input.document[i].id,
-		"resourceType": value.type,
-		"resourceName": value.name,
-		"searchKey": sprintf("%s.name={{%s}}.properties.attributes", [common_lib.concat_path(path), value.name]),
-		"issueType": "MissingAttribute",
-		"keyExpectedValue": "resource with type 'Microsoft.Security/securityContacts' should have 'attributes.exp' property id defined",
-		"keyActualValue": "resource with type 'Microsoft.Security/securityContacts' doesn't have 'attributes.exp' property defined",
-		"searchLine": common_lib.build_search_line(path, ["properties", "attributes"]),
+	res := {
+		"sk": sprintf("%s.name={{%s}}.properties.attributes", [common_lib.concat_path(path), value.name]),
+		"kev": "resource with type 'Microsoft.KeyVault/vaults/secrets' should have 'attributes.exp' property id defined",
+		"kav": "resource with type 'Microsoft.KeyVault/vaults/secrets' doesn't have 'attributes.exp' property defined",
+		"sl": common_lib.build_search_line(path, ["properties", "attributes"]),
 	}
-}
+}

assets/queries/terraform/gcp/shielded_gke_node_do_not_have_integrity_monitoring_enabled/metadata.json

@@ -0,0 +1,14 @@
+{
+  "id": "4b5ee6a4-5682-4725-8a7a-d9e9a51986c8",
+  "queryName": "Beta - Shielded GKE Node Do Not Have Integrity Monitoring Enabled",
+  "severity": "MEDIUM",
+  "category": "Observability",
+  "descriptionText": "Enabling Integrity Monitoring for Shielded GKE Nodes is necessary to be notified of inconsistencies during the node boot sequence.",
+  "descriptionUrl": "https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/container_node_pool",
+  "platform": "Terraform",
+  "descriptionID": "4b5ee6a4",
+  "cloudProvider": "gcp",
+  "cwe": "353",
+  "riskScore": "3.0",
+  "experimental": "true"
+}

assets/queries/terraform/gcp/shielded_gke_node_do_not_have_integrity_monitoring_enabled/query.rego

@@ -0,0 +1,23 @@
+package Cx
+
+import data.generic.common as common_lib
+import data.generic.terraform as tf_lib
+
+supported_resources := {"google_container_cluster", "google_container_node_pool"}
+
+CxPolicy[result] {
+    resource := input.document[i].resource[supported_resources[res_index]][name]
+
+    resource.node_config.shielded_instance_config.enable_integrity_monitoring == false
+
+    result := {
+        "documentId": input.document[i].id,
+        "resourceType": supported_resources[res_index],
+        "resourceName": tf_lib.get_resource_name(resource, name),
+        "searchKey": sprintf("%s[%s].node_config.shielded_instance_config.enable_integrity_monitoring", [supported_resources[res_index], name]),
+        "issueType": "IncorrectValue",
+        "keyExpectedValue": "'node_config.shielded_instance_config.enable_integrity_monitoring' should be defined to 'true'",
+        "keyActualValue":  "'node_config.shielded_instance_config.enable_integrity_monitoring' is not defined to 'true'",
+        "searchLine": common_lib.build_search_line(["resource", supported_resources[res_index], name, "node_config", "shielded_instance_config", "enable_integrity_monitoring"], [])
+    }
+}