Merge branch 'main' into bump-secrets-26jan25

CHANGELOG.md

@@ -1,6 +1,12 @@
 # CHANGELOG
 
-## [Unreleased](https://github.com/bridgecrewio/checkov/compare/3.2.357...HEAD)
+## [Unreleased](https://github.com/bridgecrewio/checkov/compare/3.2.358...HEAD)
+
+## [3.2.358](https://github.com/bridgecrewio/checkov/compare/3.2.357...3.2.358) - 2025-01-28
+
+### Feature
+
+- **general:** Add env var for policy metadata - [#6979](https://github.com/bridgecrewio/checkov/pull/6979)
 
 ## [3.2.357](https://github.com/bridgecrewio/checkov/compare/3.2.355...3.2.357) - 2025-01-23
 

checkov/common/util/ext_argument_parser.py

@@ -471,6 +471,7 @@ def add_parser_args(self) -> None:
                  "See https://prisma.pan.dev/api/cloud/cspm/policy#operation/get-policy-filters-and-options for "
                  "information on allowed filters. Example: policy.label=label1,policy.label=label2,cloud.type=aws",
             default=None,
+            env_var="CKV_POLICY_METADATA_FILTER"
         )
         self.add(
             "--policy-metadata-filter-exception",
@@ -480,6 +481,7 @@ def add_parser_args(self) -> None:
                  "See https://prisma.pan.dev/api/cloud/cspm/policy#operation/get-policy-filters-and-options for "
                  "information on allowed filters. Example: policy.label=label1,policy.label=label2,cloud.type=aws",
             default=None,
+            env_var="CKV_POLICY_METADATA_FILTER_EXCEPTION"
         )
         self.add(
             "--secrets-scan-file-type",

checkov/version.py

@@ -1 +1 @@
-version = '3.2.357'
+version = '3.2.358'

docs/2.Basics/CLI Command Reference.md

@@ -54,7 +54,8 @@ nav_order: 2
 | `--baseline BASELINE`                                                                                                                                                                                                                                                                                                                                                      | Use a .checkov.baseline file to compare current results with a known baseline. Report will include only failed checks that are new with respect to the provided baseline                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                 |
 | `--output-baseline-as-skipped`                                                                                                                                                                                                                                                                                                                                             | Output checks that are skipped due to baseline file presence                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                             |
 | `--skip-cve-package SKIP_CVE_PACKAGE`                                                                                                                                                                                                                                                                                                                                      | Filter scan to run on all packages but a specific package identifier (deny list), You can specify this argument multiple times to skip multiple packages                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                 |
-| `--policy-metadata-filter POLICY_METADATA_FILTER`                                                                                                                                                                                                                                                                                                                          | Comma separated key:value string to filter policies based on Prisma Cloud policy metadata. See https://prisma.pan.dev/api/cloud/cspm/policy#operation/get-policy-filters-and-options for information on allowed filters. Format: policy.label=test,cloud.type=aws                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        |
+| `--policy-metadata-filter POLICY_METADATA_FILTER`                                                                                                                                                                                                                                                                                                                          | Comma separated key:value string to filter policies based on Prisma Cloud policy metadata. See https://prisma.pan.dev/api/cloud/cspm/policy#operation/get-policy-filters-and-options for information on allowed filters. Format: policy.label=test,cloud.type=aws. [env var: CKV_POLICY_METADATA_FILTER]                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        |
+| `--policy-metadata-filter-exception POLICY_METADATA_FILTER_EXCEPTION`                                                                                                                                                                                                                                                                                                                          | Comma separated key:value string to exclude filtered policies based on Prisma Cloud policy metadata. When used with --policy-metadata-filter, the exceptions override any policies selected as a result of the --policy-metadata-filter flag. [env var: CKV_POLICY_METADATA_FILTER_EXCEPTION]                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        |
 | `--summary-position` {`top`, `bottom`}                                                                                                                                                                                                                                                                                                                                     | Choose whether the summary will be appended on top (before the checks results) or on bottom (after check results), default is on top.                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                     |
 | `--no-fail-on-crash                            `                                                                                                                                                                                                                                                                                                                           | Return exit code 0 instead of 2 which indicates a failure in the integration with the platform                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                           |
 | `--enable-secret-scan-all-files CKV_SECRETS_SCAN_ENABLE_ALL`                                                                                                                                                                                                                                                                                                               | Enable secret scan to scan all type of file                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              |

kubernetes/requirements.txt

@@ -1 +1 @@
-checkov==3.2.357
+checkov==3.2.358