From 30b58aadd09dafbe281af27ee21b0e6a0a10c7f0 Mon Sep 17 00:00:00 2001
From: Taylor <28880387+tsmithv11@users.noreply.github.com>
Date: Tue, 28 Jan 2025 11:29:19 -0800
Subject: [PATCH 1/3] feat(general): Add env var for policy metadata (#6979)
* Add env var for policy metadata
* Update CLI Command Reference.md
---
 checkov/common/util/ext_argument_parser.py | 2 ++
 docs/2.Basics/CLI Command Reference.md | 3 ++-
 2 files changed, 4 insertions(+), 1 deletion(-)
diff --git a/checkov/common/util/ext_argument_parser.py b/checkov/common/util/ext_argument_parser.py
index 907380bfb06..233de2bc356 100644
--- a/checkov/common/util/ext_argument_parser.py
+++ b/checkov/common/util/ext_argument_parser.py
@@ -471,6 +471,7 @@ def add_parser_args(self) -> None:
 "See https://prisma.pan.dev/api/cloud/cspm/policy#operation/get-policy-filters-and-options for "
 "information on allowed filters. Example: policy.label=label1,policy.label=label2,cloud.type=aws",
 default=None,
+ env_var="CKV_POLICY_METADATA_FILTER"
 )
 self.add(
 "--policy-metadata-filter-exception",
@@ -480,6 +481,7 @@ def add_parser_args(self) -> None:
 "See https://prisma.pan.dev/api/cloud/cspm/policy#operation/get-policy-filters-and-options for "
 "information on allowed filters. Example: policy.label=label1,policy.label=label2,cloud.type=aws",
 default=None,
+ env_var="CKV_POLICY_METADATA_FILTER_EXCEPTION"
 )
 self.add(
 "--secrets-scan-file-type",
diff --git a/docs/2.Basics/CLI Command Reference.md b/docs/2.Basics/CLI Command Reference.md
index 52c09f9ab9c..0be8607a267 100644
--- a/docs/2.Basics/CLI Command Reference.md
+++ b/docs/2.Basics/CLI Command Reference.md
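Review bot: The added `env_var="CKV_POLICY_METADATA_FILTER"` (and `env_var="CKV_POLICY_METADATA_FILTER_EXCEPTION"` in the next hunk) lets a value in the process environment decide which Prisma Cloud policies a scan evaluates, and nothing visible here makes that source apparent to whoever reads the scan result. If `self.add` follows configargparse's usual precedence, an environment value outranks the same setting in a checked-in config file, so a variable left in a CI runner could narrow policy coverage for every job without showing up on any command line. Once that precedence is confirmed I would document it at the call, e.g. `# env value is used when the flag is absent and takes precedence over the config file`, and have the code that consumes the filter (outside these hunks) log the resolved filter at scan start. As a style point, both new lines drop the trailing comma that `default=None,` uses: `env_var="CKV_POLICY_METADATA_FILTER",`. `add_parser_args` begins and ends outside both hunks.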
@@ -54,7 +54,8 @@ nav_order: 2
 | `--baseline BASELINE` | Use a .checkov.baseline file to compare current results with a known baseline. Report will include only failed checks that are new with respect to the provided baseline |
 | `--output-baseline-as-skipped` | Output checks that are skipped due to baseline file presence |
 | `--skip-cve-package SKIP_CVE_PACKAGE` | Filter scan to run on all packages but a specific package identifier (deny list), You can specify this argument multiple times to skip multiple packages |
-| `--policy-metadata-filter POLICY_METADATA_FILTER` | Comma separated key:value string to filter policies based on Prisma Cloud policy metadata. See https://prisma.pan.dev/api/cloud/cspm/policy#operation/get-policy-filters-and-options for information on allowed filters. Format: policy.label=test,cloud.type=aws |
+| `--policy-metadata-filter POLICY_METADATA_FILTER` | Comma separated key:value string to filter policies based on Prisma Cloud policy metadata. See https://prisma.pan.dev/api/cloud/cspm/policy#operation/get-policy-filters-and-options for information on allowed filters. Format: policy.label=test,cloud.type=aws. [env var: CKV_POLICY_METADATA_FILTER] |
+| `--policy-metadata-filter-exception POLICY_METADATA_FILTER_EXCEPTION` | Comma separated key:value string to exclude filtered policies based on Prisma Cloud policy metadata. When used with --policy-metadata-filter, the exceptions override any policies selected as a result of the --policy-metadata-filter flag. [env var: CKV_POLICY_METADATA_FILTER_EXCEPTION] |
 | `--summary-position` {`top`, `bottom`} | Choose whether the summary will be appended on top (before the checks results) or on bottom (after check results), default is on top. |
 | `--no-fail-on-crash ` | Return exit code 0 instead of 2 which indicates a failure in the integration with the platform |
 | `--enable-secret-scan-all-files CKV_SECRETS_SCAN_ENABLE_ALL` | Enable secret scan to scan all type of file |
From 1ce6669e718d30c42de506d0f78fb7b59e6512e0 Mon Sep 17 00:00:00 2001
From: Taylor <28880387+tsmithv11@users.noreply.github.com>
Date: Tue, 28 Jan 2025 11:29:19 -0800
Subject: [PATCH 2/3] feat(general): Add env var for policy metadata (#6979)
* Add env var for policy metadata
* Update CLI Command Reference.md
---
 checkov/version.py | 2 +-
 kubernetes/requirements.txt | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)
diff --git a/checkov/version.py b/checkov/version.py
index 49e65a8351e..3c827d851b1 100644
--- a/checkov/version.py
+++ b/checkov/version.py
@@ -1 +1 @@
-version = '3.2.357'
+version = '3.2.358'
diff --git a/kubernetes/requirements.txt b/kubernetes/requirements.txt
index 0a5b4f588e7..1a5368aad6c 100644
--- a/kubernetes/requirements.txt
+++ b/kubernetes/requirements.txt
@@ -1 +1 @@
-checkov==3.2.357
+checkov==3.2.358
From 5a01124de81ebabe85a8d913eb8ebcb8b05a333b Mon Sep 17 00:00:00 2001
From: gruebel
Date: Tue, 28 Jan 2025 23:01:42 +0000
Subject: [PATCH 3/3] chore: update release notes
---
 CHANGELOG.md | 8 +++++++-
 1 file changed, 7 insertions(+), 1 deletion(-)
diff --git a/CHANGELOG.md b/CHANGELOG.md
index 77116fd12d7..eaf7f83b025 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -1,6 +1,12 @@
 # CHANGELOG
-## [Unreleased](https://github.com/bridgecrewio/checkov/compare/3.2.357...HEAD)
+## [Unreleased](https://github.com/bridgecrewio/checkov/compare/3.2.358...HEAD)
+
+## [3.2.358](https://github.com/bridgecrewio/checkov/compare/3.2.357...3.2.358) - 2025-01-28
+
+### Feature
+
+- **general:** Add env var for policy metadata - [#6979](https://github.com/bridgecrewio/checkov/pull/6979)
 ## [3.2.357](https://github.com/bridgecrewio/checkov/compare/3.2.355...3.2.357) - 2025-01-23