IaC Changelog

Note

This changelog shows updates made to the Checkmarx IaC engine. Please note that the dates below reflect when this changelog was updated, not when the change was implemented in the platform.

Version 2.1.20 | March 17, 2026

New Queries

Terraform — Azure

  • Beta - Azure Container Registry With Broad Permissions

  • Beta - Storage Account Without CMK

  • Beta - AKS Without Audit Logs

  • Beta - Ensure TLS encryption version is set to 1.2 or higher

  • Ensure Managed Identity is enabled

Terraform — GKE

  • Ensure alpha clusters are not enabled for Google Kubernetes Engine

  • Ensure GKE version management is automated using Release Channels

  • Ensure Integrity Monitoring for Shielded GKE Nodes is enabled

  • Ensure Kubernetes Web UI is disabled

Terraform — Google Cloud Platform

  • Beta - Cluster Without Network Policy Support

Improvements

  • Updated SimilarityID transition type from 2 to 1 in beta query YAML files

  • Upgraded OPA to v1.12.3

  • Fixed duplicated Similarity IDs in results from Helm chart rendering

  • Increased session creation timeout

  • Improved logs in CreateAuditSession endpoint

Bug Fixes

  • Fixed missing 'clone' field check in google_sql_database_instance beta queries

  • Fixed results for queries with unhandled %s values

  • Fixed policy evaluation discrepancies when scanning Terraform plan vs HCL files

  • Fixed vhd_containers handling on azurerm_virtual_machine_scale_set resource

  • Fixed channel drain issue in analyzer causing incorrect line counts

  • Fixed Helm scanning for empty files and duplicated results

  • Fixed incorrect resource type mentioned in Secret Without Expiration Date query

  • Fixed Web App Not Using TLS Last Version to support Microsoft.Web/sites/config on Azure Resource Manager

  • Fixed GCP query interpreter for better result accuracy

  • Updated log level from error to warning on analyzer

  • Fixed UI not recovering from failed deletion of custom states

  • Fixed result state changes getting stuck in Results Predicates

  • Fixed false positive: Bicep — Web App Not Using TLS Last Version

  • Fixed scroll-to-top behavior when opening results tabs

  • Fixed different results between main.tf files and plan.json

  • Fixed KICS job reaching OOM in production

  • Fixed SAST and KICS scans getting stuck (ST-TLS)

  • Fixed unhandled %s in query Expected and Actual values

  • Fixed KICS web audit sessions timing out

  • Fixed misleading description in Secret Without Expiration Date query

  • Fixed grouping filter dropdowns remaining open while scrolling on IaC Results page

Version 2.1.19 | January 19, 2026

New Features and Enhancements

  • Added a new query to ensure container instances use private virtual networks in Terraform/Azure.

  • Improved TFPlan file parsing and updated the query for “Encryption on Managed Disk Disabled.”

  • Updated query naming convention by replacing “unconfigured” with “not configured.”

  • Added missing "Ingress/Egress" resource support for several CloudFormation queries.

Bug Fixes

Query fixes

  • Added support for CloudFormation queries missing ingress/egress resources (Part 3).

  • Corrected regex for Security Group Not Used (Terraform/AWS).

  • Fixed parent–child handling for server-level auditing in SQL Server Database Without Auditing.

  • Improved password and secret handling in Avoiding TF Resource Access allow rules.

False positives

  • Security Group Not Used

  • Storage Account Allows Default Network Access

  • SQL Server Database Without Auditing

False negatives

  • Encryption On Managed Disk Disabled

Terraform Plan Scanning improvements

  • Azure Windows VM does not enable encryption.

  • Key vault key is not backed by HSM.

  • Managed disks do not use a specific set of disk encryption sets for customer-managed key encryption.

  • Windows VM Without Automatic Updates.

  • Virtual Machine extensions are installed.

  • Linux VM Without SSH Key.