feat(general): upgrade checkov python version 3.9

.github/workflows/build.yml

@@ -97,7 +97,7 @@ jobs:
     strategy:
       fail-fast: true
       matrix:
-        python: ["3.8", "3.9"]
+        python: ["3.9"]
         os: [ubuntu-latest, windows-latest]
     runs-on: ${{ matrix.os }}
     steps:
@@ -149,7 +149,7 @@ jobs:
   prisma-tests:
     runs-on: [ self-hosted, public, linux, x64 ]
     env:
-      PYTHON_VERSION: "3.8"
+      PYTHON_VERSION: "3.9"
     steps:
       - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683  # v3
       - uses: actions/setup-python@39cd14951b08e74b54015e9e001cdefcf80e669f  # v4
@@ -220,7 +220,7 @@ jobs:
     strategy:
       fail-fast: true
       matrix:
-        python: ["3.8", "3.9"]
+        python: ["3.9"]
         os: [ubuntu-latest]
     runs-on: ${{ matrix.os }}
     continue-on-error: true # for now it is ok to fail
@@ -260,7 +260,7 @@ jobs:
     timeout-minutes: 30
     runs-on: ubuntu-latest
     env:
-      PYTHON_VERSION: "3.8"
+      PYTHON_VERSION: "3.9"
     steps:
       - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683  # v3
       - name: Set up Python ${{ env.PYTHON_VERSION }}
@@ -298,7 +298,7 @@ jobs:
       id-token: write
     timeout-minutes: 30
     env:
-      PYTHON_VERSION: "3.8"
+      PYTHON_VERSION: "3.9"
     steps:
       - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683  # v3
         with:

.github/workflows/coverage.yaml

@@ -15,7 +15,7 @@ jobs:
       contents: write
     environment: release
     env:
-      PYTHON_VERSION: "3.8"
+      PYTHON_VERSION: "3.9"
     steps:
       - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683  # v3
         with:

.github/workflows/nightly.yml

@@ -88,7 +88,7 @@ jobs:
     permissions:
       contents: write
     env:
-      PYTHON_VERSION: "3.8"
+      PYTHON_VERSION: "3.9"
     steps:
       - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683  # v3
         with:
@@ -135,7 +135,7 @@ jobs:
     if: needs.github-release.outputs.upload_url != ''
     runs-on: [self-hosted, public, linux, arm64]
     container:
-      image: arm64v8/python:3.8
+      image: arm64v8/python:3.9
     permissions:
       contents: write
     steps:

.github/workflows/pr-test.yml

@@ -46,8 +46,12 @@ jobs:
       - name: Filter YAML and JSON files
         if: steps.changed-files-specific.outputs.any_changed == 'true'
         id: filter-files
-        run: |
-          YAML_JSON_FILES=$(echo ${{ steps.changed-files-specific.outputs.all_changed_files }} | tr ' ' '\n' | grep -E '\.ya?ml$|\.json$' | tr '\n' ' ')
+        run:  |
+          YAML_JSON_FILES=$(echo ${{ steps.changed-files-specific.outputs.all_changed_files }} \
+            | tr ' ' '\n' \
+            | grep -E '\.ya?ml$|\.json$' \
+            | grep -v 'sam\.yaml$' \
+            | tr '\n' ' ')
           if [ -n "$YAML_JSON_FILES" ]; then
             echo "YAML_JSON_FILES=$YAML_JSON_FILES" >> "$GITHUB_ENV"
           fi
@@ -222,7 +226,7 @@ jobs:
           PRISMA_API_URL: ${{ secrets.PRISMA_API_URL_2 }}
         run: |
           # Just making sure the API key tests don't run on PRs
-          bash -c './integration_tests/prepare_data.sh ${{ matrix.os }} 3.8'
+          bash -c './integration_tests/prepare_data.sh ${{ matrix.os }} 3.9'
       - name: Run integration tests
         run: |
           pipenv run pytest integration_tests -k 'not api_key'

cdk_integration_tests/src/python/LambdaEnvironmentCredentials/fail__2__.py

@@ -31,7 +31,7 @@ def __init__(self, scope: core.Construct, id: str, **kwargs) -> None:
             self, 'MyServerlessFunction',
             code_uri='lambda/',  # Replace 'lambda/' with your function code directory
             handler='index.handler',
-            runtime='python3.8',
+            runtime='python3.9',
             environment={
                 'MY_VARIABLE': 'pass'
             }

cdk_integration_tests/src/python/LambdaEnvironmentCredentials/pass.py

@@ -31,7 +31,7 @@ def __init__(self, scope: core.Construct, id: str, **kwargs) -> None:
             self, 'MyServerlessFunction',
             code_uri='lambda/',  # Replace 'lambda/' with your function code directory
             handler='index.handler',
-            runtime='python3.8',
+            runtime='python3.9',
             environment={
                 'MY_VARIABLE': {'a':'b'}
             }

cdk_integration_tests/src/python/LambdaEnvironmentEncryptionSettings/fail__2__.py

@@ -30,7 +30,7 @@ def __init__(self, scope: core.Construct, id: str, **kwargs) -> None:
         my_sam_function = sam.CfnFunction(
             self, 'MySAMFunction',
             handler='index.handler',
-            runtime='python3.8',
+            runtime='python3.9',
             code_uri='./path/to/your/function/code',
             environment={
                 'MY_VARIABLE_1': 'Value1',

cdk_integration_tests/src/python/LambdaEnvironmentEncryptionSettings/pass.py

@@ -31,7 +31,7 @@ def __init__(self, scope: core.Construct, id: str, **kwargs) -> None:
         my_sam_function = sam.CfnFunction(
             self, 'MySAMFunction',
             handler='index.handler',
-            runtime='python3.8',
+            runtime='python3.9',
             code_uri='./path/to/your/function/code',
             environment={
                 'MY_VARIABLE_1': 'Value1',

checkov/cloudformation/checks/resource/aws/DeprecatedLambdaRuntime.py

@@ -20,7 +20,7 @@ def get_forbidden_values(self) -> List[Any]:
         return ["dotnetcore3.1", "nodejs12.x", "python3.6", "python2.7", "dotnet5.0", "dotnetcore2.1", "ruby2.5",
                 "nodejs10.x", "nodejs8.10", "nodejs4.3", "nodejs6.10", "dotnetcore1.0", "dotnetcore2.0",
                 "nodejs4.3-edge", "nodejs", "java8", "python3.7", "go1.x", "provided", "ruby2.7", "nodejs14.x",
-                "nodejs16.x", "python3.8", "dotnet7", "dotnet6"
+                "nodejs16.x", "python3.9", "dotnet7", "dotnet6"
                 # , "nodejs18.x" # Uncomment on Sept 1, 2025
                 # , "provided.al2" # Uncomment on Jun 30, 2026
                 # , "python3.9" # Uncomment on Nov 3, 2025

checkov/common/variables/context.py

@@ -4,9 +4,6 @@
 from typing import Any
 
 
-# NOTE: These would be better as TypedDict, but that requires python 3.8 :-(
-
-
 @dataclass
 class VarReference:
     definition_name: str               # Example: 'region'

checkov/terraform/checks/resource/aws/DeprecatedLambdaRuntime.py

@@ -20,7 +20,7 @@ def get_forbidden_values(self) -> List[Any]:
         return ["dotnetcore3.1", "nodejs12.x", "python3.6", "python2.7", "dotnet5.0", "dotnetcore2.1", "ruby2.5",
                 "nodejs10.x", "nodejs8.10", "nodejs4.3", "nodejs6.10", "dotnetcore1.0", "dotnetcore2.0",
                 "nodejs4.3-edge", "nodejs", "java8", "python3.7", "go1.x", "provided", "ruby2.7", "nodejs14.x",
-                "nodejs16.x", "python3.8", "dotnet7", "dotnet6"
+                "nodejs16.x", "python3.9", "dotnet7", "dotnet6"
                 # , "nodejs18.x" # Uncomment on Sept 1, 2025
                 # , "provided.al2" # Uncomment on Jun 30, 2026
                 # , "python3.9" # Uncomment on Nov 3, 2025

integration_tests/prepare_data.sh

@@ -29,7 +29,7 @@ else
 
 fi
 
-if [[ "$2" == "3.8" && "$1" == "ubuntu-latest" ]]
+if [[ "$2" == "3.9" && "$1" == "ubuntu-latest" ]]
 then
   pipenv run checkov -s -f terragoat/terraform/aws/s3.tf --repo-id checkov/integration_test --bc-api-key $BC_KEY > checkov_report_s3_singlefile_api_key_terragoat.txt
   pipenv run checkov -s -d terragoat/terraform/azure/ --repo-id checkov/integration_test --bc-api-key $BC_KEY > checkov_report_azuredir_api_key_terragoat.txt

tests/cloudformation/checks/resource/aws/example_IAMRoleAllowAssumeFromAccount/example_IAMRoleAllowAssumeFromAccount-PASSED-2.yml

@@ -756,5 +756,5 @@ Resources:
 
       Handler: index.lambda_handler
       Role: !GetAtt ScalingLambdaRole.Arn
-      Runtime: python3.8
+      Runtime: python3.9
       Timeout: 10

tests/cloudformation/checks/resource/aws/example_LambdaDLQConfigured/FAIL.yaml

@@ -8,4 +8,4 @@ Resources:
       Code:
         S3Bucket: my-bucket
         S3Key: function.zip
-      Runtime: python3.8
+      Runtime: python3.9

tests/cloudformation/checks/resource/aws/example_LambdaDLQConfigured/PASS.yaml

@@ -8,6 +8,6 @@ Resources:
       Code:
         S3Bucket: my-bucket
         S3Key: function.zip
-      Runtime: python3.8
+      Runtime: python3.9
       DeadLetterConfig:
         TargetArn: arn:aws:sqs:eu-central-1:123456789012:dlq

tests/cloudformation/checks/resource/aws/example_LambdaDLQConfigured/sam.yaml

@@ -6,7 +6,7 @@ Resources:
     Type: AWS::Serverless::Function
     Properties:
       Handler: app.lambdaHandler
-      Runtime: python3.8
+      Runtime: python3.9
       DeadLetterQueue:
         TargetArn: arn:aws:sqs:eu-central-1:123456789012:dlq
         Type: SQS
@@ -15,4 +15,4 @@ Resources:
     Type: AWS::Serverless::Function
     Properties:
       Handler: app.lambdaHandler
-      Runtime: python3.8
+      Runtime: python3.9

tests/cloudformation/checks/resource/aws/example_LambdaEnvironmentCredentials/sam.yaml

@@ -4,14 +4,14 @@ Transform: AWS::Serverless-2016-10-31
 Globals:
   Function:
     Handler: app.lambdaHandler
-    Runtime: python3.8
+    Runtime: python3.9
 
 Resources:
   NoSecret:
     Type: AWS::Serverless::Function
     Properties:
       Handler: app.lambdaHandler
-      Runtime: python3.8
+      Runtime: python3.9
       Environment:
         Variables:
           key: value
@@ -20,7 +20,7 @@ Resources:
     Type: AWS::Serverless::Function
     Properties:
       Handler: app.lambdaHandler
-      Runtime: python3.8
+      Runtime: python3.9
 
   NoProperties:
     Type: AWS::Serverless::Function
@@ -29,7 +29,7 @@ Resources:
     Type: AWS::Serverless::Function
     Properties:
       Handler: app.lambdaHandler
-      Runtime: python3.8
+      Runtime: python3.9
       Environment:
         Variables:
           key: value

tests/cloudformation/checks/resource/aws/example_LambdaEnvironmentEncryptionSettings/sam.yaml

@@ -6,7 +6,7 @@ Resources:
     Type: AWS::Serverless::Function
     Properties:
       Handler: app.lambdaHandler
-      Runtime: python3.8
+      Runtime: python3.9
       Environment:
         Variables:
           key: value
@@ -16,13 +16,13 @@ Resources:
     Type: AWS::Serverless::Function
     Properties:
       Handler: app.lambdaHandler
-      Runtime: python3.8
+      Runtime: python3.9
 
   EnvAndNoKey:
     Type: AWS::Serverless::Function
     Properties:
       Handler: app.lambdaHandler
-      Runtime: python3.8
+      Runtime: python3.9
       Environment:
         Variables:
           key: value

tests/cloudformation/checks/resource/aws/example_LambdaFunctionLevelConcurrentExecutionLimit/FAIL.yaml

@@ -8,4 +8,4 @@ Resources:
       Code:
         S3Bucket: my-bucket
         S3Key: function.zip
-      Runtime: python3.8
+      Runtime: python3.9

tests/cloudformation/checks/resource/aws/example_LambdaFunctionLevelConcurrentExecutionLimit/PASS.yaml

@@ -8,5 +8,5 @@ Resources:
       Code:
         S3Bucket: my-bucket
         S3Key: function.zip
-      Runtime: python3.8
+      Runtime: python3.9
       ReservedConcurrentExecutions: 100

tests/cloudformation/checks/resource/aws/example_LambdaFunctionLevelConcurrentExecutionLimit/sam.yaml

@@ -6,11 +6,11 @@ Resources:
     Type: AWS::Serverless::Function
     Properties:
       Handler: app.lambdaHandler
-      Runtime: python3.8
+      Runtime: python3.9
       ReservedConcurrentExecutions: 100
 
   Default:
     Type: AWS::Serverless::Function
     Properties:
       Handler: app.lambdaHandler
-      Runtime: python3.8
+      Runtime: python3.9

tests/cloudformation/checks/resource/aws/example_LambdaInVPC/FAIL.yaml

@@ -8,4 +8,4 @@ Resources:
       Code:
         S3Bucket: my-bucket
         S3Key: function.zip
-      Runtime: python3.8
+      Runtime: python3.9

tests/cloudformation/checks/resource/aws/example_LambdaInVPC/PASS.yaml

@@ -8,10 +8,10 @@ Resources:
       Code:
         S3Bucket: my-bucket
         S3Key: function.zip
-      Runtime: python3.8
+      Runtime: python3.9
       VpcConfig:
         SecurityGroupIds:
-          - sg-12345
+          - sg-01234567
         SubnetIds:
-          - subnet-12345
-          - subnet-67890
+          - subnet-01234567
+          - subnet-34567890

tests/cloudformation/checks/resource/aws/example_LambdaInVPC/sam.yaml

@@ -6,7 +6,7 @@ Resources:
     Type: AWS::Serverless::Function
     Properties:
       Handler: app.lambdaHandler
-      Runtime: python3.8
+      Runtime: python3.9
       VpcConfig:
         SecurityGroupIds:
           - sg-12345
@@ -18,4 +18,4 @@ Resources:
     Type: AWS::Serverless::Function
     Properties:
       Handler: app.lambdaHandler
-      Runtime: python3.8
+      Runtime: python3.

tests/cloudformation/graph/graph_builder/resources/sam/template.yaml

@@ -17,7 +17,7 @@ Globals:
   Function:
     Timeout: 5
     CodeUri: src/
-    Runtime: python3.8
+    Runtime: python3.9
     Tracing: Active
     Environment:
       Variables:

tests/cloudformation/graph/graph_builder/test_local_graph.py

@@ -199,7 +199,7 @@ def test_build_graph_with_sam_resource(self):
         self.assertEqual(['subnet-123', 'subnet-456'], function_1_vertex.attributes["VpcConfig"]["SubnetIds"])
 
         self.assertEqual("src/", function_2_vertex.attributes["CodeUri"])
-        self.assertEqual("python3.8", function_2_vertex.attributes["Runtime"])
+        self.assertEqual("python3.9", function_2_vertex.attributes["Runtime"])
         self.assertEqual(5, function_2_vertex.attributes["Timeout"])
         self.assertEqual("Active", function_2_vertex.attributes["Tracing"])
         self.assertEqual("Production", function_2_vertex.attributes["Environment"]["Variables"]["STAGE"])

tests/github_actions/test_graph_manager.py

@@ -247,7 +247,7 @@ def test_build_def_context_1():
                         {
                             "name": "Setup Python",
                             "uses": "actions/setup-python@v3",
-                            "with": {"python-version": "3.8", "__startline__": 14, "__endline__": 15},
+                            "with": {"python-version": "3.9", "__startline__": 14, "__endline__": 15},
                             "__startline__": 11,
                             "__endline__": 15,
                         },
@@ -315,7 +315,7 @@ def test_build_def_context_1():
             (11, "      - name: Setup Python\n"),
             (12, "        uses: actions/setup-python@v3\n"),
             (13, "        with:\n"),
-            (14, "          python-version: '3.8'\n"),
+            (14, "          python-version: '3.9'\n"),
             (15, "      - name: Setup Poetry\n"),
             (16, "        uses: Green/setup-poetry@v7\n"),
             (17, "      - name: Install Python Dependencies\n"),
@@ -360,7 +360,7 @@ def test_build_def_context_1():
                         (11, "      - name: Setup Python\n"),
                         (12, "        uses: actions/setup-python@v3\n"),
                         (13, "        with:\n"),
-                        (14, "          python-version: '3.8'\n"),
+                        (14, "          python-version: '3.9'\n"),
                         (15, "      - name: Setup Poetry\n"),
                         (16, "        uses: Green/setup-poetry@v7\n"),
                         (17, "      - name: Install Python Dependencies\n"),

tests/sca_image/examples/.github/workflows/vulnerable_container.yaml

@@ -5,7 +5,7 @@ name: unsecure-worfklow
 jobs:
   my_job:
     container:
-      image: python:3.8-alpine
+      image: python:3.9-alpine
       env:
         NODE_ENV: development
       ports:

tests/terraform/checks/resource/aws/example_LambdaCodeSigningConfigured/main.tf

@@ -3,7 +3,7 @@
 resource "aws_lambda_function" "pass" {
   function_name = "test-env"
   role          = ""
-  runtime       = "python3.8"
+  runtime       = "python3.9"
   code_signing_config_arn = "123123123"
 }
 
@@ -12,5 +12,5 @@ resource "aws_lambda_function" "pass" {
 resource "aws_lambda_function" "fail" {
   function_name = "stest-env"
   role          = ""
-  runtime       = "python3.8"
+  runtime       = "python3.9"
 }