feat(general): upgrade checkov python version to 3.10 and urllib3 to 2.5.0

.github/workflows/build.yml

@@ -93,63 +93,10 @@ jobs:
         run: |
           pipenv run pytest integration_tests
 
-  integration-tests-old-python:
-    strategy:
-      fail-fast: true
-      matrix:
-        python: ["3.9"]
-        os: [ubuntu-latest, windows-latest]
-    runs-on: ${{ matrix.os }}
-    steps:
-      - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683  # v3
-      - uses: actions/setup-python@39cd14951b08e74b54015e9e001cdefcf80e669f  # v4
-        with:
-          python-version: ${{ matrix.python }}
-      - uses: actions/setup-node@cdca7365b2dadb8aad0a33bc7601856ffabcc48e  # v3
-      - uses: azure/setup-helm@5119fcb9089d432beecbf79bb2c7915207344b78  # v3
-        with:
-          token: ${{ secrets.GITHUB_TOKEN }}
-      - uses: imranismail/setup-kustomize@a76db1c6419124d51470b1e388c4b29476f495f1  # v2
-        if: ${{ runner.os != 'windows' }}
-        with:
-          github-token: ${{ secrets.GITHUB_TOKEN }}
-      - name: Install pipenv
-        run: |
-          python -m pip install --no-cache-dir --upgrade pipenv
-      - name: Build & install checkov package
-        run: |
-          # remove venv, if exists
-          pipenv --rm || true
-          pipenv --python ${{ matrix.python }}
-          pipenv run pip install pytest pytest-xdist setuptools wheel
-          pipenv run python setup.py sdist bdist_wheel
-          bash -c 'pipenv run pip install dist/checkov-*.whl'
-      - name: Clone Terragoat - vulnerable terraform
-        run: git clone https://github.com/bridgecrewio/terragoat
-      - name: Clone Cfngoat - vulnerable cloudformation
-        run: git clone https://github.com/bridgecrewio/cfngoat
-      - name: Clone Kubernetes-goat - vulnerable kubernetes
-        run: git clone https://github.com/madhuakula/kubernetes-goat
-      - name: Clone kustomize-goat - vulnerable kustomize
-        run: git clone https://github.com/bridgecrewio/kustomizegoat
-      - name: Create checkov reports
-        run: |
-          # Just making sure the API key tests don't run on PRs
-          bash -c './integration_tests/prepare_data.sh "${{ matrix.os }}" "${{ matrix.python }}"'
-        env:
-          LOG_LEVEL: INFO
-          BC_KEY: ${{ secrets.PRISMA_KEY_API2 }}
-          PRISMA_API_URL: ${{ secrets.PRISMA_API_URL_2 }}
-          TF_REGISTRY_TOKEN: ${{ secrets.TFC_TOKEN }}
-          GITHUB_PAT: ${{ secrets.GITHUB_TOKEN }}
-      - name: Run integration tests
-        run: |
-          pipenv run pytest integration_tests
-
   prisma-tests:
     runs-on: [ self-hosted, public, linux, x64 ]
     env:
-      PYTHON_VERSION: "3.9"
+      PYTHON_VERSION: "3.10"
     steps:
       - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683  # v3
       - uses: actions/setup-python@39cd14951b08e74b54015e9e001cdefcf80e669f  # v4
@@ -216,51 +163,11 @@ jobs:
         run: |
           pipenv run pytest sast_integration_tests
 
-  sast-integration-tests-old-python:
-    strategy:
-      fail-fast: true
-      matrix:
-        python: ["3.9"]
-        os: [ubuntu-latest]
-    runs-on: ${{ matrix.os }}
-    continue-on-error: true # for now it is ok to fail
-    steps:
-      - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683  # v3
-      - uses: actions/setup-python@39cd14951b08e74b54015e9e001cdefcf80e669f  # v4
-        with:
-          python-version: ${{ matrix.python }}
-      - name: Install pipenv
-        run: |
-          python -m pip install --no-cache-dir --upgrade pipenv
-      - name: Build & install checkov package
-        run: |
-          # remove venv, if exists
-          pipenv --rm || true
-          pipenv --python ${{ matrix.python }}
-          pipenv run pip install pytest pytest-xdist setuptools wheel
-          pipenv run python setup.py sdist bdist_wheel
-          bash -c 'pipenv run pip install dist/checkov-*.whl'
-      - name: Clone flask - Python repo for SAST
-        run: git clone https://github.com/pallets/flask
-      - name: Clone WebGoat - Java repo for SAST
-        run: git clone https://github.com/WebGoat/WebGoat
-      - name: Clone axios - JavaScript repo for SAST
-        run: git clone https://github.com/axios/axios
-      - name: Create checkov reports
-        env:
-          LOG_LEVEL: INFO
-          BC_API_KEY: ${{ secrets.PRISMA_KEY_API2 }}
-          PRISMA_API_URL: ${{ secrets.PRISMA_API_URL_2 }}
-        run: bash -c './sast_integration_tests/prepare_data.sh'
-      - name: Run integration tests
-        run: |
-          pipenv run pytest sast_integration_tests
-
   unit-tests:
     timeout-minutes: 30
     runs-on: ubuntu-latest
     env:
-      PYTHON_VERSION: "3.9"
+      PYTHON_VERSION: "3.10"
     steps:
       - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683  # v3
       - name: Set up Python ${{ env.PYTHON_VERSION }}
@@ -298,7 +205,7 @@ jobs:
       id-token: write
     timeout-minutes: 30
     env:
-      PYTHON_VERSION: "3.9"
+      PYTHON_VERSION: "3.10"
     steps:
       - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683  # v3
         with:

.github/workflows/coverage.yaml

@@ -15,7 +15,7 @@ jobs:
       contents: write
     environment: release
     env:
-      PYTHON_VERSION: "3.9"
+      PYTHON_VERSION: "3.10"
     steps:
       - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683  # v3
         with:

.github/workflows/nightly.yml

@@ -88,7 +88,7 @@ jobs:
     permissions:
       contents: write
     env:
-      PYTHON_VERSION: "3.9"
+      PYTHON_VERSION: "3.10"
     steps:
       - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683  # v3
         with:
@@ -135,7 +135,7 @@ jobs:
     if: needs.github-release.outputs.upload_url != ''
     runs-on: [self-hosted, public, linux, arm64]
     container:
-      image: arm64v8/python:3.9
+      image: arm64v8/python:3.10
     permissions:
       contents: write
     steps:

.github/workflows/pipenv-update.yml

@@ -14,7 +14,7 @@ jobs:
       contents: write
       pull-requests: write
     env:
-      PYTHON_VERSION: "3.9"
+      PYTHON_VERSION: "3.10"
     steps:
       - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683  # v3
         with:

.github/workflows/pr-test.yml

@@ -9,7 +9,7 @@ jobs:
   lint:
     uses: bridgecrewio/gha-reusable-workflows/.github/workflows/pre-commit.yaml@main
     with:
-      python-version: "3.9"
+      python-version: "3.10"
 
   danger-check:
     runs-on: [ self-hosted, public, linux, x64 ]
@@ -32,7 +32,7 @@ jobs:
   cfn-lint:
     runs-on: ubuntu-latest
     env:
-      PYTHON_VERSION: "3.9"
+      PYTHON_VERSION: "3.10"
     steps:
       - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683  # v3
       - uses: actions/setup-python@39cd14951b08e74b54015e9e001cdefcf80e669f  # v4
@@ -66,13 +66,13 @@ jobs:
   mypy:
     uses: bridgecrewio/gha-reusable-workflows/.github/workflows/mypy.yaml@main
     with:
-      python-version: "3.9"
+      python-version: "3.10"
 
   unit-tests:
     strategy:
       fail-fast: true
       matrix:
-        python: ["3.9", "3.10", "3.11", "3.12", "3.13"]
+        python: ["3.10", "3.11", "3.12", "3.13"]
     runs-on: ubuntu-latest
     timeout-minutes: 30
     steps:
@@ -120,7 +120,6 @@ jobs:
         env:
           GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
         run: pipenv run python -m pytest tests
-
   integration-tests:
     strategy:
       fail-fast: true
@@ -171,62 +170,7 @@ jobs:
           PRISMA_API_URL: ${{ secrets.PRISMA_API_URL_2 }}
         run: |
           # Just making sure the API key tests don't run on PRs
-          bash -c './integration_tests/prepare_data.sh ${{ matrix.os }} 3.9'
-      - name: Run integration tests
-        run: |
-          pipenv run pytest integration_tests -k 'not api_key'
-
-  integration-tests-old-python:
-    strategy:
-      fail-fast: true
-      matrix:
-        python: ["3.9"]
-        os: [ubuntu-latest, windows-latest]
-    runs-on: ${{ matrix.os }}
-    steps:
-      - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683  # v3
-      - uses: actions/setup-python@39cd14951b08e74b54015e9e001cdefcf80e669f  # v4
-        with:
-          python-version: ${{ matrix.python }}
-          allow-prereleases: true
-          cache: "pipenv"
-          cache-dependency-path: "Pipfile.lock"
-      - uses: actions/setup-node@cdca7365b2dadb8aad0a33bc7601856ffabcc48e  # v4
-      - uses: azure/setup-helm@5119fcb9089d432beecbf79bb2c7915207344b78  # v3
-        with:
-          token: ${{ secrets.GITHUB_TOKEN }}
-      - uses: imranismail/setup-kustomize@a76db1c6419124d51470b1e388c4b29476f495f1  # v2
-        if: ${{ runner.os != 'windows' }}
-        with:
-          github-token: ${{ secrets.GITHUB_TOKEN }}
-      - name: Install pipenv
-        run: |
-          python -m pip install --no-cache-dir --upgrade pipenv
-      - name: Build & install checkov package
-        shell: bash
-        run: |
-          # remove venv, if exists
-          pipenv --rm || true
-          pipenv --python ${{ matrix.python }}
-          pipenv run pip install pytest pytest-xdist setuptools wheel
-          pipenv run python setup.py sdist bdist_wheel
-          bash -c 'pipenv run pip install dist/checkov-*.whl'
-      - name: Clone Terragoat - vulnerable terraform
-        run: git clone https://github.com/bridgecrewio/terragoat
-      - name: Clone Cfngoat - vulnerable cloudformation
-        run: git clone https://github.com/bridgecrewio/cfngoat
-      - name: Clone Kubernetes-goat - vulnerable kubernetes
-        run: git clone https://github.com/madhuakula/kubernetes-goat
-      - name: Clone kustomize-goat - vulnerable kustomize
-        run: git clone https://github.com/bridgecrewio/kustomizegoat
-      - name: Create checkov reports
-        env:
-          LOG_LEVEL: INFO
-          BC_KEY: ${{ secrets.PRISMA_KEY_API2 }}
-          PRISMA_API_URL: ${{ secrets.PRISMA_API_URL_2 }}
-        run: |
-          # Just making sure the API key tests don't run on PRs
-          bash -c './integration_tests/prepare_data.sh ${{ matrix.os }} 3.9'
+          bash -c './integration_tests/prepare_data.sh ${{ matrix.os }} 3.10'
       - name: Run integration tests
         run: |
           pipenv run pytest integration_tests -k 'not api_key'
@@ -283,7 +227,7 @@ jobs:
     strategy:
       fail-fast: true
       matrix:
-        python: ["3.9"]
+        python: ["3.10"]
         os: [ubuntu-latest]
     runs-on: ${{ matrix.os }}
     steps:
@@ -373,7 +317,7 @@ jobs:
     strategy:
       fail-fast: true
       matrix:
-        python: ["3.9"]
+        python: ["3.10"]
         os: [ubuntu-latest]
     runs-on: ${{ matrix.os }}
     steps:
@@ -413,7 +357,7 @@ jobs:
 
   performance-tests:
     env:
-      PYTHON_VERSION: "3.9"
+      PYTHON_VERSION: "3.10"
       working-directory: ./performance_tests
     runs-on: [self-hosted, public, linux, x64]
     steps:
@@ -469,7 +413,7 @@ jobs:
   dogfood-tests:
     runs-on: ubuntu-latest
     env:
-      PYTHON_VERSION: "3.9"
+      PYTHON_VERSION: "3.10"
       WORKING_DIRECTORY: ./dogfood_tests
     steps:
       - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683  # v3

.pre-commit-config.yaml

@@ -7,7 +7,7 @@ repos:
     rev: 6.1.0
     hooks:
       - id: flake8
-        language_version: python3.9
+        language_version: python3.10
         additional_dependencies:
           - dlint
           - flake8-bugbear
@@ -16,7 +16,7 @@ repos:
     rev: 0.4.3
     hooks:
       - id: teyit
-        language_version: python3.9
+        language_version: python3.10
   - repo: https://github.com/rhysd/actionlint
     rev: v1.6.26
     hooks:
@@ -27,7 +27,7 @@ repos:
     rev: v3.2.0
     hooks:
       - id: pipenv-setup
-        language_version: python3.9
+        language_version: python3.10
         entry: pipenv-setup check
         args: []
         additional_dependencies:
@@ -37,5 +37,5 @@ repos:
     rev: v1.12.1
     hooks:
       - id: import-linter
-        language_version: python3.9
+        language_version: python3.10
         args: ["--show-timings"]

Pipfile

@@ -54,7 +54,7 @@ termcolor=">=1.1.0,<2.4.0"
 junit-xml = ">=1.9,<2.0"
 dpath = "==2.1.3"
 pyyaml = ">=6.0.0,<7.0.0"
-boto3 = "==1.35.49"
+boto3 = "==1.38.27"
 gitpython = ">=3.1.30,<4.0.0"
 jmespath = ">=1.0.0,<2.0.0"
 tqdm = ">=4.65.0,<5.0.0"
@@ -88,8 +88,8 @@ rustworkx = ">=0.13.0,<1.0.0"
 pydantic = ">=2.0.0,<3.0.0"
 asteval = "==1.0.6"
 bc-detect-secrets = "==1.5.45"
-urllib3 = "==1.26.20"
+urllib3 = "==2.5.0"
 bc-python-hcl2 = "==0.4.3"
 
 [requires]
-python_version = "3.9"
+python_version = "3.10"