Upgrade to Python 3.11 (#46)

.github/workflows/pr.yml

@@ -6,17 +6,17 @@ on:
 permissions: read-all
 
 env:
-  MIN_PYTHON_VERSION: "3.10"
+  MIN_PYTHON_VERSION: "3.11"
 
 jobs:
   lint:
     uses: bridgecrewio/gha-reusable-workflows/.github/workflows/pre-commit.yaml@main
     with:
-      python-version: "3.10"  # can't leverage env vars here
+      python-version: "3.11"  # can't leverage env vars here
   mypy:
     uses: bridgecrewio/gha-reusable-workflows/.github/workflows/mypy.yaml@main
     with:
-      python-version: "3.10"  # can't leverage env vars here
+      python-version: "3.11"  # can't leverage env vars here
 
   unit-tests:
     timeout-minutes: 5

.github/workflows/release.yml

@@ -16,7 +16,7 @@ on:
 permissions: read-all
 
 env:
-  PYTHON_VERSION: "3.10"
+  PYTHON_VERSION: "3.11"
 
 jobs:
   update-checkov:

.pre-commit-config.yaml

@@ -1,6 +1,6 @@
 repos:
   - repo: https://github.com/pre-commit/pre-commit-hooks
-    rev: v4.4.0
+    rev: v4.5.0
     hooks:
       - id: check-json
       - id: check-toml
@@ -11,11 +11,11 @@ repos:
         args: ["--django"]
       - id: trailing-whitespace
   - repo: https://github.com/psf/black
-    rev: 22.12.0
+    rev: 23.10.0
     hooks:
       - id: black
   - repo: https://github.com/charliermarsh/ruff-pre-commit
-    rev: v0.0.206
+    rev: v0.1.0
     hooks:
       - id: ruff
         args:

Dockerfile

@@ -1,8 +1,8 @@
-FROM python:3.10-slim
+FROM python:3.11-slim
 
 # mention "admissionController" as the source of integration to bridgecrew.cloud
 ENV BC_SOURCE=admissionController
-ENV PIP_ENV_VERSION="2022.11.25"
+ENV PIP_ENV_VERSION="2023.7.23"
 ENV RUN_IN_DOCKER=True
 
 RUN set -eux; \
@@ -16,10 +16,10 @@ WORKDIR /app
 COPY Pipfile Pipfile.lock ./
 
 RUN set -eux; \
-    pip install pipenv==${PIP_ENV_VERSION}; \
+    pip install --no-deps pipenv==${PIP_ENV_VERSION}; \
     pipenv requirements > requirements.txt; \
     pip install -r requirements.txt --no-deps; \
-    rm -f requirements.txt; \
+    rm -f requirements.txt Pipfile Pipfile.lock; \
     pip uninstall -y pipenv
 
 COPY wsgi.py ./

Pipfile

@@ -5,10 +5,10 @@ name = "pypi"
 
 [packages]
 checkov = "==2.5.17"
-flask = "==2.2.2"
-flask-apscheduler = "==1.12.4"
-python-dotenv = "==0.21.0"
-gunicorn = "==20.1.0"
+flask = "==2.3.3"
+flask-apscheduler = "==1.13.0"
+python-dotenv = "==1.0.0"
+gunicorn = "==21.2.0"
 
 [dev-packages]
 mypy = "*"
@@ -18,4 +18,4 @@ pytest-mock = "*"
 types-pyyaml = "*"
 
 [requires]
-python_version = "3.10"
+python_version = "3.11"

app/checkov_whorf.py

@@ -1,5 +1,6 @@
 from __future__ import annotations
 
+import os.path
 from typing import TYPE_CHECKING, Literal
 
 import yaml
@@ -12,6 +13,7 @@
     from logging import Logger
 
     from checkov.common.output.baseline import Baseline
+    from checkov.common.output.report import Report
     from checkov.common.runners.runner_registry import RunnerRegistry
 
 
@@ -24,18 +26,20 @@ def __init__(self, logger: Logger, argv: list[str]) -> None:
     def upload_results(
         self,
         root_folder: str,
+        absolute_root_folder: str,
         files: list[str] | None = None,
         excluded_paths: list[str] | None = None,
         included_paths: list[str] | None = None,
         git_configuration_folders: list[str] | None = None,
+        sca_supported_ir_report: Report | None = None,
     ) -> None:
         # don't upload results with every run
         return
 
     def upload_results_periodically(self, root_folder: str) -> None:
         """Used to upload results on a periodic basis"""
 
-        super().upload_results(root_folder=root_folder)
+        super().upload_results(root_folder=root_folder, absolute_root_folder=os.path.abspath(root_folder))
 
     def print_results(
         self,

app/consts.py

@@ -5,7 +5,7 @@
 LOG_LEVEL = os.environ.get("LOG_LEVEL", "INFO").upper()
 
 CHECKOV_CONFIG_PATH = Path("config/.checkov.yaml")
-MANIFEST_ROOT_PATH = Path("/tmp")
+MANIFEST_ROOT_PATH = Path("/tmp")  # noqa: S108
 WHORF_CONFIG_PATH = Path("config/whorf.yaml")
 
 DEFAULT_CHECKOV_ARGS = ["--framework", "kubernetes", "--repo-id", "k8s_ac/cluster"]

app/utils.py

@@ -66,9 +66,9 @@ def to_dict(obj: Any) -> Any:
             if val is not None:
                 result[v] = to_dict(val)
         return result
-    elif type(obj) == list:
+    elif isinstance(obj, list):
         return [to_dict(x) for x in obj]
-    elif type(obj) == datetime:
+    elif isinstance(obj, datetime):
         return str(obj)
     else:
         return obj

app/validate.py

@@ -60,11 +60,10 @@ def process_failed_checks(ckv_whorf: CheckovWhorf, uid: str, obj_kind_name: str)
         try:
             for report in ckv_whorf.scan_reports:
                 for check in report.failed_checks:
-                    if check.check_id in ckv_whorf.config.hard_fail_on:
-                        hard_fails[check.check_id] = f"\n  Description: {check.check_name}"
-                        if check.guideline:
-                            hard_fails[check.check_id] += f"\n  Guidance: {check.guideline}"
-                    elif check.bc_check_id in ckv_whorf.config.hard_fail_on:
+                    if (
+                        check.check_id in ckv_whorf.config.hard_fail_on
+                        or check.bc_check_id in ckv_whorf.config.hard_fail_on
+                    ):
                         hard_fails[check.check_id] = f"\n  Description: {check.check_name}"
                         if check.guideline:
                             hard_fails[check.check_id] += f"\n  Guidance: {check.guideline}"

extra_stubs/flask_apscheduler/scheduler.pyi

@@ -1,6 +1,7 @@
-from typing import Callable, Any, ParamSpec, TypeVar, overload
+from collections.abc import Callable
+from typing import Any, ParamSpec, TypeVar, overload
 
-from apscheduler.schedulers.base import BaseScheduler  # type:ignore[import]
+from apscheduler.schedulers.base import BaseScheduler  # type:ignore[import-untyped]
 from flask import Flask
 
 _F = TypeVar("_F", bound=Callable[..., Any])

pyproject.toml

@@ -36,4 +36,8 @@ select = [
 ignore = ["ARG002", "E501"]
 per-file-ignores = { "tests/**/*" = ["S101"] }
 
-target-version = "py310"
+exclude = [
+    "extra_stubs",
+]
+
+target-version = "py311"