feat(general): amended all lambda runtime deprecations thru Jun 30 2026

20251117-111144_container_images.csv

@@ -0,0 +1,2 @@
+Package,Version,Path,Line(s),Git Org,Git Repository,Vulnerability,Severity,Description,Licenses,Fix Version,Registry URL,Root Package,Root Version
+"SCA, image and runtime findings are only available with a Prisma Cloud subscription."

20251117-111144_iac.csv

@@ -0,0 +1,8 @@
+Resource,Path,Git Org,Git Repository,Misconfigurations,Severity,Policy title,Guideline
+aws_s3_bucket.test,/main.tf,,,CKV2_AWS_62,,Ensure S3 buckets should have event notifications enabled,
+aws_s3_bucket.test,/main.tf,,,CKV2_AWS_6,,Ensure that S3 bucket has a Public Access block,
+aws_s3_bucket.test,/main.tf,,,CKV_AWS_21,,Ensure all data stored in the S3 bucket have versioning enabled,
+aws_s3_bucket.test,/main.tf,,,CKV_AWS_18,,Ensure the S3 bucket has access logging enabled,
+aws_s3_bucket.test,/main.tf,,,CKV2_AWS_61,,Ensure that an S3 bucket has a lifecycle configuration,
+aws_s3_bucket.test,/main.tf,,,CKV_AWS_144,,Ensure that S3 bucket has cross-region replication enabled,
+aws_s3_bucket.test,/main.tf,,,CKV_AWS_145,,Ensure that S3 buckets are encrypted with KMS by default,

20251117-111144_oss_packages.csv

@@ -0,0 +1,2 @@
+Package,Version,Path,Line(s),Git Org,Git Repository,Vulnerability,Severity,Description,Licenses,Fix Version,Registry URL,Root Package,Root Version
+"SCA, image and runtime findings are only available with a Prisma Cloud subscription."

checkov/cloudformation/checks/resource/aws/DeprecatedLambdaRuntime.py

@@ -20,11 +20,13 @@ def get_forbidden_values(self) -> List[Any]:
         return ["dotnetcore3.1", "nodejs12.x", "python3.6", "python2.7", "dotnet5.0", "dotnetcore2.1", "ruby2.5",
                 "nodejs10.x", "nodejs8.10", "nodejs4.3", "nodejs6.10", "dotnetcore1.0", "dotnetcore2.0",
                 "nodejs4.3-edge", "nodejs", "java8", "python3.7", "go1.x", "provided", "ruby2.7", "nodejs14.x",
-                "nodejs16.x", "python3.9", "dotnet7", "dotnet6"
-                # , "nodejs18.x" # Uncomment on Sept 1, 2025
-                # , "provided.al2" # Uncomment on Jun 30, 2026
-                # , "python3.9" # Uncomment on Nov 3, 2025
-                ]
+                "nodejs16.x", "python3.8", "dotnet7", "dotnet6", "nodejs18.x"]
+        # , "python3.9"    # Uncomment on Dec 15, 2025
+        # , "ruby3.2"      # Uncomment on Mar 31, 2026
+        # , "nodejs20.x"   # Uncomment on Apr 30, 2026
+        # , "provided.al2" # Uncomment on Jun 30, 2026
+        # , "python3.10"   # Uncomment on Jun 30, 2026
+        # , "python3.11"   # Uncomment on Jun 30, 2026
 
 
 check = DeprecatedLambdaRuntime()

checkov/terraform/checks/resource/aws/DeprecatedLambdaRuntime.py

@@ -20,11 +20,13 @@ def get_forbidden_values(self) -> List[Any]:
         return ["dotnetcore3.1", "nodejs12.x", "python3.6", "python2.7", "dotnet5.0", "dotnetcore2.1", "ruby2.5",
                 "nodejs10.x", "nodejs8.10", "nodejs4.3", "nodejs6.10", "dotnetcore1.0", "dotnetcore2.0",
                 "nodejs4.3-edge", "nodejs", "java8", "python3.7", "go1.x", "provided", "ruby2.7", "nodejs14.x",
-                "nodejs16.x", "python3.9", "dotnet7", "dotnet6"
-                # , "nodejs18.x" # Uncomment on Sept 1, 2025
-                # , "provided.al2" # Uncomment on Jun 30, 2026
-                # , "python3.9" # Uncomment on Nov 3, 2025
-                ]
+                "nodejs16.x", "python3.8", "dotnet7", "dotnet6", "nodejs18.x"]
+        # , "python3.9"    # Uncomment on Dec 15, 2025
+        # , "ruby3.2"      # Uncomment on Mar 31, 2026
+        # , "nodejs20.x"   # Uncomment on Apr 30, 2026
+        # , "provided.al2" # Uncomment on Jun 30, 2026
+        # , "python3.10"   # Uncomment on Jun 30, 2026
+        # , "python3.11"   # Uncomment on Jun 30, 2026
 
 
 check = DeprecatedLambdaRuntime()

tests/cloudformation/checks/resource/aws/example_DeprecatedLambdaRuntime/example.yaml

@@ -4,11 +4,11 @@ Resources:
     Properties:
       Handler: 'index.handler'
       Role: 'arn:aws:iam::123456789012:role/execution_role'
-      FunctionName: 'MyFunction'
+      FunctionName: 'MyFunctionPass'
       Code:
         S3Bucket: 'myBucket'
         S3Key: 'code/myLambda.zip'
-      Runtime: 'nodejs18.x'
+      Runtime: 'python3.13'
   Fail:
     Type: 'AWS::Lambda::Function'
     Metadata:
@@ -20,7 +20,7 @@ Resources:
     Properties:
       Handler: 'index.handler'
       Role: 'arn:aws:iam::123456789012:role/execution_role'
-      FunctionName: 'MyFunction'
+      FunctionName: 'MyFunctionFailure'
       Code:
         S3Bucket: 'myBucket'
         S3Key: 'code/myLambda.zip'

tests/cloudformation/checks/resource/aws/example_DeprecatedLambdaRuntime/exampleSAM.yaml

@@ -32,7 +32,7 @@ Resources:
     Type: 'AWS::Serverless::Function'
     Properties:
       Handler: 'index.handler'
-      Runtime: 'python3.11'
+      Runtime: 'python3.14'
       CodeUri: './code/' # This should be the directory path where your Lambda code is.
       Events:
         MyApi:

tests/terraform/checks/resource/aws/example_DeprecatedLambdaRuntime/main.tf

@@ -3,7 +3,7 @@ resource "aws_lambda_function" "pass" {
   function_name = "lambda_function_name"
   role          = aws_iam_role.iam_for_lambda.arn
   handler       = "index.test"
-  runtime       = "nodejs18.x"
+  runtime       = "nodejs22.x"
 
   ephemeral_storage {
     size = 10240 # Min 512 MB and the Max 10240 MB