    Nuno Oliveira
    @nunoocx
    Hi! Welcome to KICS community on gitter. :wave:
    We are thrilled to talk with KICS users, answer your questions, get your feedback and suggestions, and discuss new ideas!
    Igor Markov
    @IgorMarkov
    Excited to check out the kics.io tool!
    What IaC solutions/platforms code can be scanned by KICS?
    1 reply
    Ori Bendet
    @oribendetcx
    Hi, @IgorMarkov
    KICS currently supports Terraform, K8S, Docker, Ansible and AWS Cloud Formation. Regarding IaaC - we support AWS, Azure, GCP.
    We plan to add more IaC tools and other cloud vendors in the future. Feel free to check our roadmap: https://github.com/Checkmarx/kics/blob/master/docs/roadmap.md
    David Tissot
    @david.tissot_gitlab
    Hi, I have checked the documentation, and I can see nowhere a functionality to skip files in the scan. Indeed, we have some files in the source for local development only that we don't want to scan. Is there something like a ".gitignore" file to list the exceptions, in order to have a proper result report?
    4 replies
    blakeduffey
    @blakeduffey
    Where can we direct general support questions? Was excited to hear about this tool from our Checkmarx CSM - but having trouble running it against a valid AWS Cloud Formation file.
    blakeduffey
    @blakeduffey
    Keep getting 'Error: failed to read sources: invalid file format'
    Mark Mishaev
    @markmishaevcx
    @blakeduffey Could you please provide your cloud formation file so we can check it out?
    Mark Mishaev
    @markmishaevcx
    @blakeduffey One other quick question: what extension does your AWS Cloud Formation file have?
    blakeduffey
    @blakeduffey
    I've tried with a .json extension and without. I've tried two sample files. How can I provide a sample?
    Ori Bendet
    @oribendetcx
    @blakeduffey you can open an issue and attach the file, or you can send it to kics@checkmarx.com and we'll take a look
    2 replies
    blakeduffey
    @blakeduffey
    sure thing - will be in your inbox - feel free to correspond in that channel :)
    Ori Bendet
    @oribendetcx
    @blakeduffey on it. I'll update you
    Sam Stepanyan
    @securestep9
    looking forward to Microsoft ARM template support
    2 replies
    chendarb
    @chendarb
    Hi, I wish to know if you have plans to add support for Podman and Kaniko
    3 replies
    Patrick Moreno
    @PatrickOSM
    Hi, has someone already integrated KICS with Azure DevOps? The integration that I want to do is to get the KICS report and place each detected problem as a comment in the opened Pull Request; the team then needs to resolve the comment for the PR approval.
    4 replies
    Rui Gomes
    @ruigomescx
    Hi! KICS version 1.2.1 has been released, with the major features being support for Helm files and a results report in HTML. Check out these new features in the latest release: https://github.com/Checkmarx/kics/releases/tag/v1.2.1
    RuncibleSpoon
    @RuncibleSpoon
    Hi, can someone help me with debugging my query? I've put all the source files here: https://github.com/RuncibleSpoon/KiCS-query-example . I'm trying to spot a privileged container that's part of a deployment, so the existing query doesn't find it, as there are two levels of the 'spec' field. I've tried modifying the rego to account for this, and it works in the rego playground test environment, but not in my KiCS deployment.
    6 replies
    prasad-clouduser
    @prasad-clouduser
    Hi, I am new to kics. Do we have any videos to understand how to implement the rego custom queries and the implementation of kics in CI/CD? Appreciate your help, guys
    6 replies
    Rogerio Peixoto
    @rogeriopeixotocx
    Hi! KICS version 1.2.2 has been released, with the major feature being support for terraform variables. Check out the changes and new features in the latest release in our GitHub repository: https://github.com/Checkmarx/kics/releases/tag/v1.2.2
    Jonnathan Griffin
    @jonnyg:matrix.org
    Hi! Just discovered KICS two days ago and love it.

    Quick question though - is there a way to call kics and only scan the commits within a PR - e.g. between two git hashes?

    I saw that we can set the path - however, I was unable to just scan the files that have been updated within the PR.

    So I wasn't sure if I then just have to call KICS multiple times for each file that has changed?

    1 reply
    Jonnathan Griffin
    @jonnyg:matrix.org
    Thanks for the feedback!

    So my team isn't really using github actions, and instead concourse.

    As a quick fix I added something like

    # one kics run per changed file; each run overwrites results.sarif, which is then appended
    cat pull-request/.git/resource/changed_files | while read -r changedfile
    do
      echo "./kics scan -p pull-request/$changedfile -t Kubernetes -o . --report-formats \"json,sarif,html\" --ci"
      ./kics scan -p "pull-request/$changedfile" -t Kubernetes -o . --report-formats "json,sarif,html" --ci
      cat results.sarif >> final_results.sarif
    done

    Does that make sense? or is there a way to call kics once and point it to multiple files?

    Also, I attempted to upload the sarif to github and got an error and was wondering if you if an enterprise edition is required to view the results in github?

    # ${KICS_SARIF} must hold the SARIF file gzip-compressed and then base64-encoded,
    # which is what the GitHub code-scanning upload endpoint expects in the "sarif" field
    curl \
      -X POST \
      -H "Authorization: token ${TOKEN}" \
      -H "Accept: application/vnd.github.v3+json" \
      "https://api.github.com/repos/${GIT_ORG}/${GIT_REPO}/code-scanning/sarifs" \
      -d "{\"commit_sha\":\"${COMMIT_SHA}\",\"ref\":\"${REF}\",\"sarif\":\"${KICS_SARIF}\",\"tool_name\":\"KICS\"}"
    {
      "message": "Advanced Security must be enabled for this repository to use code scanning.",
      "documentation_url": "https://docs.github.com/rest/reference/code-scanning#upload-a-sarif-file"
    }
    Rogerio Peixoto
    @rogeriopeixotocx

    Regarding your first question, we want to enhance our -p flag to allow the user to provide it multiple times, or as a comma-separated string. You're invited to contribute to our project.

    Regarding the second question, Github enterprise edition is required for private repositories. Github docs

    Jonnathan Griffin
    @jonnyg:matrix.org
    Awesome stuff, thanks for the help @rogeriopeixotocx and I'll definitely try to check out the -p flag and see what I can contribute
    Lior Kaplan
    @kaplanlior_gitlab
    Hi everyone, I would like to invite you to a thread we started about the Semantic exit codes PR (Checkmarx/kics#2726). You're welcome to talk about it here or on Github. In both cases, we'll be happy to get your feedback before we implement the feature and merge the PR.
    Jonnathan Griffin
    @jonnyg:matrix.org
    Hi, question: are the common queries https://github.com/Checkmarx/kics/tree/master/assets/queries/common run if you specify only, say, terraform rules to run?
    1 reply
    Rogerio Peixoto
    @rogeriopeixotocx
    @jonnyg:matrix.org Hi Jonnathan, thank you for your question. I've just tested here, and common queries should be running if you specify a platform type. If you find that the password query is not running in your environment, please report it as a bug. Perhaps we should make this information explicit in our documentation. I need clarification on what you mean by supporting "slack keys". Again, thank you for your engagement.
    4 replies
    Cadenus
    @Cadenus

    Good Morning
    I was just introduced to kics this week, and since we started trying out moving stuff to terraform, or in some places using terraform on Azure to begin with, I gave it a try. Now I ran into a high severity issue that I cannot wrap my head around, either because I may lack the knowledge on Azure or because I simply do not understand the meaning of the heuristic query.
    The query in question is "Trusted Microsoft Services Not Enabled", and the documentation leads me to the network rules section of the azure storage module here: https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/storage_account#bypass

    I tried some combinations like "default: deny" and "bypass: AzureServices", but I do not want to just trial-and-error my way around; I want to understand what is going on. Is there someone here who may give me a pointer?

    Cadenus
    @Cadenus

    Ah, okay, so after going through the code and the tests for that query I found what I did wrong.
    Here is my original section of the main.tf:

    resource "azurerm_storage_account" "infra_storage_account" {
      depends_on                = [azurerm_resource_group.infra_resource_group]
    
    # ...
    
      network_rules {
        default_action = "Deny"
        bypass = "AzureServices"
      }
    }

    where it should have been

    resource "azurerm_storage_account" "infra_storage_account" {
      depends_on                = [azurerm_resource_group.infra_resource_group]
    
    # ...
    
      network_rules {
        default_action = "Deny"
        bypass = ["AzureServices"]
      }
    }

    Agreed: this is rather a syntax error in Terraform than a security finding, and I could probably have found it earlier had I not run kics first.
    It would have helped me to have a more talkative issue description, like "Ok, this is wrong here because ... a is missing or b is configured wrong".

    Rogerio Peixoto
    @rogeriopeixotocx
    Hey @Cadenus, it's great to hear some feedback from you. Regarding the query in question, I can see that the documentation for this provider does not make clear, in this item, the type that the "bypass" field should receive. In my local tests, neither terraform validate nor tflint could point out the type mismatch in the variable attribution, even when I placed an integer, for example, which makes sense since those parameters are provider dependent. I strongly recommend running terraform plan beforehand so that we get the validation from the Azure API. You're welcome to open a bug if you confirm this is an issue. Meanwhile, we'll try to improve our remediation texts in the following sprints. Also, you're more than welcome to contribute if you feel like helping us.