Hi! Just discovered KICS two days ago and love it.
Quick question though - is there a way to call kics and only scan the commits within a PR - e.g. between two git hashes?
I saw that we can set the path - however, I was unable to just scan the files that have been updated within the PR.
So I wasn't sure if I then just have to call KICS multiple times for each file that has changed?
Thanks for the feedback!
So my team isn't really using GitHub Actions, and instead Concourse.
As a quick fix I added something like
# Scan each changed file separately and keep its SARIF report.
cat pull-request/.git/resource/changed_files | while read -r changedfile
do
    echo "./kics scan -p pull-request/$changedfile -t Kubernetes -o . --report-formats \"json,sarif,html\" --ci"
    ./kics scan -p "pull-request/$changedfile" -t Kubernetes -o . --report-formats "json,sarif,html" --ci
    # Appending one JSON document after another with >> produces a file that is no
    # longer valid JSON (or SARIF), so keep each report under a per-file name instead.
    cp results.sarif "$(echo "$changedfile" | tr '/' '_').sarif"
done
Does that make sense? Or is there a way to call kics once and point it to multiple files?
Also, I attempted to upload the SARIF to GitHub and got an error, and was wondering if an enterprise edition is required to view the results in GitHub?
# ${KICS_SARIF} must hold the gzip-compressed, base64-encoded SARIF text; with single
# quotes the ${...} references stay literal, and tool_name belongs inside the JSON object.
curl \
  -X POST \
  -H "Authorization: token ${TOKEN}" \
  -H "Accept: application/vnd.github.v3+json" \
  https://api.github.com/repos/${GIT_ORG}/${GIT_REPO}/code-scanning/sarifs \
  -d "{\"commit_sha\":\"${COMMIT_SHA}\",\"ref\":\"${REF}\",\"sarif\":\"${KICS_SARIF}\",\"tool_name\":\"KICS\"}"
{
"message": "Advanced Security must be enabled for this repository to use code scanning.",
"documentation_url": "https://docs.github.com/rest/reference/code-scanning#upload-a-sarif-file"
}
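The loop above collects SARIF by appending files to each other, and the curl call sends the file contents as the sarif field. As an added example (not code from KICS or from the poster), the following merges several SARIF documents into one valid log by concatenating their runs, then gzip-compresses and base64-encodes it the way GitHub's code-scanning upload endpoint expects, and builds the request body with tool_name inside the object. The two SARIF documents embedded here are constructed stand-ins for per-file results.sarif outputs, not real KICS reports.

```python
import base64
import gzip
import json

# Constructed sample SARIF documents standing in for two per-file results.sarif
# reports (shape only; these are not real KICS outputs).
SAMPLE_SARIFS = [
    {
        "version": "2.1.0",
        "$schema": "https://json.schemastore.org/sarif-2.1.0.json",
        "runs": [{
            "tool": {"driver": {"name": "KICS", "rules": [{"id": "rule-a"}]}},
            "results": [{"ruleId": "rule-a", "message": {"text": "finding in file a"}}],
        }],
    },
    {
        "version": "2.1.0",
        "runs": [{
            "tool": {"driver": {"name": "KICS", "rules": [{"id": "rule-b"}]}},
            "results": [{"ruleId": "rule-b", "message": {"text": "finding in file b"}}],
        }],
    },
]


def merge_sarif(docs):
    """Merge SARIF 2.1.0 documents by concatenating their runs.

    `cat a.sarif >> b.sarif` yields text that is not one JSON document; SARIF
    itself allows many runs per log, so each scan is kept intact as its own run.
    """
    if not docs:
        raise ValueError("no SARIF documents to merge")
    merged = {"version": "2.1.0", "runs": []}
    schema = next((d["$schema"] for d in docs if "$schema" in d), None)
    if schema:
        merged["$schema"] = schema
    for d in docs:
        if d.get("version") != "2.1.0":
            raise ValueError(f"unexpected SARIF version: {d.get('version')!r}")
        merged["runs"].extend(d.get("runs", []))
    return merged


def count_results(doc):
    """Total number of results across all runs of a SARIF log."""
    return sum(len(run.get("results", [])) for run in doc["runs"])


def encode_for_code_scanning(doc):
    """GitHub's code-scanning SARIF upload expects the `sarif` field to be the
    gzip-compressed, base64-encoded SARIF text."""
    raw = json.dumps(doc, separators=(",", ":")).encode("utf-8")
    return base64.b64encode(gzip.compress(raw)).decode("ascii")


def decode_payload(b64):
    """Inverse of encode_for_code_scanning, used to verify a payload locally."""
    return json.loads(gzip.decompress(base64.b64decode(b64)))


def build_upload_body(doc, commit_sha, ref, tool_name="KICS"):
    """Request body for POST /repos/{org}/{repo}/code-scanning/sarifs;
    tool_name sits inside the same JSON object as the other fields."""
    return {
        "commit_sha": commit_sha,
        "ref": ref,
        "sarif": encode_for_code_scanning(doc),
        "tool_name": tool_name,
    }


if __name__ == "__main__":
    merged = merge_sarif(SAMPLE_SARIFS)
    print(f"{len(merged['runs'])} runs, {count_results(merged)} results")
    body = build_upload_body(merged, "0" * 40, "refs/pull/1/head")  # placeholder sha/ref
    print(json.dumps(body)[:80] + "...")
```

Write the merged log with json.dump to feed one file to the upload; for the real request, substitute the PR's head commit SHA and ref for the placeholders in the usage block.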
Regarding your first question, we want to enhance our -p flag to let the user provide it multiple times, or as a comma-separated string. You're invited to contribute to our project.
Regarding the second question, Github enterprise edition is required for private repositories. Github docs
-p flag and see what I can contribute
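As an added example (not code from the KICS project or from the posters in this thread) of getting a single kics run over just the files a PR changed, without waiting for -p to accept several paths: list the paths changed between two refs, stage the ones kics can parse into a scratch directory with their layout intact, and scan that directory once. It assumes git and kics are on PATH, the base and head refs are passed as the two arguments, and the Kubernetes platform from the loop above; the extension list is this example's own choice.

```shell
#!/bin/sh
# Added example, not code from the KICS project: scan only the files a PR changed
# with a single kics invocation by staging them into a scratch tree.
# Assumptions: git and kics are on PATH, $1/$2 are the base and head refs, and the
# platform is Kubernetes as in the loop above.

# Keep only paths whose extension kics parses. The extension list is this
# example's own choice; trim or extend it for your repository.
filter_iac_paths() {
  grep -E '(\.tf|\.tfvars|\.ya?ml|\.json|Dockerfile)$'
}

# Copy the paths read from stdin out of tree $1 into tree $2, keeping their
# directory layout so the reported file paths still match the repository.
# Paths that no longer exist (deleted files) are skipped. Prints the count staged.
stage_paths() {
  src=$1 dst=$2 n=0
  while IFS= read -r f; do
    [ -f "$src/$f" ] || continue
    mkdir -p "$dst/$(dirname "$f")"
    cp "$src/$f" "$dst/$f"
    n=$((n + 1))
  done
  printf '%s\n' "$n"
}

# Files added, copied, modified or renamed between two refs, IaC ones only.
changed_iac_files() {
  git diff --name-only --diff-filter=ACMR "$1" "$2" | filter_iac_paths
}

# One kics run over the staged subset; the reports land in ./kics-out.
# kics returns a non-zero exit code when findings are present, so the code is
# captured and handed back after the scratch tree is removed.
scan_pr() {
  base=$1 head=$2 rc=0
  stage=$(mktemp -d)
  n=$(changed_iac_files "$base" "$head" | stage_paths . "$stage")
  if [ "$n" -eq 0 ]; then
    echo "no IaC files changed between $base and $head"
    rm -rf "$stage"
    return 0
  fi
  echo "scanning $n changed file(s) in one kics run"
  ./kics scan -p "$stage" -t Kubernetes -o kics-out \
    --report-formats "json,sarif,html" --ci || rc=$?
  rm -rf "$stage"
  return "$rc"
}

# usage: sh scan_pr.sh origin/main HEAD
if [ "$#" -eq 2 ]; then
  scan_pr "$1" "$2"
fi
```

Because everything lands in one run, the output is one results.sarif with one run, so there is nothing to merge afterwards; --diff-filter=ACMR leaves deleted files out, which would otherwise fail the copy.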
terraform rules to run?
Good Morning
I was just introduced to kics this week, and since we started trying to move things to Terraform, or in some places to use Terraform on Azure to begin with, I gave it a try. Now I ran into a high severity issue that I cannot wrap my head around, either because I may lack the knowledge on Azure or because I simply do not understand the meaning of the heuristic query.
The query in question is "Trusted Microsoft Services Not Enabled" and the documentation leads me to the network rules section of the azure storage module here: https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/storage_account#bypass
I tried some combinations like "default: deny" and "bypass: AzureServices", but I do not want to just trial-and-error my way around; I want to understand what is going on. Is there someone here who may give me a pointer?
Ah, okay, so after going through the code and the tests for that query I found what I did wrong.
Here is my original section of the main.tf:
resource "azurerm_storage_account" "infra_storage_account" {
  depends_on = [azurerm_resource_group.infra_resource_group]
  # ...
  network_rules {
    default_action = "Deny"
    bypass         = "AzureServices"
  }
}
where it should have been
resource "azurerm_storage_account" "infra_storage_account" {
  depends_on = [azurerm_resource_group.infra_resource_group]
  # ...
  network_rules {
    default_action = "Deny"
    bypass         = ["AzureServices"]
  }
}
Agreed: this is rather a syntax error in Terraform than a security finding, and I could probably have found it earlier had I not run kics first.
It would have helped me to have a more talkative issue description. Like "Ok, this is wrong here because ... a is missing or b is configured wrong".
terraform validate nor tflint could point out the type mismatch in the variable attribution, even when I placed an integer for example, which makes sense since those parameters are provider dependent. I strongly recommend running terraform plan before, so that we get the validation from the Azure API. You're welcome to open a bug if you confirm this is an issue. Meanwhile, we'll try to improve our remediation texts in the following sprints. Also, you're more than welcome to contribute if you feel like helping us.