Hi! KICS 1.3.1 version has been released, with the major highlight being +112 new queries and increased stability. Checkout the changes and new features in the latest release in our GitHub repository https://github.com/Checkmarx/kics/releases/tag/v1.3.1
Hi! KICS 1.3.2 version has been released, with the major highlight being +27 new queries and Gitlab SAST report integration. Checkout the changes and new features in the latest release in our GitHub repository https://github.com/Checkmarx/kics/releases/tag/v1.3.2
Hi KICS community - I'm trying to use the download / install script but it's getting a 404.
I added some extra debug to the script
KiCS Example>cat script.out | bash -s -- -d
Checkmarx/kics info platform is linux/amd64
Checkmarx/kics info checking GitHub for latest tag
Checkmarx/kics debug http_download https://github.com/Checkmarx/kics/releases/latest
Checkmarx/kics info tag is v1.3.2
Checkmarx/kics info version is 1.3.2
Checkmarx/kics info found version: 1.3.2 for v1.3.2/linux/amd64
Checkmarx/kics debug downloading files into /tmp/tmp.Gsk8zYXfGC
Checkmarx/kics debug http_download https://github.com/Checkmarx/kics/releases/download/v1.3.2/kics_1.3.2_linux_amd64.tar.gz
Checkmarx/kics debug http_download_curl received HTTP status 404This is on an Ubuntu 18.04:
`Linux kics-example 5.4.0-1041-gcp #44~18.04.1-Ubuntu SMP Mon Mar 29 19:16:50 UTC 2021 x86_64 x86_64 x86_64 GNU/Linux
There isn't a kics_1.3.2_linux_amd64.tar.gz on github (but I notice the nightly ones have a linux_amd64.tar.gz variant.
Should I log an issue?
3 replies
Hi! KICS 1.3.3 version has been released, with the major highlight being +89 new queries, bug fixes and a brand new PDF report. Checkout the changes and new features in the latest release in our GitHub repository https://github.com/Checkmarx/kics/releases/tag/v1.3.3 also checkout our new documentation theme in https://docs.kics.io/
Want to know if Checkmarx provides any support for kics?
1 reply
Hi! KICS 1.3.4 version has been released, with the major highlight being +38 new queries, extract zip functionality and an extended query creation guide in the docs. Checkout the changes and new features in the latest release in our GitHub repository https://github.com/Checkmarx/kics/releases/tag/v1.3.4
@mukeshpilaniya Hi Mukesh, we have worked on your feature suggestion. Take a look at this PR Checkmarx/kics#3808
Hi @JohnKeippel, thank you for your engagement! ARM is currently on the roadmap, but we still have some milestones to complete before we get there. If you want to start working on it right away it would be much appreciated! Feel free to reach me here or in private for any questions and if you're comfortable enough just submit a pull request and we can work together.
@rogeriopeixotocx - Thanks for the reply! I think I understand the layout of the project, the rego policy definitions, tests, etc. And matching the implementation of the Azure Terraform queries for Bicep would keep things in parity. I think the big question mark for me, and where I assume the majority of the work is at, is that each provider (TF, K8s, CF, etc) needs its own file parser. Is that accurate?
@JohnKeippel Yes. Ideally, we would need to implement a Golang parser for the BICEP DSL or we could start by supporting the ARM JSON template (product of
az bicep build)
Hi, in one of your last talks, you mentioned that KICS contains over 1500 queries. However, on Github in the assets dir, I counted 1148 and on docs.kics.io 1216 (the CSV file with all queries). I am definitely missing something here - could you please point me in the right direction?
Not that the exact number is that important - I was curious about their distribution (how many for Docker, how many for CloudFormation...) and wondered, why the total number is lower than expected...
Not that the exact number is that important - I was curious about their distribution (how many for Docker, how many for CloudFormation...) and wondered, why the total number is lower than expected...
Hi @dohnalv, thank you for the question.
In some instances, we have different queries (rules) grouped into a single rego file.
The reason for this is to enable us to reuse boilerplate rego code for different rules we're trying to catch.
Example:
-> API spec query "Invalid Schema External Documentation URL" for Swagger and OpenAPI 3.0. Are grouped in this same rego file
-> Several query ports that are being scanned are grouped into a single file
You can get the queries distribution list by running:
pip3 install -r .github/scripts/metrics/requirements.txt
python3 .github/scripts/metrics/get-metrics.pyCurrently, these are our numbers:
::group::Queries Metrics
| Platform | Count |
|------------------------+---------|
| total | 1704 |
| cloudformation_queries | 465 |
| openapi_queries | 288 |
| ansible_queries | 235 |
| k8s_queries | 80 |
| common_queries | 2 |
| dockerfile_queries | 53 |
| terraform_queries | 581 |
::endgroup::
::set-output name=total_queries::1704
::group::Rego File Metrics
| Platform | Count |
|---------------------+---------|
| total | 1148 |
| cloudformation_rego | 223 |
| openapi_rego | 197 |
| ansible_rego | 201 |
| k8s_rego | 80 |
| common_rego | 2 |
| dockerfile_rego | 53 |
| terraform_rego | 392 |Let me know if you have any more questions.
Hi! KICS 1.3.5 version has been released, with the major highlight being +11 new queries, integration of hashicorp/go-getter into KICS, and the support to provide input data to queries . Checkout the changes and new features in the latest release in our GitHub repository https://github.com/Checkmarx/kics/releases/tag/v1.3.5
Hello again! I found this in the documentation. Could you please describe what data is being sent?
e.g. queries used or something like that? Is any of this data public (most used queries)?
Thanks for the question. I'm glad you asked, as this is a good opportunity to clarify. KICS uses sentry ( https://github.com/getsentry/sentry ) to track crashes of the software.
What is being tracked is the source go file and the line number the caused the crash. That's it. This gives the developers a lead to what they should investigate if/when a crash happens.
In this context, the environment variable you asked about is confusing and we'll change that. Do you want to report an issue or should I ?
Thanks for your answer! I think that the explanation that you gave me here would be enough even for the documentation. Environment variable name is not confusing at all imo, that's what it's usually called.
Issue is here: Checkmarx/kics#3876
Issue is here: Checkmarx/kics#3876
Hi, I have a finding on kics which states:
Passwords And Secrets In Infrastructure Code, Severity: HIGHAnd the actual code is a Kubernetes Helm chart which is pointing to a secret, and not the password itself:
existingSecret:
enabled: true
name: "bitwardensmtp"
userKey: "username"
passwordKey: "password"Is there a way to tell KICS to ignore this finding?
2 replies
I have a quick question regarding KICS - is there a comparison being done against tools such as checkov, terrascan against the policies/compliances covered? Checkov with BridgeCrew offers compliances checks for HIPAA, PCI, NIST. Is there something similar in KICS too?
1 reply
We are looking to adopt KiCS to implement a robust IaC auditing process both on a code & actual resource level (currently being done using ScoutSuite), what i'm hearing from people as a feedback is that KiCS is reporting a lot of false positives (like the one @prav10194 reported)..though i don't have the data with me at the moment (will publish here as soon as i get it) I want to understand if you guys are planning any updates in the future releases which can address this concern ? If the answer to this question is yes, it'll help me a great deal if you can provide me a list. Thanks !!!
IaC code : Cloudformation & Terraform , Platform : AWS
IaC code : Cloudformation & Terraform , Platform : AWS
1 reply
Hi! KICS 1.4.0 version has been released, with the major highlight being adding support to Azure Resource Manager, and CIS (Center for Internet Security) descriptions available in the reports. Check out the changes and new features in the latest release in our GitHub repository https://github.com/Checkmarx/kics/releases/tag/v1.4.0
Hi @rogeriopeixotocx I've noticed that the github action is broken as of today Checkmarx/kics-github-action#18
Does it have something to do with the new release?
Does it have something to do with the new release?
2 replies
Hi! KICS 1.4.1 version has been released. The major highlight is the ability to ignore files and disable queries with comments in the scanned files. Check out the changes and new features in the latest release in our GitHub repository:
https://github.com/Checkmarx/kics/releases/tag/v1.4.1
https://github.com/Checkmarx/kics/releases/tag/v1.4.1
Hey guys, I wondered if it's possible to give KICS a github link or s3 bucket to pull queries from before each run?
1 reply
Hello friends! Does KICS has problems with $ref in OpenAPI? Many FPs for JSON Object Schema Without Properties/Type (v3)
Latest version v1.4.1
Also FPs for Parameter Object Without Schema
Hi, KICS 1.4.2 version has been released! The major highlights are: 11 new queries, improved vulnerability line detection, new
--exclude-severities flag, new --libraries-path flag and the --queries-path flag now fetches remote repositories with go-getter. Check out the changes and new features in the latest release in our GitHub repository: https://github.com/Checkmarx/kics/releases/tag/v1.4.2
Hi, I encountered error "fatal error: concurrent map read and map write" while executing a KICS scan with the provided Azure DevOps integration. Anyone has a clue.
Hi, KICS 1.4.3 version has been released! The major highlights are: 20 new queries, rewrite passwords and secrets query to use regex based strategy, new
--disable-secrets flag and new --secrets-regexes-path flag, also flag --libraries-path supports git repositories and compressed files. Check out the changes and new features in the latest release in our GitHub repository: https://github.com/Checkmarx/kics/releases/tag/v1.4.3