    prasad-clouduser
    @prasad-clouduser
    Hi, I am new to KICS. Do we have any videos to understand how to implement the Rego custom queries and the implementation of KICS in CI/CD? Appreciate your help, guys.
    6 replies
    Rogerio Peixoto
    @rogeriopeixotocx
    Hi! KICS 1.2.2 version has been released, with the major feature being the support of Terraform variables. Check out the changes and new features in the latest release in our GitHub repository: https://github.com/Checkmarx/kics/releases/tag/v1.2.2
    Jonnathan Griffin
    @jonnyg:matrix.org
    [m]

    Hi! Just discovered KICS two days ago and love it.

    Quick question though - is there a way to call kics and only scan the commits within a PR - e.g. between two git hashes?

    I saw that we can set the path - however, I was unable to just scan the files that have been updated within the PR.

    So I wasn't sure if I then just have to call KICS multiple times for each file that has changed?

    1 reply
    Jonnathan Griffin
    @jonnyg:matrix.org
    [m]

    Thanks for the feedback!

    So my team isn't really using github actions, and instead concourse.

    As a quick fix I added something like

    cat pull-request/.git/resource/changed_files | while read -r changedfile
      do
        echo "./kics scan -p pull-request/$changedfile -t Kubernetes -o . --report-formats \"json,sarif,html\" --ci"
        ./kics scan -p "pull-request/$changedfile" -t Kubernetes -o . --report-formats "json,sarif,html" --ci
        # note: appending whole SARIF documents back to back yields a file that is not one valid JSON document
        cat results.sarif >> final_results.sarif
      done

    Does that make sense? or is there a way to call kics once and point it to multiple files?

    Also, I attempted to upload the sarif to github and got an error and was wondering if you if an enterprise edition is required to view the results in github?

    # double quotes so ${TOKEN} and the other variables actually expand; the GitHub API expects the SARIF value gzip-compressed and base64-encoded
    curl \
      -X POST \
      -H "Authorization: token ${TOKEN}" \
      -H "Accept: application/vnd.github.v3+json" \
      "https://api.github.com/repos/${GIT_ORG}/${GIT_REPO}/code-scanning/sarifs" \
      -d "{\"commit_sha\":\"${COMMIT_SHA}\",\"ref\":\"${REF}\",\"sarif\":\"${KICS_SARIF}\",\"tool_name\":\"KICS\"}"
    {
      "message": "Advanced Security must be enabled for this repository to use code scanning.",
      "documentation_url": "https://docs.github.com/rest/reference/code-scanning#upload-a-sarif-file"
    }
    Rogerio Peixoto
    @rogeriopeixotocx

    Regarding your first question, we want to enhance our -p flag to support the user to provide it multiple times, or in a comma-separated string. You're invited to contribute to our project.

    Regarding the second question, Github enterprise edition is required for private repositories. Github docs

    Jonnathan Griffin
    @jonnyg:matrix.org
    [m]
    Awesome stuff, thanks for the help @rogeriopeixotocx and I'll definitely try to check out the -p flag and see what I can contribute
    Lior Kaplan
    @kaplanlior_gitlab
    Hi everyone, I would like to invite you to a thread we started about the Semantic exit codes PR (Checkmarx/kics#2726). You're welcome to talk about it here or on GitHub. In both cases, we'll be happy to get your feedback before we implement the feature and merge the PR.
    Jonnathan Griffin
    @jonnyg:matrix.org
    [m]
    Hi, question: are the common queries https://github.com/Checkmarx/kics/tree/master/assets/queries/common run if you specify only, say, Terraform rules to run?
    1 reply
    Rogerio Peixoto
    @rogeriopeixotocx
    @jonnyg:matrix.org Hi Jonnathan, thank you for your question. I've just tested here and common queries should be running if you specify a platform type. If you find that the password query is not running in your environment, please report it as a bug. Perhaps we should make this information explicit in our documentation. I need clarification on what you mean by supporting "slack keys". Again, thank you for your engagement.
    4 replies
    Cadenus
    @Cadenus

    Good Morning
    I was just introduced to KICS this week, and since we started trying out moving stuff to Terraform, or in some places using Terraform on Azure to begin with, I gave it a try. Now I ran into a high severity issue that I cannot wrap my head around, either because I may lack the knowledge on Azure or because I simply do not understand the meaning of the heuristic query.
    The query in question is "Trusted Microsoft Services Not Enabled" and the documentation leads me to the network rules section of the Azure storage module here: https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/storage_account#bypass

    I tried some combinations like "default: deny" and "bypass: AzureServices", but I do not want to just trial-and-error my way around; I want to understand what is going on. Is there someone here who may give me a pointer?

    Cadenus
    @Cadenus

    Ah, okay, so after going through the code and the tests for that query I found what I did wrong.
    Here is my original section of the main.tf:

    resource "azurerm_storage_account" "infra_storage_account" {
      depends_on                = [azurerm_resource_group.infra_resource_group]
    
    # ...
    
      network_rules {
        default_action = "Deny"
        bypass = "AzureServices"
      }
    }

    where it should have been

    resource "azurerm_storage_account" "infra_storage_account" {
      depends_on                = [azurerm_resource_group.infra_resource_group]
    
    # ...
    
      network_rules {
        default_action = "Deny"
        bypass = ["AzureServices"]
      }
    }

    Agreed: this is rather a syntax error in Terraform than a security finding, and I could probably have found it earlier had I not run KICS first.
    It would have helped me to have a more talkative issue description, like "OK, this is wrong here because ... a is missing or b is configured wrong".

    Rogerio Peixoto
    @rogeriopeixotocx
    Hey @Cadenus, it's great to hear some feedback from you. Regarding the query in question, I can see that the documentation for this provider is not making clear, in this item, the type that the "bypass" field should receive. In my local tests neither terraform validate nor tflint could point out the type mismatch in the variable attribution, even when I placed an integer, for example, which makes sense since those parameters are provider dependent. I strongly recommend running terraform plan beforehand so that we get the validation from the Azure API. You're welcome to open a bug if you confirm this is an issue. Meanwhile, we'll try to improve our remediation texts in the following sprints. Also, you're more than welcome to contribute if you feel like helping us.
    Rogerio Peixoto
    @rogeriopeixotocx
    Hi! KICS 1.2.4 version has been released, with the major feature being the support of OpenAPI 3.0 specifications. Check out the changes and new features in the latest release in our GitHub repository https://github.com/Checkmarx/kics/releases/tag/v1.2.4
    Rogerio Peixoto
    @rogeriopeixotocx
    Hi @jonnyg:matrix.org the feature you requested is going to be merged soon for the next release! Checkmarx/kics#3017
    Cadenus
    @Cadenus
    Hey @rogeriopeixotocx, thank you for the clarification and for looking into this. I am afraid my energy is already distributed beyond its boundaries, so my only contributions can come from using KICS and pointing out stuff (for now).
    Miles Florence
    @milesflo
    Hello. Please merge this PR as soon as possible. Checkmarx/kics-github-action#12 @rogeriopeixotocx
    1 reply
    Rogerio Peixoto
    @rogeriopeixotocx
    Hi! KICS 1.3.0 version has been released, with the major highlight being performance improvements. Check out the changes and new features in the latest release in our GitHub repository https://github.com/Checkmarx/kics/releases/tag/v1.3.0
    Madhu Akula
    @madhuakula

    Hey Team,

    Just wanted to say thank you so much for the awesome project. I maintain an OSS project called Kubernetes Goat, an intentionally vulnerable Kubernetes Cluster to learn and practice Kubernetes Security. I have recently scanned the resources of the project with KICS and the results are pretty amazing and useful.

    I have added them to the documentation as well, so that other users of Kubernetes Goat also benefit from KICS.

    https://twitter.com/madhuakula/status/1391433852170776579

    3 replies
    Cadenus
    @Cadenus
    Thank you for the new version. Although you included it in the docs, it took me a while to fix the Azure DevOps integration (my bad).
    I am running into a different problem though: can I specify which file a scan call should take as an input? My devs put various different Dockerfile-xyz into one folder, and although they will need to be renamed to Dockerfile-xyz.dockerfile to be picked up by KICS, I do not necessarily want all of them to be scanned every time on every pipeline.
    4 replies
    Mukesh Pilaniya
    @mukeshpilaniya
    Hello KICS Community, I have written a simple KICS query for the Kubernetes platform, but now I want to read a JSON data file inside the Rego query. My data file name is preknowledge.json and I want to read this data file inside the Rego query package. I have tried this on the Rego playground and it works perfectly fine over there, but inside KICS importing a data file might be different, so I'm unable to import the preknowledge.json file.
    3 replies
      package Cx

      # the KICS Kubernetes helper library that provides checkKind; missing from the posted snippet
      import data.generic.k8s as k8sLib
      import data.preknowledge

      CxPolicy[result] {
        document := input.document[i]

        kind := document.kind
        # listKinds was not defined in the posted snippet; the kinds below are placeholders
        listKinds := ["Pod", "Deployment"]
        k8sLib.checkKind(kind, listKinds)

        metadata := document.metadata
        metadata.namespace == "default"

        result := {
          "documentId": input.document[i].id,
          "issueType": "IncorrectValue",
          "searchKey": sprintf("metadata.name={{%s}}.namespace", [metadata.name]),
          "keyExpectedValue": "metadata.namespace is not default",
          "keyActualValue": "metadata.namespace is default",
        }
      }
    I have put this preknowledge.json file in the same directory as the Rego query.
    Rogerio Peixoto
    @rogeriopeixotocx
    Hi! KICS 1.3.1 version has been released, with the major highlight being +112 new queries and increased stability. Check out the changes and new features in the latest release in our GitHub repository https://github.com/Checkmarx/kics/releases/tag/v1.3.1
    Rogerio Peixoto
    @rogeriopeixotocx
    Hi! KICS 1.3.2 version has been released, with the major highlight being +27 new queries and GitLab SAST report integration. Check out the changes and new features in the latest release in our GitHub repository https://github.com/Checkmarx/kics/releases/tag/v1.3.2
    RuncibleSpoon
    @RuncibleSpoon

    Hi KICS community - I'm trying to use the download / install script but it's getting a 404.

    I added some extra debug to the script

    KiCS Example>cat script.out | bash -s -- -d
    Checkmarx/kics info platform is linux/amd64
    Checkmarx/kics info checking GitHub for latest tag
    Checkmarx/kics debug http_download https://github.com/Checkmarx/kics/releases/latest
    Checkmarx/kics info tag is v1.3.2
    Checkmarx/kics info version is 1.3.2
    Checkmarx/kics info found version: 1.3.2 for v1.3.2/linux/amd64
    Checkmarx/kics debug downloading files into /tmp/tmp.Gsk8zYXfGC
    Checkmarx/kics debug http_download https://github.com/Checkmarx/kics/releases/download/v1.3.2/kics_1.3.2_linux_amd64.tar.gz
    Checkmarx/kics debug http_download_curl received HTTP status 404

    This is on an Ubuntu 18.04:

    Linux kics-example 5.4.0-1041-gcp #44~18.04.1-Ubuntu SMP Mon Mar 29 19:16:50 UTC 2021 x86_64 x86_64 x86_64 GNU/Linux

    There isn't a kics_1.3.2_linux_amd64.tar.gz on GitHub (but I notice the nightly ones have a linux_amd64.tar.gz variant).

    Should I log an issue?

    3 replies
    Rogerio Peixoto
    @rogeriopeixotocx
    Hi! KICS 1.3.3 version has been released, with the major highlight being +89 new queries, bug fixes and a brand new PDF report. Check out the changes and new features in the latest release in our GitHub repository https://github.com/Checkmarx/kics/releases/tag/v1.3.3. Also check out our new documentation theme at https://docs.kics.io/
    kics-new
    @kics-new:matrix.org
    [m]
    Hello good afternoon
    Want to know if Checkmarx provides any support for kics?
    1 reply
    kics-new
    @kics-new:matrix.org
    [m]
    great, thanks
    Lior Kaplan
    @kaplanlior_gitlab
    Yesterday we presented KICS at DevSecCon24: https://www.youtube.com/watch?v=eaD-tGMOKe8
    Gabor Pilsits
    @xqrt
    Hi, is there a way to test policies with the kics binary itself, not with the make test command? Thanks
    2 replies
    Rogerio Peixoto
    @rogeriopeixotocx
    Hi! KICS 1.3.4 version has been released, with the major highlight being +38 new queries, extract zip functionality and an extended query creation guide in the docs. Check out the changes and new features in the latest release in our GitHub repository https://github.com/Checkmarx/kics/releases/tag/v1.3.4
    Rogerio Peixoto
    @rogeriopeixotocx
    @mukeshpilaniya Hi Mukesh, we have worked on your feature suggestion. Take a look at this PR Checkmarx/kics#3808
    cbhat-ie
    @cbhat-ie
    Hi, I was wondering if there is a way to provide the kics output for every file rather than one consolidated output for all the files.
    Rogerio Peixoto
    @rogeriopeixotocx
    Hi @cbhat-ie, it's great to have you here! Currently this feature is not supported. However, you can open a feature request with a detailed description of your use case. Also, any contributions are more than welcome!
    cbhat-ie
    @cbhat-ie
    Thanks @rogeriopeixotocx! I will create a feature request for this. Also, will see if I can make the required changes. Can you send me the link to the feature request page please?
    3 replies
    John R. Kelly III
    @JohnKeippel
    Is there any initial work being done to support Azure Bicep? Or JSON-based ARM templates, though I think it might be better to skip having to transpile Bicep just to perform this check.
    John R. Kelly III
    @JohnKeippel
    Whoops, didn’t realize return was going to submit! Interested in working a bit on this, since it would be quite useful to be able to audit these templates prior to deployment time. I’m interested in working on this if anyone has a fork for Azure support.
    Rogerio Peixoto
    @rogeriopeixotocx
    Hi @JohnKeippel, thank you for your engagement! ARM is currently on the roadmap, but we still have some milestones to complete before we get there. If you want to start working on it right away it would be much appreciated! Feel free to reach me here or in private for any questions and if you're comfortable enough just submit a pull request and we can work together.
    John R. Kelly III
    @JohnKeippel
    @rogeriopeixotocx - Thanks for the reply! I think I understand the layout of the project, the rego policy definitions, tests, etc. And matching the implementation of the Azure Terraform queries for Bicep would keep things in parity. I think the big question mark for me, and where I assume the majority of the work is at, is that each provider (TF, K8s, CF, etc) needs its own file parser. Is that accurate?
    Rogerio Peixoto
    @rogeriopeixotocx
    @JohnKeippel Yes. Ideally, we would need to implement a Golang parser for the BICEP DSL or we could start by supporting the ARM JSON template (product of az bicep build)
    dohnalv
    @dohnalv
    Hi, in one of your last talks, you mentioned that KICS contains over 1500 queries. However, on Github in the assets dir, I counted 1148 and on docs.kics.io 1216 (the CSV file with all queries). I am definitely missing something here - could you please point me in the right direction?
    Not that the exact number is that important - I was curious about their distribution (how many for Docker, how many for CloudFormation...) and wondered, why the total number is lower than expected...
    Rogerio Peixoto
    @rogeriopeixotocx

    Hi @dohnalv, thank you for the question.
    In some instances, we have different queries (rules) grouped into a single rego file.

    The reason for this is to enable us to reuse boilerplate rego code for different rules we're trying to catch.
    Example:
    -> The API spec query "Invalid Schema External Documentation URL" for Swagger and OpenAPI 3.0 is grouped in one and the same rego file
    -> Several scanned-port queries are grouped into a single file

    You can get the queries distribution list by running:

    pip3 install -r .github/scripts/metrics/requirements.txt
    python3 .github/scripts/metrics/get-metrics.py

    Currently, these are our numbers:

    ::group::Queries Metrics
    | Platform               |   Count |
    |------------------------+---------|
    | total                  |    1704 |
    | cloudformation_queries |     465 |
    | openapi_queries        |     288 |
    | ansible_queries        |     235 |
    | k8s_queries            |      80 |
    | common_queries         |       2 |
    | dockerfile_queries     |      53 |
    | terraform_queries      |     581 |
    ::endgroup::
    
    ::set-output name=total_queries::1704
    
    ::group::Rego File Metrics
    | Platform            |   Count |
    |---------------------+---------|
    | total               |    1148 |
    | cloudformation_rego |     223 |
    | openapi_rego        |     197 |
    | ansible_rego        |     201 |
    | k8s_rego            |      80 |
    | common_rego         |       2 |
    | dockerfile_rego     |      53 |
    | terraform_rego      |     392 |

    Let me know if you have any more questions.

    dohnalv
    @dohnalv
    I knew I was missing something! Thanks for the quick response, appreciated
    Rogerio Peixoto
    @rogeriopeixotocx
    Hi! KICS 1.3.5 version has been released, with the major highlight being +11 new queries, integration of hashicorp/go-getter into KICS, and the support to provide input data to queries. Check out the changes and new features in the latest release in our GitHub repository https://github.com/Checkmarx/kics/releases/tag/v1.3.5
    dohnalv
    @dohnalv
    1 reply
    Hello again! I found this in the documentation. Could you please describe what data is being sent?
    e.g. queries used or something like that? Is any of this data public (most used queries)?
    Lior Kaplan
    @kaplanlior_gitlab

    Thanks for the question. I'm glad you asked, as this is a good opportunity to clarify. KICS uses sentry ( https://github.com/getsentry/sentry ) to track crashes of the software.

    What is being tracked is the source Go file and the line number that caused the crash. That's it. This gives the developers a lead on what they should investigate if/when a crash happens.

    In this context, the environment variable you asked about is confusing and we'll change that. Do you want to report an issue or should I?

    dohnalv
    @dohnalv
    Thanks for your answer! I think that the explanation that you gave me here would be enough even for the documentation. Environment variable name is not confusing at all imo, that's what it's usually called.
    Issue is here: Checkmarx/kics#3876