    Madhu Akula
    @madhuakula

    Hey Team,

    Just wanted to say thank you so much for the awesome project. I maintain an OSS project called Kubernetes Goat, an intentionally vulnerable Kubernetes Cluster to learn and practice Kubernetes Security. I have recently scanned the resources of the project with KICS and the results are pretty amazing and useful.

    I have added them to the documentation as well, so that other users of Kubernetes Goat also benefit from KICS.

    https://twitter.com/madhuakula/status/1391433852170776579

    3 replies
    Cadenus
    @Cadenus
    Thank you for the new version. Although you included it in the docs, it took me a while to fix the Azure DevOps integration. (my bad).
    I am running into a different problem though: Can I specify which file a scan call should take as an input? My devs put various different Dockerfile-xyz files into one folder, and although they will need to be renamed to Dockerfile-xyz.dockerfile to be picked up by KICS, I do not necessarily want all of them to be scanned every time on every pipeline.
    4 replies
    Mukesh Pilaniya
    @mukeshpilaniya
    Hello KICS Community, I have written a simple KICS query for the Kubernetes platform, but now I want to read a JSON data file inside the rego query. My data file name is preknowledge.json and I want to read this data file inside the rego query package. I have tried this on the rego playground and it's working perfectly fine over there, but inside KICS importing a data file might be different, so I'm unable to import the preknowledge.json file.
    3 replies
    package Cx

    # Library import required for the k8sLib.checkKind call below (the KICS generic k8s library)
    import data.generic.k8s as k8sLib
    # The poster's attempt at importing the JSON data file
    import data.preknowledge

    # Kinds this query applies to; the posted snippet referenced listKinds without defining it,
    # so this list is an assumption
    listKinds := ["Pod", "Deployment", "StatefulSet", "DaemonSet"]

    CxPolicy[result] {
        document := input.document[i]

        kind := document.kind
        k8sLib.checkKind(kind, listKinds)

        metadata := document.metadata
        # Flag any matching resource that is placed in the default namespace
        metadata.namespace == "default"

        result := {
            "documentId": input.document[i].id,
            "issueType": "IncorrectValue",
            "searchKey": sprintf("metadata.name={{%s}}.namespace", [metadata.name]),
            "keyExpectedValue": "metadata.namespace is not default",
            "keyActualValue": "metadata.namespace is default",
        }
    }
    I have put this preknowledge.json file in the same directory as the rego query.
    Rogerio Peixoto
    @rogeriopeixotocx
    Hi! KICS 1.3.1 version has been released, with the major highlight being +112 new queries and increased stability. Check out the changes and new features in the latest release in our GitHub repository https://github.com/Checkmarx/kics/releases/tag/v1.3.1
    Rogerio Peixoto
    @rogeriopeixotocx
    Hi! KICS 1.3.2 version has been released, with the major highlight being +27 new queries and GitLab SAST report integration. Check out the changes and new features in the latest release in our GitHub repository https://github.com/Checkmarx/kics/releases/tag/v1.3.2
    RuncibleSpoon
    @RuncibleSpoon

    Hi KICS community - I'm trying to use the download / install script but it's getting a 404.

    I added some extra debug to the script

    KiCS Example>cat script.out | bash -s -- -d
    Checkmarx/kics info platform is linux/amd64
    Checkmarx/kics info checking GitHub for latest tag
    Checkmarx/kics debug http_download https://github.com/Checkmarx/kics/releases/latest
    Checkmarx/kics info tag is v1.3.2
    Checkmarx/kics info version is 1.3.2
    Checkmarx/kics info found version: 1.3.2 for v1.3.2/linux/amd64
    Checkmarx/kics debug downloading files into /tmp/tmp.Gsk8zYXfGC
    Checkmarx/kics debug http_download https://github.com/Checkmarx/kics/releases/download/v1.3.2/kics_1.3.2_linux_amd64.tar.gz
    Checkmarx/kics debug http_download_curl received HTTP status 404

    This is on an Ubuntu 18.04:

    Linux kics-example 5.4.0-1041-gcp #44~18.04.1-Ubuntu SMP Mon Mar 29 19:16:50 UTC 2021 x86_64 x86_64 x86_64 GNU/Linux

    There isn't a kics_1.3.2_linux_amd64.tar.gz on GitHub (but I notice the nightly ones have a linux_amd64.tar.gz variant).

    Should I log an issue?

    3 replies
    Rogerio Peixoto
    @rogeriopeixotocx
    Hi! KICS 1.3.3 version has been released, with the major highlight being +89 new queries, bug fixes and a brand new PDF report. Check out the changes and new features in the latest release in our GitHub repository https://github.com/Checkmarx/kics/releases/tag/v1.3.3. Also check out our new documentation theme at https://docs.kics.io/
    kics-new
    @kics-new:matrix.org
    [m]
    Hello good afternoon
    Want to know if Checkmarx provides any support for kics?
    1 reply
    kics-new
    @kics-new:matrix.org
    [m]
    great, thanks
    Lior Kaplan
    @kaplanlior_gitlab
    Yesterday we presented KICS at DevSecCon24: https://www.youtube.com/watch?v=eaD-tGMOKe8
    Gabor Pilsits
    @xqrt
    Hi, is there a way to test policies with the kics binary itself, not with the make test command? Thanks
    2 replies
    Rogerio Peixoto
    @rogeriopeixotocx
    Hi! KICS 1.3.4 version has been released, with the major highlight being +38 new queries, extract zip functionality and an extended query creation guide in the docs. Check out the changes and new features in the latest release in our GitHub repository https://github.com/Checkmarx/kics/releases/tag/v1.3.4
    Rogerio Peixoto
    @rogeriopeixotocx
    @mukeshpilaniya Hi Mukesh, we have worked on your feature suggestion. Take a look at this PR Checkmarx/kics#3808
    cbhat-ie
    @cbhat-ie
    Hi, I was wondering if there is a way to provide the kics output for every file rather than one consolidated output for all the files.
    Rogerio Peixoto
    @rogeriopeixotocx
    Hi @cbhat-ie, it's great to have you here! Currently this feature is not supported. However, you can open a feature request with a detailed description of your use case. Also, any contributions are more than welcome!
    cbhat-ie
    @cbhat-ie
    Thanks @rogeriopeixotocx! I will create a feature request for this. Also, will see if I can make the required changes. Can you send me the link to the feature request page please?
    3 replies
    John R. Kelly III
    @JohnKeippel
    Is there any initial work being done to support Azure Bicep? Or JSON-based ARM templates, though I think it might be better to skip having to transpile Bicep just to perform this check.
    John R. Kelly III
    @JohnKeippel
    Whoops, didn’t realize return was going to submit! Interested in working a bit on this, since it would be quite useful to be able to audit these templates prior to deployment time. I’m interested in working on this if anyone has a fork for Azure support.
    Rogerio Peixoto
    @rogeriopeixotocx
    Hi @JohnKeippel, thank you for your engagement! ARM is currently on the roadmap, but we still have some milestones to complete before we get there. If you want to start working on it right away it would be much appreciated! Feel free to reach me here or in private for any questions and if you're comfortable enough just submit a pull request and we can work together.
    John R. Kelly III
    @JohnKeippel
    @rogeriopeixotocx - Thanks for the reply! I think I understand the layout of the project, the rego policy definitions, tests, etc. And matching the implementation of the Azure Terraform queries for Bicep would keep things in parity. I think the big question mark for me, and where I assume the majority of the work is at, is that each provider (TF, K8s, CF, etc) needs its own file parser. Is that accurate?
    Rogerio Peixoto
    @rogeriopeixotocx
    @JohnKeippel Yes. Ideally, we would need to implement a Golang parser for the BICEP DSL or we could start by supporting the ARM JSON template (product of az bicep build)
    dohnalv
    @dohnalv
    Hi, in one of your last talks, you mentioned that KICS contains over 1500 queries. However, on GitHub in the assets dir, I counted 1148 and on docs.kics.io 1216 (the CSV file with all queries). I am definitely missing something here - could you please point me in the right direction?
    Not that the exact number is that important - I was curious about their distribution (how many for Docker, how many for CloudFormation...) and wondered, why the total number is lower than expected...
    Rogerio Peixoto
    @rogeriopeixotocx

    Hi @dohnalv, thank you for the question.
    In some instances, we have different queries (rules) grouped into a single rego file.

    The reason for this is to enable us to reuse boilerplate rego code for different rules we're trying to catch.
    Example:
    -> API spec query "Invalid Schema External Documentation URL" for Swagger and OpenAPI 3.0 are grouped in the same rego file
    -> Several query ports that are being scanned are grouped into a single file

    You can get the queries distribution list by running:

    pip3 install -r .github/scripts/metrics/requirements.txt
    python3 .github/scripts/metrics/get-metrics.py

    Currently, these are our numbers:

    ::group::Queries Metrics
    | Platform               |   Count |
    |------------------------+---------|
    | total                  |    1704 |
    | cloudformation_queries |     465 |
    | openapi_queries        |     288 |
    | ansible_queries        |     235 |
    | k8s_queries            |      80 |
    | common_queries         |       2 |
    | dockerfile_queries     |      53 |
    | terraform_queries      |     581 |
    ::endgroup::
    
    ::set-output name=total_queries::1704
    
    ::group::Rego File Metrics
    | Platform            |   Count |
    |---------------------+---------|
    | total               |    1148 |
    | cloudformation_rego |     223 |
    | openapi_rego        |     197 |
    | ansible_rego        |     201 |
    | k8s_rego            |      80 |
    | common_rego         |       2 |
    | dockerfile_rego     |      53 |
    | terraform_rego      |     392 |

    Let me know if you have any more questions.

    dohnalv
    @dohnalv
    I knew I was missing something! Thanks for the quick response, appreciated
    Rogerio Peixoto
    @rogeriopeixotocx
    Hi! KICS 1.3.5 version has been released, with the major highlight being +11 new queries, integration of hashicorp/go-getter into KICS, and the support to provide input data to queries. Check out the changes and new features in the latest release in our GitHub repository https://github.com/Checkmarx/kics/releases/tag/v1.3.5
    dohnalv
    @dohnalv
    1 reply
    Hello again! I found this in the documentation. Could you please describe what data is being sent?
    e.g. queries used or something like that? Is any of this data public (most used queries)?
    Lior Kaplan
    @kaplanlior_gitlab

    Thanks for the question. I'm glad you asked, as this is a good opportunity to clarify. KICS uses sentry ( https://github.com/getsentry/sentry ) to track crashes of the software.

    What is being tracked is the source Go file and the line number that caused the crash. That's it. This gives the developers a lead to what they should investigate if/when a crash happens.

    In this context, the environment variable you asked about is confusing and we'll change that. Do you want to report an issue or should I?

    dohnalv
    @dohnalv
    Thanks for your answer! I think that the explanation that you gave me here would be enough even for the documentation. Environment variable name is not confusing at all imo, that's what it's usually called.
    Issue is here: Checkmarx/kics#3876
    Luander
    @luander

    Hi, I have a finding on kics which states:

    Passwords And Secrets In Infrastructure Code, Severity: HIGH

    And the actual code is a Kubernetes Helm chart which is pointing to a secret, and not the password itself:

    existingSecret:
      enabled: true
      name: "bitwardensmtp"
      userKey: "username"
      passwordKey: "password"

    Is there a way to tell KICS to ignore this finding?

    2 replies
    Pranav Bhatia
    @prav10194
    I have a quick question regarding KICS - is there a comparison being done against tools such as checkov, terrascan against the policies/compliances covered? Checkov with BridgeCrew offers compliances checks for HIPAA, PCI, NIST. Is there something similar in KICS too?
    1 reply
    Ameya Deshmukh
    @adeshmukh123
    We are looking to adopt KICS to implement a robust IaC auditing process both on a code and actual resource level (currently being done using ScoutSuite). What I'm hearing from people as feedback is that KICS is reporting a lot of false positives (like the one @prav10194 reported). Though I don't have the data with me at the moment (will publish here as soon as I get it), I want to understand if you guys are planning any updates in future releases which can address this concern? If the answer to this question is yes, it'll help me a great deal if you can provide me a list. Thanks!!!
    IaC code: CloudFormation & Terraform, Platform: AWS
    1 reply
    Ameya Deshmukh
    @adeshmukh123
    Thanks @kaplanlior_gitlab. I have the evidence and following are the screenshots for your reference.
    7 replies
    Passwords_Secrets_IaC.jpg
    Memcached Disabled.jpg
    Rogerio Peixoto
    @rogeriopeixotocx
    Hi! KICS 1.4.0 version has been released, with the major highlight being adding support to Azure Resource Manager, and CIS (Center for Internet Security) descriptions available in the reports. Check out the changes and new features in the latest release in our GitHub repository https://github.com/Checkmarx/kics/releases/tag/v1.4.0
    Luander
    @luander
    Hi @rogeriopeixotocx I've noticed that the github action is broken as of today Checkmarx/kics-github-action#18
    Does it have something to do with the new release?
    2 replies
    Rogerio Peixoto
    @rogeriopeixotocx
    Hi! KICS 1.4.1 version has been released. The major highlight is the ability to ignore files and disable queries with comments in the scanned files. Check out the changes and new features in the latest release in our GitHub repository:
    https://github.com/Checkmarx/kics/releases/tag/v1.4.1
    Idan Gur
    @idangur:matrix.org
    [m]
    Hey guys, I wondered if it's possible to give KICS a github link or s3 bucket to pull queries from before each run?
    1 reply
    Lior Kaplan
    @kaplanlior_gitlab
    Hi @idangur:matrix.org , yes it's possible.
    With version 1.4.0 we fixed the integration with go-getter and it supports various options including S3 and git.
    Don't be shy to open new feature requests if needed.
    2 replies
    ~~~
    @AO5Z4DDEYFDSF_twitter
    3 replies
    Hello friends! Does KICS have problems with $ref in OpenAPI? Many FPs for JSON Object Schema Without Properties/Type (v3)
    Latest version v1.4.1
    ~~~
    @AO5Z4DDEYFDSF_twitter
    1 reply
    Also FPs for Parameter Object Without Schema
    Rogerio Peixoto
    @rogeriopeixotocx
    Hi, KICS 1.4.2 version has been released! The major highlights are: 11 new queries, improved vulnerability line detection, new --exclude-severities flag, new --libraries-path flag, and the --queries-path flag now fetches remote repositories with go-getter. Check out the changes and new features in the latest release in our GitHub repository: https://github.com/Checkmarx/kics/releases/tag/v1.4.2