az bicep build)
Hi @dohnalv, thank you for the question.
In some instances, we have different queries (rules) grouped into a single rego file.
The reason for this is to enable us to reuse boilerplate rego code for different rules we're trying to catch.
-> The API spec queries "Invalid Schema External Documentation URL" for Swagger and OpenAPI 3.0 are grouped in this same rego file
-> Several query ports that are being scanned are grouped into a single file
You can get the queries distribution list by running:
```
pip3 install -r .github/scripts/metrics/requirements.txt
python3 .github/scripts/metrics/get-metrics.py
```
Currently, these are our numbers:
```
::group::Queries Metrics
| Platform               | Count   |
|------------------------+---------|
| total                  | 1704    |
| cloudformation_queries | 465     |
| openapi_queries        | 288     |
| ansible_queries        | 235     |
| k8s_queries            | 80      |
| common_queries         | 2       |
| dockerfile_queries     | 53      |
| terraform_queries      | 581     |
::endgroup::
::set-output name=total_queries::1704
::group::Rego File Metrics
| Platform            | Count   |
|---------------------+---------|
| total               | 1148    |
| cloudformation_rego | 223     |
| openapi_rego        | 197     |
| ansible_rego        | 201     |
| k8s_rego            | 80      |
| common_rego         | 2       |
| dockerfile_rego     | 53      |
| terraform_rego      | 392     |
```
Let me know if you have any more questions.
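To illustrate the grouping described in the reply above (two rules sharing boilerplate in one rego file), here is an added sketch that is not a query from the KICS repository; the `CxPolicy`/`input.document` layout and the `invalid_external_docs_url` helper are assumptions for illustration only.

```rego
package Cx

# Shared helper (assumed name): true when a spec's externalDocs.url
# is present but is not an https URL.
invalid_external_docs_url(doc) {
    url := doc.externalDocs.url
    not startswith(url, "https://")
}

# Rule 1: Swagger 2.0 documents
CxPolicy[result] {
    doc := input.document[i]
    doc.swagger == "2.0"
    invalid_external_docs_url(doc)

    result := {
        "documentId": doc.id,
        "searchKey": "externalDocs.url",
        "issueType": "IncorrectValue",
        "keyExpectedValue": "externalDocs.url should be a valid https URL",
        "keyActualValue": sprintf("externalDocs.url is '%s'", [doc.externalDocs.url]),
    }
}

# Rule 2: OpenAPI 3.x documents, reusing the same helper instead of
# duplicating the URL check in a second file.
CxPolicy[result] {
    doc := input.document[i]
    startswith(doc.openapi, "3.")
    invalid_external_docs_url(doc)

    result := {
        "documentId": doc.id,
        "searchKey": "externalDocs.url",
        "issueType": "IncorrectValue",
        "keyExpectedValue": "externalDocs.url should be a valid https URL",
        "keyActualValue": sprintf("externalDocs.url is '%s'", [doc.externalDocs.url]),
    }
}
```

Both rules contribute to the same `CxPolicy` set, which is why the query count on the page is higher than the rego file count.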
Thanks for the question. I'm glad you asked, as this is a good opportunity to clarify. KICS uses Sentry (https://github.com/getsentry/sentry) to track crashes of the software.
What is being tracked is the source Go file and the line number that caused the crash. That's it. This gives the developers a lead on what they should investigate if/when a crash happens.
In this context, the environment variable you asked about is confusing and we'll change that. Do you want to report an issue, or should I?
Hi, I have a finding on kics which states:
Passwords And Secrets In Infrastructure Code, Severity: HIGH
And the actual code is a Kubernetes Helm chart which is pointing to a secret, and not the password itself:
```yaml
existingSecret:
  enabled: true
  name: "bitwardensmtp"
  userKey: "username"
  passwordKey: "password"
```
Is there a way to tell KICS to ignore this finding?
--libraries-path flag and the --queries-path flag now fetch remote repositories with go-getter. Check out the changes and new features in the latest release in our GitHub repository: https://github.com/Checkmarx/kics/releases/tag/v1.4.2
--disable-secrets flag and new --secrets-regexes-path flag; also, the --libraries-path flag now supports git repositories and compressed files. Check out the changes and new features in the latest release in our GitHub repository: https://github.com/Checkmarx/kics/releases/tag/v1.4.3