    Rogerio Peixoto
    @rogeriopeixotocx
    Hi @cbhat-ie, it's great to have you here! Currently this feature is not supported. However, you can open a feature request with a detailed description of your use case. Also, any contributions are more than welcome!
    cbhat-ie
    @cbhat-ie
    Thanks @rogeriopeixotocx! I will create a feature request for this. Also, will see if I can make the required changes. Can you send me the link to the feature request page please?
    3 replies
    John R. Kelly III
    @JohnKeippel
    Is there any initial work being done to support Azure Bicep? Or JSON-based ARM templates, though I think it might be better to skip having to transpile Bicep just to perform this check.
    John R. Kelly III
    @JohnKeippel
    Whoops, didn’t realize return was going to submit! Interested in working a bit on this, since it would be quite useful to be able to audit these templates prior to deployment time. I’m interested in working on this if anyone has a fork for Azure support.
    Rogerio Peixoto
    @rogeriopeixotocx
    Hi @JohnKeippel, thank you for your engagement! ARM is currently on the roadmap, but we still have some milestones to complete before we get there. If you want to start working on it right away it would be much appreciated! Feel free to reach me here or in private for any questions and if you're comfortable enough just submit a pull request and we can work together.
    John R. Kelly III
    @JohnKeippel
    @rogeriopeixotocx - Thanks for the reply! I think I understand the layout of the project, the rego policy definitions, tests, etc. And matching the implementation of the Azure Terraform queries for Bicep would keep things in parity. I think the big question mark for me, and where I assume the majority of the work is at, is that each provider (TF, K8s, CF, etc) needs its own file parser. Is that accurate?
    Rogerio Peixoto
    @rogeriopeixotocx
    @JohnKeippel Yes. Ideally, we would need to implement a Golang parser for the BICEP DSL or we could start by supporting the ARM JSON template (product of az bicep build)
    dohnalv
    @dohnalv
    Hi, in one of your last talks, you mentioned that KICS contains over 1500 queries. However, on Github in the assets dir, I counted 1148 and on docs.kics.io 1216 (the CSV file with all queries). I am definitely missing something here - could you please point me in the right direction?
    Not that the exact number is that important - I was curious about their distribution (how many for Docker, how many for CloudFormation...) and wondered, why the total number is lower than expected...
    Rogerio Peixoto
    @rogeriopeixotocx

    Hi @dohnalv, thank you for the question.
    In some instances, we have different queries (rules) grouped into a single rego file.

    The reason for this is to enable us to reuse boilerplate rego code for different rules we're trying to catch.
    Example:
    -> The API spec query "Invalid Schema External Documentation URL" for Swagger and OpenAPI 3.0 is grouped in the same rego file
    -> Several queries for ports that are being scanned are grouped into a single file

    You can get the queries distribution list by running:

    pip3 install -r .github/scripts/metrics/requirements.txt
    python3 .github/scripts/metrics/get-metrics.py

    Currently, these are our numbers:

    ::group::Queries Metrics
    | Platform               |   Count |
    |------------------------+---------|
    | total                  |    1704 |
    | cloudformation_queries |     465 |
    | openapi_queries        |     288 |
    | ansible_queries        |     235 |
    | k8s_queries            |      80 |
    | common_queries         |       2 |
    | dockerfile_queries     |      53 |
    | terraform_queries      |     581 |
    ::endgroup::
    
    ::set-output name=total_queries::1704
    
    ::group::Rego File Metrics
    | Platform            |   Count |
    |---------------------+---------|
    | total               |    1148 |
    | cloudformation_rego |     223 |
    | openapi_rego        |     197 |
    | ansible_rego        |     201 |
    | k8s_rego            |      80 |
    | common_rego         |       2 |
    | dockerfile_rego     |      53 |
    | terraform_rego      |     392 |

    Let me know if you have any more questions.

    dohnalv
    @dohnalv
    I knew I was missing something! Thanks for the quick response, appreciated
    Rogerio Peixoto
    @rogeriopeixotocx
    Hi! KICS 1.3.5 version has been released, with the major highlights being 11 new queries, integration of hashicorp/go-getter into KICS, and support for providing input data to queries. Check out the changes and new features in the latest release in our GitHub repository https://github.com/Checkmarx/kics/releases/tag/v1.3.5
    dohnalv
    @dohnalv
    [attachment: image.png]
    1 reply
    Hello again! I found this in the documentation. Could you please describe what data is being sent?
    e.g. queries used or something like that? Is any of this data public (most used queries)?
    Lior Kaplan
    @kaplanlior_gitlab

    Thanks for the question. I'm glad you asked, as this is a good opportunity to clarify. KICS uses sentry ( https://github.com/getsentry/sentry ) to track crashes of the software.

    What is being tracked is the source Go file and the line number that caused the crash. That's it. This gives the developers a lead on what they should investigate if/when a crash happens.

    In this context, the environment variable you asked about is confusing and we'll change that. Do you want to report an issue or should I ?

    dohnalv
    @dohnalv
    Thanks for your answer! I think that the explanation that you gave me here would be enough even for the documentation. Environment variable name is not confusing at all imo, that's what it's usually called.
    Issue is here: Checkmarx/kics#3876
    Luander
    @luander

    Hi, I have a finding on kics which states:

    Passwords And Secrets In Infrastructure Code, Severity: HIGH

    And the actual code is a Kubernetes Helm chart which is pointing to a secret, and not the password itself:

    existingSecret:
      enabled: true
      name: "bitwardensmtp"
      userKey: "username"
      passwordKey: "password"

    Is there a way to tell KICS to ignore this finding?

    2 replies
    Pranav Bhatia
    @prav10194
    I have a quick question regarding KICS - is there a comparison being done against tools such as checkov and terrascan on the policies/compliances covered? Checkov with BridgeCrew offers compliance checks for HIPAA, PCI, NIST. Is there something similar in KICS too?
    1 reply
    Ameya Deshmukh
    @adeshmukh123
    We are looking to adopt KiCS to implement a robust IaC auditing process both on a code and an actual resource level (currently being done using ScoutSuite). What I'm hearing from people as feedback is that KiCS is reporting a lot of false positives (like the one @prav10194 reported). Though I don't have the data with me at the moment (will publish here as soon as I get it), I want to understand if you guys are planning any updates in future releases which can address this concern? If the answer to this question is yes, it'll help me a great deal if you can provide me a list. Thanks !!!
    IaC code : Cloudformation & Terraform , Platform : AWS
    1 reply
    Ameya Deshmukh
    @adeshmukh123
    Thanks @kaplanlior_gitlab. I have the evidence and following are the screenshots for your reference.
    7 replies
    [attachment: Passwords_Secrets_IaC.jpg]
    [attachment: Memcached Disabled.jpg]
    Rogerio Peixoto
    @rogeriopeixotocx
    Hi! KICS 1.4.0 version has been released, with the major highlight being adding support to Azure Resource Manager, and CIS (Center for Internet Security) descriptions available in the reports. Check out the changes and new features in the latest release in our GitHub repository https://github.com/Checkmarx/kics/releases/tag/v1.4.0
    Luander
    @luander
    Hi @rogeriopeixotocx I've noticed that the github action is broken as of today Checkmarx/kics-github-action#18
    Does it have something to do with the new release?
    2 replies
    Rogerio Peixoto
    @rogeriopeixotocx
    Hi! KICS 1.4.1 version has been released. The major highlight is the ability to ignore files and disable queries with comments in the scanned files. Check out the changes and new features in the latest release in our GitHub repository:
    https://github.com/Checkmarx/kics/releases/tag/v1.4.1
    Idan Gur
    @idangur:matrix.org
    Hey guys, I wondered if it's possible to give KICS a github link or s3 bucket to pull queries from before each run?
    1 reply
    Lior Kaplan
    @kaplanlior_gitlab
    Hi @idangur:matrix.org , yes it's possible.
    With version 1.4.0 we fixed the integration with go-getter and it supports various options including S3 and git.
    Don't be shy to open new feature requests if needed.
    2 replies
    ~~~
    @AO5Z4DDEYFDSF_twitter
    [attachment: image.png]
    3 replies
    Hello friends! Does KICS have problems with $ref in OpenAPI? Many FPs for JSON Object Schema Without Properties/Type (v3)
    Latest version v1.4.1
    ~~~
    @AO5Z4DDEYFDSF_twitter
    [attachment: image.png]
    1 reply
    Also FPs for Parameter Object Without Schema
    Rogerio Peixoto
    @rogeriopeixotocx
    Hi, KICS 1.4.2 version has been released! The major highlights are: 11 new queries, improved vulnerability line detection, new --exclude-severities flag, new --libraries-path flag and the --queries-path flag now fetches remote repositories with go-getter. Check out the changes and new features in the latest release in our GitHub repository: https://github.com/Checkmarx/kics/releases/tag/v1.4.2
    cx-demo
    @cx-demo

    Hi, I encountered the error "fatal error: concurrent map read and map write" while executing a KICS scan with the provided Azure DevOps integration. Does anyone have a clue?

    kics_error_log.txt

    ~~~
    @AO5Z4DDEYFDSF_twitter
    Does anyone have an example of a secure OpenAPI spec, one on which KICS will show that everything is OK?
    Felipe Avelar
    @felipe-avelar
    Hi, KICS 1.4.3 version has been released! The major highlights are: 20 new queries, the passwords and secrets query rewritten to use a regex-based strategy, new --disable-secrets flag and new --secrets-regexes-path flag, and the --libraries-path flag now supports git repositories and compressed files. Check out the changes and new features in the latest release in our GitHub repository: https://github.com/Checkmarx/kics/releases/tag/v1.4.3
    Felipe Avelar
    @felipe-avelar
    Hi, KICS 1.4.4 version has been released! The major highlights are: 17 new queries, added tfvars verification to the passwords and secrets query, added support for verified terraform modules on 62 queries, plus many bugfixes. Check out the changes and new features in the latest release in our GitHub repository: https://github.com/Checkmarx/kics/releases/tag/v1.4.4
    Ben Smith
    @jsmith97
    Hi All, I am struggling to get KICS to analyse a helm chart.
    I get the following error for any template that contains templating.
    failed to parse file content: /file_path ERROR: “failed to parse yaml: invalid yaml”
    Ben Smith
    @jsmith97
    Has any one got KICS working with helm charts?
    Lior Kaplan
    @kaplanlior_gitlab
    Hi Ben, which version are you using ?
    Ben Smith
    @jsmith97
    v1.4.4
    We are using v1.4.4
    João Reigota
    @joaoReigota1
    Hi @jsmith97 I think I found out what the problem is, KICS renders your Helm Chart as Kubernetes manifests and it then proceeds to parse and scan such manifests. It should be expected for KICS to exclude the yaml template files inside a helm Chart, but there is a bug, so KICS tries to parse these template files as-is without success, hence the error in the log "failed to parse yaml: invalid yaml".
    Although the log error appeared, I believe KICS still rendered and parsed your Helm Chart. I will get to fixing this issue right away; in the meantime feel free to open a bug report, and as a workaround try excluding your templates folders using the flag -e, --exclude-paths
    Ben Smith
    @jsmith97
    Thanks for the prompt reply @joaoReigota1 I will give it a go and let you know.
    João Reigota
    @joaoReigota1
    The issue should be fixed with this PR Checkmarx/kics#4380
    Felipe Avelar
    @felipe-avelar
    Hi, KICS 1.4.5 version has been released! The major highlights are: 9 new queries, added support for BOM (activate with the flag --bom), Azure Blueprints and Terraform plans, and a new image based on ubi7, plus many bugfixes and query refactors. Check out the changes and new features in the latest release in our GitHub repository: https://github.com/Checkmarx/kics/releases/tag/v1.4.5