    dohnalv
    @dohnalv
    Hello again! I found this in the documentation. Could you please describe what data is being sent?
    e.g. queries used or something like that? Is any of this data public (most used queries)?
    Lior Kaplan
    @kaplanlior_gitlab

    Thanks for the question. I'm glad you asked, as this is a good opportunity to clarify. KICS uses sentry ( https://github.com/getsentry/sentry ) to track crashes of the software.

    What is being tracked is the source Go file and the line number that caused the crash. That's it. This gives the developers a lead on what they should investigate if/when a crash happens.

    In this context, the environment variable you asked about is confusing and we'll change that. Do you want to report an issue or should I ?

    dohnalv
    @dohnalv
    Thanks for your answer! I think that the explanation that you gave me here would be enough even for the documentation. Environment variable name is not confusing at all imo, that's what it's usually called.
    Issue is here: Checkmarx/kics#3876
    Luander
    @luander

    Hi, I have a finding on kics which states:

    Passwords And Secrets In Infrastructure Code, Severity: HIGH

    And the actual code is a Kubernetes Helm chart which is pointing to a secret, and not the password itself:

    existingSecret:
      enabled: true
      name: "bitwardensmtp"
      userKey: "username"
      passwordKey: "password"

    Is there a way to tell KICS to ignore this finding?

    Pranav Bhatia
    @prav10194
    I have a quick question regarding KICS - is there a comparison being done against tools such as checkov, terrascan against the policies/compliances covered? Checkov with BridgeCrew offers compliances checks for HIPAA, PCI, NIST. Is there something similar in KICS too?
    Ameya Deshmukh
    @adeshmukh123
    We are looking to adopt KiCS to implement a robust IaC auditing process both on a code & actual resource level (currently being done using ScoutSuite), what i'm hearing from people as a feedback is that KiCS is reporting a lot of false positives (like the one @prav10194 reported)..though i don't have the data with me at the moment (will publish here as soon as i get it) I want to understand if you guys are planning any updates in the future releases which can address this concern ? If the answer to this question is yes, it'll help me a great deal if you can provide me a list. Thanks !!!
    IaC code : Cloudformation & Terraform , Platform : AWS
    Ameya Deshmukh
    @adeshmukh123
    Thanks @kaplanlior_gitlab. I have the evidence and following are the screenshots for your reference.
    Passwords_Secrets_IaC.jpg
    Memcached Disabled.jpg
    Rogerio Peixoto
    @rogeriopeixotocx
    Hi! KICS 1.4.0 version has been released, with the major highlight being adding support to Azure Resource Manager, and CIS (Center for Internet Security) descriptions available in the reports. Check out the changes and new features in the latest release in our GitHub repository https://github.com/Checkmarx/kics/releases/tag/v1.4.0
    Luander
    @luander
    Hi @rogeriopeixotocx I've noticed that the github action is broken as of today Checkmarx/kics-github-action#18
    Does it have something to do with the new release?
    Rogerio Peixoto
    @rogeriopeixotocx
    Hi! KICS 1.4.1 version has been released. The major highlight is the ability to ignore files and disable queries with comments in the scanned files. Check out the changes and new features in the latest release in our GitHub repository:
    https://github.com/Checkmarx/kics/releases/tag/v1.4.1
    Idan Gur
    @idangur:matrix.org
    Hey guys, I wondered if it's possible to give KICS a github link or s3 bucket to pull queries from before each run?
    Lior Kaplan
    @kaplanlior_gitlab
    Hi @idangur:matrix.org , yes it's possible.
    With version 1.4.0 we fixed the integration with go-getter, and it supports various options including S3 and git.
    Don't be shy to open new feature requests if needed.
    ~~~
    @AO5Z4DDEYFDSF_twitter
    image.png
    Hello friends! Does KICS have problems with $ref in OpenAPI? Many FPs for JSON Object Schema Without Properties/Type (v3).
    Latest version v1.4.1
    ~~~
    @AO5Z4DDEYFDSF_twitter
    image.png
    Also FPs for Parameter Object Without Schema
    Rogerio Peixoto
    @rogeriopeixotocx
    Hi, KICS 1.4.2 version has been released! The major highlights are: 11 new queries​, improved vulnerability line detection, new --exclude-severities flag​, new --libraries-path flag and the​ --queries-path flag now fetches ​remote repositories​ with go-getter. Check out the changes and new features in the latest release in our GitHub repository: https://github.com/Checkmarx/kics/releases/tag/v1.4.2
    cx-demo
    @cx-demo

    Hi, I encountered the error "fatal error: concurrent map read and map write" while executing a KICS scan with the provided Azure DevOps integration. Anyone have a clue?

    kics_error_log.txt

    ~~~
    @AO5Z4DDEYFDSF_twitter
    Does anyone have an example of a secure OpenAPI spec, on which KICS will show that everything is OK?
    Felipe Avelar
    @felipe-avelar
    Hi, KICS 1.4.3 version has been released! The major highlights are: 20 new queries, rewrite passwords and secrets query to use regex based strategy, new --disable-secrets flag and new --secrets-regexes-path flag, also flag --libraries-path supports git repositories and compressed files. Check out the changes and new features in the latest release in our GitHub repository: https://github.com/Checkmarx/kics/releases/tag/v1.4.3
    Felipe Avelar
    @felipe-avelar
    Hi, KICS 1.4.4 version has been released! The major highlights are: 17 new queries, added tfvars verification on passwords and secrets query, also added support to verified terraform modules on 62 queries, besides many bugfixes. Check out the changes and new features in the latest release in our GitHub repository: https://github.com/Checkmarx/kics/releases/tag/v1.4.4
    Ben Smith
    @jsmith97
    Hi All, I am struggling to get KICS to analyse a helm chart.
    I get the following error for any template that contains templating.
    failed to parse file content: /file_path ERROR: "failed to parse yaml: invalid yaml"
    Ben Smith
    @jsmith97
    Has any one got KICS working with helm charts?
    Lior Kaplan
    @kaplanlior_gitlab
    Hi Ben, which version are you using ?
    Ben Smith
    @jsmith97
    v1.4.4
    We are using v1.4.4
    João Reigota
    @joaoReigota1
    Hi @jsmith97, I think I found out what the problem is. KICS renders your Helm chart as Kubernetes manifests and then proceeds to parse and scan those manifests. KICS should be expected to exclude the YAML template files inside a Helm chart, but there is a bug, so KICS tries to parse these template files as-is without success, hence the error in the log "failed to parse yaml: invalid yaml".
    Although the log error appeared, I believe KICS still rendered and parsed your Helm chart. I will get to fixing this issue right away; in the meantime, feel free to open a bug report, and as a workaround try excluding your templates folders using the flag -e, --exclude-paths.
    Ben Smith
    @jsmith97
    Thanks for the prompt reply @joaoReigota1 I will give it a go and let you know.
    João Reigota
    @joaoReigota1
    The issue should be fixed with this PR Checkmarx/kics#4380
    Felipe Avelar
    @felipe-avelar
    Hi, KICS 1.4.5 version has been released! The major highlights are: 9 new queries, added support to bom (activate with flag --bom), azure blueprints and terraform plans, also an image based on ubi7 was added, besides many bugfixes and queries refactor. Check out the changes and new features in the latest release in our GitHub repository: https://github.com/Checkmarx/kics/releases/tag/v1.4.5