Orlando Thöny
Orlando's Blog

GitLab CI: Security Scan using KICS

Scan Kubernetes, Helm, Terraform, Docker, Ansible & AWS CloudFormation Code for security vulnerabilities, compliance issues & misconfigurations

Licensed under [Apache License 2.0](https://cdn.hashnode.com/res/hashnode/image/upload/v1619800941631/p_-6gHt6T.html)

KICS is a security scanner for a range of IaC (Infrastructure as Code) tools. You can find its documentation here: https://docs.kics.io/

How to run it inside your GitLab CI pipeline

Here’s an example with some rules disabled:

```yaml
stages:
  - Test

kics-scan:
  stage: Test
  tags:
    - docker
  image: docker:latest
  services:
    - docker:dind
  variables:
    # SHA of v1.2.1 Docker image
    KICS_IMAGE_VERSION: sha256:8e9cebdc32fbd0102454136ca3c0e5d46d82e7b668fc936508a304da54dc4450
    # KICS queries list: https://docs.kics.io/queries/all-queries/
    # - Master Authentication is Disabled (1baba08e-3c8a-4be7-95eb-dced5833de21)
    # - Node Auto Upgrade Not Enabled (b139213e-7d24-49c2-8025-c18faa21ecaa): We want to do upgrades manually
    # - GKE Basic Authentication is Enabled (70cdf849-b7d9-4569-b87d-5d82ffd44719)
    # - GCE resource labels (65c1bc7a-4835-4ac4-a2b6-13d310b0648d)
    # - Private Cluster Is Disabled (6ccb85d7-0420-4907-9380-50313f80946b): We intentionally do not use a private cluster, to make interacting with it easier. It's secured with IP based protection & OAuth
    # Comma-separated with no spaces: a stray space would be passed to KICS as part of a query ID
    KICS_EXCLUDED_QUERIES: 1baba08e-3c8a-4be7-95eb-dced5833de21,b139213e-7d24-49c2-8025-c18faa21ecaa,70cdf849-b7d9-4569-b87d-5d82ffd44719,65c1bc7a-4835-4ac4-a2b6-13d310b0648d,6ccb85d7-0420-4907-9380-50313f80946b
  script:
    - docker run --rm -v "$(pwd):/repo" "checkmarx/kics@${KICS_IMAGE_VERSION}" scan -p /repo -o /repo/kics-results.json --no-progress --exclude-queries "${KICS_EXCLUDED_QUERIES}"
    # Pull the HIGH counter out of severity_counters; works on pretty-printed and single-line JSON
    - SEVERITY_COUNTER_HIGH=$(grep -o '"HIGH": *[0-9]*' kics-results.json | head -n 1 | grep -o '[0-9]*$' || true)
    - |
      # Default to 0 when the key is missing, so the test never sees an empty string
      if [ "${SEVERITY_COUNTER_HIGH:-0}" -ge 1 ]; then
        echo "Please fix all ${SEVERITY_COUNTER_HIGH} HIGH SEVERITY ISSUES"
        exit 1
      fi
```

It will fail if there are any issues with a HIGH severity.
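The same severity gate as a small POSIX sh script, added here as an example that is not part of the original post. It reads the `severity_counters` block that the pipeline's grep targets from a constructed sample of a KICS results file, defaults a missing counter to 0, and goes a step further than the post by also capping MEDIUM findings; the sample values and the MEDIUM cap of 5 are assumptions.

```sh
#!/bin/sh
# Constructed sample in the shape of KICS' severity_counters block (the part the
# pipeline's grep targets); a real file comes from `kics scan -o`.
SAMPLE_RESULTS='{
  "kics_version": "v1.2.1",
  "severity_counters": {
    "HIGH": 2,
    "INFO": 0,
    "LOW": 1,
    "MEDIUM": 3,
    "TRACE": 0
  },
  "total_counter": 6
}'

write_sample() {
  printf '%s\n' "$SAMPLE_RESULTS" > "$1"
}

# severity_count FILE SEVERITY: print the counter for SEVERITY, 0 when absent.
# Matches '"HIGH": 2' but not '"severity": "HIGH"' inside the findings list, and
# works on pretty-printed or single-line JSON, so no jq is needed in docker:latest.
severity_count() {
  n=$(grep -o "\"$2\"[[:space:]]*:[[:space:]]*[0-9]*" "$1" | head -n 1 | grep -o '[0-9]*$' || true)
  echo "${n:-0}"
}

# gate FILE MAX_HIGH MAX_MEDIUM: return 0 when both counters are within policy,
# 1 otherwise (the CI job turns that into `exit 1`).
gate() {
  high=$(severity_count "$1" HIGH)
  medium=$(severity_count "$1" MEDIUM)
  status=0
  if [ "$high" -gt "$2" ]; then
    echo "Please fix all ${high} HIGH severity issues (max allowed: $2)"
    status=1
  fi
  if [ "$medium" -gt "$3" ]; then
    echo "Please fix ${medium} MEDIUM severity issues (max allowed: $3)"
    status=1
  fi
  return $status
}

# Stand-alone demo: the post's policy (no HIGH allowed) plus an assumed MEDIUM cap of 5.
write_sample /tmp/kics-sample.json
gate /tmp/kics-sample.json 0 5 || echo "CI job would exit 1 here"
```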

That’s it 🎉
