GitLab CI: IaC Security Scan using KICS

Scan Kubernetes, Helm, Terraform, Docker, Ansible & AWS CloudFormation Code for security vulnerabilities, compliance issues & misconfigurations

Licensed under Apache License 2.0

This post is also available on my blog.

KICS is a security scanner for a range of IaC (Infrastructure as Code) tools.
You can find it’s documentaiton here: https://docs.kics.io/

How to run it inside your GitLab CI pipeline

Here’s an example with some rules disabled:

stages:
- Test

kics-scan:
stage: Test
tags:
- docker
image: docker:latest
services:
- docker:dind
variables:
# SHA of v1.2.1 Docker image
KICS_IMAGE_VERSION: sha256:8e9cebdc32fbd0102454136ca3c0e5d46d82e7b668fc936508a304da54dc4450
# KICS queries list: https://docs.kics.io/queries/all-queries/
# - Master Authentication is Disabled (1baba08e-3c8a-4be7-95eb-dced5833de21)
# - Node Auto Upgrade Not Enabled (b139213e-7d24-49c2-8025-c18faa21ecaa): We want to do upgrades manually
# - GKE Basic Authentication is Enabled (70cdf849-b7d9-4569-b87d-5d82ffd44719)
# - GCE resource labels (65c1bc7a-4835-4ac4-a2b6-13d310b0648d)
# - Private Cluster Is Disabled (6ccb85d7-0420-4907-9380-50313f80946b): We intentionally to not use a private cluster, to make interacting with it easier. It's secured with IP based protection & OAuth
KICS_EXCLUDED_QUERIES: 1baba08e-3c8a-4be7-95eb-dced5833de21,b139213e-7d24-49c2-8025-c18faa21ecaa,70cdf849-b7d9-4569-b87d-5d82ffd44719, 65c1bc7a-4835-4ac4-a2b6-13d310b0648d,6ccb85d7-0420-4907-9380-50313f80946b
script:
- docker run --rm -v "$(pwd):/repo" "checkmarx/kics@${KICS_IMAGE_VERSION}" scan -p /repo -o /repo/kics-results.json --no-progress --exclude-queries "${KICS_EXCLUDED_QUERIES}"
- SEVERITY_COUNTER_HIGH=$(grep '"HIGH"':' ' kics-results.json | awk {'print $2'} | sed 's/.$//')
- |
if [ "${SEVERITY_COUNTER_HIGH}" -ge "1" ];
then
echo "Please fix all ${SEVERITY_COUNTER_HIGH} HIGH SEVERITY ISSUES"
exit 1
fi

It will fail if there are any issues with a HIGH severity.

That’s it 🎉

PHP Software & DevOps Engineer. Moved to https://thoeny.dev