Skip to main content

TRG 8.02 - KICS

StatusCreatedPost-History
Active26-Mar-2024Initial release
Draft01-Mar-2024Draft release

Why

KICS is deployed for comprehensive scanning of Infrastructure as Code (IaC) files, ensuring secure and best-practice configurations across various IaC frameworks.

Description

KICS is essential for repositories exclusively containing Infrastructure as Code (IaC) files, such as Terraform, CloudFormation, Kubernetes, GitHub Actions, and Helm charts. It's not applicable to traditional programming languages or documentation-only repositories. Exclude non-IaC files as necessary.

Configure your GitHub Actions to include:

  • workflow_dispatch: Manual workflow execution.
  • schedule: Schedule the workflow to run at least once a week with 0 0 * * 0.
  • push and pull_request: Targets the branch that holds the IaC files intended for current deployments, which might not always be the main branch.

Findings appear in the GitHub Advanced Security Dashboard. Dismiss high/error findings as non-exploitable or false positives with required justification in the vulnerability alert.

caution

Address high severity findings; it is recommended to also address medium severity findings.

You can tailor the failure conditions (fail_on) for high severity issues in the workflow to suit your team's preferences.

Example KICS workflow:

name: KICS

on:
push:
branches: ["main"]
paths-ignore:
- "**/*.md"
- "**/*.txt"
pull_request:
# The branches below must be a subset of the branches above
branches: ["main"]
paths-ignore:
- "**/*.md"
- "**/*.txt"
schedule:
- cron: "0 0 * * 0"
workflow_dispatch:

jobs:
analyze:
name: Analyze
runs-on: ubuntu-latest
permissions:
actions: read
contents: read
security-events: write

steps:
- name: Checkout repo
uses: actions/checkout@v3

- name: Run KICS Scan with SARIF result
uses: checkmarx/kics-github-action@v1.7.0
with:
path: "." # Scanning directory .
output_path: kicsResults/ # Output path for SARIF results
output_formats: "sarif" # Output format
# ignore_on_exit: results # Ignore the results and return exit status code 0 unless a KICS engine error happens
fail_on: high # If you want your pipeline to fail only on high severity results and KICS engine execution errors
# exclude_paths: "terraform/gcp/big_data.tf,terraform/azure" # Exclude paths or files from scan
# exclude_queries: 0437633b-daa6-4bbc-8526-c0d2443b946e # Exclude accepted queries from the build
disable_secrets: true # No secret scanning

- name: Upload SARIF file
uses: github/codeql-action/upload-sarif@v2
with:
sarif_file: kicsResults/results.sarif