feat(bicep): added support for Ignore by comments for bicep #7299

Open
wants to merge 12 commits into
base: master
12 changes: 2 additions & 10 deletions docs/future_improvements.md
Expand Up @@ -13,14 +13,6 @@ Here, you'll find information on upcoming enhancements, planned features, and ar
Currently, KICS doesn't perform validation checks on Bicep files before scanning them.
This means that even if a file isn't syntactically or structurally correct, it will still be scanned, potentially leading to inaccurate results without any error notifications. We're actively prioritizing this fix and anticipate implementing it in the forthcoming weeks.

### Commands on Bicep Files as Comments

The current version does not support **ignoring sections using special commands in comments** when scanning Bicep files. Unlike other file types, where comments starting with `kics-scan` can control the scan behavior, this feature is not yet available for Bicep.

We are working on adding this capability in future updates. Until then, please note that Bicep files will be scanned in their entirety, and commands in comments will be ignored.

More information about commands on comments in files is available on [Running KICS documentation page](https://docs.kics.io/latest/running-kics/#using_commands_on_scanned_files_as_comments)

### Logic and Cycle Operators

Currently, KICS does not analyze logic and cycle operators. This means that expressions within constructs such as for and if statements are ignored during the scanning process. As a result, any security issues or vulnerabilities present within these constructs will not be detected by KICS.
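Review bot: dropping the whole "Commands on Bicep Files as Comments" section leaves this limitations page silent about a restriction the feature still carries, namely that Bicep `ignore-block` only works inside a `resource` block (as the running-kics.md change in this PR states). Consider keeping a one-paragraph note here along the lines of "Bicep supports `kics-scan` comment commands, but `ignore-block` is limited to `resource` blocks", with a link to the Running KICS page, so users reading the limitations list are not surprised.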
Expand All @@ -37,12 +29,12 @@ To avoid potential false positives and improve the accuracy of scans when workin

**Note**: When using the "--disable-secrets" flag, be aware that this will disable the passwords and secrets query for all languages, not just Bicep files. As a result, you may miss some security checks in other files. Before using this flag, carefully consider the impact on your overall security coverage, especially if your project includes multiple languages or file types.

We advise reviewing your project's specific security needs to determine if this flag is appropriate. More information about the passwords and secrets query is available in our [Password and Secrets documentation](https://github.com/Checkmarx/kics/blob/master/docs/secrets.md).
We advise reviewing your project's specific security needs to determine if this flag is appropriate. More information about the passwords and secrets query is available in our [Password and Secrets documentation](https://github.com/Checkmarx/kics/blob/master/docs/secrets.md).


---

## Contribution

If you'd like to contribute or provide insightful feedback regarding KICS' capabilities and limitations, please don't hesitate to contact [our team](https://github.com/Checkmarx/kics/issues/).
We appreciate your patience and understanding as we strive to deliver a more robust scanning solution.
We appreciate your patience and understanding as we strive to deliver a more robust scanning solution.
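Review bot: the two changed lines in this hunk (the "We advise reviewing..." sentence and the closing "We appreciate your patience..." sentence) are visibly identical before and after, which points to a whitespace or end-of-file-newline change only. That is noise in a feature PR and makes the doc diff harder to review; consider reverting it or moving it to a separate formatting commit.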
27 changes: 21 additions & 6 deletions docs/running-kics.md
Expand Up @@ -33,36 +33,36 @@ Available archive formats:
- `xz`

```
To scan a zip file, we would use this instruction:
To scan a zip file, we would use this instruction:

docker run -t -v "{path_to_folder_of_zip}:/path" checkmarx/kics:latest scan -p /path/{name_of_zip_file}

-t: Docker command to allocate a pseudo-TTY.

-v "{path_to_folder_of_zip}:/path": Mounts the directory containing the zip file to be scanned into the Docker container.

checkmarx/kics:latest: Specifies the Docker image to use, which is the latest version of KICS available.
checkmarx/kics:latest: Specifies the Docker image to use, which is the latest version of KICS available.

scan -p /path/{name_of_zip_file}: initiates a scan on the zip file we provided, considering it's folder path.
```

```
To scan a file named "Example", we would use this instruction:
To scan a file named "Example", we would use this instruction:

docker run -t -v "{path_to_folder_of_file_Example}:/path" checkmarx/kics:latest scan -p /path/Example

-t: Docker command to allocate a pseudo-TTY.

-v "{path_to_folder_of_file_Example}:/path": Mounts the directory containing the file to be scanned into the Docker container.

checkmarx/kics:latest: Specifies the Docker image to use, which is the latest version of KICS available.
checkmarx/kics:latest: Specifies the Docker image to use, which is the latest version of KICS available.

scan -p /path/Example: initiates a scan on the "Example" file we provided, considering it's folder path.
```

More information on Docker CLI can be seen [here](https://docs.docker.com/engine/reference/commandline/cli/)
More information on Docker CLI can be seen [here](https://docs.docker.com/engine/reference/commandline/cli/)

More information on Go getter can be seen [here](https://github.com/hashicorp/go-getter#unarchiving)
More information on Go getter can be seen [here](https://github.com/hashicorp/go-getter#unarchiving)

### S3

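Review bot: every changed line in this hunk ("To scan a zip file...", "checkmarx/kics:latest: ...", "To scan a file named...", and the two "More information..." links) is visibly identical on both sides, so these look like trailing-whitespace edits unrelated to the Bicep comment feature. If these lines are going to be touched anyway, fix the grammar error they carry: `scan -p /path/{name_of_zip_file}: initiates a scan on the zip file we provided, considering it's folder path.` and the matching `scan -p /path/Example` line should read `its folder path`, not `it's`. Otherwise consider dropping the whitespace-only changes from this PR.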
Expand Down Expand Up @@ -233,6 +233,21 @@ Results that point to lines 2 and 3 will be ignored.

Results that point from line 1 to 6 will be ignored.

For Bicep, `ignore-block` is only usable within a `resource` block, either for the whole block or for a single property.

```bicep
1: resource storageAccount 'Microsoft.Storage/storageAccounts@2021-06-01' = {
2: name: 'storageaccountname'
3: // kics-scan ignore-block
4: sku: {
5: name: 'Standard_LRS'
6: }
7: }
...
```

Results that point from line 4 to 6 will be ignored.

For Dockerfile `ignore-block` is only usable when the whole `FROM` block should be ignored.

```Dockerfile
15 changes: 11 additions & 4 deletions pkg/parser/bicep/antlr/bicep.g4
Expand Up @@ -103,7 +103,7 @@ expression:
| primaryExpression;

// lambdaExpression -> ( "(" argumentList? ")" | IDENTIFIER ) "=>" expression
lambdaExpression:
lambdaExpression:
(OPAR argumentList? CPAR | identifier) ARROW expression;

logicCharacter: (GT | GTE | LT | LTE | EQ | NEQ);
Expand Down Expand Up @@ -288,9 +288,16 @@ NUMBER: [0-9]+ ('.' [0-9]+)?;
// NL -> ("\n" | "\r")+
NL: [\r\n]+;

SINGLE_LINE_COMMENT: '//' ~[\r\n]* -> skip;
// Add rules to capture single-line and multi-line comments
SINGLE_LINE_COMMENT: '//' ~[\r\n]* -> channel(HIDDEN);

MULTI_LINE_COMMENT: '/*' .*? '*/' -> skip;
MULTI_LINE_COMMENT: '/*' .*? '*/' -> channel(HIDDEN);

// Add rule to handle comments
comment
: SINGLE_LINE_COMMENT
| MULTI_LINE_COMMENT
;

SPACES: [ \t]+ -> skip;

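Review bot: the new parser rule `comment : SINGLE_LINE_COMMENT | MULTI_LINE_COMMENT ;` can never match, because the same hunk routes both tokens to `channel(HIDDEN)` and the parser only consumes tokens on the default channel. Moving the comments from `-> skip` to `-> channel(HIDDEN)` is the right change for reading `kics-scan` directives, but the comments should then be read from the token stream (for example via the hidden-token accessors on the common token stream) rather than through a parser rule; as written, `comment` is dead grammar that will confuse the next reader and, since nothing references it, may trigger an unused-rule warning. Either remove the rule or, if a parser-visible comment is really wanted, keep the tokens on the default channel and reference `comment` from the rules that should accept it. Also, the two added comments ("Add rules to capture single-line and multi-line comments", "Add rule to handle comments") describe the PR rather than the grammar; reword them to say what the tokens are and why they are kept on the hidden channel (ignore-comment support).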
Expand All @@ -300,4 +307,4 @@ fragment STRINGCHAR: ~[\\'\n\r\t$] | ESCAPE;

fragment ESCAPE: '\\' ([\\'nrt$] | 'u{' HEX+ '}');

fragment HEX: [0-9a-fA-F];
fragment HEX: [0-9a-fA-F];