add vuln

.circleci/config.yaml

@@ -0,0 +1,19 @@
+version: 2.1
+jobs:
+  kics:
+    docker:
+      - image: arturribeirocx/kics:testecritical
+    steps:
+      - checkout
+      - run:
+          name: Run KICS
+          command: |
+            /app/bin/kics scan -p ${PWD} -o ${PWD} --ci
+      - store_artifacts:
+          path: ${PWD}/results.json
+
+workflows:
+  version: 2
+  build:
+    jobs:
+      - kics

.github/workflows/kics.yaml

@@ -2,7 +2,7 @@ name: scan with KICS and upload SARIF
 
 on:
   pull_request:
-    branches: [master]
+    branches: [main]
 
 jobs:
   kics-job:
@@ -15,18 +15,17 @@ jobs:
         # make sure results dir is created
         run: mkdir -p results-dir
       - name: Run KICS Scan with SARIF result
-        uses: checkmarx/kics-github-action@v1.7.0
+        uses: cxMiguelSilva/kics-github-action@TestConfigV6.23
         with:
-          path: 'terraform'
+          path: vulns
           # when provided with a directory on output_path
           # it will generate the specified reports file named 'results.{extension}'
           # in this example it will generate:
           # - results-dir/results.json
           # - results-dir/results.sarif
-          output_path: results-dir
-          platform_type: terraform
+          config_path: vulns/config
           output_formats: 'json,sarif'
-          exclude_paths: "terraform/gcp/big_data.tf,terraform/azure"
+          ignore_on_exit: results
           # seek query id in it's metadata.json
           exclude_queries: 0437633b-daa6-4bbc-8526-c0d2443b946e
       - name: Show results

positive.dockerfile

@@ -4,4 +4,5 @@ WORKDIR /app
 ONBUILD COPY . /app
 ONBUILD RUN virtualenv /env && /env/bin/pip install -r /app/requirements.txt
 EXPOSE 8080
+EXPOSE 8081
 CMD ["/env/bin/python", "main.py"]

vulns/config

@@ -0,0 +1,7 @@
+"path" = "assets/iac_samples"
+"verbose" = true
+"log-file" = true
+"type" = "Dockerfile,Kubernetes"
+"queries-path" = "assets/queries"
+"exclude-paths" = ["foo/", "bar/"]
+"output-name" = "results-demo.testcoiso"

vulns/configs/hcl/config

@@ -0,0 +1,8 @@
+"path" = "assets/iac_samples"
+"verbose" = true
+"log-file" = true
+"type" = "Dockerfile,Kubernetes"
+"queries-path" = "assets/queries"
+"exclude-paths" = ["foo/", "bar/"]
+"output-path" = "results"
+"output-name" = "res.json"

vulns/configs/json/config

@@ -0,0 +1,13 @@
+{
+  "path": "assets/iac_samples",
+  "verbose": true,
+  "log-file": true,
+  "type": "Dockerfile,Kubernetes",
+  "queries-path": "assets/queries",
+  "exclude-paths": [
+     "foo/",
+     "bar/"
+  ],
+  "output-path": "results",
+  "output-name": "res.json"
+}

vulns/configs/toml/config

@@ -0,0 +1,8 @@
+path = "assets/iac_samples"
+verbose = true
+log-file = true
+type = "Dockerfile,Kubernetes"
+queries-path = "assets/queries"
+exclude-paths = [ "foo/", "bar/" ]
+output-path = "results"
+output-name = "res.json"

vulns/configs/yaml/config

@@ -0,0 +1,13 @@
+---
+path: assets/iac_samples
+verbose: true
+log-file: true
+type:
+  - Dockerfile
+  - Kubernetes
+queries-path: assets/queries
+exclude-paths:
+  - foo/
+  - bar/
+output-path: results
+output-name: res.json

vulns/positive.dockerfile

@@ -0,0 +1,8 @@
+FROM gliderlabs/alpine:3.3
+RUN apk add --update-cache python
+WORKDIR /app
+ONBUILD COPY . /app
+ONBUILD RUN virtualenv /env && /env/bin/pip install -r /app/requirements.txt
+EXPOSE 8080
+EXPOSE 8081
+CMD ["/env/bin/python", "main.py"]

vulns/positive2.dockerfile

@@ -0,0 +1,8 @@
+FROM gliderlabs/alpine:3.3
+RUN apk add --update-cache python
+WORKDIR /app
+ONBUILD COPY . /app
+ONBUILD RUN virtualenv /env; \
+    /env/bin/pip install -r /app/requirements.txt
+EXPOSE 8080
+CMD ["/env/bin/python", "main.py"]