Update kics.yaml #5

wants to merge 5 commits into
base: main
43 changes: 12 additions & 31 deletions .github/workflows/kics.yaml
@@ -1,38 +1,19 @@
name: scan with KICS and upload SARIF
name: Test KICS action PR comment

on:
pull_request:
branches: [main]

jobs:
kics-job:
test:
runs-on: ubuntu-latest
name: kics-action
steps:
- name: Checkout repo
uses: actions/checkout@v3
- name: Mkdir results-dir
# make sure results dir is created
run: mkdir -p results-dir
- name: Run KICS Scan with SARIF result
uses: cxMiguelSilva/[email protected]
with:
path: vulns
# when provided with a directory on output_path
# it will generate the specified reports file named 'results.{extension}'
# in this example it will generate:
# - results-dir/results.json
# - results-dir/results.sarif
config_path: vulns/config
output_formats: 'json,sarif'
ignore_on_exit: results
# seek query id in it's metadata.json
exclude_queries: 0437633b-daa6-4bbc-8526-c0d2443b946e
- name: Show results
run: |
cat results-dir/results.sarif
cat results-dir/results.json
- name: Upload SARIF file
uses: github/codeql-action/upload-sarif@v3
with:
sarif_file: results-dir/results.sarif
- uses: actions/checkout@v3
- name: run kics Scan
uses: cxMiguelSilva/kics-github-action@TestCriticalV3
with:
path: vulns
token: ${{ secrets.GITHUB_TOKEN }}
output_path: myResults/
ignore_on_exit: results
enable_comments: true
queries: vulns/vpc_flow_logs_disabled
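Review bot: The new `uses: cxMiguelSilva/kics-github-action@TestCriticalV3` pins the action to a mutable branch/tag on a personal fork, and the same step now receives `token: ${{ secrets.GITHUB_TOKEN }}`, so anyone who can push to that ref can run code of their choosing with the workflow token on every pull request. Pin to a full commit SHA once the test ref settles (`uses: cxMiguelSilva/kics-github-action@<40-char sha> # TestCriticalV3`), or keep this workflow off `main` if it is only the temporary harness its new name suggests. The job also declares no `permissions:` block; `enable_comments: true` needs `pull-requests: write`, which currently depends on the repository's default token permissions, and an explicit job-level `permissions:` with `contents: read` and `pull-requests: write` makes the intent visible while keeping everything else read-only. The SARIF upload step is dropped, so scan results no longer reach code scanning — fine for a test, but worth stating in the PR description.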
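--- /dev/null
+++ b/vulns/vpc_flow_logs_disabled/metadata.json
@@ -0,0 +1,12 @@
+{
+"id": "d2731f3d-a992-44ed-812e-f4f1c2747d71",
+"queryName": "VPC Flow Logs Disabled",
+"severity": "CRITICAL",
+"category": "Observability",
+"descriptionText": "Every VPC resource should have an associated Flow Log",
+"descriptionUrl": "https://registry.terraform.io/providers/aliyun/alicloud/latest/docs/resources/vpc_flow_log",
+"platform": "Terraform",
+"descriptionID": "2841dac6",
+"cloudProvider": "alicloud",
+"cwe": ""
+}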
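Review bot: `"severity": "CRITICAL"` here disagrees with `"severity": "LOW"` in the expected-result JSON added further down this PR for the same `"queryName": "VPC Flow Logs Disabled"`, and the workflow annotation on positive1.tf shows the scan reporting `[CRITICAL]`, so the expected-result file looks stale and will fail a strict comparison. Align the two — presumably the expected result should read `"severity": "CRITICAL"` if the point of this PR is to exercise the critical level, as the `TestCriticalV3` ref suggests. `"cwe": ""` is also shipped empty; either omit the key if the schema allows it or fill in a mapping (CWE-778, Insufficient Logging, is the usual one for missing flow logs, if that fits the maintainers' taxonomy).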
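--- /dev/null
+++ b/vulns/vpc_flow_logs_disabled/query.rego
@@ -0,0 +1,24 @@
+package Cx
+
+import data.generic.common as common_lib
+import data.generic.terraform as tf_lib
+
+CxPolicy[result] {
+resources := input.document[i].resource
+alicloudVpc := resources.alicloud_vpc[name_vpc]
+alicloudVpcId := sprintf("${alicloud_vpc.%s.id}", [name_vpc])
+
+alicloudFlowLogsId := [vpc_id | vpc_id := resources.alicloud_vpc_flow_log[_].resource_id]
+not common_lib.inArray(alicloudFlowLogsId, alicloudVpcId)
+
+result := {
+"documentId": input.document[i].id,
+"resourceType": "alicloud_vpc",
+"resourceName": name_vpc,
+"searchKey": sprintf("alicloud_vpc[%s]", [name_vpc]),
+"issueType": "IncorrectValue",
+"keyActualValue": sprintf("alicloud_vpc[%s] is not associated with an 'alicloud_vpc_flow_log'", [name_vpc]),
+"keyExpectedValue": sprintf("alicloud_vpc[%s] is associated with an 'alicloud_vpc_flow_log'", [name_vpc]),
+"searchLine": common_lib.build_search_line(["resource", "alicloud_vpc", name_vpc], []),
+}
+}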
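Review bot: The comprehension on the `alicloudFlowLogsId` line accepts any `alicloud_vpc_flow_log` whose `resource_id` names the VPC without checking `resource_type`, so a flow log declared for another resource type but pointed at the VPC id (an invalid config) would silence the finding; filtering it, `alicloudFlowLogsId := [vpc_id | fl := resources.alicloud_vpc_flow_log[_]; fl.resource_type == "VPC"; vpc_id := fl.resource_id]`, keeps the match to real VPC flow logs. Both test fixtures set `status = "Active"`; if a flow log whose status is not Active should count as disabled, add a status check in the same comprehension (e.g. `fl.status == "Active"`), bearing in mind that a fixture with no `status` attribute then relies on the provider default, which needs confirming. The match depends on the parser rendering `resource_id = alicloud_vpc.main.id` as the literal `${alicloud_vpc.main.id}` built by the `sprintf` above — presumably how KICS normalises references — so a VPC id supplied as a plain string or through a variable will not match and will be reported. `tf_lib` is imported and never used; drop the `import data.generic.terraform as tf_lib` line.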
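--- /dev/null
+++ b/vulns/vpc_flow_logs_disabled/test/negative1.tf
@@ -0,0 +1,15 @@
+resource "alicloud_vpc" "main" {
+cidr_block = "192.168.0.0/24"
+name = var.name
+}
+
+resource "alicloud_vpc_flow_log" "default" {
+depends_on = ["alicloud_vpc.main"]
+resource_id = alicloud_vpc.main.id
+resource_type = "VPC"
+traffic_type = "All"
+log_store_name = var.log_store_name
+project_name = var.project_name
+flow_log_name = var.name
+status = "Active"
+}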
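Review bot: `depends_on = ["alicloud_vpc.main"]` uses the pre-0.12 quoted-reference form, which Terraform has deprecated since 0.12 (`depends_on` expects bare resource references), and it is redundant anyway because `resource_id = alicloud_vpc.main.id` already establishes the dependency. The fixture is only parsed by KICS, so this does not affect the test, but dropping the line (or writing `depends_on = [alicloud_vpc.main]`) keeps the sample a valid config a user could copy as the fix. A one-line comment such as `# VPC "main" has a flow log, so it must not be reported` would make the fixture's intent obvious next to positive1.tf.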
15 changes: 15 additions & 0 deletions vulns/vpc_flow_logs_disabled/test/positive1.tf
@@ -0,0 +1,15 @@
resource "alicloud_vpc" "main" {

Check warning on line 1 in vulns/vpc_flow_logs_disabled/test/positive1.tf


[CRITICAL] VPC Flow Logs Disabled

Every VPC resource should have an associated Flow Log
cidr_block = "192.168.0.0/24"
name = var.name
}

resource "alicloud_vpc_flow_log" "default" {
depends_on = ["alicloud_vpc.default"]
resource_id = alicloud_vpc.default.id
resource_type = "VPC"
traffic_type = "All"
log_store_name = var.log_store_name
project_name = var.project_name
flow_log_name = var.name
status = "Active"
}
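Review bot: The only positive fixture relies on a dangling reference (`alicloud_vpc.default` is never declared), so the case exercised is "flow log attached to some other VPC" while the plain case — a VPC with no `alicloud_vpc_flow_log` at all — is not covered; add a `positive2.tf` holding just the `alicloud_vpc "main"` block, with a matching entry in the expected-result file. `depends_on = ["alicloud_vpc.default"]` also uses the deprecated quoted-reference form. A comment line stating what the fixture proves, e.g. `# flow log targets a different VPC, so "main" must be reported`, would help the next person reading the test.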
@@ -0,0 +1,8 @@
[
{
"queryName": "VPC Flow Logs Disabled",
"severity": "LOW",
"line": 1,
"fileName": "positive1.tf"
}
]