From 3c9944911a771181f3ed35e45e4f87fd8d706f23 Mon Sep 17 00:00:00 2001
From: Brandt Keller
Date: Fri, 18 Oct 2024 21:14:48 +0000
Subject: [PATCH 1/6] chore(scan): integrate KICS scanning into PR pipelines
---
.github/workflows/scan-gosec.yaml | 2 --
.github/workflows/scan-kics.yaml | 45 +++++++++++++++++++++++++++++++
2 files changed, 45 insertions(+), 2 deletions(-)
create mode 100644 .github/workflows/scan-kics.yaml
diff --git a/.github/workflows/scan-gosec.yaml b/.github/workflows/scan-gosec.yaml
index 066564e3..0ddf041e 100644
--- a/.github/workflows/scan-gosec.yaml
+++ b/.github/workflows/scan-gosec.yaml
@@ -10,8 +10,6 @@ on: pull_request: branches: - main - schedule: - - cron: '0 0 * * 0' jobs: tests: runs-on: ubuntu-latest
diff --git a/.github/workflows/scan-kics.yaml b/.github/workflows/scan-kics.yaml
new file mode 100644
index 00000000..4c049b0a
--- /dev/null
+++ b/.github/workflows/scan-kics.yaml
@@ -0,0 +1,45 @@ +name: Scan CVEs - KICS + +permissions: + contents: read + +on: + push: + branches: + - main + pull_request: + branches: + - main +jobs: + kics: + runs-on: ubuntu-latest + permissions: + actions: read + contents: read + security-events: write + steps: + - name: Checkout Source + uses: actions/checkout@eef61447b9ff4aafe5dcd4e0bbf5d482be7e7871 # v4.2.1 + + - name: run kics Scan + uses: checkmarx/kics-github-action@94469746ec2c43de89a42fb9d2a80070f5d25b16 # v2.1.3 + with: + output_formats: 'sarif' + + - name: display kics results + run: | + cat results.sarif + + - name: Upload artifact + uses: actions/upload-artifact@b4b15b8c7c6ac21ea08fcf65892d2ee8f75cf882 # v4.4.3 + with: + name: SARIF file + path: results.sarif + retention-days: 5 + + - name: Upload SARIF file + uses: github/codeql-action/upload-sarif@c36620d31ac7c881962c3d9dd939c40ec9434f2b # v3.26.12 + with: + sarif_file: results.sarif + +
\ No newline at end of file
From 33f01b626df73124e35e2e6a929ef5d509c7b2df Mon Sep 17 00:00:00 2001
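Review bot: With the `schedule` trigger removed from scan-gosec.yaml, gosec runs only when code is pushed or a PR targets main, so a rule added in a newer gosec release is not surfaced until some unrelated change lands; the weekly cron was the only thing that re-scanned an idle branch. If the scheduled run was dropped because it was noisy or duplicated elsewhere, that reason belongs in the commit message; otherwise a `schedule:` entry alongside the PR trigger keeps the baseline current. The `on:` mapping and the `jobs:` block both continue outside this hunk.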
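Review bot: The `display kics results`, `Upload artifact` and `Upload SARIF file` steps in the new scan-kics.yaml carry no `if:` condition, so they run only when `run kics Scan` exits zero; once the action is allowed to fail on findings (which the last patch of this series does by dropping `ignore_on_exit`), the SARIF is never uploaded precisely when it contains something and the code-scanning alerts stay empty. Add `if: always()` to each of the three steps that consume `results.sarif` so the artifact and the upload happen on both passing and failing scans. Two smaller points: the workflow is titled `Scan CVEs - KICS`, but KICS reports infrastructure-as-code misconfigurations rather than CVEs, so `Scan IaC - KICS` describes the job; and the final two added lines are whitespace-only with no trailing newline, which yamllint will flag.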
From: Brandt Keller
Date: Fri, 18 Oct 2024 21:19:47 +0000
Subject: [PATCH 2/6] chore(kics): wildcard path acceptable?
---
.github/workflows/scan-kics.yaml | 1 +
1 file changed, 1 insertion(+)
diff --git a/.github/workflows/scan-kics.yaml b/.github/workflows/scan-kics.yaml
index 4c049b0a..e13f8852 100644
--- a/.github/workflows/scan-kics.yaml
+++ b/.github/workflows/scan-kics.yaml
@@ -24,6 +24,7 @@ jobs: - name: run kics Scan uses: checkmarx/kics-github-action@94469746ec2c43de89a42fb9d2a80070f5d25b16 # v2.1.3 with: + path: '*' output_formats: 'sarif' - name: display kics results
From aae53f64cc01edfbead11b9f82646638f5a95f3c Mon Sep 17 00:00:00 2001
From: Brandt Keller
Date: Fri, 18 Oct 2024 21:29:12 +0000
Subject: [PATCH 3/6] chore(kics): scan demo and test directories
---
.github/workflows/scan-kics.yaml | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/.github/workflows/scan-kics.yaml b/.github/workflows/scan-kics.yaml
index e13f8852..46389e84 100644
--- a/.github/workflows/scan-kics.yaml
+++ b/.github/workflows/scan-kics.yaml
@@ -24,7 +24,7 @@ jobs: - name: run kics Scan uses: checkmarx/kics-github-action@94469746ec2c43de89a42fb9d2a80070f5d25b16 # v2.1.3 with: - path: '*' + path: 'demo,src/test' output_formats: 'sarif' - name: display kics results
From 8a27388d1ea381f0377e0e8f5a946fba9c748f46 Mon Sep 17 00:00:00 2001
From: Brandt Keller
Date: Fri, 18 Oct 2024 21:33:01 +0000
Subject: [PATCH 4/6] chore(kics): ignore on exit to get results file
---
.github/workflows/scan-kics.yaml | 1 +
1 file changed, 1 insertion(+)
diff --git a/.github/workflows/scan-kics.yaml b/.github/workflows/scan-kics.yaml
index 46389e84..407ded2f 100644
--- a/.github/workflows/scan-kics.yaml
+++ b/.github/workflows/scan-kics.yaml
@@ -25,6 +25,7 @@ jobs: uses: checkmarx/kics-github-action@94469746ec2c43de89a42fb9d2a80070f5d25b16 # v2.1.3 with: path: 'demo,src/test' + ignore_on_exit: results output_formats: 'sarif' - name: display kics results
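Review bot: `path: 'demo,src/test'` in the third patch restricts the scan to sample and fixture directories, so the repository's own infrastructure files — including the workflows under `.github/workflows`, which current KICS releases have a query set for — are never examined; if the intent is to catch misconfiguration in what the project itself runs, the path list needs those directories too (the last patch widens it to `src` but still omits `.github`). Whether `demo` and `src/test` contain anything beyond intentionally non-compliant fixtures is not visible here; if they do not, the scan mostly reports the samples it exists to flag. The `steps:` list and the action's `uses:` line lie outside the hunk.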
From 803f897c891d5622fde2e986e2a040de7ec0d02d Mon Sep 17 00:00:00 2001
From: Brandt Keller
Date: Fri, 18 Oct 2024 20:33:02 -0700
Subject: [PATCH 5/6] chore(kics): remediate all findings
---
demo/simple/pod.fail.yaml | 1 +
demo/simple/pod.pass.yaml | 1 +
src/test/e2e/scenarios/api-field/configmap.fail.yaml | 1 +
src/test/e2e/scenarios/api-field/configmap.pass.yaml | 1 +
src/test/e2e/scenarios/api-field/pod.yaml | 1 +
.../e2e/scenarios/composition-component-definition/pod.pass.yaml | 1 +
src/test/e2e/scenarios/dev-get-resources/configmap.yaml | 1 +
src/test/e2e/scenarios/dev-get-resources/pod.yaml | 1 +
src/test/e2e/scenarios/dev-validate/pod.pass.yaml | 1 +
src/test/e2e/scenarios/multi-resource/configmap.yaml | 1 +
src/test/e2e/scenarios/multi-resource/pod.yaml | 1 +
src/test/e2e/scenarios/multi-resource/podvt1.yaml | 1 +
src/test/e2e/scenarios/multi-resource/podvt2.yaml | 1 +
src/test/e2e/scenarios/outputs/pod.yaml | 1 +
src/test/e2e/scenarios/pod-label/pod.fail.yaml | 1 +
src/test/e2e/scenarios/pod-label/pod.pass.yaml | 1 +
src/test/e2e/scenarios/remote-validations/pod.pass.yaml | 1 +
src/test/e2e/scenarios/resource-data/configmap_json.yaml | 1 +
src/test/e2e/scenarios/resource-data/configmap_yaml.yaml | 1 +
src/test/e2e/scenarios/resource-data/pod.yaml | 1 +
src/test/e2e/scenarios/resource-data/secret.yaml | 1 +
src/test/e2e/scenarios/template-validation/pod.yaml | 1 +
src/test/e2e/scenarios/validation-composition/pod.pass.yaml | 1 +
src/test/e2e/scenarios/wait-field/pod.yaml | 1 +
24 files changed, 24 insertions(+)
diff --git a/demo/simple/pod.fail.yaml b/demo/simple/pod.fail.yaml
index 8077ee64..19e38731 100644
--- a/demo/simple/pod.fail.yaml
+++ b/demo/simple/pod.fail.yaml
@@ -1,3 +1,4 @@ +#kics-scan ignore --- apiVersion: v1 kind: Pod
diff --git a/demo/simple/pod.pass.yaml b/demo/simple/pod.pass.yaml
index a745fa9d..fde22399 100644
--- a/demo/simple/pod.pass.yaml
+++ b/demo/simple/pod.pass.yaml
@@ -1,3 +1,4 @@ +#kics-scan ignore --- apiVersion: v1 kind: Pod
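Review bot: Each of the 24 hunks in this patch adds a file-wide `#kics-scan ignore`, which silences every KICS query for that file rather than the specific findings the subject line says were remediated; because the previous patch points the scan at exactly `demo` and `src/test`, the configured scope is now entirely suppressed and later edits to these manifests are unchecked too. For fixtures that are intentionally non-compliant (`pod.fail.yaml`) a blanket ignore is defensible but should say why, e.g. `# kics-scan ignore` followed by `# intentionally insecure fixture for the pod-label scenario`; for the `pass` and plain manifests, prefer a per-query suppression (`# kics-scan disable=<query-id placeholder>`) or leave these directories out via the action's `exclude_paths` input so a real regression in them is still reported. The same applies to the remaining hunks of this patch on L4–L7.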
diff --git a/src/test/e2e/scenarios/api-field/configmap.fail.yaml b/src/test/e2e/scenarios/api-field/configmap.fail.yaml
index 6f291f3b..16e6256a 100644
--- a/src/test/e2e/scenarios/api-field/configmap.fail.yaml
+++ b/src/test/e2e/scenarios/api-field/configmap.fail.yaml
@@ -1,3 +1,4 @@ +#kics-scan ignore --- apiVersion: v1 kind: ConfigMap
diff --git a/src/test/e2e/scenarios/api-field/configmap.pass.yaml b/src/test/e2e/scenarios/api-field/configmap.pass.yaml
index 413409c2..e28d003d 100644
--- a/src/test/e2e/scenarios/api-field/configmap.pass.yaml
+++ b/src/test/e2e/scenarios/api-field/configmap.pass.yaml
@@ -1,3 +1,4 @@ +#kics-scan ignore --- apiVersion: v1 kind: ConfigMap
diff --git a/src/test/e2e/scenarios/api-field/pod.yaml b/src/test/e2e/scenarios/api-field/pod.yaml
index 0f031ca1..ea3320da 100644
--- a/src/test/e2e/scenarios/api-field/pod.yaml
+++ b/src/test/e2e/scenarios/api-field/pod.yaml
@@ -1,3 +1,4 @@ +#kics-scan ignore --- apiVersion: v1 kind: Pod
diff --git a/src/test/e2e/scenarios/composition-component-definition/pod.pass.yaml b/src/test/e2e/scenarios/composition-component-definition/pod.pass.yaml
index 65d23306..b3f6eee5 100644
--- a/src/test/e2e/scenarios/composition-component-definition/pod.pass.yaml
+++ b/src/test/e2e/scenarios/composition-component-definition/pod.pass.yaml
@@ -1,3 +1,4 @@ +#kics-scan ignore --- apiVersion: v1 kind: Pod
diff --git a/src/test/e2e/scenarios/dev-get-resources/configmap.yaml b/src/test/e2e/scenarios/dev-get-resources/configmap.yaml
index 80b6984d..3b6420d6 100644
--- a/src/test/e2e/scenarios/dev-get-resources/configmap.yaml
+++ b/src/test/e2e/scenarios/dev-get-resources/configmap.yaml
@@ -1,3 +1,4 @@ +#kics-scan ignore --- apiVersion: v1 kind: ConfigMap
diff --git a/src/test/e2e/scenarios/dev-get-resources/pod.yaml b/src/test/e2e/scenarios/dev-get-resources/pod.yaml
index 1b503c67..8c8c47b8 100644
--- a/src/test/e2e/scenarios/dev-get-resources/pod.yaml
+++ b/src/test/e2e/scenarios/dev-get-resources/pod.yaml
@@ -1,3 +1,4 @@ +#kics-scan ignore apiVersion: v1 kind: Pod metadata:
diff --git a/src/test/e2e/scenarios/dev-validate/pod.pass.yaml b/src/test/e2e/scenarios/dev-validate/pod.pass.yaml
index 21443d84..ff98c273 100644
--- a/src/test/e2e/scenarios/dev-validate/pod.pass.yaml
+++ b/src/test/e2e/scenarios/dev-validate/pod.pass.yaml
@@ -1,3 +1,4 @@ +#kics-scan ignore --- apiVersion: v1 kind: Pod
diff --git a/src/test/e2e/scenarios/multi-resource/configmap.yaml b/src/test/e2e/scenarios/multi-resource/configmap.yaml
index 80b6984d..3b6420d6 100644
--- a/src/test/e2e/scenarios/multi-resource/configmap.yaml
+++ b/src/test/e2e/scenarios/multi-resource/configmap.yaml
@@ -1,3 +1,4 @@ +#kics-scan ignore --- apiVersion: v1 kind: ConfigMap
diff --git a/src/test/e2e/scenarios/multi-resource/pod.yaml b/src/test/e2e/scenarios/multi-resource/pod.yaml
index 0f031ca1..ea3320da 100644
--- a/src/test/e2e/scenarios/multi-resource/pod.yaml
+++ b/src/test/e2e/scenarios/multi-resource/pod.yaml
@@ -1,3 +1,4 @@ +#kics-scan ignore --- apiVersion: v1 kind: Pod
diff --git a/src/test/e2e/scenarios/multi-resource/podvt1.yaml b/src/test/e2e/scenarios/multi-resource/podvt1.yaml
index 8d8a216b..b7d2bf62 100644
--- a/src/test/e2e/scenarios/multi-resource/podvt1.yaml
+++ b/src/test/e2e/scenarios/multi-resource/podvt1.yaml
@@ -1,3 +1,4 @@ +#kics-scan ignore --- apiVersion: v1 kind: Pod
diff --git a/src/test/e2e/scenarios/multi-resource/podvt2.yaml b/src/test/e2e/scenarios/multi-resource/podvt2.yaml
index 2c11d66b..56632c5a 100644
--- a/src/test/e2e/scenarios/multi-resource/podvt2.yaml
+++ b/src/test/e2e/scenarios/multi-resource/podvt2.yaml
@@ -1,3 +1,4 @@ +#kics-scan ignore --- apiVersion: v1 kind: Pod
diff --git a/src/test/e2e/scenarios/outputs/pod.yaml b/src/test/e2e/scenarios/outputs/pod.yaml
index 5af7e938..541cf02c 100644
--- a/src/test/e2e/scenarios/outputs/pod.yaml
+++ b/src/test/e2e/scenarios/outputs/pod.yaml
@@ -1,3 +1,4 @@ +#kics-scan ignore --- apiVersion: v1 kind: Pod
diff --git a/src/test/e2e/scenarios/pod-label/pod.fail.yaml b/src/test/e2e/scenarios/pod-label/pod.fail.yaml
index eafd422f..ae151503 100644
--- a/src/test/e2e/scenarios/pod-label/pod.fail.yaml
+++ b/src/test/e2e/scenarios/pod-label/pod.fail.yaml
@@ -1,3 +1,4 @@ +#kics-scan ignore --- apiVersion: v1 kind: Pod
diff --git a/src/test/e2e/scenarios/pod-label/pod.pass.yaml b/src/test/e2e/scenarios/pod-label/pod.pass.yaml
index 61953dc4..227e49a1 100644
--- a/src/test/e2e/scenarios/pod-label/pod.pass.yaml
+++ b/src/test/e2e/scenarios/pod-label/pod.pass.yaml
@@ -1,3 +1,4 @@ +#kics-scan ignore --- apiVersion: v1 kind: Pod
diff --git a/src/test/e2e/scenarios/remote-validations/pod.pass.yaml b/src/test/e2e/scenarios/remote-validations/pod.pass.yaml
index 89236f78..8393de73 100644
--- a/src/test/e2e/scenarios/remote-validations/pod.pass.yaml
+++ b/src/test/e2e/scenarios/remote-validations/pod.pass.yaml
@@ -1,3 +1,4 @@ +#kics-scan ignore --- apiVersion: v1 kind: Pod
diff --git a/src/test/e2e/scenarios/resource-data/configmap_json.yaml b/src/test/e2e/scenarios/resource-data/configmap_json.yaml
index f5ef6c8d..a1df711f 100644
--- a/src/test/e2e/scenarios/resource-data/configmap_json.yaml
+++ b/src/test/e2e/scenarios/resource-data/configmap_json.yaml
@@ -1,3 +1,4 @@ +#kics-scan ignore apiVersion: v1 kind: ConfigMap metadata:
diff --git a/src/test/e2e/scenarios/resource-data/configmap_yaml.yaml b/src/test/e2e/scenarios/resource-data/configmap_yaml.yaml
index d8e5f1fc..54e6fa26 100644
--- a/src/test/e2e/scenarios/resource-data/configmap_yaml.yaml
+++ b/src/test/e2e/scenarios/resource-data/configmap_yaml.yaml
@@ -1,3 +1,4 @@ +#kics-scan ignore apiVersion: v1 kind: ConfigMap metadata:
diff --git a/src/test/e2e/scenarios/resource-data/pod.yaml b/src/test/e2e/scenarios/resource-data/pod.yaml
index 46e933b5..369acbe8 100644
--- a/src/test/e2e/scenarios/resource-data/pod.yaml
+++ b/src/test/e2e/scenarios/resource-data/pod.yaml
@@ -1,3 +1,4 @@ +#kics-scan ignore apiVersion: v1 kind: Pod metadata:
diff --git a/src/test/e2e/scenarios/resource-data/secret.yaml b/src/test/e2e/scenarios/resource-data/secret.yaml
index 3de47913..501d9d22 100644
--- a/src/test/e2e/scenarios/resource-data/secret.yaml
+++ b/src/test/e2e/scenarios/resource-data/secret.yaml
@@ -1,3 +1,4 @@ +#kics-scan ignore apiVersion: v1 kind: Secret metadata:
diff --git a/src/test/e2e/scenarios/template-validation/pod.yaml b/src/test/e2e/scenarios/template-validation/pod.yaml
index 61953dc4..227e49a1 100644
--- a/src/test/e2e/scenarios/template-validation/pod.yaml
+++ b/src/test/e2e/scenarios/template-validation/pod.yaml
@@ -1,3 +1,4 @@ +#kics-scan ignore --- apiVersion: v1 kind: Pod
diff --git a/src/test/e2e/scenarios/validation-composition/pod.pass.yaml b/src/test/e2e/scenarios/validation-composition/pod.pass.yaml
index 65d23306..b3f6eee5 100644
--- a/src/test/e2e/scenarios/validation-composition/pod.pass.yaml
+++ b/src/test/e2e/scenarios/validation-composition/pod.pass.yaml
@@ -1,3 +1,4 @@ +#kics-scan ignore --- apiVersion: v1 kind: Pod
diff --git a/src/test/e2e/scenarios/wait-field/pod.yaml b/src/test/e2e/scenarios/wait-field/pod.yaml
index 77cf18e7..8c78a9b1 100644
--- a/src/test/e2e/scenarios/wait-field/pod.yaml
+++ b/src/test/e2e/scenarios/wait-field/pod.yaml
@@ -1,3 +1,4 @@ +#kics-scan ignore --- apiVersion: v1 kind: Pod
From f479f3178aad0e4b0ede800ac344d8d673f9c5a6 Mon Sep 17 00:00:00 2001
From: Brandt Keller
Date: Fri, 18 Oct 2024 20:34:37 -0700
Subject: [PATCH 6/6] chore(kics): update workflow to fail
---
.github/workflows/scan-kics.yaml | 3 +--
1 file changed, 1 insertion(+), 2 deletions(-)
diff --git a/.github/workflows/scan-kics.yaml b/.github/workflows/scan-kics.yaml
index 407ded2f..d82bfb8d 100644
--- a/.github/workflows/scan-kics.yaml
+++ b/.github/workflows/scan-kics.yaml
@@ -24,8 +24,7 @@ jobs: - name: run kics Scan uses: checkmarx/kics-github-action@94469746ec2c43de89a42fb9d2a80070f5d25b16 # v2.1.3 with: - path: 'demo,src/test' - ignore_on_exit: results + path: 'demo,src' output_formats: 'sarif' - name: display kics results
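Review bot: Widening `path` to `demo,src` adds little real coverage, because the previous patch gave every manifest under `src/test` a file-wide `#kics-scan ignore`; what the gate now examines is whatever else lives under `src` and `demo`, and it is worth confirming that set is non-empty so the job does not pass trivially. Removing `ignore_on_exit: results` is what makes the step fail on findings, so the severity threshold that decides a failure should be stated explicitly rather than left to the action's default, e.g. `fail_on: high,medium` next to `output_formats`. The scan step's `uses:` line is in the hunk, but the later steps that read `results.sarif` are outside it.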