Add KICS exclude severities functionality (#111)
JonZeolla committed Sep 15, 2021
1 parent a19f718 commit b55db41
Showing 5 changed files with 72 additions and 14 deletions.
2 changes: 1 addition & 1 deletion Pipfile.lock


15 changes: 9 additions & 6 deletions docs/Ansible/index.rst
Expand Up @@ -30,16 +30,19 @@ a pipeline action on commit or pull request::
Customizing KICS
^^^^^^^^^^^^^^^^

+----------------------+-------------------------------------------+-------------------------------------------------------------------------------+
| Environment variable | Result | Example |
+======================+===========================================+===============================================================================+
| ``KICS_QUERIES`` | Passes the value to ``--include-queries`` | ``c3b9f7b0-f5a0-49ec-9cbc-f1e346b7274d,7dfb316c-a6c2-454d-b8a2-97f147b0c0ff`` |
+----------------------+-------------------------------------------+-------------------------------------------------------------------------------+
+-----------------------------+----------------------------------------------+-------------------------------------------------------------------------------+
| Environment variable | Result | Example |
+=============================+==============================================+===============================================================================+
| ``KICS_QUERIES`` | Passes the value to ``--include-queries`` | ``c3b9f7b0-f5a0-49ec-9cbc-f1e346b7274d,7dfb316c-a6c2-454d-b8a2-97f147b0c0ff`` |
+-----------------------------+----------------------------------------------+-------------------------------------------------------------------------------+
| ``KICS_EXCLUDE_SEVERITIES`` | Passes the value to ``--exclude-severities`` | ``info,low`` |
+-----------------------------+----------------------------------------------+-------------------------------------------------------------------------------+

::

KICS_QUERIES=c3b9f7b0-f5a0-49ec-9cbc-f1e346b7274d,7dfb316c-a6c2-454d-b8a2-97f147b0c0ff
docker run --env-file <(env | grep KICS_QUERIES) -v $(pwd):/iac easy_infra:latest-minimal ansible-playbook EXAMPLE.yml --check
KICS_EXCLUDE_SEVERITIES=info,low
docker run --env-file <(env | grep ^KICS_) -v $(pwd):/iac easy_infra:latest-minimal ansible-playbook EXAMPLE.yml --check

Disabling Security
^^^^^^^^^^^^^^^^^^
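Review bot: the example under the table assigns KICS_QUERIES and KICS_EXCLUDE_SEVERITIES as plain shell variables on their own lines, so `env | grep ^KICS_` will not see them unless they are exported; write `export KICS_EXCLUDE_SEVERITIES=info,low` (and the same for KICS_QUERIES) or put the assignment on the `docker run` line itself. The switch from `grep KICS_QUERIES` to `grep ^KICS_` is the right change for passing both variables at once. The Result column could also say that the value is a comma-separated list of severity names; the tests in this commit use info, low, medium and high.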
16 changes: 10 additions & 6 deletions docs/Terraform/index.rst
Expand Up @@ -41,16 +41,20 @@ plan`` and ``terraform deploy``::
Customizing KICS
^^^^^^^^^^^^^^^^

+----------------------+-------------------------------------------+-------------------------------------------------------------------------------+
| Environment variable | Result | Example |
+======================+===========================================+===============================================================================+
| ``KICS_QUERIES`` | Passes the value to ``--include-queries`` | ``4728cd65-a20c-49da-8b31-9c08b423e4db,46883ce1-dc3e-4b17-9195-c6a601624c73`` |
+----------------------+-------------------------------------------+-------------------------------------------------------------------------------+
+-----------------------------+----------------------------------------------+-------------------------------------------------------------------------------+
| Environment variable | Result | Example |
+=============================+==============================================+===============================================================================+
| ``KICS_QUERIES`` | Passes the value to ``--include-queries`` | ``4728cd65-a20c-49da-8b31-9c08b423e4db,46883ce1-dc3e-4b17-9195-c6a601624c73`` |
+-----------------------------+----------------------------------------------+-------------------------------------------------------------------------------+
| ``KICS_EXCLUDE_SEVERITIES`` | Passes the value to ``--exclude-severities`` | ``info,low`` |
+-----------------------------+----------------------------------------------+-------------------------------------------------------------------------------+


::

KICS_QUERIES=4728cd65-a20c-49da-8b31-9c08b423e4db,46883ce1-dc3e-4b17-9195-c6a601624c73
docker run --env-file <(env | grep KICS_QUERIES) -v $(pwd):/iac easy_infra:latest-minimal terraform validate
KICS_EXCLUDE_SEVERITIES=info,low
docker run --env-file <(env | grep ^KICS_) -v $(pwd):/iac easy_infra:latest-minimal terraform validate

Terraform Caching
^^^^^^^^^^^^^^^^^
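Review bot: same exporting problem as in the Ansible docs: `KICS_EXCLUDE_SEVERITIES=info,low` on its own line is a shell variable, not an environment variable, so `env | grep ^KICS_` will not pick it up; use `export ...` in the example. The hunk also leaves two blank lines between the table and the `::` literal block where the Ansible page has one; drop the extra line for consistency.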
2 changes: 2 additions & 0 deletions easy_infra.yml
Expand Up @@ -9,6 +9,7 @@ _anchors:
--output-name kics --path .
customizations:
KICS_QUERIES: --include-queries
KICS_EXCLUDE_SEVERITIES: --exclude-severities
description: directory scan
terrascan:
command: terrascan scan -i terraform -t all -d .
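Review bot: the new customization maps the variable straight to `--exclude-severities` with no constraint on its value, and the value ends up as a command-line argument; worth confirming that the generated wrapper passes it as a single quoted argument, since a user who writes `info, low` with a space would otherwise hand KICS two arguments. Documenting "comma-separated, no spaces" next to the mapping would prevent that.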
Expand All @@ -33,6 +34,7 @@ commands:
--output-name kics --path .
customizations:
KICS_QUERIES: --include-queries
KICS_EXCLUDE_SEVERITIES: --exclude-severities
description: directory scan
version: 2.9.6+dfsg-1
version_argument: --version
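Review bot: this repeats the customizations list from the `_anchors:` block above, now for both KICS_QUERIES and KICS_EXCLUDE_SEVERITIES; if the anchor is meant to be merged into the per-command entries, referencing it here instead of copying the keys would stop the two lists drifting the next time a KICS option is added.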
51 changes: 50 additions & 1 deletion tests/test.py
Expand Up @@ -321,6 +321,11 @@ def run_terraform(*, image: str, final: bool = False):
"terraform init",
0,
),
(
{"KICS_EXCLUDE_SEVERITIES": "info"},
"terraform validate",
0,
),
]

LOG.debug("Testing secure terraform configurations")
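Review bot: the added secure-configuration case only asserts exit 0 with `KICS_EXCLUDE_SEVERITIES=info`, which would also pass if the variable were silently dropped; it is fine as a smoke test, but the insecure cases later in this file are what actually prove the flag reaches KICS, so a one-line comment saying that here would help the next reader.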
Expand Down Expand Up @@ -482,6 +487,31 @@ def run_terraform(*, image: str, final: bool = False):
'/usr/bin/env bash -c "KICS_QUERIES=5a2486aa-facf-477d-a5c1-b010789459ce terraform --skip-tfsec --skip-terrascan --skip-checkov validate"',
50,
),
(
{
"SKIP_CHECKOV": "true",
"SKIP_TFSEC": "true",
"SKIP_TERRASCAN": "true",
"KICS_EXCLUDE_SEVERITIES": "medium",
},
"terraform validate",
50,
), # Doesn't exclude high
(
{
"SKIP_CHECKOV": "true",
"SKIP_TFSEC": "true",
"SKIP_TERRASCAN": "true",
"KICS_EXCLUDE_SEVERITIES": "info,low,medium,high",
},
"terraform validate",
0,
), # Excludes all the severities
(
{},
'/usr/bin/env bash -c "KICS_EXCLUDE_SEVERITIES=info,low,medium,high terraform --skip-tfsec --skip-terrascan --skip-checkov validate"',
0,
), # Excludes all the severities
]

num_tests_ran += exec_tests(tests=tests, volumes=kics_volumes, image=image)
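Review bot: the new cases exercise the env-var path and the inline `bash -c` path separately but never set `KICS_QUERIES` and `KICS_EXCLUDE_SEVERITIES` together, so a regression in how several customizations are appended to one command would go unnoticed; add one case with both. The `# Doesn't exclude high` comment also relies on the fixture containing a high-severity finding; naming that assumption makes the expected 50 easier to check when the fixture changes.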
Expand Down Expand Up @@ -881,9 +911,28 @@ def run_ansible(*, image: str):
),
(
{},
"/usr/bin/env bash -c 'KICS_QUERIES=7dfb316c-a6c2-454d-b8a2-97f147b0c0ff ansible-playbook insecure.yml --check'",
'/usr/bin/env bash -c "KICS_QUERIES=7dfb316c-a6c2-454d-b8a2-97f147b0c0ff ansible-playbook insecure.yml --check"',
50,
),
(
{
"KICS_EXCLUDE_SEVERITIES": "info,low",
},
"ansible-playbook insecure.yml --check",
50,
), # Doesn't exclude high or medium
(
{
"KICS_EXCLUDE_SEVERITIES": "high,medium",
},
"ansible-playbook insecure.yml --check",
4,
), # Excludes all the relevant severities, exits 4 because insecure.yml is not a valid Play
(
{},
'/usr/bin/env bash -c "KICS_EXCLUDE_SEVERITIES=info,low,medium,high ansible-playbook insecure.yml --check"',
4,
), # Excludes all the severities, exits 4 because insecure.yml is not a valid Play
]

num_tests_ran += exec_tests(tests=tests, volumes=kics_volumes, image=image)
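Review bot: the expected `4` in the last two cases comes from ansible-playbook rejecting insecure.yml, not from KICS, as the comments admit; the cases still distinguish "KICS blocked" (50) from "KICS passed", but a valid-yet-insecure fixture would let them assert 0 and keep an unrelated ansible error code out of the KICS tests. The quote change on the KICS_QUERIES command line (single to double quotes) brings it in line with the Terraform tests, good.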
