Codefresh Steps: Reusable Code for Common Operations
This page provides code you can use to perform common operations in the Codefresh CI/CD platform.

checkmarx/kics

Find security vulnerabilities, compliance issues, and infrastructure misconfigurations early in the development cycle of your infrastructure-as-code with KICS by Checkmarx

arguments

  • BOM - include bill of materials (BoM) in results output
  • DISABLE_FULL_DESCRIPTIONS - disable request for full descriptions and use default vulnerability descriptions
  • DISABLE_SECRETS - disable secrets scanning
  • EXCLUDE_CATEGORIES - exclude categories by name; cannot be provided with query inclusion flags
  • EXCLUDE_PATHS - exclude paths from scan
  • EXCLUDE_QUERIES - exclude queries by providing the query ID; cannot be provided with query inclusion flags
  • EXCLUDE_RESULTS - exclude results by providing the similarity ID of a result
  • EXCLUDE_SEVERITIES - exclude results by providing the severity of a result
  • FAIL_ON - which kind of results should return an exit code different from 0
  • IGNORE_ON_EXIT - defines which kind of non-zero exit codes should be ignored (all, results, errors, none)
  • INCLUDE_QUERIES - include queries by providing the query ID; cannot be provided with query exclusion flags
  • LIBRARIES_PATH - path to directory with libraries
  • LOG_LEVEL - determines log level (TRACE, DEBUG, INFO, WARN, ERROR, FATAL)
  • OUTPUT_FORMATS - formats in which the results will be exported (all, asff, csv, cyclonedx, glsast, html, json, junit, pdf, sarif, sonarqube)
  • OUTPUT_PATH - directory path to store reports
  • PAYLOAD_PATH - path to store internal representation JSON file
  • PROFILING - enables performance profiler that prints resource consumption metrics in the logs during the execution (CPU, MEM)
  • PROJECT_PATH - paths or directories to scan
  • QUERIES_PATH - paths to directory with queries
  • SECRETS_REGEXES_PATH - path to secrets regex rules configuration file
  • TIME_OUT - number of seconds the query has to execute before being canceled
  • TYPES - case-insensitive list of platform types to scan (Ansible, AzureResourceManager, CloudFormation, Dockerfile, DockerCompose, GRPC, GoogleDeploymentManager, Kubernetes, OpenAPI, Terraform)
  • VERBOSE - write logs to stdout too (mutually exclusive with silent)
steps:
  clone:
    title: Clone a project
    type: git-clone
    repo: rafaela-soares/query
    git: github
  run_kics:
    title: Scanning IaC files
    type: checkmarx/kics
    arguments:
      PROJECT_PATH: ./query
      QUERIES_PATH: ./query/alb_listening_on_http
      EXCLUDE_PATHS: ./query/alb_listening_on_http/test/negative.yaml
      TYPES: Ansible


steps:
  run_kics:
    title: Scanning IaC files
    type: checkmarx/kics
    arguments:
      PROJECT_PATH: 'git::https://github.com/rafaela-soares/query'
      EXCLUDE_RESULTS: >-
        ad70b3786c9bc9cc17d9b413772c0930c22f7b7cc749bc9a7c27533a29de5287,2669fd966f36e8bac8901297b895cc894791f2ef9a036e3beab357fb20e95cff
      TYPES: Ansible
      VERBOSE: true


steps:
  run_kics:
    title: Scanning IaC files
    type: checkmarx/kics
    arguments:
      PROJECT_PATH: 'git::https://github.com/rafaela-soares/query'
      TYPES: Ansible
      EXCLUDE_CATEGORIES: Networking and Firewall


steps:
  clone:
    title: Clone a project
    type: git-clone
    repo: rafaela-soares/secrets
    git: github
  run_kics:
    title: Scanning IaC files
    type: checkmarx/kics
    arguments:
      PROJECT_PATH: ./secrets/passwords_and_secrets/test/positive1.yaml
      SECRETS_REGEXES_PATH: ./secrets/passwords_and_secrets/regex_rules.json


steps:
  clone:
    title: Clone a project
    type: git-clone
    repo: rafaela-soares/query
    git: github
  run_kics:
    title: Scanning IaC files With KICS
    type: checkmarx/kics
    arguments:
      PROJECT_PATH: ./query
      QUERIES_PATH: ./query/alb_listening_on_http
      OUTPUT_PATH: /codefresh/volume/query/reports
      OUTPUT_FORMATS: all
      VERBOSE: true
      EXCLUDE_PATHS: ./query/alb_listening_on_http/test/negative.yaml
      TYPES: Ansible
      LOG_LEVEL: DEBUG
      PAYLOAD_PATH: /codefresh/volume/query/payload.json
      IGNORE_ON_EXIT: results
  save_reports_and_payload:
    title: Saving KICS payload and KICS reports
    type: git-commit
    arguments:
      repo: rafaela-soares/query
      git: github
      working_directory: /codefresh/volume/query
      commit_message: saved payload and reports
      git_user_name: git-user-name
      git_user_email: git-user@email.com
      allow_empty: false
      add:
        - payload.json
        - ./reports
  save_reports_in_s3_bucket:
    title: Saving KICS reports
    image: amazon/aws-cli
    working_directory: /codefresh/volume/query
    commands:
      - mkdir ~/.aws
      - touch ~/.aws/config
      - chmod 600 ~/.aws/config
      - 'echo "[default]" > ~/.aws/config'
      - 'echo "aws_access_key_id=${AWS_ACCESS_KEY_ID}" >> ~/.aws/config'
      - 'echo "aws_secret_access_key=${AWS_SECRET_ACCESS_KEY}" >> ~/.aws/config'
      - 'echo "aws_session_token=${AWS_SESSION_TOKEN}" >> ~/.aws/config'
      - 'echo "region=${AWS_REGION}" >> ~/.aws/config'
      - 'aws s3 cp ./reports s3://${{BUCKET_NAME}}/ --recursive'
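As an added example (not code from the Codefresh step or the KICS project): a Python gate meant to run as a follow-up step after a scan that uses IGNORE_ON_EXIT: results, so the reports above are still saved while the pipeline still fails on serious findings. It assumes the results.json layout KICS writes under OUTPUT_PATH (queries[].severity and queries[].files[].similarity_id) and uses a constructed report with placeholder similarity IDs in place of the real 64-character hex values.

```python
import json

# Severity order used by KICS; unknown labels are treated as blocking (fail closed).
SEVERITY_RANK = {"TRACE": 0, "INFO": 1, "LOW": 2, "MEDIUM": 3, "HIGH": 4, "CRITICAL": 5}

# Constructed stand-in for <OUTPUT_PATH>/results.json; the layout assumed here is
# queries[] -> {query_name, severity, files[] -> {file_name, line, similarity_id}}.
SAMPLE_REPORT = json.dumps({"queries": [
    {"query_name": "ALB Listening on HTTP", "severity": "HIGH", "files": [
        {"file_name": "test/positive1.yaml", "line": 7, "similarity_id": "sim-aaaa1111"},
        {"file_name": "test/positive2.yaml", "line": 12, "similarity_id": "sim-bbbb2222"}]},
    {"query_name": "Unpinned Package Version", "severity": "LOW", "files": [
        {"file_name": "Dockerfile", "line": 3, "similarity_id": "sim-cccc3333"}]},
]})


def load_findings(report_text):
    """Flatten the per-query report into one record per affected file."""
    findings = []
    for query in json.loads(report_text).get("queries", []):
        for hit in query.get("files", []):
            findings.append({
                "query": query["query_name"],
                "severity": query["severity"].upper(),
                "similarity_id": hit["similarity_id"],
                "location": f'{hit["file_name"]}:{hit["line"]}',
            })
    return findings


def gate(report_text, fail_on="HIGH", excluded_ids=()):
    """Return (passed, blocking_findings) for a report.
    excluded_ids plays the role of EXCLUDE_RESULTS: a result is suppressed by its
    similarity_id, which survives file renames and line shifts that would invalidate
    a path-based EXCLUDE_PATHS entry. fail_on mirrors the FAIL_ON threshold.
    """
    threshold = SEVERITY_RANK[fail_on.upper()]
    worst = max(SEVERITY_RANK.values())
    blocking = [f for f in load_findings(report_text)
                if f["similarity_id"] not in set(excluded_ids)
                and SEVERITY_RANK.get(f["severity"], worst) >= threshold]
    return (not blocking, blocking)


if __name__ == "__main__":
    ok, hits = gate(SAMPLE_REPORT, fail_on="HIGH", excluded_ids=["sim-aaaa1111"])
    for f in hits:
        print(f'{f["severity"]} {f["query"]} at {f["location"]} [{f["similarity_id"]}]')
    raise SystemExit(0 if ok else 1)  # a non-zero exit fails the Codefresh step
```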

github.com
Checkmarx
Nov 25, 2022