checkmarx / kics


Find security vulnerabilities, compliance issues, and infrastructure misconfigurations early in the development cycle of your infrastructure-as-code with KICS by Checkmarx.

Home Page: https://kics.io

License: Apache License 2.0

Dockerfile 0.71% Go 24.07% Makefile 0.09% HCL 27.52% Open Policy Agent 44.01% Shell 0.01% CSS 0.08% JavaScript 0.01% HTML 3.49% ANTLR 0.02%
iac infrastructure-as-code security appsec cloudnative hacktoberfest devsecops golang security-tools vulnerability-detection

kics's Introduction


KICS - Keep Infrastructure as Code Secure


KICS stands for Keeping Infrastructure as Code Secure. It is open source and a must-have for any cloud native project.

Supported Platforms

  • Terraform
  • Kubernetes
  • Docker
  • CloudFormation
  • Ansible
  • Helm
  • OpenAPI
  • gRPC
  • Azure Resource Manager
  • Google Deployment Manager
  • Cloud Deployment Kit
  • SAM
  • Docker Compose
  • Knative
  • Crossplane
  • Pulumi
  • ServerlessFW
  • Azure BluePrints
  • GitHub Workflows
  • OpenTofu

Beta Features

  • Databricks
  • NIFCloud
  • TencentCloud

In order to run the Databricks, NIFCloud and TencentCloud queries, use the --experimental-queries flag when running KICS.

Getting Started

Setting up and using KICS is super-easy.

Interested in more advanced stuff?

  • Deep dive into KICS queries.
  • Understand how to integrate KICS in your favourite CI/CD pipelines.

See KICS documentation for more details and topics.

How it Works

What makes KICS really powerful and popular is its built-in extensibility. This extensibility is achieved by:

  • Fully customizable and adjustable heuristic rules, called queries, which can be easily edited, extended and added.
  • A robust yet simple architecture, which allows quick addition of support for new Infrastructure as Code solutions.

Community

You're welcome to join our community, talk with us on GitHub discussions or contact KICS core team at [email protected].

KICS Contributors

See our individual contributors in the community page. You're welcome to join them by contributing to KICS.

We would also like to thank the following organizations for their ongoing contributions:

KICS Users

KICS is used by various companies and organizations, some of which are listed below. If you would like to be included here, please open a PR.

Keeping Infrastructure as Code Secure!


© 2024 Checkmarx Ltd. All Rights Reserved.

kics's People

Contributors

arturribeiro-cx, asofsilva, cataraujo190, cx-henriquealvelos, cx-ruiaraujo, cxandrefelicidade, cxlucas, cxmiguelsilva, dependabot[bot], fabiogoncalvescx, felipe-avelar, freitasmillena, gabriel-cx, joaocxmartins, joaomartinscx, joaoreigota1, joaorufi, joelcarvalhocheckmarx, joelsou5a, julioscx, kicsbot, markmishaevcx, mcarvalhox, nunoaraujocx, nunoocx, pedro-mimoso, pereiramarco011, rafaela-soares, rogeriopeixotocx, ruben-silva


kics's Issues

Add Master Authentication is Disabled query for Terraform

Platform

Terraform

Provider

GCP

Description

Kubernetes Engine Clusters must have Master Authentication set to enabled, which means the attribute 'master_auth' must have the subattributes 'username' and 'password' defined and not empty

Add Network Policy is Disabled query for Terraform

Platform

Terraform

Provider

GCP

Description

Kubernetes Engine Clusters must have Network Policy enabled, meaning that the attribute 'network_policy.enabled' must be true and the attribute 'addons_config.network_policy_config.disabled' must be false

Add IP_Aliasing_is_Disabled query for Terraform

Platform

Terraform

Provider

GCP

Description

Kubernetes Clusters must be created with Alias IP ranges enabled, which means the attribute 'ip_allocation_policy' must be defined and, if defined, the attribute 'networking_mode' must be VPC_NATIVE

Add CloudStorageBucketWithPublicAccess query for Terraform

Platform

Terraform

Provider

GCP

Description

This query detects if a Cloud Storage Bucket is anonymously or publicly accessible by checking if the member/members field inside the resource 'google_storage_bucket_iam_member' equals/includes 'allUsers' or 'allAuthenticatedUsers'.
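The check described in this issue, as an added example that is not KICS code: it walks a dict shaped like Terraform's JSON configuration syntax and reports every bucket IAM resource whose 'member' or 'members' names allUsers or allAuthenticatedUsers. The resource types beyond google_storage_bucket_iam_member, the field names and the sample configuration are assumptions, not taken from the project.

```python
# Added example (not KICS code): flag Cloud Storage bucket IAM grants to the
# anonymous (allUsers) or any-authenticated (allAuthenticatedUsers) principals.
# Assumes input shaped like Terraform's JSON configuration syntax:
# {"resource": {"<type>": {"<name>": {...}}}}.
from typing import Any

PUBLIC_PRINCIPALS = frozenset({"allUsers", "allAuthenticatedUsers"})
# Resource types carrying a single 'member' or a list 'members' (assumed schema).
IAM_RESOURCE_TYPES = ("google_storage_bucket_iam_member",
                      "google_storage_bucket_iam_binding")

def _principals(block: dict[str, Any]) -> list[str]:
    """Collect principals from the singular 'member' and the plural 'members' field."""
    found: list[str] = []
    member = block.get("member")
    if isinstance(member, str):
        found.append(member)
    members = block.get("members")
    if isinstance(members, list):
        found.extend(m for m in members if isinstance(m, str))
    return found

def find_public_bucket_bindings(config: dict[str, Any]) -> list[dict[str, str]]:
    """Return one finding per offending resource, in a KICS-like key/expected/actual shape."""
    findings: list[dict[str, str]] = []
    resources = config.get("resource", {})
    for rtype in IAM_RESOURCE_TYPES:
        for name, block in resources.get(rtype, {}).items():
            bad = sorted(p for p in _principals(block) if p in PUBLIC_PRINCIPALS)
            if bad:
                findings.append({
                    "searchKey": f"{rtype}[{name}]",
                    "keyExpectedValue": "member/members should not include allUsers or allAuthenticatedUsers",
                    "keyActualValue": f"member/members includes {', '.join(bad)}",
                })
    return findings

# Constructed sample: one public member, one private member, one binding mixing both.
SAMPLE_CONFIG = {"resource": {
    "google_storage_bucket_iam_member": {
        "public_reader": {"bucket": "example-bucket", "role": "roles/storage.objectViewer", "member": "allUsers"},
        "ci_writer": {"bucket": "example-bucket", "role": "roles/storage.objectAdmin",
                      "member": "serviceAccount:ci@example.iam.gserviceaccount.com"},
    },
    "google_storage_bucket_iam_binding": {
        "auth_readers": {"bucket": "example-bucket", "role": "roles/storage.objectViewer",
                         "members": ["allAuthenticatedUsers", "group:team@example.com"]},
    },
}}
```

Calling find_public_bucket_bindings(SAMPLE_CONFIG) reports public_reader and auth_readers but leaves ci_writer alone, since a binding is only flagged when one of its principals is a public one.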

Update older Terraform queries

Platform

Terraform

Provider

Azure

Description

Rename and change the description and description URL for the following queries:

  • reme_geo_redundancy_disabled
  • reme_ssl_enforce_disabled
  • reme_check_key_expiration_is_set
  • check_secret_expiration_is_set
  • storage_account_enable_Https
  • reme_connection_throttling
  • reme_log_connections
  • sql_auditing_retention
  • mssql_auditing_retention
  • postgre_sql_logs_enabled
  • sql_database_disabled_audit
  • email_alerts_enabled
  • sql_server_auditing_enabled
  • mssql_server_auditing_enabled
  • reme_logRetensionGraterThan90Days
  • ssl_connection_enabled
  • reme_security_center_princing_tier

Add SQLDatabaseBackupConfigurationDisabled query for Terraform

Platform

Terraform

Provider

GCP

Description

This query detects Cloud SQL Database instances with backup_configuration disabled. Checks if, within the 'settings' block, the 'backup_configuration' block exists with the 'enable' field equal to 'false'.

Add SQLDatabaseSSLDisabled query for Terraform

Platform

Terraform

Provider

GCP

Description

This query detects Cloud SQL Database instances with SSL disabled for incoming connections. Checks if, within the 'settings' block, the 'ip_configuration' block exists with the 'require_ssl' field equal to 'false'.

Add categories structure in queries

Currently the queries are divided in the code by "system/provider" (e.g. terraform/aws). A structure grouping the queries per category is recommended to be more readable -> "system/category/provider".

Add End-to-End testing capabilities

By running our engine against our code samples, we should guarantee that it would never fail, for each PR.

Input:
go run ./cmd/console/main.go -p assets/queries
Output:
Exit status should be 0

In case of failure (exit status 1), we should give some information about the error (showing the log, for example).

Add DnssecUseRSASHA1 query for Terraform

Platform

Terraform

Provider

GCP

Description

This query checks if, within the 'dnssec_config' block, the 'default_key_specs' block exists with the 'algorithm' field set to 'rsasha1', which is bad.

Add ObjectVersioningNotEnabled query for Terraform

Platform

Terraform

Provider

GCP

Description

This query ensures that object versioning is enabled on a Google Storage Bucket by checking if the 'versioning' block exists within the 'google_storage_bucket' resource and with the 'enabled' field equal to 'true'.

Add Client Certificate is Disabled query for Terraform

Platform

Terraform

Provider

GCP

Description

Kubernetes Clusters must be created with Client Certificate enabled, which means 'master_auth' must have 'client_certificate_config' with the attribute 'issue_client_certificate' equal to true

Project renaming to KICS

Description

The repo should be renamed to the new name (KICS) - Keeping Infrastructure as Code Secure

All hardcoded places containing the previous name should also be addressed.

Add logRetention query for Terraform

Platform

Terraform

Provider

Azure

Description

Ensure server parameter 'log_retention_days' is greater than 3 days for PostgreSQL Database Server
