feat(kics): add a kics job for security misconfiguration checks (2e62739d) · Commits · to be continuous... / Docker Compose

README.md

+15 −1

Original line number	Diff line number	Diff line
		@@ -406,3 +406,17 @@ Here are its parameters:
		\| `config-opts` / `DCMP_CONFIG_OPTS` \| [`compose config` options](https://docs.docker.com/reference/cli/docker/compose/config/#options) \| `--quiet` _(to avoid displaying secrets inadvertently)_ \|
		\| `stack-config-opts` / `DCMP_STACK_CONFIG_OPTS` \| [`stack config` options](https://docs.docker.com/reference/cli/docker/stack/config/) \| "" \|
		\| `stack-config-silent` / `DCMP_STACK_CONFIG_SILENT` \| Silences standard output of `stack config` command \| `true` (standard output silenced) \|

		### KICS job

		The Docker Compose template enables running [KICS](https://docs.kics.io/latest/) thus enabling detection of security misconfigurations in your Compose file.

		This job is mapped to the `package-test` stage and is disabled by default.

		Here are its parameters:

		\| Input / Variable \| Description \| Default value \|
		\| ----------------------- \| ----------------------------------------- \| ----------------------------- \|
		\| `kics-enabled` / `DCMP_KICS_ENABLED` \| Set to `true` to enable `kics` \| false \|
		\| `kics-image` / `DCMP_KICS_IMAGE` \| kics docker image \| `docker.io/checkmarx/kics:latest` \|
		\| `kics-args` / `DCMP_KICS_ARGS` \| kics scan [options and args](https://docs.kics.io/latest/commands/#scan_command_options) \| `--ci` \|

kicker.json

+20 −0

Original line number	Diff line number	Diff line
		@@ -120,6 +120,26 @@
		}
		]
		},
		{
		"id": "kics",
		"name": "KICS",
		"description": "Runs [`kics`](https://docs.kics.io/latest/) to detect security misconfigurations in your Compose file(s)",
		"enable_with": "DCMP_KICS_ENABLED",
		"variables": [
		{
		"name": "DCMP_KICS_IMAGE",
		"description": "kics docker image",
		"default": "docker.io/checkmarx/kics:latest",
		"advanced": true
		},
		{
		"name": "DCMP_KICS_ARGS",
		"description": "kics scan [options and args](https://docs.kics.io/latest/commands/#scan_command_options)",
		"default": "--ci",
		"advanced": true
		}
		]
		},
		{
		"id": "integration",
		"name": "Integration",

templates/gitlab-ci-docker-compose.yml

+32 −0

Original line number	Diff line number	Diff line
		@@ -109,6 +109,16 @@ spec:
		- manual
		- auto
		default: manual
		kics-enabled:
		description: Enable kics
		type: boolean
		default: false
		kics-image:
		description: kics docker image
		default: docker.io/checkmarx/kics:latest
		kics-args:
		description: kics scan [options and args](https://docs.kics.io/latest/commands/#scan_command_options)
		default: --ci
		---
		# default workflow rules: Merge Request pipelines
		.tbc-workflow-rules:
		@@ -207,6 +217,10 @@ variables:
		DCMP_PROD_ENVIRONMENT_URL: $[[ inputs.prod-environment-url ]]
		DCMP_PROD_DEPLOY_STRATEGY: $[[ inputs.prod-deploy-strategy ]]

		DCMP_KICS_ENABLED: $[[ inputs.kics-enabled ]]
		DCMP_KICS_IMAGE: $[[ inputs.kics-image ]]
		DCMP_KICS_ARGS: $[[ inputs.kics-args ]]

		# default production ref name (pattern)
		PROD_REF: '/^(master\|main)$/'
		# default integration ref name (pattern)
		@@ -1020,6 +1034,24 @@ compose-config-production:
		# test policy rules must come last
		- !reference [.test-policy, rules]

		compose-kics:
		extends: .compose-base
		image: "$DCMP_KICS_IMAGE"
		stage: package-test
		script:
		- mkdir -p -m 777 reports
		- kics scan ${TRACE+--verbose} --report-formats "glsast" --output-path reports --output-name docker-compose-kics --path $COMPOSE_FILE $DCMP_KICS_ARGS
		artifacts:
		name: "KICS report from $CI_PROJECT_NAME on $CI_COMMIT_REF_SLUG"
		expire_in: 1 day
		access: developer
		paths:
		- "reports/gl-sast-docker-compose-kics.json"
		reports:
		sast: reports/gl-sast-docker-compose-kics.json
		rules:
		- if: '$DCMP_KICS_ENABLED == "true"'

		# deploy to review env (only on feature branches)
		# disabled by default, enable this job by setting $DCMP_REVIEW_DOCKER_HOST.
		compose-review:

Original line number	Diff line number	Diff line
		@@ -406,3 +406,17 @@ Here are its parameters:
		\| `config-opts` / `DCMP_CONFIG_OPTS` \| [`compose config` options](https://docs.docker.com/reference/cli/docker/compose/config/#options) \| `--quiet` _(to avoid displaying secrets inadvertently)_ \|
		\| `stack-config-opts` / `DCMP_STACK_CONFIG_OPTS` \| [`stack config` options](https://docs.docker.com/reference/cli/docker/stack/config/) \| "" \|
		\| `stack-config-silent` / `DCMP_STACK_CONFIG_SILENT` \| Silences standard output of `stack config` command \| `true` (standard output silenced) \|

		### KICS job

		The Docker Compose template enables running [KICS](https://docs.kics.io/latest/) thus enabling detection of security misconfigurations in your Compose file.

		This job is mapped to the `package-test` stage and is disabled by default.

		Here are its parameters:

		\| Input / Variable \| Description \| Default value \|
		\| ----------------------- \| ----------------------------------------- \| ----------------------------- \|
		\| `kics-enabled` / `DCMP_KICS_ENABLED` \| Set to `true` to enable `kics` \| false \|
		\| `kics-image` / `DCMP_KICS_IMAGE` \| kics docker image \| `docker.io/checkmarx/kics:latest` \|
		\| `kics-args` / `DCMP_KICS_ARGS` \| kics scan [options and args](https://docs.kics.io/latest/commands/#scan_command_options) \| `--ci` \|