diff --git a/README.md b/README.md
index c95c455..e88aae9 100644
--- a/README.md
+++ b/README.md
@@ -1,10 +1,29 @@
-# KICS Github Action 
+# KICS Github Action
[](https://www.gnu.org/licenses)
[](https://github.com/checkmarx/kics-github-action/releases)
[](https://github.com/checkmarx/kics-github-action/issues)
-## Integrate KICS into your GitHub workflows, using KICS Github Action to make your IaC more secure
+- [KICS Github Action](#kics-github-action)
+ - [Integrate KICS into your GitHub workflows](#integrate-kics-into-your-github-workflows)
+ - [Supported Platforms](#supported-platforms)
+ - [Please find more info in the official website: kics.io](#please-find-more-info-in-the-official-website-kicsio)
+ - [Inputs](#inputs)
+ - [Simple usage example](#simple-usage-example)
+ - [Workflow failures](#workflow-failures)
+ - [Don't fail on results](#dont-fail-on-results)
+ - [Fail by severity usage example](#fail-by-severity-usage-example)
+ - [Enabling Pull Request Comment](#enabling-pull-request-comment)
+ - [PR Comment Example](#pr-comment-example)
+ - [Annotations](#annotations)
+ - [Profiling KICS](#profiling-kics)
+ - [Uploading SARIF report](#uploading-sarif-report)
+ - [Using configuration file](#using-configuration-file)
+ - [How To Contribute](#how-to-contribute)
+- [License](#license)
+
+## Integrate KICS into your GitHub workflows
+
**KICS** (pronounced as 'kick-s') or **Kicscan** is an open source solution for static code analysis of Infrastructure as Code.
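Review bot: the TOC entry `[Please find more info in the official website: kics.io](#please-find-more-info-in-the-official-website-kicsio)` promotes a sentence to an outline heading; rename that section to something like `### Further information` (and update the anchor, which GitHub derives from the heading text) so the table of contents reads as an outline. Nesting is also inconsistent: `- [How To Contribute]` is indented under `KICS Github Action` while `- [License]` is a top-level entry; either both sections are h2 siblings or neither is. The shortened `## Integrate KICS into your GitHub workflows` heading matches its TOC anchor, and the trailing-whitespace fix on the title line is fine.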
@@ -28,34 +47,36 @@ It is as simple as running a CLI tool, making it easy to integrate into any proj
### Please find more info in the official website: kics.io
+And official documentation page docs.kics.io
+
## Inputs
-| Variable | Example Value | Description | Type | Required | Default |
-| ------------------ | --------------------------------------- | ---------------------------------------------------------------- | ------- | -------- | --------------------------------------------- |
-| enable_comment | true | Enable pull request report comments | Boolean | No | false |
-| path | terraform/main.tf,Dockerfile | paths to a file or directories to scan, comma separated list | String | Yes | N/A |
-| ignore_on_exit | results | defines which non-zero exit codes should be ignored (all, results, errors, none) | String | No | none |
-| fail_on | high,medium | comma separated list of which severities returns exit code !=0 | String | No | high,medium,low,info |
-| timeout | 75 | number of seconds the query has to execute before being canceled | String | No | 60 |
-| profiling | CPU | turns on profiler that prints resource consumption in the logs during the execution (CPU, MEM) | String | No | N/A |
-| config_path | ./kics.config | path to configuration file | String | No | N/A |
-| platform_type | terraform,ansible | case insensitive list of platform types to scan | String | No | All platforms |
-| exclude_paths | ./shouldNotScan/*,somefile.txt | exclude paths from scan, supports glob, comma separated list | String | No | N/A |
-| exclude_queries | a227ec01-f97a-4084-91a4-47b350c1db54 | exclude queries by providing the query ID, comma separated list | String | No | N/A |
-| exclude_categories | 'Observability,Networking and Firewall' | exclude categories by providing its name, comma separated list | String | No | N/A |
-| exclude_results | 'd4a1fa80-d9d8-450f-87c2-e1f6669c41f8' | exclude results by providing the similarity ID of a result | String | No | N/A |
-| include_queries | a227ec01-f97a-4084-91a4-47b350c1db54 | include only specified list of queries to the scan, cannot be provided with query exclusion flags | String | No | N/A |
-| output_formats | 'json,sarif' | formats in which the results report will be exported | String | No | json |
-| output_path | results.json | file path to store result in json format | String | No | N/A |
-| payload_path | /tmp/mypayload.json | file path to store source internal representation in JSON format | String | No | N/A |
-| queries | | path to directory with queries (default "./assets/queries") | String | No | ./assets/queries downloaded with the binaries |
-| verbose | true | verbose scan | Boolean | No | false |
-| type | Ansible,Dockerfile | case insensitive comma-separated list of platform types to scan (Ansible, AzureResourceManager, CloudFormation, Dockerfile, Kubernetes, OpenAPI, Terraform) | String | No | all types |
-| bom | true | include bill of materials (BoM) in results.json output | Boolean | No | false |
-| disable_full_descriptions | false | disable request for full descriptions and use default vulnerability descriptions | Boolean | false |
-| disable_secrets | false | disable secrets detection | Boolean | false |
-| secrets_regexes_path| ./mydir/secrets-config.json | path to custom secrets regex rules configuration file | String | No | N/A |
-| libraries_path | ./myLibsDir | path to directory with Rego libraries | String | No | N/A |
+| Variable | Example Value | Description | Type | Required | Default |
+| ------------------------- | --------------------------------------- | ----------------------------------------------------------------------------------------------------------------------------------------------------------- | ------- | -------- | --------------------------------------------- |
+| enable_comment | true | Enable pull request report comments | Boolean | No | false |
+| path | terraform/main.tf,Dockerfile | paths to a file or directories to scan, comma separated list | String | Yes | N/A |
+| ignore_on_exit | results | defines which non-zero exit codes should be ignored (all, results, errors, none) | String | No | none |
+| fail_on | high,medium | comma separated list of which severities returns exit code !=0 | String | No | high,medium,low,info |
+| timeout | 75 | number of seconds the query has to execute before being canceled | String | No | 60 |
+| profiling | CPU | turns on profiler that prints resource consumption in the logs during the execution (CPU, MEM) | String | No | N/A |
+| config_path | ./kics.config | path to configuration file | String | No | N/A |
+| platform_type | terraform,ansible | case insensitive list of platform types to scan | String | No | All platforms |
+| exclude_paths | ./shouldNotScan/*,somefile.txt | exclude paths from scan, supports glob, comma separated list | String | No | N/A |
+| exclude_queries | a227ec01-f97a-4084-91a4-47b350c1db54 | exclude queries by providing the query ID, comma separated list | String | No | N/A |
+| exclude_categories | 'Observability,Networking and Firewall' | exclude categories by providing its name, comma separated list | String | No | N/A |
+| exclude_results | 'd4a1fa80-d9d8-450f-87c2-e1f6669c41f8' | exclude results by providing the similarity ID of a result | String | No | N/A |
+| include_queries | a227ec01-f97a-4084-91a4-47b350c1db54 | include only specified list of queries to the scan, cannot be provided with query exclusion flags | String | No | N/A |
+| output_formats | 'json,sarif' | formats in which the results report will be exported | String | No | json |
+| output_path | results.json | file path to store result in json format | String | No | N/A |
+| payload_path | /tmp/mypayload.json | file path to store source internal representation in JSON format | String | No | N/A |
+| queries | | path to directory with queries (default "./assets/queries") | String | No | ./assets/queries downloaded with the binaries |
+| verbose | true | verbose scan | Boolean | No | false |
+| type | Ansible,Dockerfile | case insensitive comma-separated list of platform types to scan (Ansible, AzureResourceManager, CloudFormation, Dockerfile, Kubernetes, OpenAPI, Terraform) | String | No | all types |
+| bom | true | include bill of materials (BoM) in results.json output | Boolean | No | false |
+| disable_full_descriptions | false | disable request for full descriptions and use default vulnerability descriptions | Boolean | false |
+| disable_secrets | false | disable secrets detection | Boolean | false |
+| secrets_regexes_path | ./mydir/secrets-config.json | path to custom secrets regex rules configuration file | String | No | N/A |
+| libraries_path | ./myLibsDir | path to directory with Rego libraries | String | No | N/A |
## Simple usage example
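Review bot: the `disable_full_descriptions` and `disable_secrets` rows still have five cells instead of six (`| Boolean | false |` with no Required column), so GitHub renders `false` under Required and leaves Default empty; add `| No |` before the default while the table is being realigned anyway. The rewrite also keeps two rows for what looks like the same input: `platform_type` ("case insensitive list of platform types to scan", default "All platforms") and `type` (same description plus the platform list, default "all types"); only one of these can be the key the action actually reads from `with:`, so check action.yml and drop the other or state that it is an alias. Minor: `exclude_results` is described as taking a single similarity ID while the neighbouring exclusion inputs say "comma separated list"; say which it is. The new sentence "And official documentation page docs.kics.io" could link the domain the way `kics.io` is presented above it.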
@@ -82,24 +103,6 @@ It is as simple as running a CLI tool, making it easy to integrate into any proj
By default KICS will fail your workflow on any results found.
-### Fail by severity usage example
-
-If want your pipeline just to fail on HIGH and MEDIUM severity results and KICS engine execution errors:
-
-```yaml
- steps:
- - uses: actions/checkout@v2
- - name: run kics Scan
- uses: checkmarx/kics-action@v1.3
- with:
- path: 'terraform,my-other-sub-folder/Dockerfile'
- fail_on: high,medium
- output_path: 'results.json'
- - name: display kics results
- run: |
- cat results.json
-```
-
### Don't fail on results
If you want KICS to ignore the results and return exit status code 0 unless a KICS engine error happens:
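Review bot: moving "Fail by severity usage example" below "Don't fail on results" matches the new TOC order and the removed text is re-added unchanged further down, so nothing is lost here. The remaining context line "By default KICS will fail your workflow on any results found" is now slightly at odds with the Inputs table, where the default `fail_on` is `high,medium,low,info`: `trace` is not in that list even though it is a category the PR comment example reports, so qualify the sentence (for example "on any result of severity info or higher") or state explicitly that trace results never fail the workflow.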
@@ -118,6 +121,88 @@ If you want KICS to ignore the results and return exit status code 0 unless a KI
cat results.json
```
+### Fail by severity usage example
+
+If want your pipeline just to fail on HIGH and MEDIUM severity results and KICS engine execution errors:
+
+```yaml
+ steps:
+ - uses: actions/checkout@v2
+ - name: run kics Scan
+ uses: checkmarx/kics-action@v1.3
+ with:
+ path: 'terraform,my-other-sub-folder/Dockerfile'
+ fail_on: high,medium
+ output_path: 'results.json'
+ - name: display kics results
+ run: |
+ cat results.json
+```
+
+## Enabling Pull Request Comment
+
+`GITHUB_TOKEN` enables this github action to access github API and post comments in a pull request:
+
+```yaml
+name: Test KICS action PR comment
+
+on:
+ pull_request:
+
+jobs:
+ test:
+ runs-on: ubuntu-latest
+ steps:
+ - uses: actions/checkout@v2
+ - name: run kics Scan
+ uses: checkmarx/kics-action@v1.3
+ with:
+ path: test/samples/positive1.tf,test/samples/positive2.tf
+ token: ${{ secrets.GITHUB_TOKEN }}
+ output_path: myResults/
+ ignore_on_exit: results
+ enable_comments: true
+```
+
+### PR Comment Example
+
+
+
+
+**KICS version: 1.4.5**
+
+
+
+
+
+| | Category | Results |
+| --------------------------------------------------------------------------------------------------------------- | -------- | ------- |
+|  | HIGH | 3 |
+|  | MEDIUM | 2 |
+|  | LOW | 0 |
+|  | INFO | 0 |
+|  | TRACE | 0 |
+|  | TOTAL | 5 |
+
+ |
+
+| | Metric | Values |
+| -------------------------------------------------------------------------------------------------------------------- | ------------------------- | ------ |
+|  | Files scanned | 2 |
+|  | Files parsed | 2 |
+|  | Files failed to scan | 0 |
+|  | Total queries | 821 |
+|  | Queries failed to execute | 0 |
+|  | Execution time | 13s |
+
+ |
+
+
+## Annotations
+
+After scanning, [kics-github-action](https://github.com/Checkmarx/kics-github-action) will add the results as annotations in a pull request:
+
+
## Profiling KICS
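Review bot: the PR comment workflow sets `enable_comments: true`, but the Inputs table documents the input as `enable_comment`; an unrecognised `with:` key only produces an "Unexpected input(s)" warning on the runner, so with the wrong spelling no comment is ever posted. Fix whichever side is wrong, and add `token` to the Inputs table since the example uses it but the table does not list it. Posting with `token: ${{ secrets.GITHUB_TOKEN }}` also requires `pull-requests: write`, which is not granted when the repository uses restricted default workflow permissions, and for `pull_request` runs triggered from forks the token is read-only; show a `permissions:` block (`contents: read`, `pull-requests: write`) in the example and say that fork PRs will not receive a comment. `output_path: myResults/` is a directory while the table calls `output_path` a "file path to store result in json format"; align the two. The re-added "Fail by severity" text carries over the typo "If want your pipeline" ("If you want"), and both examples reference `actions/checkout@v2` and `checkmarx/kics-action@v1.3` by mutable tag; for a security scanner's own README, pinning by full commit SHA (or at least mentioning it) is the better demonstration. Finally, `checkmarx/kics-action` differs from the repository name `checkmarx/kics-github-action` used in the Annotations link; confirm which slug the Marketplace publishes.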
@@ -234,65 +319,6 @@ jobs:
with:
sarif_file: results-dir/results.sarif
```
-
-## Enabling Pull Request Comment
-
-`GITHUB_TOKEN` enables this github action to access github API and post comments in a pull request:
-
-```yaml
-name: Test KICS action PR comment
-
-on:
- pull_request:
-
-jobs:
- test:
- runs-on: ubuntu-latest
- steps:
- - uses: actions/checkout@v2
- - name: run kics Scan
- uses: checkmarx/kics-action@v1.3
- with:
- path: test/samples/positive1.tf,test/samples/positive2.tf
- token: ${{ secrets.GITHUB_TOKEN }}
- output_path: myResults/
- ignore_on_exit: results
- enable_comments: true
-```
-
-### Example Pull Request Comment
-
-
-
-
-**KICS version: 1.4.5**
-
-
-
-
-
-| | Category | Results |
-| --- |--- | --- |
-|  |HIGH | 3 |
-|  |MEDIUM | 2 |
-|  |LOW | 0 |
-|  |INFO | 0 |
-|  |TRACE | 0 |
-|  | TOTAL | 5 |
-
- |
-
-| | Metric | Values |
-| --- | --- | --- |
-|  | Files scanned | 2 |
-|  | Files parsed | 2 |
-|  | Files failed to scan | 0 |
-|  | Total queries | 821 |
-|  | Queries failed to execute | 0 |
-|  | Execution time | 13s |
-
- |
-
## How To Contribute
We welcome [issues](https://github.com/checkmarx/kics-github-action/issues) to and [pull requests](https://github.com/checkmarx/kics-github-action/pulls) against this repository!
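Review bot: this deletion is the counterpart of the block re-added under "Workflow failures"; comparing the two, only the subheading ("Example Pull Request Comment" becomes "PR Comment Example") and the widened table separators differ, so no content is lost. The hunk removes the blank line that followed the SARIF example's closing fence (`sarif_file: results-dir/results.sarif`) along with the section, leaving the fence directly followed by `## How To Contribute`; restore one blank line there. While in this area, the context sentence "We welcome [issues](...) to and [pull requests](...) against this repository!" reads awkwardly; "We welcome issues and pull requests against this repository!" with the same links is cleaner.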
diff --git a/images/annotations-preview.png b/images/annotations-preview.png
new file mode 100644
index 0000000..e977cca
Binary files /dev/null and b/images/annotations-preview.png differ