KICS
stages:
  - Test

kics-scan:
  stage: Test
  tags:
    - docker
  image: docker:latest
  services:
    - docker:dind
  variables:
    # SHA of the v1.2.1 Docker image (pinned by digest rather than by tag)
    KICS_IMAGE_VERSION: sha256:8e9cebdc32fbd0102454136ca3c0e5d46d82e7b668fc936508a304da54dc4450
    # KICS queries list: https://docs.kics.io/queries/all-queries/
    # Excluded queries:
    # - Master Authentication is Disabled (1baba08e-3c8a-4be7-95eb-dced5833de21)
    # - Node Auto Upgrade Not Enabled (b139213e-7d24-49c2-8025-c18faa21ecaa): we want to do upgrades manually
    # - GKE Basic Authentication is Enabled (70cdf849-b7d9-4569-b87d-5d82ffd44719)
    # - GCE resource labels (65c1bc7a-4835-4ac4-a2b6-13d310b0648d)
    # - Private Cluster Is Disabled (6ccb85d7-0420-4907-9380-50313f80946b): we intentionally do not use a private cluster, to make interacting with it easier. It is secured with IP-based protection and OAuth.
    # Comma-separated list with no spaces around the commas
    KICS_EXCLUDED_QUERIES: 1baba08e-3c8a-4be7-95eb-dced5833de21,b139213e-7d24-49c2-8025-c18faa21ecaa,70cdf849-b7d9-4569-b87d-5d82ffd44719,65c1bc7a-4835-4ac4-a2b6-13d310b0648d,6ccb85d7-0420-4907-9380-50313f80946b
  script:
    # Scan the checked-out repository and write the JSON report into it
    - docker run --rm -v "$(pwd):/repo" "checkmarx/kics@${KICS_IMAGE_VERSION}" scan -p /repo -o /repo/kics-results.json --no-progress --exclude-queries "${KICS_EXCLUDED_QUERIES}"
    # Pull the HIGH count out of the report's severity counters (a line like `"HIGH": 3,`) and drop the trailing comma
    - SEVERITY_COUNTER_HIGH=$(grep '"HIGH": ' kics-results.json | awk '{print $2}' | sed 's/,$//')
    # Fail the job while any HIGH severity findings remain (an empty count would otherwise break the integer test)
    - |
      if [ "${SEVERITY_COUNTER_HIGH:-0}" -ge 1 ];
      then
        echo "Please fix all ${SEVERITY_COUNTER_HIGH} HIGH SEVERITY ISSUES"
        exit 1
      fi
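A more robust replacement for the grep/awk/sed gate above, added here as an example and not part of the gist: it reads the severity counters of kics-results.json with a JSON parser, fails closed when the report is missing or malformed, and allows one threshold per severity. The report field names and the sample counts are assumptions constructed for this example.

```python
import json
import sys

# Constructed sample in the shape of the severity-counter block the gist's
# grep pipeline reads from kics-results.json (assumption: field names match
# the KICS report; the counts are made up for this example).
SAMPLE_RESULTS = json.dumps({
    "total_counter": 7,
    "severity_counters": {"HIGH": 2, "INFO": 1, "LOW": 1, "MEDIUM": 3},
})


def blocking_findings(results_json: str, thresholds: dict) -> dict:
    """Return {severity: count} for each severity whose count reaches its
    threshold. An unreadable report raises instead of counting as zero,
    unlike an empty shell variable fed to `[ "" -ge 1 ]`."""
    try:
        report = json.loads(results_json)
        counters = report["severity_counters"]
    except (ValueError, KeyError, TypeError) as exc:
        raise RuntimeError(f"unreadable KICS report: {exc}") from exc
    return {
        sev: counters.get(sev, 0)
        for sev, limit in thresholds.items()
        if counters.get(sev, 0) >= limit
    }


def gate(results_json: str, thresholds=None) -> int:
    """Exit code for the CI job: 1 if any threshold is reached, else 0."""
    thresholds = thresholds or {"HIGH": 1}
    hits = blocking_findings(results_json, thresholds)
    for sev, count in hits.items():
        print(f"Please fix all {count} {sev} severity issues")
    return 1 if hits else 0


if __name__ == "__main__":
    # Usage: python kics_gate.py [path/to/kics-results.json]
    path = sys.argv[1] if len(sys.argv) > 1 else None
    data = open(path).read() if path else SAMPLE_RESULTS
    sys.exit(gate(data, {"HIGH": 1, "MEDIUM": 5}))
```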