Feature/lab6#1326

Open
Lisoon22 wants to merge 9 commits into inno-devops-labs:main from Lisoon22:feature/lab6

Conversation

@Lisoon22 Lisoon22 commented Jul 2, 2026

Goal

Complete Lab 6 by scanning the deliberately vulnerable infrastructure-as-code samples with Checkov and KICS, prioritizing repeated findings at the module level, and implementing a project-specific Checkov policy.

Changes

  • Added submissions/lab6.md containing:

    • Checkov Terraform scan totals;
    • passed, failed, skipped, and parsing-error counts;
    • failed-check severity breakdown;
    • top five Checkov rule IDs by frequency;
    • module-level remediation analysis;
    • KICS Ansible severity breakdown;
    • KICS Pulumi severity breakdown;
    • top five KICS queries by finding count;
    • Checkov-versus-KICS comparison.
  • Added the custom Checkov policy:

    • labs/lab6/policies/my-custom-policy.yaml
  • Added project-specific rule CKV2_CUSTOM_1, requiring taggable AWS resources to declare a tags.project ownership tag.

  • Included proof in the submission that the custom policy was accepted and produced at least one failed check.

  • Kept the deliberately vulnerable IaC fixtures unchanged.

  • Excluded regenerable scanner reports from the commit.

Testing

The following commands were used:

./scripts/lab6_install_arch.sh
sudo systemctl start docker
./scripts/lab6_run_all.sh

Checkov Terraform results were verified with:

jq '.summary' \
  labs/lab6/results/checkov-terraform.json

KICS reports were verified with:

jq '.queries | length' \
  labs/lab6/results/kics-ansible/results.json

jq '.queries | length' \
  labs/lab6/results/kics-pulumi/results.json

The custom Checkov policy was verified with:

jq '
  if type == "array" then
    .[]?.results.failed_checks[]?
  else
    .results.failed_checks[]?
  end
  | select(.check_id == "CKV2_CUSTOM_1")
' labs/lab6/results/checkov-custom.json

The generated submission was reviewed with:

cat submissions/lab6.md

Artifacts & Screenshots

Committed:

  • labs/lab6/policies/my-custom-policy.yaml
  • submissions/lab6.md

Generated locally but intentionally not committed:

  • labs/lab6/results/checkov-terraform.json
  • labs/lab6/results/checkov-custom.json
  • labs/lab6/results/kics-ansible/
  • labs/lab6/results/kics-pulumi/

Checklist

  • PR title clearly describes the Lab 6 changes
  • Vulnerable IaC fixtures were not modified
  • No secrets or credentials were committed
  • Regenerable scanner output was excluded
  • Submission exists at submissions/lab6.md
  • Commit is SSH-signed

Lab Checklist

  • Task 1 — Checkov Terraform scan completed
  • Task 1 — severity and top-five rule tables included
  • Task 1 — concrete module-leverage remediation identified
  • Task 2 — KICS Ansible scan completed
  • Task 2 — KICS Pulumi scan completed
  • Task 2 — Checkov-versus-KICS comparison included
  • Bonus — custom Checkov policy added
  • Bonus — CKV2_CUSTOM_1 demonstrably fired
  • Bonus — business and incident-response justification included
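
As an added illustration (not the policy file this PR commits at labs/lab6/policies/my-custom-policy.yaml), a Checkov YAML custom policy of the kind described above: it is keyed as CKV2_CUSTOM_1 and fails any listed AWS resource type whose tags.project attribute is absent. The resource-type list, check name, category and the fixtures directory in the run comment are assumptions.

```yaml
# Added example of a Checkov custom YAML policy; illustrative, not the PR's own file.
# Run it against the Terraform fixtures (directory name is a placeholder) with:
#   checkov -d <terraform-fixtures-dir> --external-checks-dir labs/lab6/policies -o json
metadata:
  id: "CKV2_CUSTOM_1"
  name: "Taggable AWS resources must declare a tags.project ownership tag"
  category: "GENERAL_SECURITY"
scope:
  provider: "aws"
definition:
  # A single attribute condition: the check fails when tags.project does not exist
  # on any resource of the listed types (a missing tags block also fails).
  cond_type: "attribute"
  resource_types:
    # Assumed subset of taggable AWS resource types; extend to match the fixtures.
    - "aws_instance"
    - "aws_s3_bucket"
    - "aws_security_group"
    - "aws_lambda_function"
    - "aws_db_instance"
  attribute: "tags.project"
  operator: "exists"
```

A failed result from this check carries `check_id` "CKV2_CUSTOM_1" in the JSON output, which is the value the jq filter in the Testing section selects on.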