
Feature/lab6 #2

Open
raaller wants to merge 8 commits into main from feature/lab6

@raaller raaller commented Jul 2, 2026

Owner

Goal

Scan the deliberately vulnerable Terraform, Ansible, and Pulumi IaC samples using Checkov and KICS, triage the findings, compare the tools, and implement a custom Checkov policy requiring RDS resources to have a restricted-data classification tag.

Changes

  • submissions/lab6.md
    • Checkov Terraform results split by framework
    • Top-five Checkov rules by frequency
    • Module-level remediation analysis
    • KICS Ansible and Pulumi severity breakdowns
    • Checkov-vs-KICS comparison
    • Custom policy definition and firing evidence
  • labs/lab6/policies/my-custom-policy.yaml
    • Custom Checkov policy CKV2_CUSTOM_1
    • Requires every aws_db_instance to define tags.DataClassification = "restricted"

Testing

Checkov on Terraform

checkov -d labs/lab6/vulnerable-iac/terraform \
  --output cli --output json \
  --output-file-path labs/lab6/results/checkov-terraform/

Results:

terraform: passed 49, failed 78
secrets:   passed 0,  failed 2

Top-five rules:

jq '[.[].results.failed_checks[]?.check_id]
    | group_by(.)
    | map({rule: .[0], count: length})
    | sort_by(-.count)
    | .[:5]' \
  labs/lab6/results/checkov-terraform/results_json.json
CKV_AWS_289: 4
CKV_AWS_355: 4
CKV_AWS_23:  3
CKV_AWS_288: 3
CKV_AWS_290: 3

KICS on Ansible

docker run --rm \
  -v "$(pwd)/labs/lab6:/path" \
  checkmarx/kics:v2.1.20 \
  scan \
    -p /path/vulnerable-iac/ansible/ \
    -o /path/results/kics-ansible/ \
    --report-formats json,sarif

Individual findings:

HIGH:  9
LOW:   1
Total: 10

Query-group severity breakdown:

jq '[.queries[].severity]
    | group_by(.)
    | map({severity: .[0], count: length})' \
  labs/lab6/results/kics-ansible/results.json
HIGH: 3 query groups
LOW:  1 query group

KICS on Pulumi

docker run --rm \
  -v "$(pwd)/labs/lab6:/path" \
  checkmarx/kics:v2.1.20 \
  scan \
    -p /path/vulnerable-iac/pulumi/ \
    -o /path/results/kics-pulumi/ \
    --report-formats json,sarif

Results:

CRITICAL: 1
HIGH:     2
MEDIUM:   1
LOW:      0
INFO:     2
Total:    6

Query-group severity breakdown:

jq '[.queries[].severity]
    | group_by(.)
    | map({severity: .[0], count: length})' \
  labs/lab6/results/kics-pulumi/results.json

Custom Checkov policy

checkov -d labs/lab6/vulnerable-iac/terraform \
  --external-checks-dir labs/lab6/policies \
  --output cli --output json \
  --output-file-path labs/lab6/results/checkov-custom/

Verification:

jq '[.[].results.failed_checks[]?]
    | map(select(.check_id | startswith("CKV2_CUSTOM_")))' \
  labs/lab6/results/checkov-custom/results_json.json

CKV2_CUSTOM_1 fired on:

aws_db_instance.unencrypted_db
aws_db_instance.weak_db

Both resources are missing the required classification:

tags = {
  DataClassification = "restricted"
}

Artifacts

  • Submission report: submissions/lab6.md
  • Custom policy: labs/lab6/policies/my-custom-policy.yaml

Scanner-generated output under labs/lab6/results/ is intentionally not committed.

Checklist

  • Title follows the feat(labN): <topic> convention
  • No secrets or generated scanner output committed
  • Submission file exists at submissions/lab6.md
  • Task 1 — Checkov on Terraform with top-five rules and module-leverage analysis
  • Task 2 — KICS on Ansible and Pulumi with Checkov-vs-KICS comparison
  • Bonus — Custom Checkov policy demonstrably firing on vulnerable Terraform resources

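Added example, not code from this PR or the lab repository: a Python rendering of the triage steps in the Testing section (per-framework pass/fail summary, top-five failed rules, custom-policy verification) together with the rule logic of CKV2_CUSTOM_1, run over constructed Checkov JSON. The sample records, file names and function names are assumptions. One caveat it handles that the jq pipelines above do not: Checkov writes results_json.json as a single report object when only one framework produced a report and as a list of report objects when several did (here terraform and secrets), so `.[].results...` only works on the list form.

```python
"""Triage helpers for Checkov JSON output plus the CKV2_CUSTOM_1 rule logic.

Added example, not the lab's own code. The JSON below is constructed to mirror
the shape Checkov writes to results_json.json: one report object when a single
framework reported, a list of report objects when several did.
"""
import json
from collections import Counter

# Constructed sample: terraform + secrets reports, the list form Checkov emits
# for a multi-framework run. Resource names mirror the PR text; counts do not.
SAMPLE_MULTI = json.dumps([
    {
        "check_type": "terraform",
        "results": {
            "passed_checks": [],
            "failed_checks": [
                {"check_id": "CKV_AWS_16", "resource": "aws_db_instance.unencrypted_db"},
                {"check_id": "CKV2_CUSTOM_1", "resource": "aws_db_instance.unencrypted_db"},
                {"check_id": "CKV2_CUSTOM_1", "resource": "aws_db_instance.weak_db"},
                {"check_id": "CKV_AWS_289", "resource": "aws_iam_policy.admin_a"},
                {"check_id": "CKV_AWS_289", "resource": "aws_iam_policy.admin_b"},
            ],
        },
    },
    {
        "check_type": "secrets",
        "results": {
            "passed_checks": [],
            "failed_checks": [
                {"check_id": "CKV_SECRET_6", "resource": "a1b2c3"},
            ],
        },
    },
])

# Constructed sample: single-framework run, where Checkov writes one object.
SAMPLE_SINGLE = json.dumps({
    "check_type": "terraform",
    "results": {
        "passed_checks": [],
        "failed_checks": [
            {"check_id": "CKV_AWS_16", "resource": "aws_db_instance.unencrypted_db"},
        ],
    },
})


def load_reports(text):
    """Normalise Checkov JSON to a list of report objects, whichever shape was written."""
    data = json.loads(text)
    return data if isinstance(data, list) else [data]


def failed_checks(text, frameworks=None):
    """Yield failed-check records, optionally restricted to the given check_type values."""
    for report in load_reports(text):
        if frameworks and report.get("check_type") not in frameworks:
            continue
        yield from report.get("results", {}).get("failed_checks", [])


def summary_by_framework(text):
    """Per-framework passed/failed counts, as in the CLI summary lines."""
    return {
        r["check_type"]: {
            "passed": len(r["results"].get("passed_checks", [])),
            "failed": len(r["results"].get("failed_checks", [])),
        }
        for r in load_reports(text)
    }


def top_rules(text, n=5):
    """Most frequent failed check IDs; same result as the jq group_by/sort_by pipeline."""
    counts = Counter(fc["check_id"] for fc in failed_checks(text))
    return counts.most_common(n)


def custom_policy_hits(text, prefix="CKV2_CUSTOM_"):
    """Resources each custom policy fired on, keyed by check ID (the verification step)."""
    hits = {}
    for fc in failed_checks(text):
        if fc["check_id"].startswith(prefix):
            hits.setdefault(fc["check_id"], []).append(fc["resource"])
    return hits


def rds_classification_ok(conf):
    """Rule logic of CKV2_CUSTOM_1 over a Checkov resource conf (assumed name).

    Checkov passes Terraform attributes to checks as single-element lists, so
    `tags` arrives as [ {...} ]. The rule passes only when
    tags.DataClassification == "restricted"; a missing or malformed tags block fails.
    """
    tags = conf.get("tags")
    if not tags or not isinstance(tags[0], dict):
        return False
    return tags[0].get("DataClassification") == "restricted"
```

Usage: `top_rules(open("results_json.json").read())` works on either output shape; `custom_policy_hits(...)` gives the same list of resources the verification jq above is looking for.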