Skip to content

feat(lab6): Checkov + KICS scans + custom policy#7

Open
StefFashka wants to merge 2 commits into
mainfrom
feature/lab6
Open

feat(lab6): Checkov + KICS scans + custom policy#7
StefFashka wants to merge 2 commits into
mainfrom
feature/lab6

Conversation

@StefFashka

Copy link
Copy Markdown
Owner

Goal

This PR delivers the completed Lab 6 IaC security assignment, scanning vulnerable Terraform, Pulumi, and Ansible infrastructure code with Checkov and KICS, then adding a custom Checkov policy that fires on the vulnerable Terraform sample.

Changes

  • submissions/lab6.md — Final submission report with Checkov/KICS findings tables, rule-frequency triage, module-leverage analysis, and tool comparison.
  • labs/lab6/policies/my-custom-policy.yaml — Custom Checkov graph policy requiring S3 buckets to have lifecycle configuration.

Testing

Verified all scans locally using Docker-based Checkov and KICS runs.

  1. Checkov Terraform Scan (127 checks total):
docker run --rm -v ${PWD}/labs/lab6:/path bridgecrew/checkov:latest \
  -d /path/vulnerable-iac/terraform \
  --output cli --output json \
  --output-file-path /path/results/checkov-terraform/
# Output: passed: 49, failed: 78, skipped: 0
  1. KICS Ansible Scan (10 findings total):
docker run --rm -v ${PWD}/labs/lab6:/path checkmarx/kics:latest \
  scan -p /path/vulnerable-iac/ansible/ \
       -o /path/results/kics-ansible/ \
       --report-formats json,sarif
# Output: HIGH: 9, MEDIUM: 0, LOW: 1, INFO: 0
  1. KICS Pulumi Scan (6 findings total):
docker run --rm -v ${PWD}/labs/lab6:/path checkmarx/kics:latest \
  scan -p /path/vulnerable-iac/pulumi/ \
       -o /path/results/kics-pulumi/ \
       --report-formats json,sarif
# Output: CRITICAL: 1, HIGH: 2, MEDIUM: 1, LOW: 0, INFO: 2
  1. Custom Checkov Policy:
docker run --rm -v ${PWD}/labs/lab6:/path bridgecrew/checkov:latest \
  -d /path/vulnerable-iac/terraform \
  --external-checks-dir /path/policies \
  --run-all-external-checks \
  --output cli --output json \
  --output-file-path /path/results/checkov-custom/ \
  --quiet --compact
# Output: CKV2_CUSTOM_1 fired on 2 S3 bucket resources
  • Task 1 — Checkov on Terraform + Pulumi with top-5 rules and module-leverage analysis
  • Task 2 — KICS on Ansible with Checkov-vs-KICS comparison
  • Bonus — Custom Checkov policy demonstrably firing on the vulnerable sample

Artifacts & Screenshots

The final analysis and pasted evidence are in submissions/lab6.md. Regenerable scanner outputs were produced under labs/lab6/results/ and are intentionally not committed.

@StefFashka StefFashka changed the title Feature/lab6 feat(lab6): Checkov + KICS scans + custom policy Jul 3, 2026
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant