2 changes: 2 additions & 0 deletions .github/scripts/queries-validator/metadata-schema.json
Expand Up @@ -105,7 +105,9 @@
"azure",
"common",
"gcp",
"ibmcloud",
"nifcloud",
"oraclecloud",
"tencentcloud"
]
},
14 changes: 14 additions & 0 deletions README.md
Expand Up @@ -218,6 +218,20 @@ Find security vulnerabilities, compliance issues, and infrastructure misconfigur
</picture>
</a>
</td>
<td>
<a href="https://github.com/Checkmarx/kics/blob/master/docs/platforms.md#ibmcloud-for-terraform">
<img alt="IBMCloud" src="docs/img/logo-ibmcloud.png" width="100">
</a>
</td>
<td>
<a href="https://github.com/Checkmarx/kics/blob/master/docs/platforms.md#oraclecloud-for-terraform">
<picture>
<source media="(prefers-color-scheme: light)" srcset="docs/img/logo-oraclecloud.png" width="180">
<source media="(prefers-color-scheme: dark)" srcset="docs/img/logo-oraclecloud-dark.png" width="180">
<img alt="OracleCloud" src="docs/img/logo-oraclecloud.png" width="100">
</picture>
</a>
</td>
</tr>
</table>

@@ -0,0 +1,14 @@
{
"id": "a6bc2970-c10d-45ab-9050-cf69c393e911",
"queryName": "Load Balancer VPC is Public",
"severity": "MEDIUM",
"category": "Insecure Configurations",
"descriptionText": "IBM Load Balancer VPC should not be public",
"descriptionUrl": "https://registry.terraform.io/providers/IBM-Cloud/ibm/latest/docs/resources/is_lb",
"platform": "Terraform",
"descriptionID": "a6bc2970",
"cloudProvider": "ibmcloud",
"cwe": "668",
"riskScore": "3.0",
"experimental": "true"
}
@@ -0,0 +1,39 @@
package Cx

import data.generic.common as common_lib
import data.generic.terraform as tf_lib

CxPolicy[result] {

lb := input.document[i].resource.ibm_is_lb[name]
not common_lib.valid_key(lb, "type")

result := {
"documentId": input.document[i].id,
"resourceType": "ibm_is_lb",
"resourceName": tf_lib.get_resource_name(lb, name),
"searchKey": sprintf("ibm_is_lb[%s]", [name]),
"issueType": "MissingAttribute",
"keyExpectedValue": sprintf("'ibm_is_lb[%s]' should be set to private or private_path.", [name]),
"keyActualValue": sprintf("'ibm_is_lb[%s]' is missing type property, defaults to public.", [name]),
"searchLine": common_lib.build_search_line(["resource","ibm_is_lb", name], []),
}
}

CxPolicy[result] {

lb := input.document[i].resource.ibm_is_lb[name]
lb.type != "private"
lb.type != "private_path"

result := {
"documentId": input.document[i].id,
"resourceType": "ibm_is_lb",
"resourceName": tf_lib.get_resource_name(lb, name),
"searchKey": sprintf("ibm_is_lb[%s]", [name]),
"issueType": "IncorrectValue",
"keyExpectedValue": sprintf("'ibm_is_lb[%s]' should be set to private or private_path.", [name]),
"keyActualValue": sprintf("'ibm_is_lb[%s]' is set to %s.", [name, lb.type]),
"searchLine": common_lib.build_search_line(["resource","ibm_is_lb", name, "type"], []),
}
}
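Review bot: The finding text in both rules names the whole resource rather than the attribute under test: `keyExpectedValue` reads `'ibm_is_lb[%s]' should be set to private or private_path.`, which a user will read as the load balancer itself, not its `type`, needing a value. Suggest `sprintf("'ibm_is_lb[%s].type' should be set to private or private_path.", [name])` in both rules and, in the second rule, `sprintf("'ibm_is_lb[%s].type' is set to %s.", [name, lb.type])`, which then matches the `searchLine` that already points at `type`. The risk wording in the first rule is right as written: the message states that an omitted `type` defaults the VPC load balancer to public, so treating the missing attribute as an exposure is the correct severity call.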
@@ -0,0 +1,7 @@
# Case: type is defined to private_path
resource "ibm_is_lb" "example" {
name = "example-load-balancer"
subnets = [ibm_is_subnet.example.id]
profile = "network-private-path"
type = "private_path"
}
@@ -0,0 +1,7 @@
# Case: type is defined to private
resource "ibm_is_lb" "example" {
name = "example-load-balancer"
subnets = [ibm_is_subnet.example.id]
profile = "network-private-path"
type = "private"
}
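Review bot: This fixture pairs `type = "private"` with `profile = "network-private-path"`; if that profile is only accepted for private-path load balancers (worth confirming against the IBM provider docs), the negative example would not be a valid configuration as written, and positive1.tf (`type = "public"`) carries the same pairing. The query only reads `type`, so the expected results are unaffected, but fixtures that the provider would reject are weaker as documentation of what a compliant resource looks like. Consider omitting `profile` here, or using a profile that is valid for the chosen `type`.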
@@ -0,0 +1,7 @@
# Case: type is defined to public
resource "ibm_is_lb" "example" {
name = "example-load-balancer"
subnets = [ibm_is_subnet.example.id]
profile = "network-private-path"
type = "public"
}
@@ -0,0 +1,6 @@
resource "ibm_is_lb" "example" {
name = "example-load-balancer"
subnets = [ibm_is_subnet.example.id]
profile = "network-private-path"
# Case: type is not defined, defaults to public
}
@@ -0,0 +1,15 @@
[
{
"queryName": "Load Balancer VPC is Public",
"severity": "MEDIUM",
"line": 6,
"fileName": "positive1.tf"
},
{
"queryName": "Load Balancer VPC is Public",
"severity": "MEDIUM",
"line": 1,
"fileName": "positive2.tf"
}
]

@@ -0,0 +1,14 @@
{
"id": "1d2e88ff-7ee7-4c8a-bf16-01488c83f295",
"queryName": "Instance Monitoring Disabled",
"severity": "LOW",
"category": "Observability",
"descriptionText": "Instance should have monitoring enabled",
"descriptionUrl": "https://registry.terraform.io/providers/oracle/oci/latest/docs/resources/core_instance_configuration.html#is_monitoring_disabled-2",
"platform": "Terraform",
"descriptionID": "1d2e88ff",
"cloudProvider": "oraclecloud",
"cwe": "778",
"riskScore": "1.0",
"experimental": "true"
}
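Review bot: `descriptionUrl` points at the `core_instance_configuration` resource page, while the query itself inspects `oci_core_instance` (see `resource.oci_core_instance[name]` in the accompanying query.rego), so the link a user follows from the finding documents a different resource than the one flagged. Suggest pointing it at the `core_instance` resource page of the same provider docs (`https://registry.terraform.io/providers/oracle/oci/latest/docs/resources/core_instance`), using the `is_monitoring_disabled` anchor on that page if one exists.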
@@ -0,0 +1,21 @@
package Cx

import data.generic.common as common_lib
import data.generic.terraform as tf_lib

CxPolicy[result] {
resource := input.document[i].resource.oci_core_instance[name]
agent_config := resource.agent_config
agent_config.is_monitoring_disabled == true

result := {
"documentId": input.document[i].id,
"resourceType": "oci_core_instance",
"resourceName": tf_lib.get_resource_name(resource, name),
"searchKey": sprintf("oci_core_instance[%s]", [name]),
"issueType": "IncorrectValue",
"keyExpectedValue": "Attribute 'is_monitoring_disabled' should be set to false.",
"keyActualValue": "Attribute 'is_monitoring_disabled' is set to true.",
"searchLine": common_lib.build_search_line(["resource", "oci_core_instance", name, "agent_config", "is_monitoring_disabled"], []),
}
}
@@ -0,0 +1,9 @@
# Case: is_monitoring_disabled set to false
resource "oci_core_instance" "fail" {
availability_domain = var.instance_availability_domain
compartment_id = var.compartment_id
shape = var.instance_shape
agent_config {
is_monitoring_disabled = false
}
}
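Review bot: The resource in this negative fixture is named `"fail"`, and negative2.tf and negative3.tf use the same name, while the positive case is also `"fail"`; a reader scanning the fixtures expects a negative case to pass the check, so the name contradicts the expected outcome. Rename the three negative fixtures to `resource "oci_core_instance" "pass" {` (or another name that does not read as a failing case) and keep `"fail"` for positive.tf only. The expected-result file keys findings by file name and line, so the rename does not change the test.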
@@ -0,0 +1,6 @@
# Case: missing is_monitoring_disabled property, defaults to false
resource "oci_core_instance" "fail" {
availability_domain = var.instance_availability_domain
compartment_id = var.compartment_id
shape = var.instance_shape
}
@@ -0,0 +1,7 @@
# Case: missing is_monitoring_disabled inside agent_config
resource "oci_core_instance" "fail" {
availability_domain = var.instance_availability_domain
compartment_id = var.compartment_id
shape = var.instance_shape
agent_config {}
}
@@ -0,0 +1,8 @@
resource "oci_core_instance" "fail" {
availability_domain = var.instance_availability_domain
compartment_id = var.compartment_id
shape = var.instance_shape
agent_config {
is_monitoring_disabled = true
}
}
@@ -0,0 +1,8 @@
[
{
"queryName": "Instance Monitoring Disabled",
"severity": "LOW",
"line": 6,
"fileName": "positive.tf"
}
]
2 changes: 1 addition & 1 deletion docs/commands.md
Expand Up @@ -38,7 +38,7 @@ Use "kics [command] --help" for more information about a command.
| Flags | Description |
|-----------------------------|---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
|-m, --bom | include bill of materials (BoM) in results output |
| --cloud-provider strings | list of cloud providers to scan (alicloud,aws,azure,gcp,nifcloud,tencentcloud) |
| --cloud-provider strings | list of cloud providers to scan (alicloud,aws,azure,gcp,ibmcloud,nifcloud,oraclecloud,tencentcloud) |
| --config string | path to configuration file |
| --old-severities | uses old severities in query results |
| --disable-full-descriptions | disable request for full descriptions and use default vulnerability descriptions |
2 changes: 1 addition & 1 deletion docs/dockerhub.md
Expand Up @@ -107,7 +107,7 @@ Usage:

Flags:
-m, --bom include bill of materials (BoM) in results output
--cloud-provider strings list of cloud providers to scan (alicloud,aws,azure,gcp,nifcloud,tencentcloud)
--cloud-provider strings list of cloud providers to scan (alicloud,aws,azure,gcp,ibmcloud,nifcloud,oraclecloud,tencentcloud)
--config string path to configuration file
--old-severities use old severities in query results (excludes critical severity)
--disable-full-descriptions disable request for full descriptions and use default vulnerability descriptions
Binary file added docs/img/logo-ibmcloud.png
Binary file added docs/img/logo-oraclecloud-dark.png
Binary file added docs/img/logo-oraclecloud.png
6 changes: 6 additions & 0 deletions docs/index.md
Expand Up @@ -153,6 +153,12 @@ KICS scans and detects issues in following Infrastructure as Code solutions:
<div class="card" style="min-width:80;flex:0 0 25%;display:flex;align-items:center;justify-content:center;margin:8px">
<img alt="TencentCloud" src="img/logo-tencentcloud.png" width="120">&nbsp;&nbsp;&nbsp;
</div>
<div class="card" style="min-width:80;flex:0 0 25%;display:flex;align-items:center;justify-content:center;margin:8px">
<img alt="IBMCloud" src="img/logo-ibmcloud.png" width="90">&nbsp;&nbsp;&nbsp;
</div>
<div class="card" style="min-width:80;flex:0 0 25%;display:flex;align-items:center;justify-content:center;margin:8px">
<img alt="OracleCloud" src="img/logo-oraclecloud.png" width="120">&nbsp;&nbsp;&nbsp;
</div>
</div>

## Getting Started
8 changes: 8 additions & 0 deletions docs/platforms.md
Expand Up @@ -195,6 +195,14 @@ KICS supports scanning Databricks under Terraform file extension (`.tf`).

KICS supports scanning TencentCloud under Terraform file extension (`.tf`).

### IBMCloud for Terraform

KICS supports scanning IBMCloud under Terraform file extension (`.tf`).

### OracleCloud for Terraform

KICS supports scanning OracleCloud under Terraform file extension (`.tf`).

### Terraform variables path

When using vars in a terraform file there are 2 ways of passing the file in which a variable's value is present.
2 changes: 1 addition & 1 deletion e2e/fixtures/assets/scan_help
Expand Up @@ -3,7 +3,7 @@ Usage:

Flags:
-m, --bom include bill of materials (BoM) in results output
--cloud-provider strings list of cloud providers to scan (alicloud,aws,azure,gcp,nifcloud,tencentcloud)
--cloud-provider strings list of cloud providers to scan (alicloud,aws,azure,gcp,ibmcloud,nifcloud,oraclecloud,tencentcloud)
--config string path to configuration file
--disable-full-descriptions disable request for full descriptions and use default vulnerability descriptions
--disable-secrets disable secrets scanning
2 changes: 2 additions & 0 deletions internal/constants/constants.go
Expand Up @@ -84,7 +84,9 @@ var (
"aws": "",
"azure": "",
"gcp": "",
"ibmcloud": "",
"nifcloud": "",
"oraclecloud": "",
"tencentcloud": "",
}
)
</gr_replreplace>

<gr_replace lines="354-354" cat="remove_boilerplate" orig="Original file line number">
2 changes: 1 addition & 1 deletion pkg/engine/source/filesystem.go
Original file line number Diff line number Diff line change
Expand Up @@ -82,7 +82,7 @@ func ListSupportedPlatforms() []string {

// ListSupportedCloudProviders returns a list of supported cloud providers
func ListSupportedCloudProviders() []string {
return []string{"alicloud", "aws", "azure", "gcp", "nifcloud", "tencentcloud"}
return []string{"alicloud", "aws", "azure", "gcp", "ibmcloud", "nifcloud", "oraclecloud", "tencentcloud"}
}

func getLibraryInDir(platform, libraryDirPath string) string {
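Review bot: `ListSupportedCloudProviders` keeps a hand-maintained copy of the provider list that must now agree with the map in internal/constants/constants.go, the enum in metadata-schema.json and three help-text fixtures; this commit updates every copy, but the next provider is easy to add in one place and miss in another, and the test only checks that the two Go copies agree. Consider deriving the slice from the keys of the constants map (its identifier is outside the hunk) in sorted order, e.g. `slices.Sorted(maps.Keys(m))` on Go 1.23+ or a key loop plus `sort.Strings` on older toolchains, so the Go side has one source of truth; `TestSource_ListSupportedCloudProviders` compares with `require.Equal`, so the sort is required to keep the order stable. Either way the doc comment could state the contract callers rely on: `// ListSupportedCloudProviders returns the supported cloud providers in alphabetical order.`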
2 changes: 1 addition & 1 deletion pkg/engine/source/filesystem_test.go
Expand Up @@ -821,7 +821,7 @@ func TestSource_validateMetadata(t *testing.T) {

// TestSource_ListSupportedCloudProviders tests the function ListSupportedCloudProviders.
func TestSource_ListSupportedCloudProviders(t *testing.T) {
want := []string{"alicloud", "aws", "azure", "gcp", "nifcloud", "tencentcloud"}
want := []string{"alicloud", "aws", "azure", "gcp", "ibmcloud", "nifcloud", "oraclecloud", "tencentcloud"}
t.Run("test List Supported CP", func(t *testing.T) {
got := ListSupportedCloudProviders()
require.Equal(t, want, got)
2 changes: 2 additions & 0 deletions test/main_test.go
Expand Up @@ -41,7 +41,9 @@ var (
"../assets/queries/terraform/kubernetes": {FileKind: []model.FileKind{model.KindTerraform, model.KindJSON}, Platform: "terraform"},
"../assets/queries/terraform/general": {FileKind: []model.FileKind{model.KindTerraform, model.KindJSON}, Platform: "terraform"},
"../assets/queries/terraform/alicloud": {FileKind: []model.FileKind{model.KindTerraform, model.KindJSON}, Platform: "terraform"},
"../assets/queries/terraform/ibmcloud": {FileKind: []model.FileKind{model.KindTerraform, model.KindJSON}, Platform: "terraform"},
"../assets/queries/terraform/nifcloud": {FileKind: []model.FileKind{model.KindTerraform, model.KindJSON}, Platform: "terraform"},
"../assets/queries/terraform/oraclecloud": {FileKind: []model.FileKind{model.KindTerraform, model.KindJSON}, Platform: "terraform"},
"../assets/queries/terraform/tencentcloud": {FileKind: []model.FileKind{model.KindTerraform, model.KindJSON}, Platform: "terraform"},
"../assets/queries/crossplane/aws": {FileKind: []model.FileKind{model.KindYAML}, Platform: "crossplane"},
"../assets/queries/crossplane/azure": {FileKind: []model.FileKind{model.KindYAML}, Platform: "crossplane"},