
In this blog post I will show a basic primer on using KICS together with Azure DevOps to scan Terraform Infrastructure-as-Code.
KICS is an open source solution for static code analysis of Infrastructure as Code.
https://kics.io/
What is KICS, and why should I care?
KICS finds security vulnerabilities, compliance issues, and infrastructure misconfigurations in the following Infrastructure as Code solutions: Terraform, Kubernetes, Docker, AWS CloudFormation, Ansible, Helm, and OpenAPI 3.0 specifications.
The open source tool is brought to you by Checkmarx but is a true open source community project.
I’ve blogged before about the importance of testing your IaC, and this tool makes it pretty easy to incorporate exactly this into your pipelines.
At this moment in time I'm still experimenting with the tool, and because some of the documented examples do not really work out of the box, I've decided to put the ones that do work in this blog.
Running KICS locally
You can run KICS locally, and the KICS documentation shows a very easy example of running it with a Docker container. This is an easy way of testing and playing around with the tool (replace {path_to_host_folder_to_scan} with the folder that holds your Terraform code; it is mounted into the container as /path, so the results end up next to your code):
docker pull checkmarx/kics:latest
docker run -v {path_to_host_folder_to_scan}:/path checkmarx/kics:latest scan -p "/path" -o "/path/results.json"
Setting up KICS in Azure DevOps
A more likely scenario is that you want to run KICS as part of your CI/CD strategy, automated and triggered by, for example, a pull request. But how to start?
First of all, you should have a repository in DevOps. In my example, I’ve created two folders with some Terraform code, and one Yaml pipeline:

In these folders, 'terraform-example1' and 'terraform-example2', I've added some representative examples for Azure. The resources range from storage accounts and Windows Virtual Desktop resources to IAM and virtual machines.
As I have two example folders set up, I've created two pipelines. The YAML file is the same, but using variables I can let KICS scan different folders. Basically it looks like this:

Opening up KicsExample1 and viewing the variables shows the following:

Important to note here is that I've added the complete path to the working directory. My directory is 'terraform-example1', but as you can find in the documentation, the path on a Microsoft-hosted Ubuntu build agent will be /home/vsts/work/1/s/terraform-example1/. For the second pipeline I obviously set /home/vsts/work/1/s/terraform-example2/ as the variable. A more portable way to write this is $(Build.SourcesDirectory)/terraform-example1, since the predefined variable $(Build.SourcesDirectory) resolves to that same /home/vsts/work/1/s root on hosted agents and keeps working when the agent layout differs.
Running the KICS Azure DevOps pipeline
So, for the actual magic to happen, let us run the pipeline and look at the outcome:

As we can see, with some trickery using Azure Pipelines logging commands (the ##vso[...] lines the agent picks up from task output), I'm able to put the feedback from KICS into the actual run summary. In this case, I've taken the example from KICS and written the reported errors to Azure DevOps as pipeline issues. You can look at the example code to see how I did this.
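The script below is an added example of that trick; it is not the code from the gist linked at the end of this post, and the file names, line numbers and script name (kics_to_vso.py) are assumptions. It reads the results.json that the KICS scan step wrote, turns every finding into a ##vso[task.logissue ...] line (error or warning depending on severity, so it shows up in the run summary and, via sourcepath/linenumber, on the pull request), and finishes with ##vso[task.complete result=Failed;] when a finding reaches the severity you want to block on. A detail worth keeping: ';' and ']' and line breaks inside property values are escaped, because a repository file name is attacker-controlled input and an unescaped value could terminate the command and inject its own (for example a task.complete that marks the job succeeded).

```python
"""Turn a KICS results.json into Azure Pipelines logging commands.

Added example (not the post author's gist). Intended as a script step run
after the scan, e.g.: python3 kics_to_vso.py $(PWD)/results.json
"""
import json
import sys
from typing import Dict, List, Tuple

# Severity order used by KICS (CRITICAL exists in newer releases).
SEVERITY_RANK = {"INFO": 0, "LOW": 1, "MEDIUM": 2, "HIGH": 3, "CRITICAL": 4}

# Constructed sample in the shape KICS writes to results.json (only the
# fields this script reads), mirroring the two findings discussed in the
# post. File names and line numbers are made up.
SAMPLE_RESULTS: Dict = {
    "total_counter": 2,
    "severity_counters": {"HIGH": 1, "MEDIUM": 1, "LOW": 0, "INFO": 0},
    "queries": [
        {
            "query_name": "Storage Account Not Using Latest TLS Encryption Version",
            "severity": "MEDIUM",
            "platform": "Terraform",
            "description": "Ensure Storage Account is using the latest version of TLS encryption",
            "files": [{
                "file_name": "terraform-example1/storage.tf",
                "line": 12,
                "expected_value": "'min_tls_version' should be set to 'TLS1_2'",
                "actual_value": "'min_tls_version' is undefined",
            }],
        },
        {
            "query_name": "Vault Auditing Disabled",
            "severity": "HIGH",
            "platform": "Terraform",
            "description": "Ensure that logging for Azure KeyVault is 'Enabled'",
            "files": [{
                "file_name": "terraform-example1/keyvault.tf",
                "line": 3,
                "expected_value": "'azurerm_key_vault' has a diagnostic setting with 'AuditEvent' logs",
                "actual_value": "'azurerm_key_vault' has no diagnostic setting",
            }],
        },
    ],
}


def vso_escape(value: str) -> str:
    """Escape a value used inside the ##vso[...] property list.

    ';' separates properties, ']' ends the command and a line break ends the
    logging command, so an unescaped file name could inject its own command.
    """
    return (value.replace(";", "%3B").replace("]", "%5D")
                 .replace("\r", "%0D").replace("\n", "%0A"))


def kics_to_vso(results: Dict, fail_at: str = "HIGH",
                warn_at: str = "MEDIUM") -> Tuple[List[str], bool]:
    """Return (lines to print, job_failed) for a parsed results.json.

    Findings at or above fail_at become task.logissue errors and fail the
    job; findings at or above warn_at become warnings; the rest are echoed
    as plain log lines.
    """
    fail_rank, warn_rank = SEVERITY_RANK[fail_at], SEVERITY_RANK[warn_at]
    lines: List[str] = []
    errors = warnings = 0
    for query in results.get("queries", []):
        severity = str(query.get("severity", "INFO")).upper()
        rank = SEVERITY_RANK.get(severity, 0)
        head = (f"{query.get('query_name', '?')} (severity {severity}, "
                f"platform {query.get('platform', '?')}): {query.get('description', '')}")
        for hit in query.get("files", []):
            # Each logging command is a single line; collapse any line breaks.
            message = " ".join(
                f"{head} expected: {hit.get('expected_value', '')}; "
                f"actual: {hit.get('actual_value', '')}".split())
            props = (f"sourcepath={vso_escape(str(hit.get('file_name', '')))};"
                     f"linenumber={int(hit.get('line', 0) or 0)}")
            if rank >= fail_rank:
                errors += 1
                lines.append(f"##vso[task.logissue type=error;{props};]{message}")
            elif rank >= warn_rank:
                warnings += 1
                lines.append(f"##vso[task.logissue type=warning;{props};]{message}")
            else:
                lines.append(message)
    total = results.get("total_counter", errors + warnings)
    lines.append(f"KICS: {total} finding(s), {errors} blocking, {warnings} warning(s)")
    failed = errors > 0
    if failed:
        lines.append("##vso[task.complete result=Failed;]KICS found blocking issues")
    elif warnings:
        lines.append("##vso[task.complete result=SucceededWithIssues;]KICS found non-blocking issues")
    return lines, failed


if __name__ == "__main__":
    if len(sys.argv) > 1:
        with open(sys.argv[1], encoding="utf-8") as fh:
            data = json.load(fh)
    else:
        data = SAMPLE_RESULTS  # constructed sample, see above
    out, job_failed = kics_to_vso(data)
    print("\n".join(out))
    sys.exit(1 if job_failed else 0)
```

With the defaults, the MEDIUM TLS finding is shown as a warning and the HIGH Key Vault finding fails the job; passing fail_at="MEDIUM" makes both blocking, which is the setting I would use once the existing findings have been cleaned up.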
Analyzing and debugging the results
In the previous section we ran the KICS pipeline, and it came back with some errors. Now we want to see what the actual problem is. For this we can drill down into the run:

One of the issues found in my first example, is the following error:
Storage Account Not Using Latest TLS Encryption Version, Severity: MEDIUM, Results: 1
Description: Ensure Storage Account is using the latest version of TLS encryption
Platform: Terraform
This issue is quite self-explanatory: the azurerm_storage_account resource does not pin min_tls_version to "TLS1_2", so older TLS versions are still accepted. KICS runs many queries, and you are able to tweak and adjust them.
The second issue found is on the keyvault in my example:
Vault Auditing Disabled, Severity: HIGH, Results: 1
Description: Ensure that logging for Azure KeyVault is 'Enabled'
Platform: Terraform
This also is based on a best practice, and it warns you that auditing is disabled: there is no diagnostic setting that ships the Key Vault's audit events to a log destination, so access to secrets and keys leaves no trail. The great thing about this tool is that it also gives descriptions on how to fix your errors!
Concluding
There are many ways of securing your infrastructure as code and testing it statically. In my previous blog about Open Policy Agent I also wrote about this. The great thing about KICS is that it is really easy to set up, and for my Terraform example they have many well-documented queries with guidance on how to resolve the issues found.
Implementing KICS as your first line of defence is really easy and gives direct feedback in your DevOps process.
Give me the code!
The example pipeline has been put in to this public gist. Do not forget to pass in the variable PWD with the location of your project!
Any questions or remarks? Feel free to reach out via any of my public profiles or the contact page on this site.