Integrate KICS with Azure Pipelines

You can integrate KICS into your Azure Pipelines CI/CD.

This provides you the ability to run KICS scans in your GitLab repositories and streamline vulnerabilities and misconfiguration checks to your infrastructure as code (IaC).

Tutorial

The following tutorial is a possible way of using KICS in Azure Pipelines CI. You can be creative and come up with different solutions that fit your pipelines.

In this case we instruct the job to download and use the latest Linux version of KICS.

1- Edit or add a new azure-pipelines.yml file in the root of your repository

2- Declare a new stage

stages:
- stage: kics
  displayName: kics

3- Declare the steps - in this case it is a script where we follow the steps:

3.1- Get the OS name: OS=$(uname -s)

3.2- Declare version and KICS binaries to download

get_latest_kics_release() {
    curl --silent "https://api.github.com/repos/Checkmarx/kics/releases/latest" |
        grep '"tag_name":' |
        sed -E 's/.*"([^"]+)".*/\1/'
}
LATEST_TAG=$(get_latest_kics_release)
LATEST_VERSION=${LATEST_TAG#v}
PACKAGE_NAME=kics_${LATEST_VERSION}_${OS}_x64.tar.gz
TARGET_DIR=/home/vsts/kics

3.3- Download the binary

mkdir -p ${TARGET_DIR}
wget -q -c https://github.com/Checkmarx/kics/releases/download/${LATEST_TAG}/${PACKAGE_NAME} -O - | tar -xz -C ${TARGET_DIR}

3.4- Start the scan

 ${TARGET_DIR}/kics scan --no-progress -q ${TARGET_DIR}/assets/queries -p ${PWD} -o ${PWD}/kics-results --output-name "azure-pipelines-integration" --report-formats "json,sarif"

3.5- Consume the results

TOTAL_SEVERITY_COUNTER=`grep '"total_counter"':' ' kics-results.json | awk {'print $2'}`
export SEVERITY_COUNTER_HIGH=`grep '"HIGH"':' ' kics-results.json | awk {'print $2'} | sed 's/.$//'`
SEVERITY_COUNTER_MEDIUM=`grep '"INFO"':' ' kics-results.json | awk {'print $2'} | sed 's/.$//'`
SEVERITY_COUNTER_LOW=`grep '"LOW"':' ' kics-results.json | awk {'print $2'} | sed 's/.$//'`
SEVERITY_COUNTER_INFO=`grep '"MEDIUM"':' ' kics-results.json | awk {'print $2'} | sed 's/.$//'`
echo "TOTAL SEVERITY COUNTER $TOTAL_SEVERITY_COUNTER"

3.6- Optionally, define a breaking point for the CI

if [ "$SEVERITY_COUNTER_HIGH" -ge "1" ]; then
    echo "Please fix all $SEVERITY_COUNTER_HIGH HIGH SEVERITY COUNTERS" && exit 1;
fi

Here is the full content of the job

trigger:
- master

pool:
  vmImage: 'ubuntu-latest'

stages:
- stage: kics
  displayName: kics

  jobs:
  - job: runKics
    displayName: runKics
    steps:
      - script: |
          get_latest_kics_release() {
            curl --silent "https://api.github.com/repos/Checkmarx/kics/releases/latest" |
              grep '"tag_name":' |
              sed -E 's/.*"([^"]+)".*/\1/'
          }

          OS=$(uname -s)
          LATEST_TAG=$(get_latest_kics_release)
          LATEST_VERSION=${LATEST_TAG#v}
          PACKAGE_NAME=kics_${LATEST_VERSION}_${OS}_x64.tar.gz
          TARGET_DIR=/home/vsts/kics

          mkdir -p ${TARGET_DIR}
          wget -q -c https://github.com/Checkmarx/kics/releases/download/${LATEST_TAG}/${PACKAGE_NAME} -O - | tar -xz -C ${TARGET_DIR}

          echo '--- START SCANNING ---'
          ${TARGET_DIR}/kics scan --no-progress -q ${TARGET_DIR}/assets/queries -p ${PWD} -o ${PWD}/kics-results --output-name "azure-pipelines-integration" --report-formats "json,sarif"

          TOTAL_SEVERITY_COUNTER=`grep '"total_counter"':' ' kics-results.json | awk {'print $2'}`
          export SEVERITY_COUNTER_HIGH=`grep '"HIGH"':' ' kics-results.json | awk {'print $2'} | sed 's/.$//'`
          SEVERITY_COUNTER_MEDIUM=`grep '"INFO"':' ' kics-results.json | awk {'print $2'} | sed 's/.$//'`
          SEVERITY_COUNTER_LOW=`grep '"LOW"':' ' kics-results.json | awk {'print $2'} | sed 's/.$//'`
          SEVERITY_COUNTER_INFO=`grep '"MEDIUM"':' ' kics-results.json | awk {'print $2'} | sed 's/.$//'`
          echo "TOTAL SEVERITY COUNTER $TOTAL_SEVERITY_COUNTER"

          if [ "$SEVERITY_COUNTER_HIGH" -ge "1" ]; then
            echo "Please fix all $SEVERITY_COUNTER_HIGH HIGH SEVERITY COUNTERS" && exit 1;
          fi

Example Results

When your pipeline executes, it will run this job. If KICS finds any issues, it will fail the build.

Pipeline Failure

Pipeline Success