
Commit fcdc8b2

Merge branch 'AST-126467-update-metric-log-filter-to-be-more-permissive' of https://github.com/Checkmarx/kics into AST-126467-update-metric-log-filter-to-be-more-permissive
2 parents c9ef836 + 5576162 commit fcdc8b2


27 files changed

+203
-56
lines changed


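--- a/.github/scripts/report/go.mod
+++ b/.github/scripts/report/go.mod
@@ -1,6 +1,6 @@
 module github.com/Checkmarx/e2e-report
 
-go 1.24.0
+go 1.25.7
 
 require (
 github.com/rs/zerolog v1.31.0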

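--- a/.github/workflows/go-ci.yml
+++ b/.github/workflows/go-ci.yml
@@ -16,9 +16,9 @@ jobs:
 go-version-file: go.mod
 cache: false
 - name: golangci-lint
-uses: golangci/golangci-lint-action@aaa42aa0628b4ae2578232a66b541047968fac86 # v6.1.0
+uses: golangci/golangci-lint-action@1e7e51e771db61008b38414a730f564565cf7c20 # v9.2.0
 with:
-version: v2.0.2
+version: v2.9.0
 args: -c .golangci.yml --timeout 20m
 go-generate:
 name: go-generate
@@ -39,7 +39,7 @@ jobs:
 name: unit-tests
 strategy:
 matrix:
-go-version: [1.24.x]
+go-version: [1.25.x]
 os: [ubuntu-latest, windows-2022, macos-latest]
 runs-on: ${{ matrix.os }}
 steps: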

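--- a/.github/workflows/go-e2e-debian.yaml
+++ b/.github/workflows/go-e2e-debian.yaml
@@ -10,7 +10,7 @@ jobs:
 strategy:
 fail-fast: false
 matrix:
-go-version: [1.24.x]
+go-version: [1.25.x]
 os: [ubuntu-latest]
 runs-on: ${{ matrix.os }}
 steps: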

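--- a/.github/workflows/go-e2e.yaml
+++ b/.github/workflows/go-e2e.yaml
@@ -10,7 +10,7 @@ jobs:
 strategy:
 fail-fast: false
 matrix:
-go-version: [1.24.x]
+go-version: [1.25.x]
 os: [ubuntu-latest]
 kics-docker: ["Dockerfile", "docker/Dockerfile.ubi8", "docker/Dockerfile.alpine"]
 runs-on: ${{ matrix.os }}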

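--- a/.github/workflows/release-nightly.yml
+++ b/.github/workflows/release-nightly.yml
@@ -51,7 +51,7 @@ jobs:
 - name: Set up Go
 uses: actions/setup-go@v5
 with:
-go-version: 1.24.x
+go-version: 1.25.x
 - name: Run GoReleaser
 uses: goreleaser/goreleaser-action@9c156ee8a17a598857849441385a2041ef570552 # v6.3.0
 with: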

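--- a/.golangci.yml
+++ b/.golangci.yml
@@ -78,11 +78,19 @@ linters:
 rules:
 - name: package-comments
 disabled: true
-nolintlint:
-allow-leading-space: true # don't require machine-readable nolint directives (i.e. with no leading space)
-allow-unused: false # report any unused nolint directives
-require-explanation: false # don't require an explanation for nolint directives
-require-specific: false # don't require nolint directives to be specific about which linter is being skipped
+exclusions:
+rules:
+- path: _test\.go
+linters:
+- mnd
+- scopelint
+paths:
+- assets
+- docs
+- vendor
+- pkg/parser/jsonfilter/parser
+- pkg/parser/bicep/antlr
+
 formatters:
 enable:
 - gofmt
@@ -92,19 +100,6 @@ formatters:
 local-prefixes:
 - github.com/golangci/golangci-lint
 
-issues:
-# Excluding configuration per-path, per-linter, per-text and per-source
-exclude-rules:
-- path: _test\.go
-linters:
-- mnd
-- scopelint
-exclude-dirs:
-- assets
-- docs
-- vendor
-- pkg/parser/jsonfilter/parser
-- pkg/parser/bicep/antlr
 run:
 timeout: 5m
 tests: false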
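Review bot: The exclusion rule added at new lines 83-86 still lists `scopelint`, a linter golangci-lint removed long before v2 (its successor is `copyloopvar`), so that entry is dead at best and, if v2's config validation rejects unknown linter names inside `exclusions.rules`, it will make the whole config fail to load; I would drop it or replace it with `- copyloopvar`. Deleting the `nolintlint` block (old lines 81-85) is not a pure relocation: `allow-unused: false` is what made unused `//nolint` directives a reported finding, and unless those keys were moved under `linters.settings.nolintlint` elsewhere in the file (outside this hunk) that check is silently gone — the v2 form is `nolintlint:` / `  allow-unused: false` / `  require-specific: false` under `linters.settings`. Indentation is not visible in this rendering, so it is also worth confirming that `exclusions:` sits directly under `linters:` rather than under `linters.settings:`, where it would be ignored. Finally, with `run.tests: false` kept at new line 105 the `_test.go` rule never has anything to act on, which is fine but deserves a one-line comment so the next reader does not wonder why it exists.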

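--- a/Dockerfile
+++ b/Dockerfile
@@ -1,4 +1,4 @@
-FROM checkmarx/go:1.25.6-r0@sha256:8e7befa1320d506ee2e5511501196bc4afa0df731b54809a7404cdd766d3b940 AS build_env
+FROM checkmarx/go:1.25.7-r0@sha256:add1bea087fc0aee63a1849e3a54fe384776318d16db82af06d008ab90d2d395 AS build_env
 
 # Copy the source from the current directory to the Working Directory inside the container
 WORKDIR /app
@@ -29,7 +29,7 @@ RUN CGO_ENABLED=0 GOOS=${TARGETOS} GOARCH=${TARGETARCH} go build \
 # Runtime image
 # Ignore no User Cmd since KICS container is stopped afer scan
 # kics-scan ignore-line
-FROM checkmarx/git:2.52.0-r2@sha256:02efaee67a44a711d858628a6c02b06ee3ef90ed42906c9c8d98ef054a6b7165
+FROM checkmarx/git:2.53.0-r0@sha256:b25d6ec8723a9b7b27460d21ce3d46df4cfca473840b468825582b7723b76af4
 
 ENV TERM xterm-256color
 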
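--- a/assets/queries/azureResourceManager/secret_without_expiration_date/query.rego
+++ b/assets/queries/azureResourceManager/secret_without_expiration_date/query.rego
@@ -10,36 +10,35 @@ CxPolicy[result] {
 [path, value] := walk(doc)
 
 value.type == resourceTypes[_]
-not common_lib.valid_key(value.properties, "attributes")
+
+res := get_res(value, path)
 
 result := {
 "documentId": input.document[i].id,
 "resourceType": value.type,
 "resourceName": value.name,
-"searchKey": sprintf("%s.name={{%s}}.properties", [common_lib.concat_path(path), value.name]),
+"searchKey": res.sk,
 "issueType": "MissingAttribute",
-"keyExpectedValue": "resource with type 'Microsoft.Security/securityContacts' should have 'attributes.exp' property id defined",
-"keyActualValue": "resource with type 'Microsoft.Security/securityContacts' doesn't have 'attributes' property defined",
-"searchLine": common_lib.build_search_line(path, ["properties"]),
+"keyExpectedValue": res.kev,
+"keyActualValue": res.kav,
+"searchLine": res.sl,
 }
 }
 
-CxPolicy[result] {
-doc := input.document[i]
-
-[path, value] := walk(doc)
-
-value.type == resourceTypes[_]
+get_res(value, path) = res {
+not common_lib.valid_key(value.properties, "attributes")
+res := {
+"sk": sprintf("%s.name={{%s}}.properties", [common_lib.concat_path(path), value.name]),
+"kev": "resource with type 'Microsoft.KeyVault/vaults/secrets' should have 'attributes.exp' property id defined",
+"kav": "resource with type 'Microsoft.KeyVault/vaults/secrets' doesn't have 'attributes' property defined",
+"sl": common_lib.build_search_line(path, ["properties"]),
+}
+} else = res {
 not common_lib.valid_key(value.properties.attributes, "exp")
-
-result := {
-"documentId": input.document[i].id,
-"resourceType": value.type,
-"resourceName": value.name,
-"searchKey": sprintf("%s.name={{%s}}.properties.attributes", [common_lib.concat_path(path), value.name]),
-"issueType": "MissingAttribute",
-"keyExpectedValue": "resource with type 'Microsoft.Security/securityContacts' should have 'attributes.exp' property id defined",
-"keyActualValue": "resource with type 'Microsoft.Security/securityContacts' doesn't have 'attributes.exp' property defined",
-"searchLine": common_lib.build_search_line(path, ["properties", "attributes"]),
+res := {
+"sk": sprintf("%s.name={{%s}}.properties.attributes", [common_lib.concat_path(path), value.name]),
+"kev": "resource with type 'Microsoft.KeyVault/vaults/secrets' should have 'attributes.exp' property id defined",
+"kav": "resource with type 'Microsoft.KeyVault/vaults/secrets' doesn't have 'attributes.exp' property defined",
+"sl": common_lib.build_search_line(path, ["properties", "attributes"]),
 }
-}
+}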
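Review bot: The `kev`/`kav` strings in `get_res` (new lines 32-33 and 40-41) hard-code 'Microsoft.KeyVault/vaults/secrets', while the match on line 12 accepts any entry of `resourceTypes` (declared above this hunk), so if that set ever holds a second type the finding names the wrong resource; building the text from the matched value, e.g. `"kev": sprintf("resource with type '%s' should have 'attributes.exp' property defined", [value.type])`, keeps it accurate and also drops the stray "id" in "property id defined". The two bodies of `get_res` are order-dependent: `not valid_key(value.properties.attributes, "exp")` is also satisfied when `attributes` is absent altogether, so only the `else` ordering makes the "doesn't have 'attributes'" message win — that deserves a comment such as `# the missing-'attributes' case must be tried first; the 'exp' check also passes when 'attributes' is absent`. The enclosing `CxPolicy` rule starts before the hunk, and the file may continue after the closing brace of `get_res`.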
Lines changed: 14 additions & 0 deletions
@@ -0,0 +1,14 @@
1+
{
2+
"id": "4b5ee6a4-5682-4725-8a7a-d9e9a51986c8",
3+
"queryName": "Beta - Shielded GKE Node Do Not Have Integrity Monitoring Enabled",
4+
"severity": "MEDIUM",
5+
"category": "Observability",
6+
"descriptionText": "Enabling Integrity Monitoring for Shielded GKE Nodes is necessary to be notified of inconsistencies during the node boot sequence.",
7+
"descriptionUrl": "https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/container_node_pool",
8+
"platform": "Terraform",
9+
"descriptionID": "4b5ee6a4",
10+
"cloudProvider": "gcp",
11+
"cwe": "353",
12+
"riskScore": "3.0",
13+
"experimental": "true"
14+
}
Lines changed: 23 additions & 0 deletions
@@ -0,0 +1,23 @@
1+
package Cx
2+
3+
import data.generic.common as common_lib
4+
import data.generic.terraform as tf_lib
5+
6+
supported_resources := {"google_container_cluster", "google_container_node_pool"}
7+
8+
CxPolicy[result] {
9+
resource := input.document[i].resource[supported_resources[res_index]][name]
10+
11+
resource.node_config.shielded_instance_config.enable_integrity_monitoring == false
12+
13+
result := {
14+
"documentId": input.document[i].id,
15+
"resourceType": supported_resources[res_index],
16+
"resourceName": tf_lib.get_resource_name(resource, name),
17+
"searchKey": sprintf("%s[%s].node_config.shielded_instance_config.enable_integrity_monitoring", [supported_resources[res_index], name]),
18+
"issueType": "IncorrectValue",
19+
"keyExpectedValue": "'node_config.shielded_instance_config.enable_integrity_monitoring' should be defined to 'true'",
20+
"keyActualValue": "'node_config.shielded_instance_config.enable_integrity_monitoring' is not defined to 'true'",
21+
"searchLine": common_lib.build_search_line(["resource", supported_resources[res_index], name, "node_config", "shielded_instance_config", "enable_integrity_monitoring"], [])
22+
}
23+
}
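Review bot: The rule only fires on an explicit `enable_integrity_monitoring == false` (line 11), so a `shielded_instance_config` block that omits the field, or a node pool with no such block at all, is treated as compliant; that is the right call only because the google provider defaults this field to `true` (as I recall from its docs), and the reason should be recorded so nobody later "fixes" it into a missing-attribute check — e.g. `# only an explicit false is a finding: the provider defaults enable_integrity_monitoring to true`. For `google_container_cluster` the `node_config` block describes only the default node pool, so a cluster with `remove_default_node_pool = true` and compliant `google_container_node_pool` resources can be reported on a block that never takes effect; worth checking how the existing shielded-node queries in this repo handle that case. The `keyActualValue` at line 20, "is not defined to 'true'", also understates what was matched — the condition is specifically `== false`, so `"'node_config.shielded_instance_config.enable_integrity_monitoring' is set to 'false'"` describes the actual finding.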
