Open jonathannaguin opened 6 months ago
Are there any plans on getting this resolved? This is blocking us from using a more recent version of Kics.
Any fix for this issue?
Hi @jonathannaguin @Sudarshan-TN ,
Thanks for your inputs! We asked our internal AppSec team to provide you feedback on this. We will keep you updated asap.
(APPSEC-2729)
A recent change in Kics https://github.com/Checkmarx/kics/commit/8ac0687178361a1655245f6c9cafcdcb4360ed5c introduced a check for DefaultRouteSettings on AWS::ApiGatewayV2::Stage. This check expects a value on Properties.DefaultRouteSettings.LoggingLevel, which is a field that can be ONLY set for non-HTTP API Gateways. If we try to set it, then CloudFormation fails with an error:
I believe the presence of Properties.DefaultRouteSettings.LoggingLevel is actually optional, we can enable logging by simply specifying AccessLogSettings.
Expected Behavior
HTTP API gateways with logging enabled should pass the Kics validation.
Actual Behavior
Kics requires a setting to be added on the CloudFormation template that is only compatible with WebSocket API Gateways.
Steps to Reproduce the Problem
The test on https://github.com/Checkmarx/kics/blob/master/assets/queries/cloudFormation/aws/api_gateway_access_logging_disabled/test/negative1.yaml will only work for Web Sockets API Gateways.
Specifications
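The rule behaviour this report asks for, sketched as an added example (it is not KICS's query code and not code from the issue). It assumes the Stage points at its Api with a Ref in the same template, that the Api's ProtocolType decides whether LoggingLevel applies, and that WebSocket stages are still expected to set it; the resource names, the ARN and the template are constructed.

```python
# Added illustration, not KICS code. Templates are plain dicts, as a YAML
# loader would produce them from a CloudFormation file.
LOG_ARN = "arn:aws:logs:us-east-1:111122223333:log-group:example"  # constructed

def api_protocol(resources, stage_props):
    """Resolve the Stage's ApiId ({"Ref": name}) to the Api's ProtocolType."""
    api_id = stage_props.get("ApiId")
    name = api_id.get("Ref") if isinstance(api_id, dict) else None
    api = resources.get(name, {})
    if api.get("Type") != "AWS::ApiGatewayV2::Api":
        return None  # literal id, parameter or import: protocol unknown
    return api.get("Properties", {}).get("ProtocolType")

def logging_findings(template):
    """Return (resource name, message) pairs for stages without logging."""
    resources = template.get("Resources", {})
    findings = []
    for name, res in resources.items():
        if res.get("Type") != "AWS::ApiGatewayV2::Stage":
            continue
        props = res.get("Properties", {})
        access = props.get("AccessLogSettings") or {}
        if not access.get("DestinationArn"):
            findings.append((name, "AccessLogSettings.DestinationArn is not set"))
        # LoggingLevel is only demanded where it can be set: WebSocket APIs.
        # HTTP stages and stages of unknown protocol are judged on access logs.
        if api_protocol(resources, props) == "WEBSOCKET":
            level = (props.get("DefaultRouteSettings") or {}).get("LoggingLevel")
            if level in (None, "OFF"):
                findings.append((name, "DefaultRouteSettings.LoggingLevel is missing or OFF"))
    return findings

def stage(api, **extra):
    """Build a constructed Stage resource that references `api`."""
    props = {"ApiId": {"Ref": api}, "StageName": "prod", **extra}
    return {"Type": "AWS::ApiGatewayV2::Stage", "Properties": props}

ACCESS = {"DestinationArn": LOG_ARN, "Format": "$context.requestId"}
SAMPLE = {"Resources": {  # constructed template
    "HttpApi": {"Type": "AWS::ApiGatewayV2::Api", "Properties": {"ProtocolType": "HTTP"}},
    "WsApi": {"Type": "AWS::ApiGatewayV2::Api", "Properties": {"ProtocolType": "WEBSOCKET"}},
    "HttpStage": stage("HttpApi", AccessLogSettings=ACCESS),  # should pass
    "HttpStageNoLogs": stage("HttpApi"),                      # no access logs
    "WsStage": stage("WsApi", AccessLogSettings=ACCESS),      # no LoggingLevel
}}

if __name__ == "__main__":
    for finding in logging_findings(SAMPLE):
        print(finding)
```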