Open kaplanlior opened 1 year ago
@kaplanlior, since checkmarx is a direct competitor to Qwiet.AI (ShiftLeft) it is very hard to get this project into this org. However, I understand the need for better IaC scanning so will look into some options such as moving sast-scan back to the AppThreat org (doable) or creating a separate IaC meta tool (time consuming)
As KICS is 100% open source, I don't see a reason not to use it, same as GitLab did: https://docs.gitlab.com/ee/user/application_security/iac_scanning/#supported-languages-and-frameworks
Thanks for the fast response
@kaplanlior Will definitely look into this.
@kaplanlior My proposal is to create a new mirror of sast-scan into the AppThreat org. It will be uncreatively called scan. I will add some enhancements such as integrating kics and upgrading versions of python, go etc. to keep the project going a bit more. WDYT?
Long term, however, this approach to merely invoking various tools has to change. With rosa, I am experimenting to make the analysis "Risk-oriented" which means lots of traditional findings would get triaged out and de-prioritized. Perhaps the data from kics might help but not sure.
Good luck with the proposed changes. I support anything that would allow you to integrate KICS for IaC Security.
Regarding rosa, sounds interesting. If you want to collaborate around KICS, I'm open to that.
KICS is an IaC security tool, which supports many platforms.
https://github.com/checkmarx/kics