I'm using kics:latest in gitlab CI/CD pipelines and since yesterday my pipelines are failing with high severity alerts.
The alerts are raised because KICS detects a password (a CI/CD git token) in the .git/config file.
I think this is a new behaviour that wasn't present in previous releases.
Expected Behavior
I would expect KICS to ignore the .git folder
Actual Behavior
.git folder gets scanned
Sample logs (redacted):
------------------------------------
Passwords And Secrets - Password in URL, Severity: HIGH, Results: 1
Description: Query to find passwords and secrets in infrastructure code.
Platform: Common
[1]: .git/config:11
010: [remote "origin"]
011: url = https://gitlab-ci-token:[MASKED]@gitlab.com/<redacted>
012: fetch = +refs/heads/*:refs/remotes/origin/*
Passwords And Secrets - Generic Token, Severity: HIGH, Results: 1
Description: Query to find passwords and secrets in infrastructure code.
Platform: Common
[1]: .git/config:11
010: [remote "origin"]
011: url = https://gitlab-ci-token:[MASKED]@gitlab.com/<redacted>
012: fetch = +refs/heads/*:refs/remotes/origin/*
Steps to Reproduce the Problem
kics scan -p . at the root of a git repository
Workaround
I'm using kics scan --exclude-paths ".git/*" -p . for now
Specifications
Version: v1.5.10
Platform: Docker (kics:latest)
Thank you so much for using KICS! And for noticing and reporting this bug!
By default, KICS was analyzing the .git folder in the previous versions. However, KICS was only looking for IaC files. You can find a discussion about it here.
Unfortunately, this PR introduced a bug in version 1.5.10. Briefly, we improved how KICS was identifying Dockerfiles by considering any possible text file as a Dockerfile and afterwards verifying whether it actually is a Dockerfile (by FROM and RUN commands). However, KICS was not discarding the possible Dockerfiles when they were not actually Dockerfiles.
My apologies for the bug. We are already taking care of it in PR #5470.
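To make the mechanism the maintainer describes concrete, here is a small added illustration of the candidate-then-verify logic with and without the discard step. It is not KICS code: the function names, the in-memory sample repository, the tiny file-type table and the "no NUL byte" text heuristic are all hypothetical, and the token in the sample `.git/config` is a placeholder. It shows why a text file such as `.git/config` ends up in front of the secret queries when unverified candidates are kept, and why discarding candidates that fail the FROM/RUN check keeps it out.

```go
package main

import (
	"bufio"
	"fmt"
	"path"
	"sort"
	"strings"
)

// sampleRepo is a constructed in-memory repository (path -> contents); nothing
// here is read from disk. The token value is a placeholder, not a real secret.
var sampleRepo = map[string]string{
	".git/config": "[remote \"origin\"]\n" +
		"\turl = https://gitlab-ci-token:TOKEN_PLACEHOLDER@gitlab.com/group/project.git\n" +
		"\tfetch = +refs/heads/*:refs/remotes/origin/*\n",
	"Dockerfile":          "FROM alpine:3.18\nRUN apk add --no-cache curl\n",
	"build/container.txt": "# a Dockerfile stored under a .txt name\nFROM debian:12\nRUN apt-get update\n",
	"README.txt":          "Run the build with make.\n",
	"main.tf":             "resource \"aws_s3_bucket\" \"b\" {}\n",
}

// isKnownIaC is a deliberately small stand-in for the file-type table a
// scanner keeps (hypothetical; the real table in KICS is much larger).
func isKnownIaC(p string) bool {
	switch path.Ext(p) {
	case ".tf", ".yaml", ".yml", ".json":
		return true
	}
	return path.Base(p) == "Dockerfile"
}

// isTextFile is a simple heuristic: treat content without a NUL byte as text.
func isTextFile(content string) bool {
	return !strings.ContainsRune(content, 0)
}

// looksLikeDockerfile is the verification step described in the thread:
// a candidate counts as a Dockerfile only if it carries both a FROM and a
// RUN instruction (blank lines and comments are ignored).
func looksLikeDockerfile(content string) bool {
	hasFrom, hasRun := false, false
	sc := bufio.NewScanner(strings.NewReader(content))
	for sc.Scan() {
		fields := strings.Fields(sc.Text())
		if len(fields) == 0 || strings.HasPrefix(fields[0], "#") {
			continue
		}
		switch strings.ToUpper(fields[0]) {
		case "FROM":
			hasFrom = true
		case "RUN":
			hasRun = true
		}
	}
	return hasFrom && hasRun
}

// selectFiles returns the sorted list of paths that would be handed to the
// secret-detection queries. With discardFailed=false it mirrors the 1.5.10
// behaviour the maintainer describes: every text file becomes a Dockerfile
// candidate and is kept even when verification fails, so .git/config is
// scanned and its token gets reported. With discardFailed=true a candidate
// survives only if it is known IaC or actually verifies as a Dockerfile.
func selectFiles(repo map[string]string, discardFailed bool) []string {
	var out []string
	for p, content := range repo {
		switch {
		case isKnownIaC(p):
			out = append(out, p)
		case !isTextFile(content):
			// binary content is never a Dockerfile candidate
		case looksLikeDockerfile(content) || !discardFailed:
			out = append(out, p)
		}
	}
	sort.Strings(out)
	return out
}

// contains reports whether list holds s.
func contains(list []string, s string) bool {
	for _, x := range list {
		if x == s {
			return true
		}
	}
	return false
}

func main() {
	fmt.Println("1.5.10 behaviour (candidates kept):  ", selectFiles(sampleRepo, false))
	fmt.Println("failed candidates discarded:         ", selectFiles(sampleRepo, true))
}
```

Without the discard step every text file in the tree, `.git/config` included, reaches the queries; with it, only `Dockerfile`, `build/container.txt` and `main.tf` are scanned, and a `.git` folder that contains only Git metadata produces no secret findings. The `--exclude-paths ".git/*"` workaround from the report removes the folder one step earlier, before candidate selection runs at all.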
Thank you for the explanation, and the quick response!
I'll be watching the next release!
It's my pleasure using KICS, thank you for making and maintaining it!