KICS v1.5.10 scans .git/ folder by default #5465

Closed
Timost opened this issue Jun 9, 2022 · 3 comments · Fixed by #5470
Labels
bug Something isn't working community Community contribution

Comments

Timost commented Jun 9, 2022

Hi,
First of all, thank you for KICS 🙏!

I'm using kics:latest in gitlab CI/CD pipelines and since yesterday my pipelines are failing with high severity alerts.
The alerts are raised because KICS detects a password (a CI/CD git token) in the .git/config file.

I think this is a new behaviour that wasn't present in previous releases.

Expected Behavior

I would expect KICS to ignore the .git folder

Actual Behavior

.git folder gets scanned

Sample logs (redacted):

------------------------------------
Passwords And Secrets - Password in URL, Severity: HIGH, Results: 1
Description: Query to find passwords and secrets in infrastructure code.
Platform: Common
	[1]: .git/config:11
		010: [remote "origin"]
		011: 	url = https://gitlab-ci-token:[MASKED]@gitlab.com/<redacted>
		012: 	fetch = +refs/heads/*:refs/remotes/origin/*
Passwords And Secrets - Generic Token, Severity: HIGH, Results: 1
Description: Query to find passwords and secrets in infrastructure code.
Platform: Common
	[1]: .git/config:11
		010: [remote "origin"]
		011: 	url = https://gitlab-ci-token:[MASKED]@gitlab.com/<redacted>
		012: 	fetch = +refs/heads/*:refs/remotes/origin/*

Steps to Reproduce the Problem

  1. kics scan -p . at the root of a git repository

Workaround

I'm using kics scan --exclude-paths ".git/*" -p . for now

Specifications

  • Version: v1.5.10
  • Platform: Docker (kics:latest)
@Timost Timost added bug Something isn't working community Community contribution labels Jun 9, 2022
@kaplanlior (Contributor) commented

Thanks @Timost for reporting and sharing your workaround.

We'll check if it's related to #5419, and update here.

@rafaela-soares (Contributor) commented

Hi, @Timost!

Thank you so much for using KICS! ❤ And for noticing and reporting this bug! 🚀

By default, KICS was analyzing the .git folder in the previous versions. However, KICS was only looking for IaC files. You can find a discussion about it here.

Unfortunately, this PR introduced a bug in version 1.5.10. Briefly, we improved how KICS identifies Dockerfiles by considering any possible text file as a Dockerfile and then verifying whether it is actually a Dockerfile (by its FROM and RUN commands). However, KICS was not discarding the possible Dockerfiles when they were not actually Dockerfiles.

My apologies for the bug. We are already taking care of it in PR #5470.

Once again, thank you so much!
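The candidate-then-verify logic described in the comment above, written out as an added example. This is not KICS's own code (the real implementation lives in the project's Go source); the function names, the in-memory sample tree and the password-in-URL regex are assumptions made here to show the failure mode. The FROM/RUN content check follows the maintainer's description; `selectForScan` can run either as v1.5.10 behaved (candidates that fail the check are never dropped, so `.git/config` reaches the secrets queries) or with the discard step restored.

```go
package main

import (
	"bufio"
	"fmt"
	"regexp"
	"sort"
	"strings"
)

// sampleFiles is a constructed in-memory tree standing in for a CI checkout:
// a real Dockerfile, a README, and the .git/config that the issue's report flags.
var sampleFiles = map[string]string{
	"Dockerfile":  "FROM alpine:3.16\nRUN apk add --no-cache curl\nCMD [\"curl\"]\n",
	"README.md":   "# project\nRun `docker build .`\n",
	".git/config": "[core]\n\trepositoryformatversion = 0\n[remote \"origin\"]\n\turl = https://gitlab-ci-token:REDACTED@gitlab.com/group/project.git\n\tfetch = +refs/heads/*:refs/remotes/origin/*\n",
}

// looksLikeDockerfile is the verification step from the comment: a text file
// counts as a Dockerfile only if it carries both a FROM and a RUN instruction.
func looksLikeDockerfile(content string) bool {
	hasFrom, hasRun := false, false
	sc := bufio.NewScanner(strings.NewReader(content))
	for sc.Scan() {
		fields := strings.Fields(sc.Text())
		if len(fields) == 0 || strings.HasPrefix(fields[0], "#") {
			continue
		}
		switch strings.ToUpper(fields[0]) {
		case "FROM":
			hasFrom = true
		case "RUN":
			hasRun = true
		}
	}
	return hasFrom && hasRun
}

// selectForScan returns the paths handed on to the queries. Every text file is
// first treated as a possible Dockerfile; with discardNonDockerfiles=false the
// candidates that fail the check are kept anyway (the v1.5.10 bug), with true
// they are dropped again (the fix).
func selectForScan(files map[string]string, discardNonDockerfiles bool) []string {
	var selected []string
	for path, content := range files {
		if looksLikeDockerfile(content) || !discardNonDockerfiles {
			selected = append(selected, path)
		}
	}
	sort.Strings(selected)
	return selected
}

// urlCredential is a hypothetical stand-in for the "Password in URL" query:
// scheme://user:secret@host.
var urlCredential = regexp.MustCompile(`(?i)[a-z][a-z0-9+.-]*://[^\s/:@]+:[^\s/@]+@`)

// Finding mirrors the report's "path:line" form.
type Finding struct {
	Path string
	Line int
}

// scanForURLCredentials runs the password-in-URL check over the selected paths.
func scanForURLCredentials(files map[string]string, paths []string) []Finding {
	var out []Finding
	for _, p := range paths {
		for i, line := range strings.Split(files[p], "\n") {
			if urlCredential.MatchString(line) {
				out = append(out, Finding{Path: p, Line: i + 1})
			}
		}
	}
	return out
}

func main() {
	for _, discard := range []bool{false, true} {
		paths := selectForScan(sampleFiles, discard)
		fmt.Printf("discard non-Dockerfiles=%v -> scanned %v, findings %v\n",
			discard, paths, scanForURLCredentials(sampleFiles, paths))
	}
}
```

Without the discard step every text file, including `.git/config`, is scanned and the CI token URL is reported; with it only `Dockerfile` survives selection and the finding disappears, which is what `--exclude-paths ".git/*"` achieves by hand in the workaround above.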

Timost (Author) commented Jun 13, 2022

Hi @rafaela-soares,

Thank you for the explanation, and the quick response! 👍
I'll be watching the next release !
It's my pleasure using KICS, thank you for making and maintaining it! 🙏
