Hi
I'm using the following code in pipeline:
- step:
    name: 'Iac scan'
    script:
      - pipe: atlassian/bitbucket-iac-scan:0.2.0
        variables:
          FILES_TO_SCAN_PATH: 'template.yaml'
          SCAN_EXTRA_ARGS:
            - "--fail-on"
            - "high"
          # CONFIG_PATH: '<string>' # Optional.
          CREATE_REPORT: "true" # Optional. Default: `false`
          # DEBUG: "<boolean>" # Optional. Default: `false`
but the step never fails even if a high result is found:
Results Summary:
HIGH: 1
?
Hi @sudhakar
Thanks for your question!
Try to pass the next extra args instead:
SCAN_EXTRA_ARGS:
  - "--fail-on=high"
Best regards,
Oleksandr Kyrdan
Thank you.
I tried what you recommended. However the pipe still succeeds:
- step:
    name: 'KICS Pipe'
    script:
      - pipe: atlassian/bitbucket-iac-scan:0.2.0
        variables:
          FILES_TO_SCAN_PATH: '.'
          SCAN_EXTRA_ARGS:
            - "--fail-on=high"
From the log:
-env=FILES_TO_SCAN_PATH="." \
--env=SCAN_EXTRA_ARGS_0="--fail-on=high" \
--env=SCAN_EXTRA_ARGS_COUNT="1" \
--add-host="host.docker.internal:$BITBUCKET_DOCKER_HOST_INTERNAL" \
bitbucketpipelines/bitbucket-iac-scan:0.2.0
WARNING: Kics scan result status code: 50,
✔ Pipe has finished successfully.
Scanning with Keeping Infrastructure as Code Secure v1.7.13
Passwords And Secrets - Generic Secret, Severity: HIGH, Results: 1
Description: Query to find passwords and secrets in infrastructure code.
Platform: Common
Learn more about this vulnerability: [1]: template.yaml:97
096: Variables:
097: MY_SECRET_KEY: <SECRET-MASKED-ON-PURPOSE>
098: AWS_ACCESS_KEY_ID: "12345678901234567890"
Results Summary:
HIGH: 1
MEDIUM: 0
LOW: 0
INFO: 0
TOTAL: 1
A new version 'v2.0.0' of KICS is available, please consider updating
Hi @sudhakar
The new version of the pipe with FAIL_ON support was released:
Scan the sources and pipe should fail if the KICS scanner's result status code is more than or equal to provided threshold value
script:
  - pipe: atlassian/bitbucket-iac-scan:0.4.0
    variables:
      FILES_TO_SCAN_PATH: ./my_files_to_scan_dir
      FAIL_ON: 40
Best regards,
Oleksandr Kyrdan
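The thread shows two sides of the same gate: with pipe 0.2.0 the scanner's exit code 50 is only printed as a warning and the step passes, and with 0.4.0 a FAIL_ON threshold compared against that exit code makes the step fail. The script below is an added example, not code from the pipe or from KICS, that reproduces that threshold rule so it can be applied in a plain script step around a direct kics run, or checked by hand against a log. It assumes the KICS exit-code convention (0 no results, 20 INFO, 30 LOW, 40 MEDIUM, 50 HIGH) and parses a constructed "Results Summary" block modelled on the one posted above; the function names are the example's own.

```shell
#!/bin/sh
# Added example (not the bitbucket-iac-scan pipe's own code): reproduce the
# FAIL_ON threshold gate so a script step can fail the build on the KICS
# exit code, or on the Results Summary when a wrapper swallows that code.
#
# KICS exit codes assumed here: 0 no results, 20 INFO, 30 LOW, 40 MEDIUM,
# 50 HIGH. Anything higher (engine error, timeout) exceeds every threshold
# and therefore also fails the build, which is the safe default.
set -u

# Map a KICS exit code to the severity it stands for.
severity_for_code() {
    case "$1" in
        0)  echo NONE ;;
        20) echo INFO ;;
        30) echo LOW ;;
        40) echo MEDIUM ;;
        50) echo HIGH ;;
        *)  echo ERROR ;;
    esac
}

# Map a severity name back to its KICS exit code.
code_for_severity() {
    case "$1" in
        HIGH)   echo 50 ;;
        MEDIUM) echo 40 ;;
        LOW)    echo 30 ;;
        INFO)   echo 20 ;;
        *)      echo 0 ;;
    esac
}

# should_fail CODE THRESHOLD: succeed (exit 0) when the build must fail,
# i.e. when CODE >= THRESHOLD, which is the FAIL_ON rule quoted in the thread.
should_fail() {
    [ "$1" -ge "$2" ]
}

# Read a KICS "Results Summary" block on stdin and print the exit code of the
# most severe category with a non-zero count. This recovers the gate input
# when the real exit code is only echoed as a warning (pipe 0.2.0 behaviour).
highest_severity_code_from_summary() {
    highest=0
    while IFS= read -r line; do
        case "$line" in
            HIGH:*|MEDIUM:*|LOW:*|INFO:*)
                name=${line%%:*}
                count=$(printf '%s' "${line#*:}" | tr -d ' ')
                code=$(code_for_severity "$name")
                if [ "$count" -gt 0 ] && [ "$code" -gt "$highest" ]; then
                    highest=$code
                fi
                ;;
        esac
    done
    echo "$highest"
}

# Constructed sample log, modelled on the summary posted in the thread.
SAMPLE_SUMMARY='Results Summary:
HIGH: 1
MEDIUM: 0
LOW: 0
INFO: 0
TOTAL: 1'

# gate_sample THRESHOLD: apply the gate to the constructed summary.
# Exit 0 when the build must fail, 1 when it may pass.
gate_sample() {
    code=$(printf '%s\n' "$SAMPLE_SUMMARY" | highest_severity_code_from_summary)
    should_fail "$code" "$1"
}

# Stand-alone usage (sh gate.sh --run): FAIL_ON defaults to 40 as in the
# 0.4.0 example, so the sample summary (HIGH: 1 -> code 50) fails the step.
if [ "${1:-}" = "--run" ]; then
    THRESHOLD=${FAIL_ON:-40}
    if gate_sample "$THRESHOLD"; then
        echo "IaC findings at or above threshold $THRESHOLD; failing the step" >&2
        exit 1
    fi
    echo "IaC findings below threshold $THRESHOLD"
fi
```

In a real step you would replace the constructed summary with the scanner's actual exit code (`kics scan ...; should_fail $? "$FAIL_ON"`), which is exactly what the FAIL_ON variable does for you in pipe 0.4.0; the summary parser is only a fallback for wrappers that hide that code.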