Bitbucket Infrastructure as Code Security Scan : how to fail on high

sudhakar
April 18, 2024

Hi,
I'm using the following code in my pipeline:

- step:
    name: 'Iac scan'
    script:
      - pipe: atlassian/bitbucket-iac-scan:0.2.0
        variables:
          FILES_TO_SCAN_PATH: 'template.yaml'
          SCAN_EXTRA_ARGS:
            - "--fail-on"
            - "high"
          # CONFIG_PATH: '<string>' # Optional.
          CREATE_REPORT: "true" # Optional. Default: `false`
          # DEBUG: "<boolean>" # Optional. Default: `false`

but the step never fails even if a high result is found:

Results Summary:
HIGH: 1

?

Oleksandr Kyrdan
Atlassian Team
April 19, 2024

Hi @sudhakar 

Thanks for your question!

Try passing the following extra args instead:

SCAN_EXTRA_ARGS:
  - "--fail-on=high"

Best regards,
Oleksandr Kyrdan

sudhakar
April 21, 2024

Thank you.

I tried what you recommended. However, the pipe still succeeds:

- step:
    name: 'KICS Pipe'
    script:
      - pipe: atlassian/bitbucket-iac-scan:0.2.0
        variables:
          FILES_TO_SCAN_PATH: '.'
          SCAN_EXTRA_ARGS:
            - "--fail-on=high"

From the log:

-env=FILES_TO_SCAN_PATH="." \
--env=SCAN_EXTRA_ARGS_0="--fail-on=high" \
--env=SCAN_EXTRA_ARGS_COUNT="1" \
--add-host="host.docker.internal:$BITBUCKET_DOCKER_HOST_INTERNAL" \
bitbucketpipelines/bitbucket-iac-scan:0.2.0

WARNING: Kics scan result status code: 50,
✔ Pipe has finished successfully.

Scanning with Keeping Infrastructure as Code Secure v1.7.13

Passwords And Secrets - Generic Secret, Severity: HIGH, Results: 1
Description: Query to find passwords and secrets in infrastructure code.
Platform: Common
Learn more about this vulnerability: [1]: template.yaml:97

096: Variables:
097: MY_SECRET_KEY: <SECRET-MASKED-ON-PURPOSE>
098: AWS_ACCESS_KEY_ID: "12345678901234567890"

Results Summary:
HIGH: 1
MEDIUM: 0
LOW: 0
INFO: 0
TOTAL: 1

A new version 'v2.0.0' of KICS is available, please consider updating

Regards
Oleksandr Kyrdan
Atlassian Team
June 10, 2024

Hi @sudhakar

The new version of the pipe with FAIL_ON support has been released:

Scan the sources; the pipe should fail if the KICS scanner's result status code is greater than or equal to the provided threshold value.

script:
  - pipe: atlassian/bitbucket-iac-scan:0.4.0
    variables:
      FILES_TO_SCAN_PATH: ./my_files_to_scan_dir
      FAIL_ON: 40


Best regards,
Oleksandr Kyrdan
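To make the FAIL_ON rule in this answer concrete, here is an added example that re-implements the same decision over a KICS results file. It is not code from the thread or from the bitbucket-iac-scan pipe. It assumes the KICS results JSON layout (`severity_counters`, and `queries[]` entries with `query_name`, `severity` and `files[]` carrying `file_name` and `line`) and KICS's documented exit codes (50 HIGH, 40 MEDIUM, 30 LOW, 20 INFO, 0 when nothing is found; 60 CRITICAL in KICS 2.x). The sample results are constructed to mirror the single HIGH hit at template.yaml:97 in the log above, and the treatment of an unset or zero FAIL_ON as "never fail" is an assumption, not documented pipe behaviour.

```python
"""Re-implement the pipe's FAIL_ON decision over a KICS results file.

Added example, not the pipe's own code. Assumes the KICS results JSON
layout (severity_counters, queries[].query_name / severity / files[]
file_name / line) and KICS's exit codes: 50 HIGH, 40 MEDIUM, 30 LOW,
20 INFO, 0 when nothing is found (60 CRITICAL in KICS 2.x).
"""
import json
import sys

# KICS exits with the code of the worst severity that has at least one hit.
SEVERITY_TO_CODE = {
    "CRITICAL": 60,  # KICS 2.x only
    "HIGH": 50,
    "MEDIUM": 40,
    "LOW": 30,
    "INFO": 20,
    "TRACE": 0,
}

# Constructed sample mirroring the log in the thread: one HIGH hit in template.yaml:97.
SAMPLE_RESULTS = {
    "kics_version": "v1.7.13",
    "severity_counters": {"HIGH": 1, "MEDIUM": 0, "LOW": 0, "INFO": 0},
    "total_counter": 1,
    "queries": [
        {
            "query_name": "Passwords And Secrets - Generic Secret",
            "severity": "HIGH",
            "platform": "Common",
            "files": [{"file_name": "template.yaml", "line": 97}],
        }
    ],
}


def status_code(results):
    """Exit code KICS reports for these results: that of the worst non-empty severity."""
    worst = 0
    for severity, count in results.get("severity_counters", {}).items():
        code = SEVERITY_TO_CODE.get(severity.upper(), 0)
        if count and code > worst:
            worst = code
    return worst


def should_fail(results, fail_on):
    """Pipe rule from the answer: fail when the KICS status code is >= FAIL_ON.

    FAIL_ON unset or 0 is treated as 'never fail' here (assumption), since
    0 >= 0 would otherwise fail a scan that found nothing.
    """
    if not fail_on:
        return False
    return status_code(results) >= int(fail_on)


def findings_at_or_above(results, fail_on):
    """(query_name, severity, file, line) for every hit that meets the threshold."""
    hits = []
    for query in results.get("queries", []):
        if SEVERITY_TO_CODE.get(query["severity"].upper(), 0) < int(fail_on):
            continue
        for f in query.get("files", []):
            hits.append((query["query_name"], query["severity"], f["file_name"], f["line"]))
    return hits


def main(argv):
    # Usage: fail_on.py [results.json] [FAIL_ON]; defaults to the sample and 40.
    results = SAMPLE_RESULTS if len(argv) < 2 else json.load(open(argv[1]))
    fail_on = int(argv[2]) if len(argv) > 2 else 40
    for name, sev, path, line in findings_at_or_above(results, fail_on):
        print(f"{sev}: {name} at {path}:{line}")
    code = status_code(results)
    print(f"KICS status code {code}, FAIL_ON={fail_on}")
    # Surface the verdict as the process exit status so a step cannot pass silently,
    # which is what the 0.2.0 log above shows ("status code: 50" then "finished successfully").
    return code if should_fail(results, fail_on) else 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Note that the threshold is compared against the status code, not a severity name: the `FAIL_ON: 40` in the answer fails the step on MEDIUM and above, so use `50` to fail only on HIGH (and CRITICAL on KICS 2.x).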
