Hi
I'm using the following code in my pipeline:
```yaml
- step:
    name: 'Iac scan'
    script:
      - pipe: atlassian/bitbucket-iac-scan:0.2.0
        variables:
          FILES_TO_SCAN_PATH: 'template.yaml'
          SCAN_EXTRA_ARGS:
            - "--fail-on"
            - "high"
          # CONFIG_PATH: '<string>' # Optional.
          CREATE_REPORT: "true" # Optional. Default: `false`
          # DEBUG: "<boolean>" # Optional. Default: `false`
```
but the step never fails even if a high result is found:
```text
Results Summary:
HIGH: 1
```
?
Hi @sudhakar
Thanks for your question!
Try to pass the next extra args instead:
```yaml
SCAN_EXTRA_ARGS:
  - "--fail-on=high"
```
Best regards,
Oleksandr Kyrdan
Thank you.
I tried what you recommended. However, the pipe still succeeds:
```yaml
- step:
    name: 'KICS Pipe'
    script:
      - pipe: atlassian/bitbucket-iac-scan:0.2.0
        variables:
          FILES_TO_SCAN_PATH: '.'
          SCAN_EXTRA_ARGS:
            - "--fail-on=high"
```
From the log:
```text
-env=FILES_TO_SCAN_PATH="." \
--env=SCAN_EXTRA_ARGS_0="--fail-on=high" \
--env=SCAN_EXTRA_ARGS_COUNT="1" \
--add-host="host.docker.internal:$BITBUCKET_DOCKER_HOST_INTERNAL" \
bitbucketpipelines/bitbucket-iac-scan:0.2.0
WARNING: Kics scan result status code: 50,
✔ Pipe has finished successfully.
Scanning with Keeping Infrastructure as Code Secure v1.7.13
Passwords And Secrets - Generic Secret, Severity: HIGH, Results: 1
Description: Query to find passwords and secrets in infrastructure code.
Platform: Common
Learn more about this vulnerability: [1]: template.yaml:97
096: Variables:
097: MY_SECRET_KEY: <SECRET-MASKED-ON-PURPOSE>
098: AWS_ACCESS_KEY_ID: "12345678901234567890"
Results Summary:
HIGH: 1
MEDIUM: 0
LOW: 0
INFO: 0
TOTAL: 1
A new version 'v2.0.0' of KICS is available, please consider updating
```
Hi @sudhakar
The new version of the pipe with FAIL_ON support was released:
Scan the sources, and the pipe should fail if the KICS scanner's result status code is greater than or equal to the provided threshold value:
```yaml
script:
  - pipe: atlassian/bitbucket-iac-scan:0.4.0
    variables:
      FILES_TO_SCAN_PATH: ./my_files_to_scan_dir
      FAIL_ON: 40
```
Best regards,
Oleksandr Kyrdan
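As an added example (not code from the pipe, from KICS, or from anyone in this thread), the following shell check reproduces the threshold behaviour described for FAIL_ON from the "Results Summary" block of a scan log, which is a way to fail a later script step when the pipe version in use only warns. It assumes KICS uses 40, 30 and 20 for MEDIUM, LOW and INFO; only the 50 = HIGH code appears in the log above, and the sample log is constructed.

```shell
#!/bin/sh
# Added example: derive a KICS-style status code from the "Results Summary"
# block of a scan log and compare it with a FAIL_ON-style threshold.
# 50 = HIGH is taken from the log in the thread; 40/30/20 for
# MEDIUM/LOW/INFO are assumed, not confirmed by the page.

# Constructed sample log, modelled on the summary printed in the thread.
SAMPLE_LOG='Results Summary:
HIGH: 1
MEDIUM: 0
LOW: 0
INFO: 0
TOTAL: 1'

# Print the count for one severity label (first match only);
# prints 0 when the label is absent from the log.
count_for() {
  # $1 = log text, $2 = severity label (HIGH, MEDIUM, LOW, INFO)
  printf '%s\n' "$1" | awk -v key="$2:" \
    '$1 == key && !found { print $2; found = 1 } END { if (!found) print 0 }'
}

# Map the highest severity with a non-zero count to its status code.
status_code_for() {
  if   [ "$(count_for "$1" HIGH)"   -gt 0 ]; then echo 50
  elif [ "$(count_for "$1" MEDIUM)" -gt 0 ]; then echo 40
  elif [ "$(count_for "$1" LOW)"    -gt 0 ]; then echo 30
  elif [ "$(count_for "$1" INFO)"   -gt 0 ]; then echo 20
  else echo 0
  fi
}

# Return non-zero (fail the step) when the status code reaches the
# threshold, mirroring what FAIL_ON is described to do in pipe 0.4.0.
fail_on_threshold() {
  # $1 = status code, $2 = threshold
  if [ "$1" -ge "$2" ]; then return 1; fi
  return 0
}

# Usage: check the sample log against a threshold of 40 (MEDIUM and above).
CODE=$(status_code_for "$SAMPLE_LOG")
if fail_on_threshold "$CODE" 40; then
  echo "KICS status $CODE is below the threshold; step continues"
else
  echo "KICS status $CODE reached the threshold; failing the step" >&2
fi
```

In a real pipeline the log text would come from the pipe's output rather than the embedded sample, and the final branch would `exit 1`.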