
feat(lab6): Checkov + KICS comparison across Terraform/Ansible/Pulumi + custom policy#1167

Open
Meliman1000-7 wants to merge 18 commits into
inno-devops-labs:mainfrom
Meliman1000-7:feature/lab6

Conversation

@Meliman1000-7


Goal

Compare IaC security scanning tools (Checkov, KICS) across three IaC formats — Terraform, Ansible, Pulumi — analyze severity/rule-frequency breakdowns, evaluate tool-selection tradeoffs, and write a custom Checkov policy to catch an organization-specific misconfiguration.

Changes

  • labs/lab6/policies/my-custom-policy.yaml — custom Checkov graph check (CKV2_CUSTOM_1) enforcing iam_database_authentication_enabled = true on aws_db_instance resources
  • submissions/lab6.md — full writeup: Task 1 (Checkov on Terraform + Pulumi), Task 2 (KICS on Ansible + Pulumi, tool comparison), Bonus (custom policy)

Testing

Task 1 — Checkov on Terraform

checkov -d labs/lab6/vulnerable-iac/terraform --output cli --output json --output-file-path labs/lab6/results/checkov-terraform/

49 passed, 78 failed, 0 skipped

jq '[.[0].results.failed_checks[].check_id] | group_by(.) | map({rule: .[0], count: length}) | sort_by(-.count) | .[:5]' labs/lab6/results/checkov-terraform/results_json.json

top rule: CKV_AWS_289 / CKV_AWS_355 (IAM wildcard actions/resources), 4 hits each

Task 1 — Checkov on Pulumi (only secrets framework fires; no native Pulumi support)

checkov -d labs/lab6/vulnerable-iac/pulumi --output cli --output json --output-file-path labs/lab6/results/checkov-pulumi/

1 failed (hardcoded apiKey, CKV_SECRET_6)

Task 2 — KICS on Ansible

docker run --rm -v "$(pwd)/labs/lab6:/path" checkmarx/kics:latest scan -p /path/vulnerable-iac/ansible/ -o /path/results/kics-ansible/ --report-formats json,sarif

CRITICAL:0 HIGH:9 MEDIUM:0 LOW:1 INFO:0 TOTAL:10

Task 2 — KICS on Pulumi

docker run --rm -v "$(pwd)/labs/lab6:/path" checkmarx/kics:latest scan -p /path/vulnerable-iac/pulumi/ -o /path/results/kics-pulumi/ --report-formats json,sarif

CRITICAL:1 HIGH:2 MEDIUM:1 LOW:0 INFO:2 TOTAL:6

Bonus — custom Checkov policy

checkov -d labs/lab6/vulnerable-iac/terraform --external-checks-dir labs/lab6/policies --output cli --output json --output-file-path labs/lab6/results/checkov-custom/

jq '.[0].results.failed_checks[] | select(.check_id | startswith("CKV2_CUSTOM_"))' labs/lab6/results/checkov-custom/results_json.json

2 FAILED, severity HIGH: aws_db_instance.unencrypted_db, aws_db_instance.weak_db

Artifacts & Screenshots

Checklist

  • Title is clear (feat(lab6): style)
  • No secrets or large temp files committed
  • Submission file at submissions/lab6.md exists
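The custom graph check the PR describes, written out here as an added example in Checkov's YAML policy schema; this is not the PR's own `labs/lab6/policies/my-custom-policy.yaml`. The id `CKV2_CUSTOM_1`, the target attribute and the HIGH severity come from the PR; the `name` and `category` values are my own choices, and the check is widened to `aws_rds_cluster`, which exposes the same attribute.

```yaml
# Added example: Checkov custom policy requiring IAM database authentication
# on RDS resources. Load it with: checkov --external-checks-dir <policy dir>
metadata:
  id: "CKV2_CUSTOM_1"                      # id used in the PR
  name: "Ensure RDS resources enforce IAM database authentication"  # assumed name
  category: "IAM"                          # assumed category
  severity: "HIGH"                         # severity reported in the PR
definition:
  cond_type: "attribute"
  resource_types:
    - "aws_db_instance"                    # the PR's target resource
    - "aws_rds_cluster"                    # extension: same attribute on clusters
  attribute: "iam_database_authentication_enabled"
  operator: "equals"
  value: "true"
  # A resource that omits the attribute entirely (AWS default: disabled) also
  # fails, because "equals" does not match an absent value; that is the
  # intended behaviour here, since the default is the misconfiguration.
```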

Meliman1000-7 and others added 18 commits June 11, 2026 17:16
feat(lab1): juice shop deploy + PR template + triage report
feat(lab2): Threagile threat model + secure variant + auth flow bonus
feat(lab3): SSH commit signing + gitleaks pre-commit + history rewrite
feat(lab4): SBOM generation + SCA with Syft/Grype + Trivy comparison + sign-ready attestation
feat(lab5): ZAP baseline + authenticated DAST + Semgrep SAST + SQL injection correlation
