feat(lab6): Checkov + KICS scans + custom policy#1171

Open
Troshkins wants to merge 12 commits into inno-devops-labs:main from Troshkins:feature/lab6

Conversation

@Troshkins


Goal

Deliver Lab 6 IaC security analysis: Checkov scan of vulnerable Terraform, KICS scans of Ansible and Pulumi, plus a custom Checkov policy.

Changes

  • Added submissions/lab6.md with Checkov and KICS findings, severity tables, top rules, tool comparison, and remediation analysis.
  • Added labs/lab6/policies/my-custom-policy.yaml.
  • Custom policy CKV2_CUSTOM_1 requires taggable AWS resources to define an Environment tag.
  • Scanner output directories were intentionally not committed because they are reproducible artifacts.

Testing

  • Ran Checkov 3.3.1 against Terraform:

    checkov -d labs/lab6/vulnerable-iac/terraform \
      --output cli --output json \
      --output-file-path labs/lab6/results/checkov-terraform/

    Observed: 49 passed, 78 failed, 0 parsing errors across 16 resources.

  • Ran KICS 2.1.20 against Ansible:

    docker run --rm \
      -v "$(pwd)/labs/lab6:/path" \
      checkmarx/kics:latest \
      scan -p /path/vulnerable-iac/ansible/ \
           -o /path/results/kics-ansible/ \
           --report-formats json,sarif

    Observed: 10 findings — 9 HIGH and 1 LOW.

  • Ran KICS 2.1.20 against Pulumi:

    docker run --rm \
      -v "$(pwd)/labs/lab6:/path" \
      checkmarx/kics:latest \
      scan -p /path/vulnerable-iac/pulumi/ \
           -o /path/results/kics-pulumi/ \
           --report-formats json,sarif

    Observed: 6 findings — 1 CRITICAL, 2 HIGH, 1 MEDIUM, and 2 INFO.

  • Verified the custom Checkov policy:

    checkov -d labs/lab6/vulnerable-iac/terraform \
      --external-checks-dir labs/lab6/policies \
      --output cli --output json \
      --output-file-path labs/lab6/results/checkov-custom/

    CKV2_CUSTOM_1 fired on 12 AWS resources missing the Environment tag.

Artifacts & Screenshots

  • Submission report: submissions/lab6.md
  • Custom policy: labs/lab6/policies/my-custom-policy.yaml
  • Scan reports were generated locally under labs/lab6/results/ and intentionally excluded from Git.

Checklist

  • Title is clear (feat(lab6): Checkov + KICS scans + custom policy)
  • No secrets/large temp files committed
  • Submission file at submissions/lab6.md exists
  • Task 1 — Checkov Terraform scan and analysis completed
  • Task 2 — KICS Ansible and Pulumi scans completed
  • Bonus — Custom Checkov policy created and verified
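The PR does not show the contents of labs/lab6/policies/my-custom-policy.yaml, so the following is an added example of what a Checkov YAML custom policy with the behaviour described above (CKV2_CUSTOM_1 failing taggable AWS resources that lack an Environment tag) looks like; it is not the author's file. The check id and the tag name come from the PR text, while the resource type list, the policy name and the category are assumptions chosen for illustration. Checkov picks it up via the `--external-checks-dir labs/lab6/policies` flag used in the Testing section.

```yaml
# Added example of a Checkov YAML custom policy (not the PR's own file).
# The attribute condition below evaluates "tags.Environment" on each listed
# resource type and reports FAILED when the key is absent.
metadata:
  id: "CKV2_CUSTOM_1"                     # id taken from the PR description
  name: "Ensure taggable AWS resources define an Environment tag"
  category: "CONVENTION"                  # assumed category
definition:
  cond_type: "attribute"
  # Assumed list of taggable resource types; extend it to match the
  # resources actually present in the scanned Terraform.
  resource_types:
    - "aws_instance"
    - "aws_s3_bucket"
    - "aws_security_group"
    - "aws_db_instance"
    - "aws_lambda_function"
  attribute: "tags.Environment"           # nested attribute, dot notation
  operator: "exists"                      # fail when the tag key is missing
```

Resources outside `resource_types` are ignored by this check, so a resource count in the scan output that differs from the number of failures (the PR reports 12 failures across 16 resources) is expected rather than a sign the policy is broken; a `tags` block with a different casing such as `environment` also fails, which is usually the intent of a tagging convention check.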
