feat(lab6): Checkov + KICS scans + custom policy#1261

Open
demonit4028 wants to merge 3 commits into
inno-devops-labs:mainfrom
demonit4028:feature/lab6

Conversation

@demonit4028

PR Description:

Goal

Deliver Lab 6 — IaC Security scan reports (Checkov + KICS) plus a custom Checkov policy for S3 encryption.

Changes

  • submissions/lab6.md — Full lab report with Task 1 (Checkov Terraform), Task 2 (KICS Ansible + Pulumi), and Bonus (custom policy)
  • labs/lab6/policies/my-custom-policy.yaml — Custom Checkov policy CKV_CUSTOM_1: S3 buckets must have server-side encryption configured
  • labs/lab6/results/checkov-custom/ — Checkov output with custom policy (78 built-in + 2 custom failures)
  • (Pre-existing) labs/lab6/results/checkov-terraform/, labs/lab6/results/kics-ansible/, labs/lab6/results/kics-pulumi/ — Scanner outputs

Testing

```sh
# Checkov on Terraform (Task 1)
checkov -d labs/lab6/vulnerable-iac/terraform -o json

# KICS on Ansible (Task 2)
docker run --rm -v "$(pwd)/labs/lab6:/path" checkmarx/kics:latest scan -p /path/vulnerable-iac/ansible/

# Checkov with custom policy (Bonus); pipe the JSON report into jq to keep only the custom-check failures
checkov -d labs/lab6/vulnerable-iac/terraform --external-checks-dir labs/lab6/policies -o json \
  | jq '.results.failed_checks[] | select(.check_id | startswith("CKV_CUSTOM"))'
```
Artifacts & Screenshots

- submissions/lab6.md
- labs/lab6/policies/my-custom-policy.yaml

Checklist

- Title follows feat(labN): <topic> format
- No secrets or large temp files committed
- Submission file at submissions/lab6.md exists
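For reference, this is what a Checkov YAML custom policy for the S3 server-side-encryption requirement named in this PR (CKV_CUSTOM_1) can look like; it is an added illustration of the policy format, not the contents of the PR's own labs/lab6/policies/my-custom-policy.yaml. The severity, guideline text and the second (connection) branch are assumptions beyond what the PR description states.

```yaml
# Added example of a Checkov YAML custom policy for the S3 encryption check
# described in the PR; not a copy of labs/lab6/policies/my-custom-policy.yaml.
# Assumption: severity and guideline text are illustrative; the PR only states
# the check id and its intent.
metadata:
  id: "CKV_CUSTOM_1"
  name: "Ensure S3 buckets have server-side encryption configured"
  category: "ENCRYPTION"
  severity: "HIGH"
  guideline: "Configure SSE (SSE-S3 or SSE-KMS) on every S3 bucket"   # assumed text
scope:
  provider: "aws"
definition:
  # Either way of configuring SSE satisfies the check. Both branches matter:
  # AWS provider 4.x moved the encryption block out of aws_s3_bucket into its
  # own resource, so an attribute-only check would report every bucket written
  # against a newer provider as failing even when encryption is configured.
  or:
    # Pre-4.x style: inline block on the bucket resource itself
    - cond_type: "attribute"
      resource_types:
        - "aws_s3_bucket"
      attribute: "server_side_encryption_configuration"
      operator: "exists"
    # 4.x+ style: a separate resource whose "bucket" argument references the bucket
    - cond_type: "connection"
      resource_types:
        - "aws_s3_bucket"
      connected_resource_types:
        - "aws_s3_bucket_server_side_encryption_configuration"
      operator: "exists"
```

To validate the policy, scan a directory containing one bucket with neither form of SSE and one bucket with either form: only the first should appear under `failed_checks` for CKV_CUSTOM_1 when run with the `--external-checks-dir` invocation from the Testing section above.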
