
Feature/lab6 #1262

Open
Lisoon22 wants to merge 7 commits into inno-devops-labs:main from Lisoon22:feature/lab6

Conversation

@Lisoon22


Goal

This PR delivers Lab 6: infrastructure-as-code security analysis with Checkov and KICS, module-level finding triage, and a project-specific custom Checkov policy.

Changes

  • Added submissions/lab6.md with:
    • Checkov Terraform scan totals and severity breakdown;
    • top five Checkov rule IDs by frequency;
    • module-level remediation analysis;
    • KICS Ansible and Pulumi severity tables;
    • top five KICS queries by finding count;
    • Checkov-versus-KICS coverage analysis;
    • proof that the custom policy was accepted and fired.
  • Added labs/lab6/policies/my-custom-policy.yaml.
  • The custom policy requires every taggable AWS resource to declare tags.project, creating an enforceable ownership convention.
  • The deliberately vulnerable IaC files were analyzed but not modified.
  • Regenerable Checkov and KICS reports were kept out of the commit.

Testing

Commands used:

./scripts/lab6_install_arch.sh
./scripts/lab6_run_all.sh

jq '.summary, .results.failed_checks[0]' \
  labs/lab6/results/checkov-terraform/results_json.json

jq '.queries | length' \
  labs/lab6/results/kics-ansible/results.json

jq '.queries | length' \
  labs/lab6/results/kics-pulumi/results.json

jq '
  .results.failed_checks[]
  | select(.check_id | startswith("CKV2_CUSTOM_"))
' labs/lab6/results/checkov-custom/results_json.json

The workflow verified that:

  • Checkov parsed and scanned the Terraform sample.
  • KICS generated JSON and SARIF reports for Ansible and Pulumi.
  • Submission tables were generated from actual scanner JSON.
  • CKV2_CUSTOM_1 was loaded through --external-checks-dir.
  • The custom policy produced at least one failed resource check.

Artifacts & Screenshots

Committed:

  • labs/lab6/policies/my-custom-policy.yaml
  • submissions/lab6.md

Generated locally but intentionally not committed:

  • labs/lab6/results/checkov-terraform/
  • labs/lab6/results/checkov-custom/
  • labs/lab6/results/kics-ansible/
  • labs/lab6/results/kics-pulumi/

Checklist

  • Title is clear (feat(lab6): Checkov + KICS scans + custom policy)
  • Vulnerable IaC fixtures were not modified
  • No large regenerable scanner output committed
  • Submission exists at submissions/lab6.md
  • Lab commit is SSH-signed

Lab Checklist

  • Task 1 — Checkov Terraform scan completed
  • Task 1 — severity and top-five rule tables included
  • Task 1 — module-level analysis included
  • Task 2 — KICS Ansible scan completed
  • Task 2 — KICS Pulumi scan completed
  • Task 2 — Checkov/KICS trade-offs explained
  • Bonus — valid YAML custom Checkov policy committed
  • Bonus — custom policy demonstrably fired
  • Bonus — business and incident-response justification included
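The PR derives its severity breakdown, top-five rule table and custom-policy evidence from Checkov's JSON report with the jq one-liners shown under Testing. The following Python script, added here as an illustration and not part of the PR or of Checkov itself, does the same triage in one place: it loads a Checkov `-o json` report (handling both the single-framework dict and the multi-framework list layout), counts failed checks by severity, ranks check IDs by frequency, isolates hits from policies whose ID starts with `CKV2_CUSTOM_` (the prefix used in the PR), and renders the tables as Markdown for a submission file. The embedded report, its resource names and all check IDs other than the `CKV2_CUSTOM_1` mentioned in the PR are constructed sample data, not output from the lab fixtures.

```python
"""Triage a Checkov JSON report into the tables a lab submission needs.

Added example; not code from the PR or from Checkov. Assumes Checkov's
``-o json`` layout: a ``summary`` block and ``results.failed_checks``
entries carrying ``check_id``, ``resource`` and an optional ``severity``
(Checkov emits ``null`` severity when no platform enrichment is present).
"""
import json
import sys
from collections import Counter

CUSTOM_PREFIX = "CKV2_CUSTOM_"           # prefix of --external-checks-dir YAML policies
SEVERITY_ORDER = ["CRITICAL", "HIGH", "MEDIUM", "LOW", "UNKNOWN"]

# Constructed sample in the shape of results_json.json. Resource names and
# the CKV_AWS_* IDs are illustrative; only CKV2_CUSTOM_1 comes from the PR.
SAMPLE_REPORT = json.dumps({
    "check_type": "terraform",
    "summary": {"passed": 4, "failed": 6, "skipped": 0, "parsing_errors": 0},
    "results": {
        "failed_checks": [
            {"check_id": "CKV_AWS_18", "resource": "aws_s3_bucket.logs", "severity": "LOW"},
            {"check_id": "CKV_AWS_18", "resource": "aws_s3_bucket.data", "severity": "LOW"},
            {"check_id": "CKV_AWS_8", "resource": "aws_instance.web", "severity": "HIGH"},
            {"check_id": "CKV_AWS_24", "resource": "aws_security_group.web", "severity": None},
            {"check_id": "CKV2_CUSTOM_1", "resource": "aws_instance.web", "severity": "MEDIUM"},
            {"check_id": "CKV2_CUSTOM_1", "resource": "aws_s3_bucket.data", "severity": "MEDIUM"},
        ]
    },
})


def load_failed_checks(report_text):
    """Return every failed check from a Checkov JSON report.

    Checkov writes a single object for one framework and a list of objects
    when several frameworks are scanned in one run; both are accepted.
    """
    data = json.loads(report_text)
    reports = data if isinstance(data, list) else [data]
    failed = []
    for report in reports:
        failed.extend(report.get("results", {}).get("failed_checks", []))
    return failed


def severity_breakdown(failed):
    """Count failed checks per severity; missing severity is reported as UNKNOWN."""
    counts = Counter((c.get("severity") or "UNKNOWN").upper() for c in failed)
    return {sev: counts.get(sev, 0) for sev in SEVERITY_ORDER}


def top_check_ids(failed, n=5):
    """Most frequent check IDs as (check_id, count) pairs, highest count first."""
    return Counter(c["check_id"] for c in failed).most_common(n)


def custom_policy_hits(failed, prefix=CUSTOM_PREFIX):
    """(check_id, resource) pairs produced by custom policies; proof the policy fired."""
    return [(c["check_id"], c["resource"]) for c in failed if c["check_id"].startswith(prefix)]


def render_markdown(failed, top_n=5):
    """Markdown tables suitable for pasting into a submission file."""
    lines = ["| Severity | Failed checks |", "|---|---|"]
    lines += [f"| {sev} | {n} |" for sev, n in severity_breakdown(failed).items()]
    lines += ["", "| Check ID | Count |", "|---|---|"]
    lines += [f"| {check_id} | {n} |" for check_id, n in top_check_ids(failed, top_n)]
    return "\n".join(lines)


if __name__ == "__main__":
    # Usage: python triage.py [path/to/results_json.json]; without a path the
    # constructed sample report is used.
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_REPORT
    checks = load_failed_checks(text)
    print(render_markdown(checks))
    print()
    for check_id, resource in custom_policy_hits(checks):
        print(f"custom policy {check_id} failed on {resource}")
```

Run it against `labs/lab6/results/checkov-terraform/results_json.json` (or the `checkov-custom` report) to regenerate the tables from the scanner output rather than by hand; the `custom_policy_hits` list is empty when the external checks directory was not actually loaded, which makes it a quick check that the bonus policy really fired.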
