
feat(lab6): Checkov + KICS scans + custom policy #1264

Open

witch2256 wants to merge 1 commit into inno-devops-labs:main from witch2256:feature/lab6

Conversation

@witch2256


Goal

Complete Lab 6 — IaC Security: Checkov + KICS (main tasks, no bonus)

Changes

  • Added submissions/lab6.md with detailed analysis:
    • Task 1 – Checkov on Terraform: 127 total checks, 78 failed; top 5 rule IDs (CKV_AWS_355, 289, 382, 290, 288) and their descriptions
    • Module‑leverage analysis: fixing the IAM policy module alone eliminates 14 findings (~18% of all failures)
    • Task 2 – KICS on Ansible: 10 findings (9 HIGH, 1 LOW) – hardcoded passwords in inventory/playbook, secrets in URLs, unpinned package version
    • Task 2 – KICS on Pulumi: 6 findings (1 CRITICAL, 2 HIGH, 1 MEDIUM, 2 INFO) – RDS public access, DynamoDB no encryption, monitoring gaps
    • Checkov vs KICS comparison: Checkov better for broad Terraform policy coverage (IAM, S3, RDS, SGs); KICS better for native Ansible/Pulumi parsing and secret detection
  • Pulumi state file (pulumi-state-rendered.json) missing from repo; Pulumi analysed via KICS only (Task 2), not via Checkov

Testing & Verification

  • Checkov 3.3.2 ran on Terraform directory: checkov -d labs/lab6/vulnerable-iac/terraform
  • JSON output parsed with jq: 127 checks, 78 failed; severity null (no Bridgecrew API key)
  • Top 5 rules extracted, module‑leverage impact calculated (14 findings fixed by IAM module change)
  • KICS 2.1.20 (Docker) scanned Ansible playbooks: 10 findings – 9 HIGH, 1 LOW; top query “Generic Password” (6 occurrences)
  • KICS scanned Pulumi YAML: 6 findings – 1 CRITICAL, 2 HIGH, 1 MEDIUM, 2 INFO
  • All jq severity and top‑query commands completed successfully

Artifacts & Screenshots

  • submissions/lab6.md

Checklist

  • Title is clear
  • No secrets committed
  • Submission file exists
  • Task 1 — Checkov on Terraform with top‑5 rules and module‑leverage analysis
  • Task 2 — KICS on Ansible + Pulumi with Checkov‑vs‑KICS comparison
  • Bonus — Custom Checkov policy (skipped)
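As an added example (not code from this PR or the lab), here is the Checkov JSON post-processing described under Testing & Verification done in Python rather than jq: total and failed counts, the top-5 failing rule IDs, a severity tally (null without an API key), and the module-leverage count. The report below is constructed, and attributing a finding to a module by the `module.<name>.` prefix of its resource address is an assumption.

```python
import json
from collections import Counter

# Constructed sample in the shape of `checkov -o json` output (one object per
# framework; Checkov emits a list when several frameworks are scanned).
_FAILED = [("CKV_AWS_355", "module.iam.aws_iam_policy.admin"),
           ("CKV_AWS_289", "module.iam.aws_iam_policy.admin"),
           ("CKV_AWS_355", "module.iam.aws_iam_policy.deploy"),
           ("CKV_AWS_382", "aws_security_group.web"),
           ("CKV_AWS_290", "aws_iam_policy.legacy"),
           ("CKV_AWS_288", "aws_iam_policy.legacy")]
SAMPLE_REPORT = json.dumps({
    "check_type": "terraform",
    "results": {
        "passed_checks": [{"check_id": "CKV_AWS_18", "resource": "aws_s3_bucket.logs"}],
        "failed_checks": [{"check_id": i, "resource": r, "severity": None} for i, r in _FAILED],
        "skipped_checks": [], "parsing_errors": [],
    },
    "summary": {"passed": 1, "failed": 6, "skipped": 0, "parsing_errors": 0},
})


def load_reports(text):
    """Normalise Checkov JSON to a list of per-framework report objects."""
    data = json.loads(text)
    return data if isinstance(data, list) else [data]


def summarize(text, top_n=5, module=None):
    """Totals, top-N failing rule IDs, severity tally and module leverage."""
    reports = load_reports(text)
    failed = [c for r in reports for c in r["results"]["failed_checks"]]
    total = sum(r["summary"]["passed"] + r["summary"]["failed"]
                + r["summary"]["skipped"] for r in reports)
    # Severity stays null unless Checkov could reach the Bridgecrew API, so tally it.
    severities = Counter(c.get("severity") or "UNKNOWN" for c in failed)
    out = {"total": total, "failed": len(failed),
           "top": Counter(c["check_id"] for c in failed).most_common(top_n),
           "severities": dict(severities)}
    if module:  # module-leverage: findings on resources inside `module.<name>` (assumed prefix)
        prefix = f"module.{module}."
        hits = sum(1 for c in failed if c["resource"].startswith(prefix))
        out["module_findings"] = hits
        out["module_share"] = hits / len(failed) if failed else 0.0
    return out


if __name__ == "__main__":
    print(json.dumps(summarize(SAMPLE_REPORT, module="iam"), indent=2))
```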
