feat(lab6): Checkov + KICS scans + custom policy by Maflock · Pull Request #1266 · inno-devops-labs/DevSecOps-Intro

Maflock · 2026-06-26T20:37:48Z

Goal

Scan vulnerable Terraform + Pulumi with Checkov, scan vulnerable Ansible with KICS, then (bonus) write a custom Checkov policy for a project-specific rule.

Changes

Added submissions/lab6.md
Added labs/lab6/policies/my-custom-policy.yaml

Testing

checkov -d labs/lab6/vulnerable-iac/terraform --output json \
  --output-file-path labs/lab6/results/checkov-terraform/
# Result: 80 failed / 49 passed across 18 resources

docker run --rm -v "$(pwd)/labs/lab6":/path checkmarx/kics:v2.1.3 \
  scan -p /path/vulnerable-iac/ansible/ -o /path/results/kics-ansible/ --report-formats json
# Result: 10 findings - 9 HIGH, 1 LOW

docker run --rm -v "$(pwd)/labs/lab6":/path checkmarx/kics:v2.1.3 \
  scan -p /path/vulnerable-iac/pulumi/ -o /path/results/kics-pulumi/ --report-formats json
# Result: 6 findings (1 CRITICAL, 2 HIGH, 1 MEDIUM, 2 INFO)

checkov -d labs/lab6/vulnerable-iac/terraform --external-checks-dir labs/lab6/policies \
  --check CKV2_CUSTOM_1 --output json --output-file-path labs/lab6/results/checkov-custom/
# Result: custom policy fires on 2 RDS instances

Artifacts & Screenshots

submissions/lab6.md
labs/lab6/policies/my-custom-policy.yaml

Checklist

Title is clear (feat(lab6): Checkov + KICS scans + custom policy)
No secrets/large temp files committed
submissions/lab6.md exists
Task 1 — Checkov on Terraform + Pulumi with top-5 rules and module-leverage analysis
Task 2 — KICS on Ansible with Checkov-vs-KICS comparison
Bonus — Custom Checkov policy demonstrably firing on the vulnerable sample

feat(lab1): juice shop deploy + PR template + triage report

feat(lab2): Threagile threat model + secure variant + auth flow

…ntro into feature/lab3

feat(lab3): SSH signing + gitleaks pre-commit + history rewrite practice

…estation

feat(lab4): juice-shop SBOM + Grype/Trivy comparison + sign-ready attestation

feat(lab5): ZAP baseline + auth + Semgrep + correlation

Maflock and others added 17 commits June 12, 2026 07:11

lab1 - Juice Shop deploy + PR template + triage report

0c98811

lab1 - Поправить lab1-smoke.yaml

055c13a

lab1 - fix triage report

b359be5

feat(lab2): Threagile threat model + secure variant + auth flow

8613cc0

test: first signed commit

7e18861

test: second signed commit

9783d75

Merge pull request #1 from Maflock/feature/lab1

88ed560

feat(lab1): juice shop deploy + PR template + triage report

Merge pull request #2 from Maflock/feature/lab2

bf54aa6

feat(lab2): Threagile threat model + secure variant + auth flow

Merge branch 'main' into feature/lab3

d3bcfe5

Merge branch 'feature/lab3' of https://github.com/Maflock/DevSecOps-I…

3165249

…ntro into feature/lab3

feat(lab3): SSH signing + gitleaks pre-commit + history rewrite practice

6c127c6

Merge pull request #3 from Maflock/feature/lab3

16af01d

feat(lab3): SSH signing + gitleaks pre-commit + history rewrite practice

feat(lab4): juice-shop SBOM + Grype/Trivy comparison + sign-ready att…

f4e77f6

…estation

Merge pull request #4 from Maflock/feature/lab4

481e309

feat(lab4): juice-shop SBOM + Grype/Trivy comparison + sign-ready attestation

feat(lab5): ZAP baseline + auth + Semgrep + correlation

7682097

Merge pull request #5 from Maflock/feature/lab5

a0a6fd6

feat(lab5): ZAP baseline + auth + Semgrep + correlation

feat(lab6): Checkov + KICS scans + custom policy

5853e0a

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Uh oh!

feat(lab6): Checkov + KICS scans + custom policy#1266

feat(lab6): Checkov + KICS scans + custom policy#1266
Maflock wants to merge 17 commits into
inno-devops-labs:mainfrom
Maflock:feature/lab6

Maflock commented Jun 26, 2026

Uh oh!

Reviewers

Assignees

Labels

Projects

Milestone

Development

Uh oh!

1 participant

Uh oh!

Conversation

Maflock commented Jun 26, 2026

Goal

Changes

Testing

Artifacts & Screenshots

Checklist

Uh oh!

Reviewers

Assignees

Labels

Projects

Milestone

Development

Uh oh!

1 participant