
feat(lab6): Checkov + KICS scans + custom policy #1268

Open
Philip-78 wants to merge 1 commit into inno-devops-labs:main from Philip-78:feature/lab6

Conversation

@Philip-78


Goal

Scan vulnerable Terraform with Checkov, scan Ansible and Pulumi with KICS, write a custom Checkov policy.

Changes

  • submissions/lab6.md — Checkov Terraform findings, KICS Ansible + Pulumi findings, tool comparison, custom policy
  • labs/lab6/policies/my-custom-policy.yaml — custom Checkov policy (CKV2_CUSTOM_1)

Testing

  • Checkov Terraform: 80 failed / 49 passed across S3, IAM, RDS, DynamoDB, security groups
  • KICS Ansible: 10 findings (9 HIGH hardcoded secrets, 1 LOW unpinned package)
  • KICS Pulumi: 6 findings (1 CRITICAL publicly accessible RDS, 2 HIGH, 1 MEDIUM, 2 INFO)
  • Custom policy CKV2_CUSTOM_1 fires on aws_s3_bucket.public_data (missing lifecycle config)

Artifacts & Screenshots

  • submissions/lab6.md — full analysis
  • labs/lab6/policies/my-custom-policy.yaml — custom policy

  • Task 1 — Checkov on Terraform + top-5 rules + module-leverage analysis
  • Task 2 — KICS on Ansible + Pulumi + Checkov-vs-KICS comparison
  • Bonus — Custom Checkov policy demonstrably firing on vulnerable resource
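The PR describes CKV2_CUSTOM_1 as a Checkov YAML policy that fires on `aws_s3_bucket.public_data` because the bucket has no lifecycle configuration, but the policy file itself is not shown on this page. The block below is an added example written for this review, not the file from the PR, showing how such a check is expressed as a Checkov graph policy: it passes a bucket only when either a separate `aws_s3_bucket_lifecycle_configuration` resource is connected to it (AWS provider v4+ style) or the bucket carries an inline `lifecycle_rule` block (legacy style). The policy name, the `or` branches and the comments are assumptions made here; the id and the target resource come from the PR description.

```yaml
# Added example policy (not the PR's own labs/lab6/policies/my-custom-policy.yaml).
# Checkov graph policy: flag every aws_s3_bucket that has no lifecycle
# configuration, so objects cannot accumulate indefinitely in a public bucket.
metadata:
  id: "CKV2_CUSTOM_1"
  name: "Ensure every S3 bucket has a lifecycle configuration"
  category: "GENERAL_SECURITY"
definition:
  # Either branch satisfies the check; a bucket matching neither is a FAILED result.
  or:
    # Provider v4+ layout: a separate lifecycle resource whose `bucket`
    # attribute references this bucket (Checkov models that as a graph edge).
    - cond_type: "connection"
      resource_types:
        - "aws_s3_bucket"
      connected_resource_types:
        - "aws_s3_bucket_lifecycle_configuration"
      operator: "exists"
    # Legacy layout: lifecycle rules declared inline on the bucket resource.
    - cond_type: "attribute"
      resource_types:
        - "aws_s3_bucket"
      attribute: "lifecycle_rule"
      operator: "exists"
```

Run it with `checkov -d <terraform-dir> --external-checks-dir labs/lab6/policies --check CKV2_CUSTOM_1` (the Terraform directory is a placeholder; the page names only the policy directory). A bucket such as `aws_s3_bucket.public_data` with neither an attached `aws_s3_bucket_lifecycle_configuration` nor an inline `lifecycle_rule` is reported as FAILED; adding either form turns the result to PASSED without changing the policy.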
