
Feature/lab6 #1269

Open

raylduk8 wants to merge 4 commits into inno-devops-labs:main from raylduk8:feature/lab6

Conversation

@raylduk8


Goal

Scan vulnerable Terraform + Pulumi with Checkov and scan vulnerable Ansible with KICS

Changes

  • submissions/lab6.md

Testing

Checkov

Scan Terraform

```sh
checkov -d labs/lab6/vulnerable-iac/terraform \
  --output cli --output json \
  --output-file-path labs/lab6/results/checkov-terraform/
```

Top 5 Rule IDs by Count

```sh
jq '[.results.failed_checks[].check_id] | group_by(.) | map({rule: .[0], count: length}) |
    sort_by(-.count) | .[:5]' \
  labs/lab6/results/checkov-terraform/results_json.json
```

Severity Breakdown

```sh
jq '[.results.failed_checks[].severity] | group_by(.) | map({severity: .[0], count: length})' \
  labs/lab6/results/checkov-terraform/results_json.json
```

Run KICS on Ansible

```sh
docker run --rm \
  -v "$(pwd)/labs/lab6:/path" \
  checkmarx/kics:latest \
  scan -p /path/vulnerable-iac/ansible/ \
       -o /path/results/kics-ansible/ \
       --report-formats json,sarif
```

Run KICS on Pulumi

```sh
docker run --rm \
  -v "$(pwd)/labs/lab6:/path" \
  checkmarx/kics:latest \
  scan -p /path/vulnerable-iac/pulumi/ \
       -o /path/results/kics-pulumi/ \
       --report-formats json,sarif
```

Severity Breakdown

```sh
jq '[.queries[].severity] | group_by(.) | map({severity: .[0], count: length})' \
  labs/lab6/results/kics-ansible/results.json

jq '[.queries[].severity] | group_by(.) | map({severity: .[0], count: length})' \
  labs/lab6/results/kics-pulumi/results.json
```

Top Queries by Impact

```sh
jq '[.queries[] | {query: .query_name, severity, count: (.files | length)}] |
    sort_by(-.count) | .[:5]' \
  labs/lab6/results/kics-ansible/results.json

jq '[.queries[] | {query: .query_name, severity, count: (.files | length)}] |
    sort_by(-.count) | .[:5]' \
  labs/lab6/results/kics-pulumi/results.json
```

Artifacts & Screenshots

  • Task 1 — Checkov on Terraform + Pulumi with top-5 rules and module-leverage analysis
  • Task 2 — KICS on Ansible with Checkov-vs-KICS comparison
  • Bonus — Custom Checkov policy demonstrably firing on the vulnerable sample
