(Opening this issue for further input, following the presentation and discussion at the December 1st community meeting.)
Is your feature request related to a problem?
Many Open Source projects have IaC files to facilitate faster installation / consumption of their project. We want to verify that projects check the security of these files, so the artifacts and the community who use them would be safer. This, at later phases, also has Supply Chain Security implications.
Example: the keptn project scans their repository with KICS to make sure the Dockerfiles (and the containers created with them) are secure according to best practices. Same for Helm charts.
Describe the solution you'd like
Add an IaC security category / score.
Phase 1
Detect if repository has IaC files
Detect if repository has IaC security check in place (e.g. KICS github action)
Warn if files exist & there isn’t a security check
Similar to dependencies files & checking for SCA tools.
Phase 2
Score project based on the results of IaC security check.
Each critical result: 2-point reduction; each high result: 1-point reduction.
With the goal of implementing both phases at once, as suggested in the community meeting.
Additional context
Previous references where IaC scans were mentioned: #1984, #2318
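A minimal Phase 1 detector for the two checks listed in the issue (IaC files present, IaC security check present, warn when the first holds without the second), written here as an added example in Go; it is not the project's own code. It assumes the repository is given as a path-to-contents map, a fixed set of IaC filename patterns (Dockerfiles, Helm Chart.yaml, Terraform), and that a KICS workflow references the action as checkmarx/kics-github-action.

```go
package main

import (
	"fmt"
	"regexp"
	"strings"
)

// Paths treated as IaC files (assumed set): Dockerfiles, Helm Chart.yaml, Terraform.
var iacFile = regexp.MustCompile(`(?i)(^|/)(Dockerfile(\.[^/]*)?|Chart\.yaml|[^/]*\.tf)$`)
// A workflow step that uses the KICS GitHub Action (action name assumed).
var kicsStep = regexp.MustCompile(`(?mi)^\s*-?\s*uses:\s*checkmarx/kics-github-action`)

// Result is the Phase 1 outcome: which IaC files exist and whether a scan runs.
type Result struct {
	IaCFiles []string
	HasScan  bool
}

// CheckIaC takes repo path -> contents (only workflow bodies are read) and
// reports IaC files plus whether any workflow invokes KICS.
func CheckIaC(files map[string]string) Result {
	var r Result
	for name, body := range files {
		if iacFile.MatchString(name) {
			r.IaCFiles = append(r.IaCFiles, name)
		}
		if strings.HasPrefix(name, ".github/workflows/") && kicsStep.MatchString(body) {
			r.HasScan = true
		}
	}
	return r
}

// Warning is empty unless IaC files exist without a security check.
func Warning(r Result) string {
	if len(r.IaCFiles) == 0 || r.HasScan {
		return ""
	}
	return fmt.Sprintf("%d IaC file(s) present but no IaC security check found", len(r.IaCFiles))
}

// Constructed sample repositories: one without a KICS workflow, one with.
var Unscanned = map[string]string{
	"Dockerfile": "FROM alpine:3.18\n", "charts/app/Chart.yaml": "apiVersion: v2\n",
	".github/workflows/ci.yml": "jobs:\n  build:\n    steps:\n      - uses: actions/checkout@v4\n",
}
var Scanned = map[string]string{
	"Dockerfile": "FROM alpine:3.18\n",
	".github/workflows/kics.yml": "steps:\n  - uses: actions/checkout@v4\n  - uses: checkmarx/kics-github-action@v1.7\n",
}
```

Calling Warning(CheckIaC(Unscanned)) yields the Phase 1 warning, while the Scanned repository produces none; a Phase 2 scorer would then consume the action's actual findings rather than just its presence.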
SGTM, this looks great. Can we add it as part of the SAST check? We've been thinking of revamping it to support more tools based on what's in the repo.
FYI, we're working on a finer-grained output format (#2584) which will allow reporting more granular results.