KICS execution example

From wikieduonline
Revision as of 11:17, 20 November 2023 by Welcome (talk | contribs)
grep issue_type results.json | sort | uniq
					"issue_type": "IncorrectValue",
					"issue_type": "MissingAttribute",
					"issue_type": "RedundantAttribute",


grep '"description"' results.json | grep -v description_id | sed 's/^[[:space:]]*//' | sort
"description": "A sensitive port, such as port 23 or port 110, is open for a wide private network in either TCP or UDP protocol",
"description": "AWS Auto Scaling Groups must have associated ELBs to ensure high availability and improve application performance. This means the attribute 'load_balancers' must be defined and not empty.",
"description": "AWS services resource tags are an essential part of managing components. As a best practice, the field 'tags' should have additional tags defined other than 'Name'",
"description": "Amazon EKS control plane logging don't enabled for all log types",
"description": "Autoscaling groups should supply tags to configurate",
"description": "EC2 Instance should have detailed monitoring enabled. With detailed monitoring enabled data is available in 1-minute periods",
"description": "EC2 Instance should not have a public IP address.",
"description": "EKS Cluster should be encrypted",
"description": "Every VPC resource should have an associated Flow Log",
"description": "IAM Access Analyzer should be enabled and configured to continuously monitor resource permissions",
"description": "It's considered a best practice for AWS Security Group to have a description",
"description": "It's considered a best practice for all rules in AWS Security Group to have a description",
"description": "It's considered a best practice for an EC2 instance to use an EBS optimized instance. This provides the best performance for your EBS volumes by minimizing contention between Amazon EBS I/O and other traffic from your instance",
"description": "Pinning an action to a full length commit SHA is currently the only way to use an action as an immutable release. Pinning to a particular SHA helps mitigate the risk of a bad actor adding a backdoor to the action's repository, as they would need to generate a SHA-1 collision for a valid Git object payload. When selecting a SHA, you should verify it is from the action's repository and not a repository fork.",
"description": "Query to find passwords and secrets in infrastructure code.",
"description": "Security group must be used or not declared",
"description": "VPC Subnet should not assign public IP",

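The two grep pipelines above only skim results.json. The script below is an added example (not from this page or the KICS project) that reads the same report structure properly: it flattens the "queries" array into one record per affected file, counts findings by severity, issue type and query, checks that the report's own severity_counters agree with its contents, and turns the result into a CI exit code in the spirit of `kics scan --fail-on`. SAMPLE_RESULTS is a constructed, trimmed report that mirrors the real layout; its similarity_id and description_id values are placeholders, not real hashes.

```python
"""Triage a KICS results.json (added example, not KICS's own code)."""
import json
import sys
from collections import Counter

# Constructed sample, NOT the scan shown on this page. Same shape as a real
# results.json; similarity_id / description_id are placeholders.
SAMPLE_RESULTS = r'''{
  "kics_version": "v1.7.11", "files_scanned": 62, "files_parsed": 62,
  "queries_total": 1049, "queries_failed_to_execute": 0,
  "severity_counters": {"HIGH": 1, "MEDIUM": 2, "LOW": 0, "INFO": 1, "TRACE": 0},
  "total_counter": 4,
  "queries": [
    {"query_name": "Passwords And Secrets - Generic Password",
     "query_id": "487f4be7-3fd9-4506-a07a-eae252180c08", "severity": "HIGH",
     "platform": "Common", "description_id": "placeholder-1",
     "description": "Query to find passwords and secrets in infrastructure code.",
     "files": [{"file_name": "examples/karpenter/main.tf", "line": 182,
                "issue_type": "RedundantAttribute", "similarity_id": "placeholder-a"}]},
    {"query_name": "Unpinned Actions Full Length Commit SHA",
     "query_id": "555ab8f9-2001-455e-a077-f2d0f41e2fb9", "severity": "MEDIUM",
     "platform": "CICD", "description_id": "placeholder-2",
     "description": "Pinning an action to a full length commit SHA is currently the only way to use an action as an immutable release.",
     "files": [{"file_name": ".github/workflows/lock.yml", "line": 11,
                "issue_type": "IncorrectValue", "similarity_id": "placeholder-b"},
               {"file_name": ".github/workflows/release.yml", "line": 29,
                "issue_type": "IncorrectValue", "similarity_id": "placeholder-c"}]},
    {"query_name": "Security Group Not Used",
     "query_id": "4849211b-ac39-479e-ae78-5694d506cb24", "severity": "INFO",
     "platform": "Terraform", "description_id": "placeholder-3",
     "description": "Security group must be used or not declared",
     "files": [{"file_name": "examples/eks_managed_node_group/main.tf", "line": 388,
                "issue_type": "MissingAttribute", "similarity_id": "placeholder-d"}]}
  ]
}'''

SEVERITY_ORDER = ["HIGH", "MEDIUM", "LOW", "INFO"]
# KICS's documented exit codes for the worst severity present in a scan.
EXIT_CODES = {"HIGH": 50, "MEDIUM": 40, "LOW": 30, "INFO": 20}


def load_results(text):
    return json.loads(text)


def flatten(results):
    """One record per affected file: the `[n]:` entries printed under each query."""
    out = []
    for q in results["queries"]:
        for f in q["files"]:
            out.append({"query_name": q["query_name"], "query_id": q["query_id"],
                        "severity": q["severity"], "platform": q["platform"],
                        "file_name": f["file_name"], "line": f["line"],
                        "issue_type": f["issue_type"]})
    return out


def count_by(findings, key):
    return Counter(f[key] for f in findings)


def check_counters(results):
    """Compare the report's severity_counters with what "queries" actually holds.
    Non-empty result {severity: (declared, seen)} means the file was truncated
    or edited after the scan; do not trust its summary."""
    seen = count_by(flatten(results), "severity")
    declared = results["severity_counters"]
    return {s: (declared.get(s, 0), seen.get(s, 0))
            for s in SEVERITY_ORDER if declared.get(s, 0) != seen.get(s, 0)}


def exit_code(results, fail_on=("HIGH", "MEDIUM")):
    """0 if no finding has a severity in fail_on, else the code of the worst one."""
    present = {f["severity"] for f in flatten(results)}
    for sev in SEVERITY_ORDER:
        if sev in fail_on and sev in present:
            return EXIT_CODES[sev]
    return 0


def triage(results):
    findings = flatten(results)
    return {"by_severity": dict(count_by(findings, "severity")),
            "by_issue_type": dict(count_by(findings, "issue_type")),
            "by_query": dict(count_by(findings, "query_name"))}


if __name__ == "__main__":
    # Usage: python kics_triage.py /path/results.json   (defaults to the sample)
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_RESULTS
    results = load_results(text)
    for bucket, counts in triage(results).items():
        print(bucket)
        for name, n in sorted(counts.items(), key=lambda kv: -kv[1]):
            print(f"  {n:3d}  {name}")
    if check_counters(results):
        print("severity_counters do not match findings:", check_counters(results))
    sys.exit(exit_code(results))
```

Pointed at the real report from the scan below, `triage()` reproduces the Results Summary (HIGH 3, MEDIUM 17, LOW 8, INFO 36) and `exit_code()` would return 50; `check_counters()` is the cheap sanity check to run before any dashboard or gate consumes a results.json that has passed through other tooling.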

                   .0MO.                                    
                   OMMMx                                    
                   ;NMX;                                    
                    ...           ...              ....     
WMMMd     cWMMM0.  KMMMO      ;xKWMMMMNOc.     ,xXMMMMMWXkc.
WMMMd   .0MMMN:    KMMMO    :XMMMMMMMMMMMWl   xMMMMMWMMMMMMl
WMMMd  lWMMMO.     KMMMO   xMMMMKc...'lXMk   ,MMMMx   .;dXx 
WMMMd.0MMMX;       KMMMO  cMMMMd        '    'MMMMNl'       
WMMMNWMMMMl        KMMMO  0MMMN               oMMMMMMMXkl.  
WMMMMMMMMMMo       KMMMO  0MMMX                .ckKWMMMMMM0.
WMMMMWokMMMMk      KMMMO  oMMMMc              .     .:OMMMM0
WMMMK.  dMMMM0.    KMMMO   KMMMMx'    ,kNc   :WOc.    .NMMMX
WMMMd    cWMMMX.   KMMMO    kMMMMMWXNMMMMMd .WMMMMWKO0NMMMMl
WMMMd     ,NMMMN,  KMMMO     'xNMMMMMMMNx,   .l0WMMMMMMMWk, 
xkkk:      ,kkkkx  okkkl        ;xKXKx;          ;dOKKkc    

Scanning with Keeping Infrastructure as Code Secure v1.7.11
Preparing Scan Assets: Done
Files scanned: 62
Parsed files: 62
Queries loaded: 1049
Queries failed to execute: 0

------------------------------------

Security Group Rule Without Description, Severity: INFO, Results: 2
Description: It's considered a best practice for all rules in AWS Security Group to have a description
Platform: Terraform
Learn more about this vulnerability: https://docs.kics.io/latest/queries/terraform-queries/aws/68eb4bf3-f9bf-463d-b5cf-e029bb446d2e

	[1]: ../../path/examples/eks_managed_node_group/main.tf:401

		400: 
		401:   egress {
		402:     from_port        = 0


	[2]: ../../path/examples/complete/main.tf:441

		440: 
		441:   ingress {
		442:     from_port = 22


Security Group Without Description, Severity: INFO, Results: 1
Description: It's considered a best practice for AWS Security Group to have a description
Platform: Terraform
Learn more about this vulnerability: https://docs.kics.io/latest/queries/terraform-queries/aws/cb3f5ed6-0d18-40de-a93d-b3538db31e8c

	[1]: ../../path/examples/complete/main.tf:437

		436: 
		437: resource "aws_security_group" "additional" {
		438:   name_prefix = "${local.name}-additional"


Security Group Not Used, Severity: INFO, Results: 1
Description: Security group must be used or not declared
Platform: Terraform
Learn more about this vulnerability: https://docs.kics.io/latest/queries/terraform-queries/aws/4849211b-ac39-479e-ae78-5694d506cb24

	[1]: ../../path/examples/eks_managed_node_group/main.tf:388

		387: 
		388: resource "aws_security_group" "remote_access" {
		389:   name_prefix = "${local.name}-remote-access"


Resource Not Using Tags, Severity: INFO, Results: 30
Description: AWS services resource tags are an essential part of managing components. As a best practice, the field 'tags' should have additional tags defined other than 'Name'
Platform: Terraform
Learn more about this vulnerability: https://docs.kics.io/latest/queries/terraform-queries/aws/e38a8e0a-b88b-4902-b3fe-b0fcb17d5c10

	[1]: ../../path/modules/self-managed-node-group/main.tf:747

		746: 
		747:   tags = merge(var.tags, var.iam_role_tags)
		748: }


	[2]: ../../path/node_groups.tf:193

		192: 
		193:   tags = merge(
		194:     var.tags,


	[3]: ../../path/modules/fargate-profile/main.tf:89

		088: 
		089:   tags = var.tags
		090: }


	[4]: ../../path/modules/fargate-profile/main.tf:40

		039: 
		040:   tags = merge(var.tags, var.iam_role_tags)
		041: }


	[5]: ../../path/examples/complete/main.tf:452

		451: 
		452:   tags = merge(local.tags, { Name = "${local.name}-additional" })
		453: }


	[6]: ../../path/node_groups.tf:78

		077: 
		078:   tags = var.tags
		079: }


	[7]: ../../path/modules/self-managed-node-group/main.tf:381

		380:       resource_type = tag_specifications.key
		381:       tags          = merge(var.tags, { Name = var.name }, var.launch_template_tags)
		382:     }


	[8]: ../../path/main.tf:382

		381: 
		382:   tags = merge(var.tags, var.cluster_encryption_policy_tags)
		383: }


	[9]: ../../path/modules/karpenter/main.tf:227

		226: 
		227:   tags = var.tags
		228: }


	[10]: ../../path/modules/karpenter/main.tf:357

		356: 
		357:   tags = merge(var.tags, var.iam_role_tags)
		358: }


	[11]: ../../path/modules/eks-managed-node-group/main.tf:387

		386: 
		387:   tags = merge(
		388:     var.tags,


	[12]: ../../path/modules/eks-managed-node-group/main.tf:429

		428: 
		429:   tags = merge(var.tags, var.iam_role_tags)
		430: }


	[13]: ../../path/main.tf:73

		072: 
		073:   tags = merge(
		074:     var.tags,


	[14]: ../../path/examples/eks_managed_node_group/main.tf:409

		408: 
		409:   tags = merge(local.tags, { Name = "${local.name}-remote" })
		410: }


	[15]: ../../path/examples/self_managed_node_group/main.tf:406

		405: 
		406:   tags = local.tags
		407: }


	[16]: ../../path/main.tf:436

		435: 
		436:   tags = var.tags
		437: }


	[17]: ../../path/main.tf:327

		326: 
		327:   tags = merge(var.tags, var.iam_role_tags)
		328: }


	[18]: ../../path/modules/eks-managed-node-group/main.tf:277

		276:       resource_type = tag_specifications.key
		277:       tags          = merge(var.tags, { Name = var.name }, var.launch_template_tags)
		278:     }


	[19]: ../../path/main.tf:245

		244: 
		245:   tags = merge(
		246:     { Name = "${var.cluster_name}-eks-irsa" },


	[20]: ../../path/examples/complete/main.tf:455

		454: 
		455: resource "aws_iam_policy" "additional" {
		456:   name = "${local.name}-additional"


	[21]: ../../path/modules/karpenter/main.tf:63

		062: 
		063:   tags = merge(var.tags, var.irsa_tags)
		064: }


	[22]: ../../path/main.tf:113

		112: 
		113:   tags = merge(
		114:     var.tags,


	[23]: ../../path/examples/fargate_profile/main.tf:133

		132: 
		133: resource "aws_iam_policy" "additional" {
		134:   name = "${local.name}-additional"


	[24]: ../../path/modules/karpenter/main.tf:396

		395: 
		396:   tags = merge(var.tags, var.iam_role_tags)
		397: }


	[25]: ../../path/main.tf:414

		413: 
		414:   tags = var.tags
		415: }


	[26]: ../../path/modules/self-managed-node-group/main.tf:777

		776: 
		777:   tags = merge(var.tags, var.iam_role_tags)
		778: 


	[27]: ../../path/modules/karpenter/main.tf:191

		190: 
		191:   tags = var.tags
		192: }


	[28]: ../../path/examples/eks_managed_node_group/main.tf:429

		428: 
		429:   tags = local.tags
		430: }


	[29]: ../../path/main.tf:185

		184: 
		185:   tags = merge(
		186:     var.tags,


	[30]: ../../path/modules/self-managed-node-group/main.tf:412

		411: 
		412: resource "aws_autoscaling_group" "this" {
		413:   count = var.create && var.create_autoscaling_group ? 1 : 0


EC2 Not EBS Optimized, Severity: INFO, Results: 1
Description: It's considered a best practice for an EC2 instance to use an EBS optimized instance. This provides the best performance for your EBS volumes by minimizing contention between Amazon EBS I/O and other traffic from your instance
Platform: Terraform
Learn more about this vulnerability: https://docs.kics.io/latest/queries/terraform-queries/aws/60224630-175a-472a-9e23-133827040766

	[1]: ../../path/examples/outposts/prerequisites/main.tf:24

		023: 
		024: module "ssm_bastion_ec2" {
		025:   source  = "terraform-aws-modules/ec2-instance/aws"


EC2 Instance Monitoring Disabled, Severity: INFO, Results: 1
Description: EC2 Instance should have detailed monitoring enabled. With detailed monitoring enabled data is available in 1-minute periods
Platform: Terraform
Learn more about this vulnerability: https://docs.kics.io/latest/queries/terraform-queries/aws/23b70e32-032e-4fa6-ba5c-82f56b9980e6

	[1]: ../../path/examples/outposts/prerequisites/main.tf:24

		023: 
		024: module "ssm_bastion_ec2" {
		025:   source  = "terraform-aws-modules/ec2-instance/aws"

VPC FlowLogs Disabled, Severity: LOW, Results: 5
Description: Every VPC resource should have an associated Flow Log
Platform: Terraform
Learn more about this vulnerability: https://docs.kics.io/latest/queries/terraform-queries/aws/f83121ea-03da-434f-9277-9cd247ab3047

	[1]: ../../path/examples/complete/main.tf:411

		410: 
		411: module "vpc" {
		412:   source  = "terraform-aws-modules/vpc/aws"


	[2]: ../../path/examples/self_managed_node_group/main.tf:309

		308: 
		309: module "vpc" {
		310:   source  = "terraform-aws-modules/vpc/aws"


	[3]: ../../path/examples/fargate_profile/main.tf:107

		106: 
		107: module "vpc" {
		108:   source  = "terraform-aws-modules/vpc/aws"


	[4]: ../../path/examples/eks_managed_node_group/main.tf:301

		300: 
		301: module "vpc" {
		302:   source  = "terraform-aws-modules/vpc/aws"


	[5]: ../../path/examples/karpenter/main.tf:295

		294: 
		295: module "vpc" {
		296:   source  = "terraform-aws-modules/vpc/aws"


Missing Cluster Log Types, Severity: LOW, Results: 1
Description: Amazon EKS control plane logging don't enabled for all log types
Platform: Terraform
Learn more about this vulnerability: https://docs.kics.io/latest/queries/terraform-queries/aws/66f130d9-b81d-4e8e-9b08-da74b9c891df

	[1]: ../../path/main.tf:31

		030:   version                   = var.cluster_version
		031:   enabled_cluster_log_types = var.cluster_enabled_log_types
		032: 


IAM Access Analyzer Not Enabled, Severity: LOW, Results: 1
Description: IAM Access Analyzer should be enabled and configured to continuously monitor resource permissions
Platform: Terraform
Learn more about this vulnerability: https://docs.kics.io/latest/queries/terraform-queries/aws/e592a0c5-5bdb-414c-9066-5dba7cdea370

	[1]: ../../path/examples/complete/main.tf:437

		436: 
		437: resource "aws_security_group" "additional" {
		438:   name_prefix = "${local.name}-additional"


Autoscaling Groups Supply Tags, Severity: LOW, Results: 1
Description: Autoscaling groups should supply tags to configurate
Platform: Terraform
Learn more about this vulnerability: https://docs.kics.io/latest/queries/terraform-queries/aws/ba48df05-eaa1-4d64-905e-4a4b051e7587

	[1]: ../../path/modules/self-managed-node-group/main.tf:412

		411: 
		412: resource "aws_autoscaling_group" "this" {
		413:   count = var.create && var.create_autoscaling_group ? 1 : 0

VPC Subnet Assigns Public IP, Severity: MEDIUM, Results: 5
Description: VPC Subnet should not assign public IP
Platform: Terraform
Learn more about this vulnerability: https://docs.kics.io/latest/queries/terraform-queries/aws/52f04a44-6bfa-4c41-b1d3-4ae99a2de05c

	[1]: ../../path/examples/karpenter/main.tf:295

		294: 
		295: module "vpc" {
		296:   source  = "terraform-aws-modules/vpc/aws"


	[2]: ../../path/examples/eks_managed_node_group/main.tf:301

		300: 
		301: module "vpc" {
		302:   source  = "terraform-aws-modules/vpc/aws"


	[3]: ../../path/examples/fargate_profile/main.tf:107

		106: 
		107: module "vpc" {
		108:   source  = "terraform-aws-modules/vpc/aws"


	[4]: ../../path/examples/complete/main.tf:411

		410: 
		411: module "vpc" {
		412:   source  = "terraform-aws-modules/vpc/aws"


	[5]: ../../path/examples/self_managed_node_group/main.tf:309

		308: 
		309: module "vpc" {
		310:   source  = "terraform-aws-modules/vpc/aws"

Unpinned Actions Full Length Commit SHA, Severity: MEDIUM, Results: 9
Description: Pinning an action to a full length commit SHA is currently the only way to use an action as an immutable release. Pinning to a particular SHA helps mitigate the risk of a bad actor adding a backdoor to the action's repository, as they would need to generate a SHA-1 collision for a valid Git object payload. When selecting a SHA, you should verify it is from the action's repository and not a repository fork.
Platform: CICD
Learn more about this vulnerability: https://docs.kics.io/latest/queries/cicd-queries/555ab8f9-2001-455e-a077-f2d0f41e2fb9

	[1]: ../../path/.github/workflows/pre-commit.yml:47

		046:         if: ${{ matrix.directory !=  '.' }}
		047:         uses: clowdhaus/terraform-composite-actions/pre-commit@v1.8.3
		048:         with:


	[2]: ../../path/.github/workflows/pre-commit.yml:56

		055:         if: ${{ matrix.directory ==  '.' }}
		056:         uses: clowdhaus/terraform-composite-actions/pre-commit@v1.8.3
		057:         with:


	[3]: ../../path/.github/workflows/pre-commit.yml:78

		077:       - name: Pre-commit Terraform ${{ steps.minMax.outputs.maxVersion }}
		078:         uses: clowdhaus/terraform-composite-actions/pre-commit@v1.8.3
		079:         with:


	[4]: ../../path/.github/workflows/lock.yml:11

		010:     steps:
		011:       - uses: dessant/lock-threads@v4
		012:         with:


	[5]: ../../path/.github/workflows/release.yml:29

		028:       - name: Release
		029:         uses: cycjimmy/semantic-release-action@v3
		030:         with:


	[6]: ../../path/.github/workflows/pr-title.yml:17

		016:       # https://github.com/amannn/action-semantic-pull-request/releases
		017:       - uses: amannn/action-semantic-pull-request@v5.0.2
		018:         env:


	[7]: ../../path/.github/workflows/pre-commit.yml:25

		024:         id: dirs
		025:         uses: clowdhaus/terraform-composite-actions/directories@v1.8.3
		026: 


	[8]: ../../path/.github/workflows/pre-commit.yml:40

		039:         id: minMax
		040:         uses: clowdhaus/terraform-min-max@v1.2.4
		041:         with:


	[9]: ../../path/.github/workflows/pre-commit.yml:75

		074:         id: minMax
		075:         uses: clowdhaus/terraform-min-max@v1.2.4
		076: 


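All nine hits above are `uses:` lines that reference a tag (`@v4`, `@v1.8.3`); a tag is a mutable pointer, so whoever controls the action's repository can move it to a different commit after you reviewed it. The script below is an added example (not code from this page, the scanned repository or KICS) that finds the same class of reference in a workflow, distinguishes full-length SHA pins from short SHAs and tags, and rewrites a line once the SHA has been looked up. It scans the text line by line rather than parsing YAML, so it also works on fragments. SAMPLE_WORKFLOW is a constructed file reproducing the patterns flagged above; the 40-hex value in it is a placeholder, not a real commit.

```python
"""Detect and fix unpinned GitHub Actions references (added example, not KICS code)."""
import re

# Constructed sample workflow, NOT a file from the scanned repository.
# Line 7 is pinned to a placeholder SHA; lines 8, 9 and 12 are the patterns
# KICS reports.
SAMPLE_WORKFLOW = """\
name: lock
on: [schedule]
jobs:
  lock:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@0123456789abcdef0123456789abcdef01234567 # v4.1.1 (placeholder SHA)
      - uses: dessant/lock-threads@v4
      - uses: clowdhaus/terraform-composite-actions/pre-commit@v1.8.3
      - uses: ./.github/actions/local-thing
      - uses: docker://alpine:3.19
      - uses: actions/setup-node@abcdef1
"""

USES_RE = re.compile(
    r'^(?P<prefix>\s*-?\s*uses:\s*)["\']?(?P<ref>[^"\'\s#]+)["\']?\s*(?:#\s*(?P<comment>.*))?$'
)
FULL_SHA_RE = re.compile(r"^[0-9a-f]{40}$")
SHORT_SHA_RE = re.compile(r"^[0-9a-f]{7,39}$")


def classify_uses(ref):
    """pinned: @<40 hex> (immutable). short-sha: abbreviated, not full length.
    unpinned: @tag or @branch (mutable). no-ref: no version at all.
    local (./path) and docker:// are outside the query's scope."""
    if ref.startswith("./"):
        return "local"
    if ref.startswith("docker://"):
        return "docker"
    if "@" not in ref:
        return "no-ref"
    _, version = ref.rsplit("@", 1)
    if FULL_SHA_RE.match(version):
        return "pinned"
    if SHORT_SHA_RE.match(version):
        return "short-sha"
    return "unpinned"


def scan_workflow(text):
    """One record per `uses:` line: line number, ref, kind, and whether a
    human-readable version comment (`# v1.2.3`) accompanies the ref."""
    records = []
    for lineno, line in enumerate(text.splitlines(), 1):
        m = USES_RE.match(line)
        if not m:
            continue
        ref = m.group("ref")
        records.append({"line": lineno, "uses": ref, "kind": classify_uses(ref),
                        "has_version_comment": m.group("comment") is not None})
    return records


def violations(text):
    """The subset a CI gate should fail on."""
    return [r for r in scan_workflow(text) if r["kind"] in ("unpinned", "short-sha", "no-ref")]


def pin_line(line, sha):
    """Rewrite an unpinned line to `owner/repo@<sha> # <old ref>` so reviewers
    still see the intended version. Resolve `sha` yourself from the action's
    own repository (not a fork), e.g.
    `git ls-remote https://github.com/OWNER/REPO refs/tags/v1.8.3`; for an
    annotated tag take the peeled `^{}` line, which is the commit."""
    m = USES_RE.match(line)
    if not m or classify_uses(m.group("ref")) != "unpinned":
        return line
    if not FULL_SHA_RE.match(sha):
        raise ValueError("sha must be a 40-character lowercase hex commit id")
    target, version = m.group("ref").rsplit("@", 1)
    comment = m.group("comment")
    tail = f" # {version}" + (f" ({comment})" if comment else "")
    return f"{m.group('prefix')}{target}@{sha}{tail}"


if __name__ == "__main__":
    import sys
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_WORKFLOW
    for v in violations(text):
        print(f"line {v['line']}: {v['uses']} ({v['kind']})")
    sys.exit(1 if violations(text) else 0)
```

The pin alone does not satisfy the last sentence of the KICS description: a SHA copied from a fork's README is still a SHA. Resolve it against the upstream repository with `git ls-remote` as noted in `pin_line`, and keep the `# vX.Y.Z` comment so tools such as Dependabot and human reviewers can tell which release the hash was meant to be.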
Sensitive Port Is Exposed To Wide Private Network, Severity: MEDIUM, Results: 2
Description: A sensitive port, such as port 23 or port 110, is open for a wide private network in either TCP or UDP protocol
Platform: Terraform
Learn more about this vulnerability: https://docs.kics.io/latest/queries/terraform-queries/aws/92fe237e-074c-4262-81a4-2077acb928c1

	[1]: ../../path/examples/eks_managed_node_group/main.tf:393

		392: 
		393:   ingress {
		394:     description = "SSH access"


	[2]: ../../path/examples/complete/main.tf:441

		440: 
		441:   ingress {
		442:     from_port = 22


Auto Scaling Group With No Associated ELB, Severity: MEDIUM, Results: 1
Description: AWS Auto Scaling Groups must have associated ELBs to ensure high availability and improve application performance. This means the attribute 'load_balancers' must be defined and not empty.
Platform: Terraform
Learn more about this vulnerability: https://docs.kics.io/latest/queries/terraform-queries/aws/8e94dced-9bcc-4203-8eb7-7e41202b2505

	[1]: ../../path/modules/self-managed-node-group/main.tf:412

		411: 
		412: resource "aws_autoscaling_group" "this" {
		413:   count = var.create && var.create_autoscaling_group ? 1 : 0

Passwords And Secrets - Generic Password, Severity: HIGH, Results: 1
Description: Query to find passwords and secrets in infrastructure code.
Platform: Common
Learn more about this vulnerability: https://docs.kics.io/latest/queries/common-queries/common/487f4be7-3fd9-4506-a07a-eae252180c08

	[1]: ../../path/examples/karpenter/main.tf:182

		181:   repository_username = data.aws_ecrpublic_authorization_token.token.user_name
		182:   repository_password = <SECRET-MASKED-ON-PURPOSE>
		183:   chart               = "karpenter"


EKS Cluster Encryption Disabled, Severity: HIGH, Results: 1
Description: EKS Cluster should be encrypted
Platform: Terraform
Learn more about this vulnerability: https://docs.kics.io/latest/queries/terraform-queries/aws/63ebcb19-2739-4d3f-aa5c-e8bbb9b85281

	[1]: ../../path/main.tf:25

		024: 
		025: resource "aws_eks_cluster" "this" {
		026:   count = local.create ? 1 : 0


EC2 Instance Has Public IP, Severity: HIGH, Results: 1
Description: EC2 Instance should not have a public IP address.
Platform: Terraform
Learn more about this vulnerability: https://docs.kics.io/latest/queries/terraform-queries/aws/5a2486aa-facf-477d-a5c1-b010789459ce

	[1]: ../../path/examples/outposts/prerequisites/main.tf:24

		023: 
		024: module "ssm_bastion_ec2" {
		025:   source  = "terraform-aws-modules/ec2-instance/aws"


Results Summary:
HIGH: 3
MEDIUM: 17
LOW: 8
INFO: 36
TOTAL: 64

Results saved to file /path/results.json

Generating Reports: Done
Scan duration: 20.438463634s


