KICS execution example
Jump to navigation
Jump to search
cat results.json | grep issue_type | sort | uniq "issue_type": "IncorrectValue", "issue_type": "MissingAttribute", "issue_type": "RedundantAttribute",
cat results.json | grep '"description"' | grep -v description_id | trim | sort "description": "A sensitive port, such as port 23 or port 110, is open for a wide private network in either TCP or UDP protocol", "description": "AWS Auto Scaling Groups must have associated ELBs to ensure high availability and improve application performance. This means the attribute 'load_balancers' must be defined and not empty.", "description": "AWS services resource tags are an essential part of managing components. As a best practice, the field 'tags' should have additional tags defined other than 'Name'", "description": "Amazon EKS control plane logging don't enabled for all log types", "description": "Autoscaling groups should supply tags to configurate", "description": "EC2 Instance should have detailed monitoring enabled. With detailed monitoring enabled data is available in 1-minute periods", "description": "EC2 Instance should not have a public IP address.", "description": "EKS Cluster should be encrypted", "description": "Every VPC resource should have an associated Flow Log", "description": "IAM Access Analyzer should be enabled and configured to continuously monitor resource permissions", "description": "It's considered a best practice for AWS Security Group to have a description", "description": "It's considered a best practice for all rules in AWS Security Group to have a description", "description": "It's considered a best practice for an EC2 instance to use an EBS optimized instance. This provides the best performance for your EBS volumes by minimizing contention between Amazon EBS I/O and other traffic from your instance", "description": "Pinning an action to a full length commit SHA is currently the only way to use an action as an immutable release. Pinning to a particular SHA helps mitigate the risk of a bad actor adding a backdoor to the action's repository, as they would need to generate a SHA-1 collision for a valid Git object payload. When selecting a SHA, you should verify it is from the action's repository and not a repository fork.", "description": "Query to find passwords and secrets in infrastructure code.", "description": "Security group must be used or not declared", "description": "VPC Subnet should not assign public IP",
�[38;2;34;187;51m .0MO. OMMMx ;NMX; ... ... .... WMMMd cWMMM0. KMMMO ;xKWMMMMNOc. ,xXMMMMMWXkc. WMMMd .0MMMN: KMMMO :XMMMMMMMMMMMWl xMMMMMWMMMMMMl WMMMd lWMMMO. KMMMO xMMMMKc...'lXMk ,MMMMx .;dXx WMMMd.0MMMX; KMMMO cMMMMd ' 'MMMMNl' WMMMNWMMMMl KMMMO 0MMMN oMMMMMMMXkl. WMMMMMMMMMMo KMMMO 0MMMX .ckKWMMMMMM0. WMMMMWokMMMMk KMMMO oMMMMc . .:OMMMM0 WMMMK. dMMMM0. KMMMO KMMMMx' ,kNc :WOc. .NMMMX WMMMd cWMMMX. KMMMO kMMMMMWXNMMMMMd .WMMMMWKO0NMMMMl WMMMd ,NMMMN, KMMMO 'xNMMMMMMMNx, .l0WMMMMMMMWk, xkkk: ,kkkkx okkkl ;xKXKx; ;dOKKkc �[0m Scanning with Keeping Infrastructure as Code Secure v1.7.11 Preparing Scan Assets: \ Preparing Scan Assets: - Preparing Scan Assets: | Preparing Scan Assets: Done Files scanned: 62 Parsed files: 62 Queries loaded: 1049 Queries failed to execute: 0 ------------------------------------ �[38;2;91;192;222mSecurity Group Rule Without Description�[0m, Severity: �[38;2;91;192;222mINFO�[0m, Results: 2 �[1mDescription:�[0m It's considered a best practice for all rules in AWS Security Group to have a description �[1mPlatform:�[0m Terraform �[1mLearn more about this vulnerability:�[0m https://docs.kics.io/latest/queries/terraform-queries/aws/68eb4bf3-f9bf-463d-b5cf-e029bb446d2e �[38;2;91;192;222m[1]:�[0m ../../path/examples/eks_managed_node_group/main.tf:�[38;2;34;187;51m401�[0m 400: �[38;2;240;173;78m 401: egress { �[0m 402: from_port = 0 �[38;2;91;192;222m[2]:�[0m ../../path/examples/complete/main.tf:�[38;2;34;187;51m441�[0m 440: �[38;2;240;173;78m 441: ingress { �[0m 442: from_port = 22 �[38;2;91;192;222mSecurity Group Rule Without Description�[0m, Severity: �[38;2;91;192;222mINFO�[0m, Results: 1 �[1mDescription:�[0m It's considered a best practice for AWS Security Group to have a description �[1mPlatform:�[0m Terraform �[1mLearn more about this vulnerability:�[0m https://docs.kics.io/latest/queries/terraform-queries/aws/cb3f5ed6-0d18-40de-a93d-b3538db31e8c �[38;2;91;192;222m[1]:�[0m ../../path/examples/complete/main.tf:�[38;2;34;187;51m437�[0m 436: �[38;2;240;173;78m 437: resource "aws_security_group" "additional" { �[0m 438: name_prefix = "${local.name}-additional" �[38;2;91;192;222mSecurity Group Not Used�[0m, Severity: �[38;2;91;192;222mINFO�[0m, Results: 1 �[1mDescription:�[0m Security group must be used or not declared �[1mPlatform:�[0m Terraform �[1mLearn more about this vulnerability:�[0m https://docs.kics.io/latest/queries/terraform-queries/aws/4849211b-ac39-479e-ae78-5694d506cb24 �[38;2;91;192;222m[1]:�[0m ../../path/examples/eks_managed_node_group/main.tf:�[38;2;34;187;51m388�[0m 387: �[38;2;240;173;78m 388: resource "aws_security_group" "remote_access" { �[0m 389: name_prefix = "${local.name}-remote-access" �[38;2;91;192;222mResource Not Using Tags�[0m, Severity: �[38;2;91;192;222mINFO�[0m, Results: 30 �[1mDescription:�[0m AWS services resource tags are an essential part of managing components. As a best practice, the field 'tags' should have additional tags defined other than 'Name' �[1mPlatform:�[0m Terraform �[1mLearn more about this vulnerability:�[0m https://docs.kics.io/latest/queries/terraform-queries/aws/e38a8e0a-b88b-4902-b3fe-b0fcb17d5c10 �[38;2;91;192;222m[1]:�[0m ../../path/modules/self-managed-node-group/main.tf:�[38;2;34;187;51m747�[0m 746: �[38;2;240;173;78m 747: tags = merge(var.tags, var.iam_role_tags) �[0m 748: } �[38;2;91;192;222m[2]:�[0m ../../path/node_groups.tf:�[38;2;34;187;51m193�[0m 192: �[38;2;240;173;78m 193: tags = merge( �[0m 194: var.tags, �[38;2;91;192;222m[3]:�[0m ../../path/modules/fargate-profile/main.tf:�[38;2;34;187;51m89�[0m 088: �[38;2;240;173;78m 089: tags = var.tags �[0m 090: } �[38;2;91;192;222m[4]:�[0m ../../path/modules/fargate-profile/main.tf:�[38;2;34;187;51m40�[0m 039: �[38;2;240;173;78m 040: tags = merge(var.tags, var.iam_role_tags) �[0m 041: } �[38;2;91;192;222m[5]:�[0m ../../path/examples/complete/main.tf:�[38;2;34;187;51m452�[0m 451: �[38;2;240;173;78m 452: tags = merge(local.tags, { Name = "${local.name}-additional" }) �[0m 453: } �[38;2;91;192;222m[6]:�[0m ../../path/node_groups.tf:�[38;2;34;187;51m78�[0m 077: �[38;2;240;173;78m 078: tags = var.tags �[0m 079: } �[38;2;91;192;222m[7]:�[0m ../../path/modules/self-managed-node-group/main.tf:�[38;2;34;187;51m381�[0m 380: resource_type = tag_specifications.key �[38;2;240;173;78m 381: tags = merge(var.tags, { Name = var.name }, var.launch_template_tags) �[0m 382: } �[38;2;91;192;222m[8]:�[0m ../../path/main.tf:�[38;2;34;187;51m382�[0m 381: �[38;2;240;173;78m 382: tags = merge(var.tags, var.cluster_encryption_policy_tags) �[0m 383: } �[38;2;91;192;222m[9]:�[0m ../../path/modules/karpenter/main.tf:�[38;2;34;187;51m227�[0m 226: �[38;2;240;173;78m 227: tags = var.tags �[0m 228: } �[38;2;91;192;222m[10]:�[0m ../../path/modules/karpenter/main.tf:�[38;2;34;187;51m357�[0m 356: �[38;2;240;173;78m 357: tags = merge(var.tags, var.iam_role_tags) �[0m 358: } �[38;2;91;192;222m[11]:�[0m ../../path/modules/eks-managed-node-group/main.tf:�[38;2;34;187;51m387�[0m 386: �[38;2;240;173;78m 387: tags = merge( �[0m 388: var.tags, �[38;2;91;192;222m[12]:�[0m ../../path/modules/eks-managed-node-group/main.tf:�[38;2;34;187;51m429�[0m 428: �[38;2;240;173;78m 429: tags = merge(var.tags, var.iam_role_tags) �[0m 430: } �[38;2;91;192;222m[13]:�[0m ../../path/main.tf:�[38;2;34;187;51m73�[0m 072: �[38;2;240;173;78m 073: tags = merge( �[0m 074: var.tags, �[38;2;91;192;222m[14]:�[0m ../../path/examples/eks_managed_node_group/main.tf:�[38;2;34;187;51m409�[0m 408: �[38;2;240;173;78m 409: tags = merge(local.tags, { Name = "${local.name}-remote" }) �[0m 410: } �[38;2;91;192;222m[15]:�[0m ../../path/examples/self_managed_node_group/main.tf:�[38;2;34;187;51m406�[0m 405: �[38;2;240;173;78m 406: tags = local.tags �[0m 407: } �[38;2;91;192;222m[16]:�[0m ../../path/main.tf:�[38;2;34;187;51m436�[0m 435: �[38;2;240;173;78m 436: tags = var.tags �[0m 437: } �[38;2;91;192;222m[17]:�[0m ../../path/main.tf:�[38;2;34;187;51m327�[0m 326: �[38;2;240;173;78m 327: tags = merge(var.tags, var.iam_role_tags) �[0m 328: } �[38;2;91;192;222m[18]:�[0m ../../path/modules/eks-managed-node-group/main.tf:�[38;2;34;187;51m277�[0m 276: resource_type = tag_specifications.key �[38;2;240;173;78m 277: tags = merge(var.tags, { Name = var.name }, var.launch_template_tags) �[0m 278: } �[38;2;91;192;222m[19]:�[0m ../../path/main.tf:�[38;2;34;187;51m245�[0m 244: �[38;2;240;173;78m 245: tags = merge( �[0m 246: { Name = "${var.cluster_name}-eks-irsa" }, �[38;2;91;192;222m[20]:�[0m ../../path/examples/complete/main.tf:�[38;2;34;187;51m455�[0m 454: �[38;2;240;173;78m 455: resource "aws_iam_policy" "additional" { �[0m 456: name = "${local.name}-additional" �[38;2;91;192;222m[21]:�[0m ../../path/modules/karpenter/main.tf:�[38;2;34;187;51m63�[0m 062: �[38;2;240;173;78m 063: tags = merge(var.tags, var.irsa_tags) �[0m 064: } �[38;2;91;192;222m[22]:�[0m ../../path/main.tf:�[38;2;34;187;51m113�[0m 112: �[38;2;240;173;78m 113: tags = merge( �[0m 114: var.tags, �[38;2;91;192;222m[23]:�[0m ../../path/examples/fargate_profile/main.tf:�[38;2;34;187;51m133�[0m 132: �[38;2;240;173;78m 133: resource "aws_iam_policy" "additional" { �[0m 134: name = "${local.name}-additional" �[38;2;91;192;222m[24]:�[0m ../../path/modules/karpenter/main.tf:�[38;2;34;187;51m396�[0m 395: �[38;2;240;173;78m 396: tags = merge(var.tags, var.iam_role_tags) �[0m 397: } �[38;2;91;192;222m[25]:�[0m ../../path/main.tf:�[38;2;34;187;51m414�[0m 413: �[38;2;240;173;78m 414: tags = var.tags �[0m 415: } �[38;2;91;192;222m[26]:�[0m ../../path/modules/self-managed-node-group/main.tf:�[38;2;34;187;51m777�[0m 776: �[38;2;240;173;78m 777: tags = merge(var.tags, var.iam_role_tags) �[0m 778: �[38;2;91;192;222m[27]:�[0m ../../path/modules/karpenter/main.tf:�[38;2;34;187;51m191�[0m 190: �[38;2;240;173;78m 191: tags = var.tags �[0m 192: } �[38;2;91;192;222m[28]:�[0m ../../path/examples/eks_managed_node_group/main.tf:�[38;2;34;187;51m429�[0m 428: �[38;2;240;173;78m 429: tags = local.tags �[0m 430: } �[38;2;91;192;222m[29]:�[0m ../../path/main.tf:�[38;2;34;187;51m185�[0m 184: �[38;2;240;173;78m 185: tags = merge( �[0m 186: var.tags, �[38;2;91;192;222m[30]:�[0m ../../path/modules/self-managed-node-group/main.tf:�[38;2;34;187;51m412�[0m 411: �[38;2;240;173;78m 412: resource "aws_autoscaling_group" "this" { �[0m 413: count = var.create && var.create_autoscaling_group ? 1 : 0 �[38;2;91;192;222mEC2 Not EBS Optimized�[0m, Severity: �[38;2;91;192;222mINFO�[0m, Results: 1 �[1mDescription:�[0m It's considered a best practice for an EC2 instance to use an EBS optimized instance. This provides the best performance for your EBS volumes by minimizing contention between Amazon EBS I/O and other traffic from your instance �[1mPlatform:�[0m Terraform �[1mLearn more about this vulnerability:�[0m https://docs.kics.io/latest/queries/terraform-queries/aws/60224630-175a-472a-9e23-133827040766 �[38;2;91;192;222m[1]:�[0m ../../path/examples/outposts/prerequisites/main.tf:�[38;2;34;187;51m24�[0m 023: �[38;2;240;173;78m 024: module "ssm_bastion_ec2" { �[0m 025: source = "terraform-aws-modules/ec2-instance/aws" �[38;2;91;192;222mEC2 Instance Monitoring Disabled�[0m, Severity: �[38;2;91;192;222mINFO�[0m, Results: 1 �[1mDescription:�[0m EC2 Instance should have detailed monitoring enabled. With detailed monitoring enabled data is available in 1-minute periods �[1mPlatform:�[0m Terraform �[1mLearn more about this vulnerability:�[0m https://docs.kics.io/latest/queries/terraform-queries/aws/23b70e32-032e-4fa6-ba5c-82f56b9980e6 �[38;2;91;192;222m[1]:�[0m ../../path/examples/outposts/prerequisites/main.tf:�[38;2;34;187;51m24�[0m 023: �[38;2;240;173;78m 024: module "ssm_bastion_ec2" { �[0m 025: source = "terraform-aws-modules/ec2-instance/aws" �[38;2;237;213;126mVPC FlowLogs Disabled�[0m, Severity: �[38;2;237;213;126mLOW�[0m, Results: 5 �[1mDescription:�[0m Every VPC resource should have an associated Flow Log �[1mPlatform:�[0m Terraform �[1mLearn more about this vulnerability:�[0m https://docs.kics.io/latest/queries/terraform-queries/aws/f83121ea-03da-434f-9277-9cd247ab3047 �[38;2;237;213;126m[1]:�[0m ../../path/examples/complete/main.tf:�[38;2;34;187;51m411�[0m 410: �[38;2;240;173;78m 411: module "vpc" { �[0m 412: source = "terraform-aws-modules/vpc/aws" �[38;2;237;213;126m[2]:�[0m ../../path/examples/self_managed_node_group/main.tf:�[38;2;34;187;51m309�[0m 308: �[38;2;240;173;78m 309: module "vpc" { �[0m 310: source = "terraform-aws-modules/vpc/aws" �[38;2;237;213;126m[3]:�[0m ../../path/examples/fargate_profile/main.tf:�[38;2;34;187;51m107�[0m 106: �[38;2;240;173;78m 107: module "vpc" { �[0m 108: source = "terraform-aws-modules/vpc/aws" �[38;2;237;213;126m[4]:�[0m ../../path/examples/eks_managed_node_group/main.tf:�[38;2;34;187;51m301�[0m 300: �[38;2;240;173;78m 301: module "vpc" { �[0m 302: source = "terraform-aws-modules/vpc/aws" �[38;2;237;213;126m[5]:�[0m ../../path/examples/karpenter/main.tf:�[38;2;34;187;51m295�[0m 294: �[38;2;240;173;78m 295: module "vpc" { �[0m 296: source = "terraform-aws-modules/vpc/aws" �[38;2;237;213;126mMissing Cluster Log Types�[0m, Severity: �[38;2;237;213;126mLOW�[0m, Results: 1 �[1mDescription:�[0m Amazon EKS control plane logging don't enabled for all log types �[1mPlatform:�[0m Terraform �[1mLearn more about this vulnerability:�[0m https://docs.kics.io/latest/queries/terraform-queries/aws/66f130d9-b81d-4e8e-9b08-da74b9c891df �[38;2;237;213;126m[1]:�[0m ../../path/main.tf:�[38;2;34;187;51m31�[0m 030: version = var.cluster_version �[38;2;240;173;78m 031: enabled_cluster_log_types = var.cluster_enabled_log_types �[0m 032: �[38;2;237;213;126mIAM Access Analyzer Not Enabled�[0m, Severity: �[38;2;237;213;126mLOW�[0m, Results: 1 �[1mDescription:�[0m IAM Access Analyzer should be enabled and configured to continuously monitor resource permissions �[1mPlatform:�[0m Terraform �[1mLearn more about this vulnerability:�[0m https://docs.kics.io/latest/queries/terraform-queries/aws/e592a0c5-5bdb-414c-9066-5dba7cdea370 �[38;2;237;213;126m[1]:�[0m ../../path/examples/complete/main.tf:�[38;2;34;187;51m437�[0m 436: �[38;2;240;173;78m 437: resource "aws_security_group" "additional" { �[0m 438: name_prefix = "${local.name}-additional" �[38;2;237;213;126mAutoscaling Groups Supply Tags�[0m, Severity: �[38;2;237;213;126mLOW�[0m, Results: 1 �[1mDescription:�[0m Autoscaling groups should supply tags to configurate �[1mPlatform:�[0m Terraform �[1mLearn more about this vulnerability:�[0m https://docs.kics.io/latest/queries/terraform-queries/aws/ba48df05-eaa1-4d64-905e-4a4b051e7587 �[38;2;237;213;126m[1]:�[0m ../../path/modules/self-managed-node-group/main.tf:�[38;2;34;187;51m412�[0m 411: �[38;2;240;173;78m 412: resource "aws_autoscaling_group" "this" { �[0m 413: count = var.create && var.create_autoscaling_group ? 1 : 0 �[38;2;255;114;19mVPC Subnet Assigns Public IP�[0m, Severity: �[38;2;255;114;19mMEDIUM�[0m, Results: 5 �[1mDescription:�[0m VPC Subnet should not assign public IP �[1mPlatform:�[0m Terraform �[1mLearn more about this vulnerability:�[0m https://docs.kics.io/latest/queries/terraform-queries/aws/52f04a44-6bfa-4c41-b1d3-4ae99a2de05c �[38;2;255;114;19m[1]:�[0m ../../path/examples/karpenter/main.tf:�[38;2;34;187;51m295�[0m 294: �[38;2;240;173;78m 295: module "vpc" { �[0m 296: source = "terraform-aws-modules/vpc/aws" �[38;2;255;114;19m[2]:�[0m ../../path/examples/eks_managed_node_group/main.tf:�[38;2;34;187;51m301�[0m 300: �[38;2;240;173;78m 301: module "vpc" { �[0m 302: source = "terraform-aws-modules/vpc/aws" �[38;2;255;114;19m[3]:�[0m ../../path/examples/fargate_profile/main.tf:�[38;2;34;187;51m107�[0m 106: �[38;2;240;173;78m 107: module "vpc" { �[0m 108: source = "terraform-aws-modules/vpc/aws" �[38;2;255;114;19m[4]:�[0m ../../path/examples/complete/main.tf:�[38;2;34;187;51m411�[0m 410: �[38;2;240;173;78m 411: module "vpc" { �[0m 412: source = "terraform-aws-modules/vpc/aws" �[38;2;255;114;19m[5]:�[0m ../../path/examples/self_managed_node_group/main.tf:�[38;2;34;187;51m309�[0m 308: �[38;2;240;173;78m 309: module "vpc" { �[0m 310: source = "terraform-aws-modules/vpc/aws" �[38;2;255;114;19mUnpinned Actions Full Length Commit SHA�[0m, Severity: �[38;2;255;114;19mMEDIUM�[0m, Results: 9 �[1mDescription:�[0m Pinning an action to a full length commit SHA is currently the only way to use an action as an immutable release. Pinning to a particular SHA helps mitigate the risk of a bad actor adding a backdoor to the action's repository, as they would need to generate a SHA-1 collision for a valid Git object payload. When selecting a SHA, you should verify it is from the action's repository and not a repository fork. �[1mPlatform:�[0m CICD �[1mLearn more about this vulnerability:�[0m https://docs.kics.io/latest/queries/cicd-queries/555ab8f9-2001-455e-a077-f2d0f41e2fb9 �[38;2;255;114;19m[1]:�[0m ../../path/.github/workflows/pre-commit.yml:�[38;2;34;187;51m47�[0m 046: if: ${{ matrix.directory != '.' }} �[38;2;240;173;78m 047: uses: clowdhaus/terraform-composite-actions/[email protected] �[0m 048: with: �[38;2;255;114;19m[2]:�[0m ../../path/.github/workflows/pre-commit.yml:�[38;2;34;187;51m56�[0m 055: if: ${{ matrix.directory == '.' }} �[38;2;240;173;78m 056: uses: clowdhaus/terraform-composite-actions/[email protected] �[0m 057: with: �[38;2;255;114;19m[3]:�[0m ../../path/.github/workflows/pre-commit.yml:�[38;2;34;187;51m78�[0m 077: - name: Pre-commit Terraform ${{ steps.minMax.outputs.maxVersion }} �[38;2;240;173;78m 078: uses: clowdhaus/terraform-composite-actions/[email protected] �[0m 079: with: �[38;2;255;114;19m[4]:�[0m ../../path/.github/workflows/lock.yml:�[38;2;34;187;51m11�[0m 010: steps: �[38;2;240;173;78m 011: - uses: dessant/lock-threads@v4 �[0m 012: with: �[38;2;255;114;19m[5]:�[0m ../../path/.github/workflows/release.yml:�[38;2;34;187;51m29�[0m 028: - name: Release �[38;2;240;173;78m 029: uses: cycjimmy/semantic-release-action@v3 �[0m 030: with: �[38;2;255;114;19m[6]:�[0m ../../path/.github/workflows/pr-title.yml:�[38;2;34;187;51m17�[0m 016: # https://github.com/amannn/action-semantic-pull-request/releases �[38;2;240;173;78m 017: - uses: amannn/[email protected] �[0m 018: env: �[38;2;255;114;19m[7]:�[0m ../../path/.github/workflows/pre-commit.yml:�[38;2;34;187;51m25�[0m 024: id: dirs �[38;2;240;173;78m 025: uses: clowdhaus/terraform-composite-actions/[email protected] �[0m 026: �[38;2;255;114;19m[8]:�[0m ../../path/.github/workflows/pre-commit.yml:�[38;2;34;187;51m40�[0m 039: id: minMax �[38;2;240;173;78m 040: uses: clowdhaus/[email protected] �[0m 041: with: �[38;2;255;114;19m[9]:�[0m ../../path/.github/workflows/pre-commit.yml:�[38;2;34;187;51m75�[0m 074: id: minMax �[38;2;240;173;78m 075: uses: clowdhaus/[email protected] �[0m 076: �[38;2;255;114;19mSensitive Port Is Exposed To Wide Private Network�[0m, Severity: �[38;2;255;114;19mMEDIUM�[0m, Results: 2 �[1mDescription:�[0m A sensitive port, such as port 23 or port 110, is open for a wide private network in either TCP or UDP protocol �[1mPlatform:�[0m Terraform �[1mLearn more about this vulnerability:�[0m https://docs.kics.io/latest/queries/terraform-queries/aws/92fe237e-074c-4262-81a4-2077acb928c1 �[38;2;255;114;19m[1]:�[0m ../../path/examples/eks_managed_node_group/main.tf:�[38;2;34;187;51m393�[0m 392: �[38;2;240;173;78m 393: ingress { �[0m 394: description = "SSH access" �[38;2;255;114;19m[2]:�[0m ../../path/examples/complete/main.tf:�[38;2;34;187;51m441�[0m 440: �[38;2;240;173;78m 441: ingress { �[0m 442: from_port = 22 �[38;2;255;114;19mAuto Scaling Group With No Associated ELB�[0m, Severity: �[38;2;255;114;19mMEDIUM�[0m, Results: 1 �[1mDescription:�[0m AWS Auto Scaling Groups must have associated ELBs to ensure high availability and improve application performance. This means the attribute 'load_balancers' must be defined and not empty. �[1mPlatform:�[0m Terraform �[1mLearn more about this vulnerability:�[0m https://docs.kics.io/latest/queries/terraform-queries/aws/8e94dced-9bcc-4203-8eb7-7e41202b2505 �[38;2;255;114;19m[1]:�[0m ../../path/modules/self-managed-node-group/main.tf:�[38;2;34;187;51m412�[0m 411: �[38;2;240;173;78m 412: resource "aws_autoscaling_group" "this" { �[0m 413: count = var.create && var.create_autoscaling_group ? 1 : 0 �[38;2;187;33;36mPasswords And Secrets - Generic Password�[0m, Severity: �[38;2;187;33;36mHIGH�[0m, Results: 1 �[1mDescription:�[0m Query to find passwords and secrets in infrastructure code. �[1mPlatform:�[0m Common �[1mLearn more about this vulnerability:�[0m https://docs.kics.io/latest/queries/common-queries/common/487f4be7-3fd9-4506-a07a-eae252180c08 �[38;2;187;33;36m[1]:�[0m ../../path/examples/karpenter/main.tf:�[38;2;34;187;51m182�[0m 181: repository_username = data.aws_ecrpublic_authorization_token.token.user_name �[38;2;240;173;78m 182: repository_password = <SECRET-MASKED-ON-PURPOSE> �[0m 183: chart = "karpenter" �[38;2;187;33;36mEKS Cluster Encryption Disabled�[0m, Severity: �[38;2;187;33;36mHIGH�[0m, Results: 1 �[1mDescription:�[0m EKS Cluster should be encrypted �[1mPlatform:�[0m Terraform �[1mLearn more about this vulnerability:�[0m https://docs.kics.io/latest/queries/terraform-queries/aws/63ebcb19-2739-4d3f-aa5c-e8bbb9b85281 �[38;2;187;33;36m[1]:�[0m ../../path/main.tf:�[38;2;34;187;51m25�[0m 024: �[38;2;240;173;78m 025: resource "aws_eks_cluster" "this" { �[0m 026: count = local.create ? 1 : 0 �[38;2;187;33;36mEC2 Instance Has Public IP�[0m, Severity: �[38;2;187;33;36mHIGH�[0m, Results: 1 �[1mDescription:�[0m EC2 Instance should not have a public IP address. �[1mPlatform:�[0m Terraform �[1mLearn more about this vulnerability:�[0m https://docs.kics.io/latest/queries/terraform-queries/aws/5a2486aa-facf-477d-a5c1-b010789459ce �[38;2;187;33;36m[1]:�[0m ../../path/examples/outposts/prerequisites/main.tf:�[38;2;34;187;51m24�[0m 023: �[38;2;240;173;78m 024: module "ssm_bastion_ec2" { �[0m 025: source = "terraform-aws-modules/ec2-instance/aws" Results Summary: �[38;2;187;33;36mHIGH�[0m: 3 �[38;2;255;114;19mMEDIUM�[0m: 17 �[38;2;237;213;126mLOW�[0m: 8 �[38;2;91;192;222mINFO�[0m: 36 TOTAL: 64 Results saved to file /path/results.json Generating Reports: Done Scan duration: 20.438463634s
See also
Advertising: