🌱 add support for KICS SAST

Signed-off-by: Adam Korczynski <[email protected]>

Author: AdamKorcz

checker/raw_result.go

@@ -286,6 +286,8 @@ const (
 	PysaWorkflow SASTWorkflowType = "Pysa"
 	// QodanaWorkflow represents a workflow that runs Qodana.
 	QodanaWorkflow SASTWorkflowType = "Qodana"
+	// KicsWorkflow represents a workflow that runs KICS.
+	KicsWorkflow SASTWorkflowType = "KICS"
 )
 
 // SASTWorkflow represents a SAST workflow.

checks/raw/sast.go

@@ -87,6 +87,12 @@ func SAST(c *checker.CheckRequest) (checker.SASTData, error) {
 	}
 	data.Workflows = append(data.Workflows, qodanaWorkflows...)
 
+	kicsWorkflows, err := getSastUsesWorkflows(c, "^Checkmarx/kics-github-action", checker.KicsWorkflow)
+	if err != nil {
+		return data, err
+	}
+	data.Workflows = append(data.Workflows, kicsWorkflows...)
+
 	return data, nil
 }
 

checks/raw/sast_test.go

@@ -195,6 +195,29 @@ func TestSAST(t *testing.T) {
 				},
 			},
 		},
+		{
+			name:  "Has KICS",
+			files: []string{".github/workflows/github-kics-workflow.yaml"},
+			commits: []clients.Commit{
+				{
+					AssociatedMergeRequest: clients.PullRequest{
+						Number: 1,
+					},
+				},
+			},
+			expected: checker.SASTData{
+				Workflows: []checker.SASTWorkflow{
+					{
+						Type: checker.KicsWorkflow,
+						File: checker.File{
+							Path:   ".github/workflows/github-kics-workflow.yaml",
+							Offset: checker.OffsetDefault,
+							Type:   finding.FileTypeSource,
+						},
+					},
+				},
+			},
+		},
 	}
 	for _, tt := range tests {
 		t.Run(tt.name, func(t *testing.T) {

checks/raw/testdata/.github/workflows/github-kics-workflow.yaml

@@ -0,0 +1,32 @@
+name: "Security Scans"
+on:
+  schedule:
+    - cron: '0 3 * * 1' # run tests at 1 AM (UTC), every monday (1)
+  workflow_dispatch:
+    inputs:
+      branch:
+        description: 'Take CI build artifacts from branch (e.g., master, release-x.y.z)'
+        required: true
+        default: 'main'
+
+# Declare default permissions as read only.
+permissions: read-all
+
+defaults:
+  run:
+    shell: bash
+
+env:
+  GO_VERSION: "~1.23"
+
+jobs:
+  security-scans:
+    steps:
+      - name: KICS Scan
+        if: matrix.tool == 'kics'
+        uses: Checkmarx/kics-github-action@94469746ec2c43de89a42fb9d2a80070f5d25b16 # v2.1.3
+        with:
+          path: scans
+          config_path: .github/kics-config.yml
+          fail_on: high,medium
+          output_formats: json,sarif