🌱 add support for KICS SAST

Signed-off-by: Adam Korczynski <[email protected]>

Author: AdamKorcz

checker/raw_result.go

@@ -286,6 +286,8 @@ const (
 	PysaWorkflow SASTWorkflowType = "Pysa"
 	// QodanaWorkflow represents a workflow that runs Qodana.
 	QodanaWorkflow SASTWorkflowType = "Qodana"
+	// KicsWorkflow represents a workflow that runs KICS.
+	KicsWorkflow SASTWorkflowType = "KICS"
 )
 
 // SASTWorkflow represents a SAST workflow.

checks/evaluation/sast_test.go

@@ -160,6 +160,25 @@ func TestSAST(t *testing.T) {
 				NumberOfInfo: 2,
 			},
 		},
+		{
+			name: "KICS is installed, no other SAST tools are installed",
+			findings: []finding.Finding{
+				tool(checker.KicsWorkflow),
+				{
+					Probe:   sastToolRunsOnAllCommits.Probe,
+					Outcome: finding.OutcomeTrue,
+					Values: map[string]string{
+						sastToolRunsOnAllCommits.AnalyzedPRsKey: "1",
+						sastToolRunsOnAllCommits.TotalPRsKey:    "3",
+					},
+				},
+			},
+			result: scut.TestReturn{
+				Score:        10,
+				NumberOfWarn: 0,
+				NumberOfInfo: 2,
+			},
+		},
 	}
 	for _, tt := range tests {
 		t.Run(tt.name, func(t *testing.T) {

checks/raw/sast.go

@@ -43,6 +43,7 @@ var sastTools = map[string]bool{
 	"lgtm-com":                 true,
 	"sonarcloud":               true,
 	"sonarqubecloud":           true,
+	"kics-github-action":       true,
 }
 
 var allowedConclusions = map[string]bool{"success": true, "neutral": true}
@@ -87,6 +88,12 @@ func SAST(c *checker.CheckRequest) (checker.SASTData, error) {
 	}
 	data.Workflows = append(data.Workflows, qodanaWorkflows...)
 
+	kicsWorkflows, err := getSastUsesWorkflows(c, "^Checkmarx/kics-github-action", checker.KicsWorkflow)
+	if err != nil {
+		return data, err
+	}
+	data.Workflows = append(data.Workflows, kicsWorkflows...)
+
 	return data, nil
 }
 

checks/raw/sast_test.go

@@ -195,6 +195,29 @@ func TestSAST(t *testing.T) {
 				},
 			},
 		},
+		{
+			name:  "Has KICS",
+			files: []string{".github/workflows/github-kics-workflow.yaml"},
+			commits: []clients.Commit{
+				{
+					AssociatedMergeRequest: clients.PullRequest{
+						Number: 1,
+					},
+				},
+			},
+			expected: checker.SASTData{
+				Workflows: []checker.SASTWorkflow{
+					{
+						Type: checker.KicsWorkflow,
+						File: checker.File{
+							Path:   ".github/workflows/github-kics-workflow.yaml",
+							Offset: checker.OffsetDefault,
+							Type:   finding.FileTypeSource,
+						},
+					},
+				},
+			},
+		},
 	}
 	for _, tt := range tests {
 		t.Run(tt.name, func(t *testing.T) {

checks/raw/testdata/.github/workflows/github-kics-workflow.yaml

@@ -0,0 +1,32 @@
+name: "Security Scans"
+on:
+  schedule:
+    - cron: '0 3 * * 1' # run tests at 1 AM (UTC), every monday (1)
+  workflow_dispatch:
+    inputs:
+      branch:
+        description: 'Take CI build artifacts from branch (e.g., master, release-x.y.z)'
+        required: true
+        default: 'main'
+
+# Declare default permissions as read only.
+permissions: read-all
+
+defaults:
+  run:
+    shell: bash
+
+env:
+  GO_VERSION: "~1.23"
+
+jobs:
+  security-scans:
+    steps:
+      - name: KICS Scan
+        if: matrix.tool == 'kics'
+        uses: Checkmarx/kics-github-action@94469746ec2c43de89a42fb9d2a80070f5d25b16 # v2.1.3
+        with:
+          path: scans
+          config_path: .github/kics-config.yml
+          fail_on: high,medium
+          output_formats: json,sarif

checks/sast_test.go

@@ -49,7 +49,11 @@ func Test_SAST(t *testing.T) {
 			name:         "SAST checker should return min score when no PRs are found",
 			commits:      []clients.Commit{},
 			searchresult: clients.SearchResponse{},
-			checkRuns:    []clients.CheckRun{},
+			searchRequest: clients.SearchRequest{
+				Query: "github/codeql-action/analyze",
+				Path:  "/.github/workflows",
+			},
+			checkRuns: []clients.CheckRun{},
 			expected: scut.TestReturn{
 				Score:        checker.MinResultScore,
 				NumberOfWarn: 1,
@@ -60,7 +64,11 @@ func Test_SAST(t *testing.T) {
 			err:          errors.New("error"),
 			commits:      []clients.Commit{},
 			searchresult: clients.SearchResponse{},
-			checkRuns:    []clients.CheckRun{},
+			searchRequest: clients.SearchRequest{
+				Query: "github/codeql-action/analyze",
+				Path:  "/.github/workflows",
+			},
+			checkRuns: []clients.CheckRun{},
 			expected: scut.TestReturn{
 				Score: checker.InconclusiveResultScore,
 				Error: sce.ErrScorecardInternal,
@@ -76,6 +84,10 @@ func Test_SAST(t *testing.T) {
 				},
 			},
 			searchresult: clients.SearchResponse{},
+			searchRequest: clients.SearchRequest{
+				Query: "github/codeql-action/analyze",
+				Path:  "/.github/workflows",
+			},
 			checkRuns: []clients.CheckRun{
 				{
 					Status:     "completed",
@@ -101,6 +113,10 @@ func Test_SAST(t *testing.T) {
 				},
 			},
 			searchresult: clients.SearchResponse{},
+			searchRequest: clients.SearchRequest{
+				Query: "github/codeql-action/analyze",
+				Path:  "/.github/workflows",
+			},
 			checkRuns: []clients.CheckRun{
 				{
 					Status:     "completed",
@@ -126,6 +142,10 @@ func Test_SAST(t *testing.T) {
 				},
 			},
 			searchresult: clients.SearchResponse{},
+			searchRequest: clients.SearchRequest{
+				Query: "github/codeql-action/analyze",
+				Path:  "/.github/workflows",
+			},
 			checkRuns: []clients.CheckRun{
 				{
 					Status:     "completed",
@@ -152,6 +172,10 @@ func Test_SAST(t *testing.T) {
 				},
 			},
 			searchresult: clients.SearchResponse{},
+			searchRequest: clients.SearchRequest{
+				Query: "github/codeql-action/analyze",
+				Path:  "/.github/workflows",
+			},
 			checkRuns: []clients.CheckRun{
 				{
 					Status:     "completed",
@@ -178,7 +202,11 @@ func Test_SAST(t *testing.T) {
 				},
 			},
 			searchresult: clients.SearchResponse{},
-			path:         ".github/workflows/airflow-codeql-workflow.yaml",
+			searchRequest: clients.SearchRequest{
+				Query: "github/codeql-action/analyze",
+				Path:  "/.github/workflows",
+			},
+			path: ".github/workflows/airflow-codeql-workflow.yaml",
 			expected: scut.TestReturn{
 				Score:        7,
 				NumberOfWarn: 1,
@@ -196,6 +224,10 @@ func Test_SAST(t *testing.T) {
 				},
 			},
 			searchresult: clients.SearchResponse{},
+			searchRequest: clients.SearchRequest{
+				Query: "github/codeql-action/analyze",
+				Path:  "/.github/workflows",
+			},
 			checkRuns: []clients.CheckRun{
 				{
 					Status:     "completed",
@@ -231,6 +263,10 @@ func Test_SAST(t *testing.T) {
 				},
 			},
 			searchresult: clients.SearchResponse{},
+			searchRequest: clients.SearchRequest{
+				Query: "github/codeql-action/analyze",
+				Path:  "/.github/workflows",
+			},
 			checkRuns: []clients.CheckRun{
 				{
 					Status:     "completed",
@@ -271,6 +307,10 @@ func Test_SAST(t *testing.T) {
 				},
 			},
 			searchresult: clients.SearchResponse{},
+			searchRequest: clients.SearchRequest{
+				Query: "github/codeql-action/analyze",
+				Path:  "/.github/workflows",
+			},
 			checkRuns: []clients.CheckRun{
 				{
 					Status:     "notCompletedForTestingOnly",
@@ -294,12 +334,51 @@ func Test_SAST(t *testing.T) {
 				NumberOfInfo: 1,
 			},
 		},
+		{
+			name: `KICS workflow with commits`,
+			err:  nil,
+			commits: []clients.Commit{
+				{
+					AssociatedMergeRequest: clients.PullRequest{
+						MergedAt: time.Now().Add(time.Hour - 1),
+					},
+				},
+				{
+					AssociatedMergeRequest: clients.PullRequest{
+						MergedAt: time.Now().Add(time.Hour - 2),
+					},
+				},
+			},
+			searchresult: clients.SearchResponse{},
+			searchRequest: clients.SearchRequest{
+				Query: "github/Checkmarx/kics-github-action",
+				Path:  "/.github/workflows",
+			},
+			checkRuns: []clients.CheckRun{
+				{
+					Status:     "completed",
+					Conclusion: "success",
+					App: clients.CheckRunApp{
+						Slug: "kics-github-action",
+					},
+				},
+				{
+					Status:     "completed",
+					Conclusion: "success",
+					App: clients.CheckRunApp{
+						Slug: "kics-github-action",
+					},
+				},
+			},
+			path: ".github/workflows/github-kics-workflow.yaml",
+			expected: scut.TestReturn{
+				Score:         checker.MaxResultScore,
+				NumberOfDebug: 2,
+				NumberOfInfo:  2,
+			},
+		},
 	}
 	for _, tt := range tests {
-		searchRequest := clients.SearchRequest{
-			Query: "github/codeql-action/analyze",
-			Path:  "/.github/workflows",
-		}
 		t.Run(tt.name, func(t *testing.T) {
 			t.Parallel()
 			ctrl := gomock.NewController(t)
@@ -311,7 +390,7 @@ func Test_SAST(t *testing.T) {
 				return tt.commits, tt.err
 			})
 			mockRepoClient.EXPECT().ListCheckRunsForRef("").Return(tt.checkRuns, nil).AnyTimes()
-			mockRepoClient.EXPECT().Search(searchRequest).Return(tt.searchresult, nil).AnyTimes()
+			mockRepoClient.EXPECT().Search(tt.searchRequest).Return(tt.searchresult, nil).AnyTimes()
 			mockRepoClient.EXPECT().ListFiles(gomock.Any()).DoAndReturn(
 				func(predicate func(string) (bool, error)) ([]string, error) {
 					if strings.Contains(tt.path, "pom") {

checks/testdata/.github/workflows/github-kics-workflow.yaml

@@ -0,0 +1,32 @@
+name: "Security Scans"
+on:
+  schedule:
+    - cron: '0 3 * * 1' # run tests at 1 AM (UTC), every monday (1)
+  workflow_dispatch:
+    inputs:
+      branch:
+        description: 'Take CI build artifacts from branch (e.g., master, release-x.y.z)'
+        required: true
+        default: 'main'
+
+# Declare default permissions as read only.
+permissions: read-all
+
+defaults:
+  run:
+    shell: bash
+
+env:
+  GO_VERSION: "~1.23"
+
+jobs:
+  security-scans:
+    steps:
+      - name: KICS Scan
+        if: matrix.tool == 'kics'
+        uses: Checkmarx/kics-github-action@94469746ec2c43de89a42fb9d2a80070f5d25b16 # v2.1.3
+        with:
+          path: scans
+          config_path: .github/kics-config.yml
+          fail_on: high,medium
+          output_formats: json,sarif

probes/sastToolConfigured/impl_test.go

@@ -67,13 +67,17 @@ func Test_Run(t *testing.T) {
 						{
 							Type: checker.PysaWorkflow,
 						},
+						{
+							Type: checker.KicsWorkflow,
+						},
 					},
 				},
 			},
 			outcomes: []finding.Outcome{
 				finding.OutcomeTrue,
 				finding.OutcomeTrue,
 				finding.OutcomeTrue,
+				finding.OutcomeTrue,
 			},
 		},
 	}