KICS execution example
cat results.json | grep issue_type | sort | uniq
"issue_type": "IncorrectValue",
"issue_type": "MissingAttribute",
"issue_type": "RedundantAttribute",
cat results.json | grep '"description"' | grep -v description_id | trim | sort
"description": "A sensitive port, such as port 23 or port 110, is open for a wide private network in either TCP or UDP protocol",
"description": "AWS Auto Scaling Groups must have associated ELBs to ensure high availability and improve application performance. This means the attribute 'load_balancers' must be defined and not empty.",
"description": "AWS services resource tags are an essential part of managing components. As a best practice, the field 'tags' should have additional tags defined other than 'Name'",
"description": "Amazon EKS control plane logging don't enabled for all log types",
"description": "Autoscaling groups should supply tags to configurate",
"description": "EC2 Instance should have detailed monitoring enabled. With detailed monitoring enabled data is available in 1-minute periods",
"description": "EC2 Instance should not have a public IP address.",
"description": "EKS Cluster should be encrypted",
"description": "Every VPC resource should have an associated Flow Log",
"description": "IAM Access Analyzer should be enabled and configured to continuously monitor resource permissions",
"description": "It's considered a best practice for AWS Security Group to have a description",
"description": "It's considered a best practice for all rules in AWS Security Group to have a description",
"description": "It's considered a best practice for an EC2 instance to use an EBS optimized instance. This provides the best performance for your EBS volumes by minimizing contention between Amazon EBS I/O and other traffic from your instance",
"description": "Pinning an action to a full length commit SHA is currently the only way to use an action as an immutable release. Pinning to a particular SHA helps mitigate the risk of a bad actor adding a backdoor to the action's repository, as they would need to generate a SHA-1 collision for a valid Git object payload. When selecting a SHA, you should verify it is from the action's repository and not a repository fork.",
"description": "Query to find passwords and secrets in infrastructure code.",
"description": "Security group must be used or not declared",
"description": "VPC Subnet should not assign public IP",
Scanning with Keeping Infrastructure as Code Secure v1.7.11

Preparing Scan Assets: Done

Files scanned: 62
Parsed files: 62
Queries loaded: 1049
Queries failed to execute: 0

------------------------------------

Security Group Rule Without Description, Severity: INFO, Results: 2
Description: It's considered a best practice for all rules in AWS Security Group to have a description
Platform: Terraform
Learn more about this vulnerability: https://docs.kics.io/latest/queries/terraform-queries/aws/68eb4bf3-f9bf-463d-b5cf-e029bb446d2e

    [1]: ../../path/examples/eks_managed_node_group/main.tf:401
        400:
        401: egress {
        402: from_port = 0

    [2]: ../../path/examples/complete/main.tf:441
        440:
        441: ingress {
        442: from_port = 22

Security Group Rule Without Description, Severity: INFO, Results: 1
Description: It's considered a best practice for AWS Security Group to have a description
Platform: Terraform
Learn more about this vulnerability: https://docs.kics.io/latest/queries/terraform-queries/aws/cb3f5ed6-0d18-40de-a93d-b3538db31e8c

    [1]: ../../path/examples/complete/main.tf:437
        436:
        437: resource "aws_security_group" "additional" {
        438: name_prefix = "${local.name}-additional"

Security Group Not Used, Severity: INFO, Results: 1
Description: Security group must be used or not declared
Platform: Terraform
Learn more about this vulnerability: https://docs.kics.io/latest/queries/terraform-queries/aws/4849211b-ac39-479e-ae78-5694d506cb24

    [1]: ../../path/examples/eks_managed_node_group/main.tf:388
        387:
        388: resource "aws_security_group" "remote_access" {
        389: name_prefix = "${local.name}-remote-access"

Resource Not Using Tags, Severity: INFO, Results: 30
Description: AWS services resource tags are an essential part of managing components. As a best practice, the field 'tags' should have additional tags defined other than 'Name'
Platform: Terraform
Learn more about this vulnerability: https://docs.kics.io/latest/queries/terraform-queries/aws/e38a8e0a-b88b-4902-b3fe-b0fcb17d5c10

    [1]: ../../path/modules/self-managed-node-group/main.tf:747
        746:
        747: tags = merge(var.tags, var.iam_role_tags)
        748: }

    [2]: ../../path/node_groups.tf:193
        192:
        193: tags = merge(
        194: var.tags,

    [3]: ../../path/modules/fargate-profile/main.tf:89
        088:
        089: tags = var.tags
        090: }

    [4]: ../../path/modules/fargate-profile/main.tf:40
        039:
        040: tags = merge(var.tags, var.iam_role_tags)
        041: }

    [5]: ../../path/examples/complete/main.tf:452
        451:
        452: tags = merge(local.tags, { Name = "${local.name}-additional" })
        453: }

    [6]: ../../path/node_groups.tf:78
        077:
        078: tags = var.tags
        079: }

    [7]: ../../path/modules/self-managed-node-group/main.tf:381
        380: resource_type = tag_specifications.key
        381: tags = merge(var.tags, { Name = var.name }, var.launch_template_tags)
        382: }

    [8]: ../../path/main.tf:382
        381:
        382: tags = merge(var.tags, var.cluster_encryption_policy_tags)
        383: }

    [9]: ../../path/modules/karpenter/main.tf:227
        226:
        227: tags = var.tags
        228: }

    [10]: ../../path/modules/karpenter/main.tf:357
        356:
        357: tags = merge(var.tags, var.iam_role_tags)
        358: }

    [11]: ../../path/modules/eks-managed-node-group/main.tf:387
        386:
        387: tags = merge(
        388: var.tags,

    [12]: ../../path/modules/eks-managed-node-group/main.tf:429
        428:
        429: tags = merge(var.tags, var.iam_role_tags)
        430: }

    [13]: ../../path/main.tf:73
        072:
        073: tags = merge(
        074: var.tags,

    [14]: ../../path/examples/eks_managed_node_group/main.tf:409
        408:
        409: tags = merge(local.tags, { Name = "${local.name}-remote" })
        410: }

    [15]: ../../path/examples/self_managed_node_group/main.tf:406
        405:
        406: tags = local.tags
        407: }

    [16]: ../../path/main.tf:436
        435:
        436: tags = var.tags
        437: }

    [17]: ../../path/main.tf:327
        326:
        327: tags = merge(var.tags, var.iam_role_tags)
        328: }

    [18]: ../../path/modules/eks-managed-node-group/main.tf:277
        276: resource_type = tag_specifications.key
        277: tags = merge(var.tags, { Name = var.name }, var.launch_template_tags)
        278: }

    [19]: ../../path/main.tf:245
        244:
        245: tags = merge(
        246: { Name = "${var.cluster_name}-eks-irsa" },

    [20]: ../../path/examples/complete/main.tf:455
        454:
        455: resource "aws_iam_policy" "additional" {
        456: name = "${local.name}-additional"

    [21]: ../../path/modules/karpenter/main.tf:63
        062:
        063: tags = merge(var.tags, var.irsa_tags)
        064: }

    [22]: ../../path/main.tf:113
        112:
        113: tags = merge(
        114: var.tags,

    [23]: ../../path/examples/fargate_profile/main.tf:133
        132:
        133: resource "aws_iam_policy" "additional" {
        134: name = "${local.name}-additional"

    [24]: ../../path/modules/karpenter/main.tf:396
        395:
        396: tags = merge(var.tags, var.iam_role_tags)
        397: }

    [25]: ../../path/main.tf:414
        413:
        414: tags = var.tags
        415: }

    [26]: ../../path/modules/self-managed-node-group/main.tf:777
        776:
        777: tags = merge(var.tags, var.iam_role_tags)
        778:

    [27]: ../../path/modules/karpenter/main.tf:191
        190:
        191: tags = var.tags
        192: }

    [28]: ../../path/examples/eks_managed_node_group/main.tf:429
        428:
        429: tags = local.tags
        430: }

    [29]: ../../path/main.tf:185
        184:
        185: tags = merge(
        186: var.tags,

    [30]: ../../path/modules/self-managed-node-group/main.tf:412
        411:
        412: resource "aws_autoscaling_group" "this" {
        413: count = var.create && var.create_autoscaling_group ? 1 : 0

EC2 Not EBS Optimized, Severity: INFO, Results: 1
Description: It's considered a best practice for an EC2 instance to use an EBS optimized instance. This provides the best performance for your EBS volumes by minimizing contention between Amazon EBS I/O and other traffic from your instance
Platform: Terraform
Learn more about this vulnerability: https://docs.kics.io/latest/queries/terraform-queries/aws/60224630-175a-472a-9e23-133827040766

    [1]: ../../path/examples/outposts/prerequisites/main.tf:24
        023:
        024: module "ssm_bastion_ec2" {
        025: source = "terraform-aws-modules/ec2-instance/aws"

EC2 Instance Monitoring Disabled, Severity: INFO, Results: 1
Description: EC2 Instance should have detailed monitoring enabled. With detailed monitoring enabled data is available in 1-minute periods
Platform: Terraform
Learn more about this vulnerability: https://docs.kics.io/latest/queries/terraform-queries/aws/23b70e32-032e-4fa6-ba5c-82f56b9980e6

    [1]: ../../path/examples/outposts/prerequisites/main.tf:24
        023:
        024: module "ssm_bastion_ec2" {
        025: source = "terraform-aws-modules/ec2-instance/aws"

VPC FlowLogs Disabled, Severity: LOW, Results: 5
Description: Every VPC resource should have an associated Flow Log
Platform: Terraform
Learn more about this vulnerability: https://docs.kics.io/latest/queries/terraform-queries/aws/f83121ea-03da-434f-9277-9cd247ab3047

    [1]: ../../path/examples/complete/main.tf:411
        410:
        411: module "vpc" {
        412: source = "terraform-aws-modules/vpc/aws"

    [2]: ../../path/examples/self_managed_node_group/main.tf:309
        308:
        309: module "vpc" {
        310: source = "terraform-aws-modules/vpc/aws"

    [3]: ../../path/examples/fargate_profile/main.tf:107
        106:
        107: module "vpc" {
        108: source = "terraform-aws-modules/vpc/aws"

    [4]: ../../path/examples/eks_managed_node_group/main.tf:301
        300:
        301: module "vpc" {
        302: source = "terraform-aws-modules/vpc/aws"

    [5]: ../../path/examples/karpenter/main.tf:295
        294:
        295: module "vpc" {
        296: source = "terraform-aws-modules/vpc/aws"

Missing Cluster Log Types, Severity: LOW, Results: 1
Description: Amazon EKS control plane logging don't enabled for all log types
Platform: Terraform
Learn more about this vulnerability: https://docs.kics.io/latest/queries/terraform-queries/aws/66f130d9-b81d-4e8e-9b08-da74b9c891df

    [1]: ../../path/main.tf:31
        030: version = var.cluster_version
        031: enabled_cluster_log_types = var.cluster_enabled_log_types
        032:

IAM Access Analyzer Not Enabled, Severity: LOW, Results: 1
Description: IAM Access Analyzer should be enabled and configured to continuously monitor resource permissions
Platform: Terraform
Learn more about this vulnerability: https://docs.kics.io/latest/queries/terraform-queries/aws/e592a0c5-5bdb-414c-9066-5dba7cdea370

    [1]: ../../path/examples/complete/main.tf:437
        436:
        437: resource "aws_security_group" "additional" {
        438: name_prefix = "${local.name}-additional"

Autoscaling Groups Supply Tags, Severity: LOW, Results: 1
Description: Autoscaling groups should supply tags to configurate
Platform: Terraform
Learn more about this vulnerability: https://docs.kics.io/latest/queries/terraform-queries/aws/ba48df05-eaa1-4d64-905e-4a4b051e7587

    [1]: ../../path/modules/self-managed-node-group/main.tf:412
        411:
        412: resource "aws_autoscaling_group" "this" {
        413: count = var.create && var.create_autoscaling_group ? 1 : 0

VPC Subnet Assigns Public IP, Severity: MEDIUM, Results: 5
Description: VPC Subnet should not assign public IP
Platform: Terraform
Learn more about this vulnerability: https://docs.kics.io/latest/queries/terraform-queries/aws/52f04a44-6bfa-4c41-b1d3-4ae99a2de05c

    [1]: ../../path/examples/karpenter/main.tf:295
        294:
        295: module "vpc" {
        296: source = "terraform-aws-modules/vpc/aws"

    [2]: ../../path/examples/eks_managed_node_group/main.tf:301
        300:
        301: module "vpc" {
        302: source = "terraform-aws-modules/vpc/aws"

    [3]: ../../path/examples/fargate_profile/main.tf:107
        106:
        107: module "vpc" {
        108: source = "terraform-aws-modules/vpc/aws"

    [4]: ../../path/examples/complete/main.tf:411
        410:
        411: module "vpc" {
        412: source = "terraform-aws-modules/vpc/aws"

    [5]: ../../path/examples/self_managed_node_group/main.tf:309
        308:
        309: module "vpc" {
        310: source = "terraform-aws-modules/vpc/aws"

Unpinned Actions Full Length Commit SHA, Severity: MEDIUM, Results: 9
Description: Pinning an action to a full length commit SHA is currently the only way to use an action as an immutable release. Pinning to a particular SHA helps mitigate the risk of a bad actor adding a backdoor to the action's repository, as they would need to generate a SHA-1 collision for a valid Git object payload. When selecting a SHA, you should verify it is from the action's repository and not a repository fork.
Platform: CICD
Learn more about this vulnerability: https://docs.kics.io/latest/queries/cicd-queries/555ab8f9-2001-455e-a077-f2d0f41e2fb9

    [1]: ../../path/.github/workflows/pre-commit.yml:47
        046: if: ${{ matrix.directory != '.' }}
        047: uses: clowdhaus/terraform-composite-actions/[email protected]
        048: with:

    [2]: ../../path/.github/workflows/pre-commit.yml:56
        055: if: ${{ matrix.directory == '.' }}
        056: uses: clowdhaus/terraform-composite-actions/[email protected]
        057: with:

    [3]: ../../path/.github/workflows/pre-commit.yml:78
        077: - name: Pre-commit Terraform ${{ steps.minMax.outputs.maxVersion }}
        078: uses: clowdhaus/terraform-composite-actions/[email protected]
        079: with:

    [4]: ../../path/.github/workflows/lock.yml:11
        010: steps:
        011: - uses: dessant/lock-threads@v4
        012: with:

    [5]: ../../path/.github/workflows/release.yml:29
        028: - name: Release
        029: uses: cycjimmy/semantic-release-action@v3
        030: with:

    [6]: ../../path/.github/workflows/pr-title.yml:17
        016: # https://github.com/amannn/action-semantic-pull-request/releases
        017: - uses: amannn/[email protected]
        018: env:

    [7]: ../../path/.github/workflows/pre-commit.yml:25
        024: id: dirs
        025: uses: clowdhaus/terraform-composite-actions/[email protected]
        026:

    [8]: ../../path/.github/workflows/pre-commit.yml:40
        039: id: minMax
        040: uses: clowdhaus/[email protected]
        041: with:

    [9]: ../../path/.github/workflows/pre-commit.yml:75
        074: id: minMax
        075: uses: clowdhaus/[email protected]
        076:

Sensitive Port Is Exposed To Wide Private Network, Severity: MEDIUM, Results: 2
Description: A sensitive port, such as port 23 or port 110, is open for a wide private network in either TCP or UDP protocol
Platform: Terraform
Learn more about this vulnerability: https://docs.kics.io/latest/queries/terraform-queries/aws/92fe237e-074c-4262-81a4-2077acb928c1

    [1]: ../../path/examples/eks_managed_node_group/main.tf:393
        392:
        393: ingress {
        394: description = "SSH access"

    [2]: ../../path/examples/complete/main.tf:441
        440:
        441: ingress {
        442: from_port = 22

Auto Scaling Group With No Associated ELB, Severity: MEDIUM, Results: 1
Description: AWS Auto Scaling Groups must have associated ELBs to ensure high availability and improve application performance. This means the attribute 'load_balancers' must be defined and not empty.
Platform: Terraform
Learn more about this vulnerability: https://docs.kics.io/latest/queries/terraform-queries/aws/8e94dced-9bcc-4203-8eb7-7e41202b2505

    [1]: ../../path/modules/self-managed-node-group/main.tf:412
        411:
        412: resource "aws_autoscaling_group" "this" {
        413: count = var.create && var.create_autoscaling_group ? 1 : 0

Passwords And Secrets - Generic Password, Severity: HIGH, Results: 1
Description: Query to find passwords and secrets in infrastructure code.
Platform: Common
Learn more about this vulnerability: https://docs.kics.io/latest/queries/common-queries/common/487f4be7-3fd9-4506-a07a-eae252180c08

    [1]: ../../path/examples/karpenter/main.tf:182
        181: repository_username = data.aws_ecrpublic_authorization_token.token.user_name
        182: repository_password = <SECRET-MASKED-ON-PURPOSE>
        183: chart = "karpenter"

EKS Cluster Encryption Disabled, Severity: HIGH, Results: 1
Description: EKS Cluster should be encrypted
Platform: Terraform
Learn more about this vulnerability: https://docs.kics.io/latest/queries/terraform-queries/aws/63ebcb19-2739-4d3f-aa5c-e8bbb9b85281

    [1]: ../../path/main.tf:25
        024:
        025: resource "aws_eks_cluster" "this" {
        026: count = local.create ? 1 : 0

EC2 Instance Has Public IP, Severity: HIGH, Results: 1
Description: EC2 Instance should not have a public IP address.
Platform: Terraform
Learn more about this vulnerability: https://docs.kics.io/latest/queries/terraform-queries/aws/5a2486aa-facf-477d-a5c1-b010789459ce

    [1]: ../../path/examples/outposts/prerequisites/main.tf:24
        023:
        024: module "ssm_bastion_ec2" {
        025: source = "terraform-aws-modules/ec2-instance/aws"

Results Summary:
HIGH: 3
MEDIUM: 17
LOW: 8
INFO: 36
TOTAL: 64

Results saved to file /path/results.json
Generating Reports: Done
Scan duration: 20.438463634s