
Integrate KICS for IaC #390

Open
kaplanlior opened this issue Apr 24, 2023 · 5 comments

Comments

@kaplanlior

kaplanlior commented Apr 24, 2023

KICS is an IaC security tool, which supports many platforms.

https://github.com/checkmarx/kics

@prabhu
Contributor

prabhu commented Apr 24, 2023

@kaplanlior, since checkmarx is a direct competitor to Qwiet.AI (ShiftLeft) it is very hard to get this project into this org. However, I understand the need for better IaC scanning so will look into some options such as moving sast-scan back to the AppThreat org (doable) or creating a separate IaC meta tool (time consuming)

@kaplanlior
Author

As KICS is 100% open source, I don't see a reason not to use it, same as GitLab did:
https://docs.gitlab.com/ee/user/application_security/iac_scanning/#supported-languages-and-frameworks

Thanks for the fast response

@prabhu
Contributor

prabhu commented Apr 24, 2023

@kaplanlior Will definitely look into this.

@prabhu
Contributor

prabhu commented May 5, 2023

@kaplanlior My proposal is to create a new mirror of sast-scan into the AppThreat org. It will be uncreatively called scan. I will add some enhancements such as integrating kics and upgrading versions of python, go etc to keep the project going a bit more. WDYT?

Long term, however, this approach to merely invoking various tools has to change. With rosa, I am experimenting to make the analysis "Risk-oriented" which means lots of traditional findings would get triaged out and de-prioritized. Perhaps the data from kics might help but not sure.

@kaplanlior
Author

Good luck with the proposed changes. I support anything that would allow you to integrate KICS for IaC security.

Regarding rosa, sounds interesting. If you want to collaborate around KICS, I'm open to that.
