fix(kics): ignore kics issues

Author: ruzickap

.github/workflows/kube-linter.yml

@@ -0,0 +1,3 @@
+{
+  "ignore": ["**"]
+}

.jscpd.json

@@ -1,2 +1,3 @@
 .*.myexample.dev
+.*.mylabs.dev
 https://github.com/ruzickap/k8s-flux-repository

.lycheeignore

@@ -6,6 +6,7 @@ BASH_SHFMT_ARGUMENTS: --indent 2 --space-redirects
 DISABLE_LINTERS:
   - MARKDOWN_MARKDOWN_LINK_CHECK # Using lychee instead
   - SPELL_CSPELL
+  - TEKTON_TEKTON_LINT # It can not be easily configured / disabled per files/dirs
   - TERRAFORM_TERRASCAN # Hard to configure - no documentation of the config file
 
 # Remove: To receive reports as email, please set variable EMAIL_REPORTER_EMAIL

.mega-linter.yml

@@ -4,7 +4,10 @@
       "pattern": "https://github.com/ruzickap/k8s-flux-repository"
     },
     {
-      "pattern": ".*myexample.dev.*"
+      "pattern": "(https|http)://.*.myexample.dev"
+    },
+    {
+      "pattern": "https://.*.mylabs.dev"
     }
   ]
 }

.mlc_config.json

@@ -0,0 +1,25 @@
+---
+rules: # error | warning | off
+  no-duplicate-param: warning
+  no-invalid-name: warning
+  no-invalid-param-type: warning
+  no-pipeline-missing-parameters: warning
+  no-pipeline-missing-task: warning
+  no-pipeline-task-cycle: warning
+  no-extra-param: warning
+  no-missing-workspace: warning
+  no-undefined-result: warning
+  no-missing-param: warning
+  no-duplicate-resource: warning
+  no-resourceversion: warning
+  no-duplicate-env: warning
+  no-undefined-volume: warning
+  no-latest-image: warning
+  prefer-beta: warning
+  prefer-kebab-case: warning
+  no-unused-param: warning
+  no-missing-resource: warning
+  no-undefined-param: warning
+  prefer-when-expression: warning
+  no-deprecated-resource: warning
+  no-missing-hashbang: warning

.tektonlintrc.yaml

@@ -1,4 +1,4 @@
-misconfigurations:
+vulnerabilities:
   # │ glob-parent  │ CVE-2020-28469 │ HIGH     │ fixed  │ 3.1.0             │ 5.1.2         │ Regular expression denial of service                        │
   - id: CVE-2020-28469
   # │ json5        │ CVE-2022-46175 │ HIGH     │ fixed  │ 0.5.1             │ 2.2.2, 1.0.2  │ json5: Prototype Pollution in JSON5 via Parse Method        │
@@ -11,3 +11,91 @@ misconfigurations:
   - id: CVE-2022-24772
   # │ nth-check    │ CVE-2021-3803  │ HIGH     │ fixed  │ 1.0.2             │ 2.0.1         │ inefficient regular expression complexity                   │
   - id: CVE-2021-3803
+
+misconfigurations:
+  # Launch configuration with unencrypted block device.
+  - id: AVD-AWS-0008
+    paths:
+      - git::https:/github.com/terraform-aws-modules/terraform-aws-eks.git?ref=v6.0.0/workers.tf
+
+  # Launch configuration should not have a public IP address.
+  - id: AVD-AWS-0009
+    paths:
+      - git::https:/github.com/terraform-aws-modules/terraform-aws-eks.git?ref=v6.0.0/workers.tf
+
+  # EKS should have the encryption of secrets enabled
+  - id: AVD-AWS-0039
+    paths:
+      - git::https:/github.com/terraform-aws-modules/terraform-aws-eks.git?ref=v6.0.0/cluster.tf
+
+  # EKS Clusters should have the public access disabled
+  - id: AVD-AWS-0040
+    paths:
+      - git::https:/github.com/terraform-aws-modules/terraform-aws-eks.git?ref=v6.0.0/cluster.tf
+
+  # EKS cluster should not have open CIDR range for public access
+  - id: AVD-AWS-0041
+    paths:
+      - terraform/aws/aws.tf
+
+  # IAM policy should avoid use of wildcards and instead apply the principle of least privilege
+  - id: AVD-AWS-0057
+    paths:
+      - git::https:/github.com/terraform-aws-modules/terraform-aws-eks.git?ref=v6.0.0/workers.tf
+
+  # An egress security group rule allows traffic to /0.
+  - id: AVD-AWS-0104
+    paths:
+      - git::https:/github.com/terraform-aws-modules/terraform-aws-eks.git?ref=v6.0.0/cluster.tf
+
+  # An ingress security group rule allows traffic from /0
+  - id: AVD-AWS-0107
+    paths:
+      - terraform/aws/aws.tf
+
+  # aws_instance should activate session tokens for Instance Metadata Service.
+  - id: AVD-AWS-0130
+    paths:
+      - git::https:/github.com/terraform-aws-modules/terraform-aws-eks.git?ref=v6.0.0/workers.tf
+
+   # Instances in a subnet should not receive a public IP address by default.
+  - id: AVD-AWS-0164
+    paths:
+      - git::https:/github.com/terraform-aws-modules/terraform-aws-vpc.git?ref=v2.15.0/main.tf
+
+   # Ensure AKS has an API Server Authorized IP Ranges enabled
+  - id: AVD-AZU-0041
+    paths:
+      - terraform/azure/azure.tf
+
+   # Ensure RBAC is enabled on AKS clusters
+  - id: AVD-AZU-0042
+    paths:
+      - terraform/azure/azure.tf
+
+   # Ensure AKS cluster has Network Policy configured
+  - id: AVD-AZU-0043
+    paths:
+     - terraform/azure/azure.tf
+
+  # Use Readonly Filesystem
+  - id: AVD-KSV-0014
+    paths:
+      - files/flux-repository/workloads/tekton-dashboard.yaml
+      - files/flux-repository/workloads/tekton.yaml
+
+  # No Manage Secrets
+  - id: AVD-KSV-0041
+    paths:
+      - files/flux-repository/workloads/tekton-dashboard.yaml
+      - files/flux-repository/workloads/tekton.yaml
+
+  # No Manage Networking Resources
+  - id: AVD-KSV-0056
+    paths:
+      - files/flux-repository/workloads/tekton-dashboard.yaml
+
+  # Manage webhookconfigurations
+  - id: AVD-KSV-0114
+    paths:
+      - files/flux-repository/workloads/tekton.yaml

.trivyignore.yaml

@@ -215,6 +215,7 @@ spec:
             httpGet:
               path: /health
               port: 9097
+          # kics-scan ignore-line
           name: tekton-dashboard
           ports:
             - containerPort: 9097
@@ -309,6 +310,3 @@ spec:
             resource: git-source
       taskRef:
         name: pipeline0-task
-
----
-

files/flux-repository/workloads/tekton-dashboard.yaml

@@ -23,6 +23,7 @@ spec:
       tls:
         credentialName: ingress-cert-${LETSENCRYPT_ENVIRONMENT}
         mode: SIMPLE
+        # kics-scan ignore-line
         privateKey: sds
         serverCertificate: sds
 ---

files/flux-repository/workloads/tekton-services.yaml

@@ -1,3 +1,5 @@
+# kics-scan ignore
+
 apiVersion: v1
 kind: Namespace
 metadata:
@@ -648,6 +650,3 @@ spec:
         - configMap:
             name: config-logging
           name: config-logging
-
----
-

files/flux-repository/workloads/tekton.yaml

@@ -27,11 +27,13 @@ resource "aws_security_group" "security_group" {
   vpc_id      = module.vpc.vpc_id
   tags        = var.tags
 
+  # kics-scan ignore-line
   ingress {
     from_port = 22
     to_port   = 22
     protocol  = "tcp"
 
+    # kics-scan ignore-line
     cidr_blocks = [
       "0.0.0.0/0",
     ]

terraform/aws/aws.tf

@@ -2,6 +2,7 @@ data "azurerm_resource_group" "resource_group" {
   name = var.resource_group_name
 }
 
+# kics-scan ignore-line
 resource "azurerm_kubernetes_cluster" "kubernetes_cluster" {
   name                = "${var.prefix}-${var.kubernetes_cluster_name}-${replace(var.dns_zone_name, ".", "-")}"
   location            = var.location

terraform/azure/azure.tf

@@ -1,3 +1,5 @@
+# kics-scan ignore
+
 resource "kubernetes_namespace" "external-dns" {
   metadata {
     name = "external-dns"

terraform/modules/k8s_initial_config/external-dns.tf

@@ -1,3 +1,5 @@
+# kics-scan ignore
+
 resource "kubernetes_service_account" "tiller" {
   metadata {
     name      = "tiller"

terraform/modules/k8s_initial_config/helm.tf

@@ -0,0 +1,5 @@
+config {
+  # module = false
+  # force = false
+  disabled_by_default = true
+}