IaC static code scanning
I'm using Kics to scan my Terraform code for bad practices and shift-left security (i.e., fixing issues before AWS Security Hub can blame my deployment). But a co-worker is using Checkov, and I was wondering if it was better than Kics, so the best way to check is by a battle!
The test was done with a Git repository that contains a lot of really bad IaC code. It was run not only with Kics and Checkov, but also with tfsec, Trivy, and Snyk.
How many findings did each of them report?
Quite surprisingly, Snyk detected far fewer issues than Kics and Checkov.
Both Kics and Checkov are really good choices, and they support multiple export formats (Kics supports a few more), so the choice between the two will come down to which one feeds your reporting needs, or whether you want to use Checkov with a Bridgecrew account, which enables scanning not just a Docker Compose file or Dockerfile, but also the actual content of the container.
Hmm... The version of Kics launched by GitHub Actions detects quite a few more issues. https://github.com/CollabInfra/security-tools-showdown/pull/1
Thanks for sharing. Excellent article Pascal Robert 🙌🏽. Trivy is a very good tool for image scanning and security issues on IaC. This can explain why it shows fewer bugs than Checkov.
Interesting numbers! And several of these tools integrate well with a tool like DefectDojo.