Implement KICS scans for repository #5
widhalmtAnnotations
1 error and 12 warnings
|
kics
Path does not exist: results-dir/results.sarif
|
|
kics
The following actions uses node12 which is deprecated and will be forced to run on node16: actions/checkout@v2. For more info: https://github.blog/changelog/2023-06-13-github-actions-all-actions-will-run-on-node16-instead-of-node12-by-default/
|
|
kics
The following actions use a deprecated Node.js version and will be forced to run on node20: actions/checkout@v2. For more info: https://github.blog/changelog/2024-03-07-github-actions-all-actions-will-run-on-node20-instead-of-node16-by-default/
|
|
[HIGH] Passwords And Secrets - Generic Password:
molecule/elasticsearch_test_modules/converge.yml#L53
Query to find passwords and secrets in infrastructure code.
|
|
[HIGH] Passwords And Secrets - Generic Password:
molecule/elasticstack_default/converge.yml#L21
Query to find passwords and secrets in infrastructure code.
|
|
[MEDIUM] Communication Over HTTP:
roles/elasticsearch/tasks/main.yml#L252
Using HTTP URLs (without encryption) could lead to security vulnerabilities and risks
|
|
[MEDIUM] Communication Over HTTP:
molecule/elasticsearch_no-security/verify.yml#L27
Using HTTP URLs (without encryption) could lead to security vulnerabilities and risks
|
|
[MEDIUM] Communication Over HTTP:
molecule/elasticsearch_no-security/verify.yml#L14
Using HTTP URLs (without encryption) could lead to security vulnerabilities and risks
|
|
[LOW] Unpinned Actions Full Length Commit SHA:
.github/workflows/kics.yml#L37
Pinning an action to a full length commit SHA is currently the only way to use an action as an immutable release. Pinning to a particular SHA helps mitigate the risk of a bad actor adding a backdoor to the action's repository, as they would need to generate a SHA-1 collision for a valid Git object payload. When selecting a SHA, you should verify it is from the action's repository and not a repository fork.
|
|
[LOW] Unpinned Actions Full Length Commit SHA:
.github/workflows/kics.yml#L27
Pinning an action to a full length commit SHA is currently the only way to use an action as an immutable release. Pinning to a particular SHA helps mitigate the risk of a bad actor adding a backdoor to the action's repository, as they would need to generate a SHA-1 collision for a valid Git object payload. When selecting a SHA, you should verify it is from the action's repository and not a repository fork.
|
|
[LOW] Unpinned Package Version:
roles/beats/tasks/metricbeat.yml#L72
Setting state to latest performs an update and installs additional packages possibly resulting in performance degradation or loss of service
|
|
[LOW] Unpinned Package Version:
roles/beats/tasks/filebeat.yml#L58
Setting state to latest performs an update and installs additional packages possibly resulting in performance degradation or loss of service
|
|
[LOW] Unpinned Package Version:
roles/beats/tasks/filebeat.yml#L70
Setting state to latest performs an update and installs additional packages possibly resulting in performance degradation or loss of service
|