Skip to content

Checkmarx/kics-cdk-validator-plugin

Repository files navigation

CDK Kics Validator Plugin


cdk-constructs: Experimental

The APIs of higher level constructs in this module are experimental and under active development. They are subject to non-backward compatible changes or removal in any future version. These are not subject to the Semantic Versioning model and breaking changes will be announced in the release notes. This means that while you may use them, you may need to update your source code when upgrading to a newer version of this package.


Installing

TypeScript/JavaScript

npm install @checkmarx/cdk-validator-kics

Usage

To use this plugin in your CDK application add it to the CDK App.

import { KicsValidator } from '@checkmarx/cdk-validator-kics/lib/plugin';
new App({
  policyValidationBeta1: [
    new KicsValidator(),
  ],
});

By default the KicsValidator plugin comes with the kics CloudFormation queries builtin.

To disable specific categories provide the excludeCategories property.

new KicsValidator({
  excludeCategories: [
    QueryCategory.ENCRYPTION,
  ],
});

It is also possible to disable individual queries by providing the query id.

new KicsValidator({
  excludeQueries: [
    'a227ec01-f97a-4084-91a4-47b350c1db54', // S3 Bucket Without Versioning
  ],
});

Severity

Kics queries can fall under 6 different severities, critical, high, medium, low, info, and trace. This plugin allows you to configure how the severities are handled.

To completely exclude certain severities, use the excludeSeverities property. Any queries that fall under these severities will not appear in the results, even if they fail.

new KicsValidator({
  excludeSeverities: [
    Severity.INFO,
    Severity.TRACE,
  ],
});

Alternatively, you can use the failureSeverities parameter when initiating a scan, enabling you to precisely define the criteria for considering a scan unsuccessful based on the severity of its results. Any result with a severity lower than the specified ones will not prompt a failure.

Please note that scans configured to only fail on certain severity levels might not display results falling below those specified levels.

By default this is set to [Severity.CRITICAL, Severity.HIGH, Severity.MEDIUM].

new KicsValidator({
  failureSeverities: [
    Severity.CRITICAL,
    Severity.HIGH,
    Severity.MEDIUM,
  ],
});