ci: run KICS in parallel to Megalinter to gain performance

.cspell.json

@@ -8,15 +8,20 @@
     "awscli",
     "backports",
     "blockquotes",
+    "certdir",
+    "checkmarx",
     "codeowners",
+    "companys",
     "concat",
     "devskim",
     "dind",
     "gitter",
+    "instancelifecycle",
     "kics",
     "jsonencode",
     "markdownlint",
     "Niek",
+    "noexec",
     "npalm",
     "oxsecurity",
     "shuf",

.github/workflows/ci.yml

@@ -82,8 +82,6 @@ jobs:
           TERRAFORM_TERRASCAN_ARGUMENTS: "--non-recursive"
           # format issues fail the build
           TERRAFORM_TERRAFORM_FMT_DISABLE_ERRORS: false
-          # ignore: "tags not used", "access analyzer not used", "shield advanced not used"
-          TERRAFORM_KICS_ARGUMENTS: "--exclude-queries e38a8e0a-b88b-4902-b3fe-b0fcb17d5c10,e592a0c5-5bdb-414c-9066-5dba7cdea370,084c6686-2a70-4710-91b1-000393e54c12"
           # it's an auto-generated file
           MARKDOWN_MARKDOWNLINT_FILTER_REGEX_EXCLUDE: (CHANGELOG.md)
           PAT: ${{ secrets.GITHUB_TOKEN }}
@@ -102,6 +100,15 @@ jobs:
             megalinter-reports
             mega-linter.log
 
+  kics:
+    runs-on: ubuntu-latest
+    container:
+      image: checkmarx/kics:v1.6.12-debian
+    steps:
+      - uses: actions/checkout@v3
+      # ignore: "tags not used", "access analyzer not used", "shield advanced not used"
+      - run: kics scan -p . -o . --exclude-queries e38a8e0a-b88b-4902-b3fe-b0fcb17d5c10,e592a0c5-5bdb-414c-9066-5dba7cdea370,084c6686-2a70-4710-91b1-000393e54c12
+
   tflint:
     runs-on: ubuntu-latest
 

.mega-linter.yml

@@ -2,6 +2,8 @@
 DISABLE_LINTERS:
   # Has some problems reading referenced policy files. I created a separate workflow for TfLint as it creates valuable output.
   - TERRAFORM_TFLINT
+  # Super slow linter, but useful. We disable it here and run it in parallel to Megalinter saves some minutes.
+  - TERRAFORM_KICS
   # Nice linter to report CVEs and other cool stuff. But it reports problems with the Terraform code which can't be disabled by
   # configuration.
   - REPOSITORY_TRIVY

examples/runner-certificates/main.tf

@@ -2,6 +2,8 @@ data "aws_availability_zones" "available" {
   state = "available"
 }
 
+# VPC Flow logs are not needed here
+# kics-scan ignore-line
 module "vpc" {
   source  = "terraform-aws-modules/vpc/aws"
   version = "2.70"
@@ -70,4 +72,4 @@ module "runner" {
   vpc_id    = module.vpc.vpc_id
   subnet_id = element(module.vpc.public_subnets, 0)
 
-}
+}

examples/runner-default/main.tf

@@ -7,16 +7,19 @@ data "aws_security_group" "default" {
   vpc_id = module.vpc.vpc_id
 }
 
+# VPC Flow logs are not needed here
+# kics-scan ignore-line
 module "vpc" {
   source  = "terraform-aws-modules/vpc/aws"
   version = "3.19.0"
 
   name = "vpc-${var.environment}"
   cidr = "10.0.0.0/16"
 
-  azs             = [data.aws_availability_zones.available.names[0]]
-  private_subnets = ["10.0.1.0/24"]
-  public_subnets  = ["10.0.101.0/24"]
+  azs                     = [data.aws_availability_zones.available.names[0]]
+  private_subnets         = ["10.0.1.0/24"]
+  public_subnets          = ["10.0.101.0/24"]
+  map_public_ip_on_launch = false
 
   enable_nat_gateway = true
   single_nat_gateway = true
@@ -122,7 +125,7 @@ module "runner" {
   # docker-mirror-check:
   #    image: docker:20.10.16
   #    stage: build
-  #    variables: 
+  #    variables:
   #        DOCKER_TLS_CERTDIR: ''
   #    script:
   #        - |

examples/runner-docker/main.tf

@@ -2,6 +2,8 @@ data "aws_availability_zones" "available" {
   state = "available"
 }
 
+# VPC Flow logs are not needed here
+# kics-scan ignore-line
 module "vpc" {
   source  = "terraform-aws-modules/vpc/aws"
   version = "3.19.0"

examples/runner-multi-region/main.tf

@@ -2,6 +2,8 @@ data "aws_availability_zones" "available_main_region" {
   state = "available"
 }
 
+# VPC Flow logs are not needed here
+# kics-scan ignore-line
 module "vpc_main_region" {
   source  = "terraform-aws-modules/vpc/aws"
   version = "2.70"
@@ -61,6 +63,8 @@ module "runner_main_region" {
   cache_bucket_name_include_account_id = false
 }
 
+# VPC Flow logs are not needed here
+# kics-scan ignore-line
 module "vpc_alternate_region" {
   providers = {
     aws = aws.alternate_region

examples/runner-pre-registered/main.tf

@@ -2,6 +2,8 @@ data "aws_availability_zones" "available" {
   state = "available"
 }
 
+# VPC Flow logs are not needed here
+# kics-scan ignore-line
 module "vpc" {
   source  = "terraform-aws-modules/vpc/aws"
   version = "2.70"
@@ -13,8 +15,9 @@ module "vpc" {
   private_subnets = ["10.0.1.0/24"]
   public_subnets  = ["10.0.101.0/24"]
 
-  enable_nat_gateway = true
-  single_nat_gateway = true
+  enable_nat_gateway      = true
+  single_nat_gateway      = true
+  map_public_ip_on_launch = false
 
   enable_s3_endpoint = true
 

examples/runner-public/main.tf

@@ -2,6 +2,8 @@ data "aws_availability_zones" "available" {
   state = "available"
 }
 
+# VPC Flow logs are not needed here
+# kics-scan ignore-line
 module "vpc" {
   source  = "terraform-aws-modules/vpc/aws"
   version = "3.19.0"