The default IaC scanner generates a false-positive alert for "attribute 'security_opt' should be defined"
Summary
- The KICS IaC scanner generates a false-positive alert when scanning a `.gitlab-ci.yml` file with a `services` section.
- The alert says "Security Opt Not Set; attribute `security_opt` should be defined."
- However, `security_opt` is not a valid setting in `services` blocks: https://docs.gitlab.com/ci/services/#available-settings-for-services.
Steps to reproduce
- Create a new GitLab repository with default settings.
- Create a `.gitlab-ci.yml` pipeline file with one `test` stage.
- Include a `services` section; e.g.,
  ```yaml
  services:
    - name: docker:20.10.24-dind
  ```
  It shouldn't matter what type of service is defined.
- Include the SAST IaC analyzer template below the `services` section:
  ```yaml
  include:
    - template: Jobs/SAST-IaC.gitlab-ci.yml
  ```
- Run the pipeline.
Example Project
- This example project demonstrates the issue: https://gitlab.com/hedsnz/kics-iac-security-opt-false-positive
What is the current bug behavior?
A false-positive alert is generated:
```json
{
  "version": "15.1.4",
  "vulnerabilities": [
    {
      "id": "769265c311376860b4cbd02ac578b307824d74570aa156670e08a8baaab63f24",
      "category": "sast",
      "name": "Security Opt Not Set",
      "description": "Attribute 'security_opt' should be defined.",
      "cve": "kics_id:610e266e-6c12-4bca-9925-1ed0cd29742b:6:0",
      "severity": "Medium",
      "scanner": {
        "id": "kics",
        "name": "kics"
      },
      "location": {
        "file": ".gitlab-ci.yml",
        "start_line": 6
      },
      "identifiers": [
        {
          "type": "kics_id",
          "name": "Security Opt Not Set",
          "value": "610e266e-6c12-4bca-9925-1ed0cd29742b",
          "url": "https://docs.docker.com/compose/compose-file/compose-file-v3/#security_opt"
        }
      ]
    },
    ...
}
```
What is the expected correct behavior?
- No alert related to `security_opt` should be generated for `services` sections of GitLab pipelines.
Relevant logs and/or screenshots
See the pipeline artifact `kics-iac-sast:sast` in the pipelines section of the repo: https://gitlab.com/hedsnz/kics-iac-security-opt-false-positive/-/pipelines.
Output of checks
This bug happens on GitLab.com
Results of GitLab environment info
N/A
Results of GitLab application Check
N/A
Possible fixes
It seems that the analyzer is confusing GitLab's pipeline YAML with Docker Compose YAML, where a `services` section does allow `security_opt`: https://docs.docker.com/reference/compose-file/services/#security_opt.
I'm not sure whether this should be addressed on the GitLab side or the upstream KICS side.
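As an added example (not part of this issue, of GitLab, or of KICS), a triage filter that drops this one rule from the GitLab SAST report only when the finding is located in `.gitlab-ci.yml`, leaving the same rule on Compose files intact until the analyzer is fixed; the second finding and its `deploy/docker-compose.yml` path are constructed for the sample.

```python
from pathlib import PurePosixPath

# KICS rule id from the report quoted in this issue; the only rule this filter touches.
SECURITY_OPT_RULE_ID = "610e266e-6c12-4bca-9925-1ed0cd29742b"
PIPELINE_FILENAME = ".gitlab-ci.yml"


def is_services_security_opt_false_positive(vuln: dict) -> bool:
    """True only for the 'Security Opt Not Set' KICS rule raised on a GitLab pipeline
    file, where `security_opt` is not a valid `services` setting. The same rule on a
    Compose file is a genuine finding and is left alone."""
    if vuln.get("scanner", {}).get("id") != "kics":
        return False
    if PurePosixPath(vuln.get("location", {}).get("file", "")).name != PIPELINE_FILENAME:
        return False
    return any(
        ident.get("type") == "kics_id" and ident.get("value") == SECURITY_OPT_RULE_ID
        for ident in vuln.get("identifiers", [])
    )


def filter_report(report: dict) -> tuple:
    """Return (report copy without the false positive, dropped findings) so the
    suppression stays auditable instead of silently vanishing."""
    kept, dropped = [], []
    for vuln in report.get("vulnerabilities", []):
        (dropped if is_services_security_opt_false_positive(vuln) else kept).append(vuln)
    return dict(report, vulnerabilities=kept), dropped


# Constructed sample report: the finding quoted in this issue, plus the same rule
# on a made-up docker-compose.yml path, which must survive the filter.
PIPELINE_FINDING = {
    "id": "769265c311376860b4cbd02ac578b307824d74570aa156670e08a8baaab63f24",
    "category": "sast",
    "name": "Security Opt Not Set",
    "description": "Attribute 'security_opt' should be defined.",
    "severity": "Medium",
    "scanner": {"id": "kics", "name": "kics"},
    "location": {"file": ".gitlab-ci.yml", "start_line": 6},
    "identifiers": [{"type": "kics_id", "value": SECURITY_OPT_RULE_ID}],
}
COMPOSE_FINDING = dict(
    PIPELINE_FINDING,
    id="constructed-compose-finding",
    location={"file": "deploy/docker-compose.yml", "start_line": 12},
)
SAMPLE_REPORT = {"version": "15.1.4", "vulnerabilities": [PIPELINE_FINDING, COMPOSE_FINDING]}
```

Run it over the `gl-sast-report.json` artifact as a post-processing job and review the dropped list rather than discarding it.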