Add Security Scans (#20)

kchason · web-flow · commit 25aefb13efff · 2025-06-23T08:53:15.000-04:00
* Add KICS scan for image

* Only scan Dockerfile

* Fix report upload

* Bump KICS version
diff --git a/.github/workflows/validate.yml b/.github/workflows/validate.yml
@@ -25,6 +25,23 @@ jobs:
         with:
           dockerfile: Dockerfile
 
+      # Scan the Dockerfile with KICS to check for security issues.
+      - name: Docker Scan
+        uses: Checkmarx/kics-github-action@v2.1.10
+        with:
+          path: Dockerfile
+          fail_on: high,medium
+          output_path: results
+          output_formats: 'json,sarif'
+        env:
+          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+      
+      # Upload the results of the KICS scan as a build artifact.
+      - name: Upload SARIF file
+        uses: github/codeql-action/upload-sarif@v2
+        with:
+          sarif_file: results/results.sarif
+
   test:
     runs-on: ubuntu-latest
     steps:
diff --git a/.gitignore b/.gitignore
@@ -6,3 +6,6 @@
 # Environments
 venv/
 virtualenv/
+
+# Security Artifacts
+results.json
diff --git a/CONTRIBUTING.md b/CONTRIBUTING.md
@@ -0,0 +1,27 @@
+# Contribution Guide
+
+Contributions in the form of issues and pull requests are welcome. Please read the following guidelines before contributing.
+
+## Pre-commit Hooks
+
+This project uses [pre-commit](https://pre-commit.com/) to run a series of checks before committing code. To install the pre-commit hooks, run the following command:
+
+```bash
+pre-commit install
+```
+
+Run the following command to run the pre-commit hooks on all files:
+
+```bash
+pre-commit run --all-files
+```
+
+## Security Testing
+
+This project uses [KICS](https://docs.kics.io/latest/getting-started/) to scan for security issues in the infrastructure such as the `Dockerfile`. To run the scan, run the following command:
+
+```bash
+docker run -t -v $(pwd):/path checkmarx/kics:latest scan -p /path/Dockerfile -o "/path/"
+```
+
+This will generate a `results.json` file as well as print the contents to the console. Any findings above a `low` severity should be addressed before committing code as they will fail the CI pipeline.
diff --git a/Dockerfile b/Dockerfile
@@ -12,6 +12,11 @@ WORKDIR /opt/workspace
 # Copy in the entrypoint file
 COPY entrypoint.py /opt/workspace/entrypoint.py
 
+# Setup a user with the appropriate permissions
+RUN useradd -ms /bin/bash case &&\
+    chown -R case:case /opt/workspace
+USER case
+
 # Define the base path for the validation path
 ENV CASE_PATH="/opt/json/"
 ENV CASE_VERSION="case-1.4.0"
