feat(lab6): Checkov + KICS scans + custom policy by RII6 · Pull Request #6 · RII6/DevSecOps-Intro

RII6 · 2026-06-26T20:41:07Z

Goal

Adds Checkov and KICS security scan results for Terraform and Ansible, along with a custom Checkov policy for AWS RDS deletion protection.

Documented Task 1 Checkov scan results for Terraform, identifying overly permissive IAM policies as the highest-leverage issue.
Documented Task 2 KICS scan results for Ansible and provided a comparison of Checkov vs KICS capabilities.
Created my-custom-policy.yaml to enforce the deletion_protection attribute on aws_db_instance resources.
Added notes to the submission detailing lab instruction errors (missing Pulumi state file and incorrect jq JSON array/path parsing).

Ran Checkov locally against labs/lab6/vulnerable-iac/terraform and verified output structure.
Ran KICS via Docker against labs/lab6/vulnerable-iac/ansible and parsed results with corrected jq paths.
Verified the custom Checkov policy (CKV2_CUSTOM_1) successfully fires on unencrypted_db and weak_db in the vulnerable Terraform sample.

See submissions/lab6.md for the full breakdown, module-leverage analysis, and JSON snippet proofs.

Task 1 — Checkov on Terraform + Pulumi with top-5 rules and module-leverage analysis
Task 2 — KICS on Ansible with Checkov-vs-KICS comparison
Bonus — Custom Checkov policy demonstrably firing on the vulnerable sample

feat(lab6): Checkov + KICS scans + custom policy

140e35b