README
¶
Generating new KICS rules
This script is useful for creating the files in the directory structure needed for KICS to properly execute the rules.
The script prompts the user to enter in the following information when executed:
- - this is the local directory where the repository has been cloned. Default is:
~/dev/kics - - iac platform this rule belongs to. Default is
terraform - - cloud provider the rule being created applies to. Default is
aws - - name of the rule directory that will be created. Example:
db_snapshot_public - - number of examples that will be added. Each negative example needs its own file.
When run the following files will be created in the following location:
.
├── <path to repo>
│ └── assets
│ └── queries
│ └── <iac platform>
│ └── <cloud provider>
│ └── <rule>
│ ├── query.rego
│ ├── metadata.json
│ └── test
│ ├── positive.tf
│ ├── negative<one per number of failing examples>.tf
│ └── results.json
Generating the contents
To actually generate the contents of the file you can use this custom GPT model. When given a Python or YAML check, the GPT will produce the following files:
- query.rego
- metadata.json
- negative.tf (might have multiple files depending on how many cases there are)
- positive.tf
- results.json
These then can be manually copied and pasted into the files generated by this script and the rules can be committed into the repository.
Please note: You will need to run KICS locally once you add the rule to ensure the Rego logic is correct and properly flags the failing Terraform as expected. If it does not you can try prompting the GPT model with more details or manually edit the rego yourself.
Directories