Description
Is your feature request related to a problem? Please describe.
I've been trying kics out on our Kubernetes gitops repositories. We're using Kustomize overlays to keep our dev and prod environments aligned as much as possible. This leads to some false positives from kics that I'd rather not deal with manually.
Because the namespace is configured in the kustomization.yaml file rather than on individual resources, we get
- "Namespaces like 'default', 'kube-system' or 'kube-public' should not be used",
Because some things are specified in the base only, or in the overlays only, we get false positives for:
- Memory requests should be defined for each container.
- Check if Readiness Probe is not configured
In all, kics found 551 vulnerabilities, of which I'd guess 400+ are false positives. Would be awesome if kics could help eliminate this chaff.
Describe the solution you'd like
Pay attention to the existence of kustomization.yaml files and run the scan on overlays only after all Kustomize patches are applied.
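Until kics handles this itself, the same effect can be had with a pre-scan step that renders each overlay with `kustomize build` and points kics only at the rendered manifests, so the namespace from kustomization.yaml and the merged base+overlay fields are all present on the resources being checked. This is an added example, not code from the issue or from the kics project; it assumes kustomize and kics are on PATH and treats any kustomization whose resources/bases reference another kustomization directory as an overlay.

```shell
#!/bin/sh
# Render Kustomize overlays first, then scan only the rendered output.
# Assumed (not from the issue): kustomize and kics are on PATH, and the
# rendered manifests go to ./rendered by default.

# Print every directory holding a kustomization that references another
# kustomization directory (an overlay rather than a base), one per line.
list_overlays() {
  root=$1
  find "$root" \( -name kustomization.yaml -o -name kustomization.yml \) |
  while IFS= read -r file; do
    dir=$(dirname "$file")
    # List entries look like "- ../../base"; strip the dash and test whether
    # the referenced path is itself a kustomization directory.
    sed -n 's/^[[:space:]]*-[[:space:]]*//p' "$file" |
    while IFS= read -r ref; do
      [ -n "$ref" ] || continue
      if [ -f "$dir/$ref/kustomization.yaml" ] || [ -f "$dir/$ref/kustomization.yml" ]; then
        printf '%s\n' "$dir"
        break
      fi
    done
  done | sort -u
}

# Render every overlay under $1 into $2 (one file per overlay), then run kics
# against that directory only, so base/overlay fragments are never judged
# in isolation. Returns non-zero if any render fails.
render_and_scan() {
  root=$1
  out=${2:-rendered}
  mkdir -p "$out"
  list_overlays "$root" | while IFS= read -r overlay; do
    name=$(printf '%s' "$overlay" | tr '/' '_')
    kustomize build "$overlay" > "$out/$name.yaml" || exit 1
  done || return 1
  kics scan -p "$out"
}
```

In GitLab CI this would run as a `before_script` of the kics job, with the scan path set to the rendered directory instead of the repository root.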
Describe alternatives you've considered
Only alternative I can see would be to not use Kustomize at all.
Additional context
I'm running kics in GitLab SaaS using the official Jobs/SAST-IaC.latest.gitlab-ci.yml CI template.