Open Source Summit Europe 2022

KICS is an Open Source project created to help Keep Infrastructure as Code Secure ( https://kics.io/ ). With today's DevOps best practices, we see a lot of re-use of other IaC snippets and templates (e.g. HELM charts). Which it turn, make IaC to vulnerable to the similar problems as we see in software packages and theirs dependencies. How often do developers or DevOps read the Docker file that just reused, went through the files of the HELM chart they just applied to Kubernetes or made sure they used the official node.js / python container instead of taking the first result available on Docker Hub ? We anticipate that in the future we'll see more and more risks we already know in the software dependency world, applied to the IaC world, which makes the risk be part of a much lower level of your software stack.stack. This session would discuss those risks, and how to leverage IaC scanning to avoid software supply chain problems in your infrastructure.