We rely on KICS as part of the Infrastructure as Code scanning feature at GitLab where we wrap the KICS binary in an Alpine image.

Background

This used to work prior to v2.1.4, when CGO_ENABLED=0 was removed via this commit. The flag enabled images that use a different C library (musl in Alpine) to run the KICS binary since the dependencies were statically linked. However, since this removal, Alpine-based images are breaking.

Expected Behavior

• KICS binary should work in Alpine-based images

Actual Behavior

• KICS binary fails with the error: sh: /usr/local/bin/kics: not found
• This is due to missing shared library dependencies that were previously statically linked.

Steps to Reproduce the Problem

1. Create a test Dockerfile

FROM alpine:latest
COPY --from=checkmarx/kics:v2.1.4 /app/bin/assets /usr/local/bin/assets
COPY --from=checkmarx/kics:v2.1.4 /app/bin/kics /usr/local/bin/kics

1. Build and run

docker build -t kics-alpine-test .
docker run --rm -it kics-alpine-test

1. Observe the error when invoking kics:

$ ./usr/local/bin/kics 
/bin/sh: ./usr/local/bin/kics: not found

1. Checking library dependencies reveals the issue:

$ ldd /usr/local/bin/kics 
	/lib/ld-linux-aarch64.so.1 (0xffff8683e000)
Error loading shared library libresolv.so.2: No such file or directory (needed by /usr/local/bin/kics)
	libc.so.6 => /lib/ld-linux-aarch64.so.1 (0xffff8683e000)
Error relocating /usr/local/bin/kics: __vfprintf_chk: symbol not found
Error relocating /usr/local/bin/kics: __fprintf_chk: symbol not found