ci: pin wolfi digest, add KICS test workflow at repo root

[bsgrigorov]

• Pin Chainguard wolfi-base by digest in kics-github-action Dockerfile
• Add .github/workflows/test-kics.yaml with path filters (push, PR, dispatch)
• Root Dependabot; remove nested .github from vendored action; remove SYNKUBE.md

Made-with: Cursor

[github-actions]

KICS version: v2.1.20

Category Results CRITICAL 0 HIGH 1 MEDIUM 3 LOW 1 INFO 0 TRACE 0 TOTAL 5	Metric Values Files scanned 2 Files parsed 2 Files failed to scan 0 Total executed queries 1100 Queries failed to execute 0 Execution time 34

Queries Results

Query Name Query Id Severity Platform Cwe Risk Score Category Experimental Description File Name Line Issue Type Search Key Expected Value Actual Value Resource Type Resource Name Remediation Remediation Type Passwords And Secrets - Generic Password 487f4be7-3fd9-4506-a07a-eae252180c08 HIGH Common 798 7.8 Secret Management false Query to find passwords and secrets in infrastructure code. .github/actions/kics-github-action/test/samples/positive1.tf 12 RedundantAttribute Hardcoded secret key should not appear in source Hardcoded secret key appears in source AD Admin Not Configured For SQL Server a3a055d2-9a2e-4cc9-b9fb-12850a1a3a4b MEDIUM Terraform 732 5.9 Insecure Configurations false The Active Directory Administrator is not configured for a SQL server .github/actions/kics-github-action/test/samples/positive1.tf 6 MissingAttribute azurerm_sql_server[positive2] A 'azurerm_sql_active_directory_administrator' should be defined for 'azurerm_sql_server[positive2]' A 'azurerm_sql_active_directory_administrator' is not defined for 'azurerm_sql_server[positive2]' azurerm_sql_server mysqlserver1 Admin User Enabled For Container Registry b897dfbf-322c-45a8-b67c-1e698beeaa51 MEDIUM Terraform 732 5.4 Access Control false Admin user is enabled for Container Registry .github/actions/kics-github-action/test/samples/positive2.tf 11 IncorrectValue azurerm_container_registry[positive2].admin_enabled 'admin_enabled' equal 'false' 'admin_enabled' equal 'true' azurerm_container_registry containerRegistry1 {"after":"false","before":"true"} replacement SQL Server Auditing Disabled f7e296b0-6660-4bc5-8f87-22ac4a815edf MEDIUM Terraform 778 6.4 Observability false Make sure that for SQL Servers, 'Auditing' is set to 'On' .github/actions/kics-github-action/test/samples/positive1.tf 6 MissingAttribute azurerm_sql_server[positive2] 'azurerm_sql_server.positive2.extended_auditing_policy' should exist 'azurerm_sql_server.positive2.extended_auditing_policy' does not exist azurerm_sql_server mysqlserver1 SQL Server Predictable Active Directory Account Name bcd3fc01-5902-4f2a-b05a-227f9bbf5450 LOW Terraform 522 2.9 Best Practices false Azure SQL Server must avoid using predictable Active Directory Administrator Account names, like 'Admin', which means the attribute 'login' must be set to a name that is not easy to predict .github/actions/kics-github-action/test/samples/positive1.tf 18 IncorrectValue azurerm_sql_active_directory_administrator[positive3].login 'azurerm_sql_active_directory_administrator[positive3].login' should not be predictable' 'azurerm_sql_active_directory_administrator[positive3].login' is predictable azurerm_sql_active_directory_administrator positive3