KICS is 100% open source and is written in Golang using Open Policy Agent (OPA).

Golang's speed, simplicity, and reliability made it the perfect choice for writing KICS, while Rego, OPA's native query language, was the natural choice for implementing security queries.

So far, 1000+ ready-to-use queries have been written, covering a wide range of vulnerability checks for AWS, GCP, Azure and other cloud providers.

High-Level Architecture

KICS has a pluggable architecture with an extensible pipeline of parsing IaC languages, which allows easy integration of new IaC languages and queries.

At a very high level, KICS is composed of the following main components: a command-line interface, a parser, a query execution engine, IaC providers, security queries, and a results writer.

  • Command Line Interface => provides CLI input to KICS
  • Parser => parses the input IaC files (Terraform and others)
  • IaC Providers => converts each IaC language into normalized JSON
  • Queries Execution Engine => applies Rego queries against the normalized JSON
  • Security Queries => pre-built Rego queries, one per security vulnerability or misconfiguration
  • Writer => writes the results in JSON format
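To make the parser-to-query pipeline concrete, here is an added example (not a query shipped with KICS): a Rego policy that flags an S3 bucket with a public ACL in a normalized document. The sample document in the comment is constructed to illustrate the "IaC provider converts IaC into normalized JSON" step; the `input.document[i]` layout and the `CxPolicy` result fields follow the convention KICS queries use, but the page does not show them, so treat both as assumptions.

```rego
package Cx

# Constructed normalized document, as an IaC provider would produce it from a
# Terraform file (assumption: the exact JSON shape KICS emits may differ):
#
# {
#   "document": [
#     {
#       "id": "doc-1",
#       "file": "main.tf",
#       "resource": {
#         "aws_s3_bucket": {
#           "logs": { "bucket": "logs", "acl": "public-read" },
#           "data": { "bucket": "data", "acl": "private" }
#         }
#       }
#     }
#   ]
# }

# ACL values that grant access beyond the bucket owner. "authenticated-read"
# is included because it allows any AWS account, not just the owner, to read.
public_acls := {"public-read", "public-read-write", "authenticated-read"}

is_public(acl) {
	public_acls[acl]
}

# Partial set rule: one result per aws_s3_bucket whose acl is public.
# With the constructed input above, only the "logs" bucket is reported.
CxPolicy[result] {
	document := input.document[i]
	bucket := document.resource.aws_s3_bucket[name]
	is_public(bucket.acl)

	result := {
		"documentId": document.id,
		"resourceType": "aws_s3_bucket",
		"resourceName": name,
		"searchKey": sprintf("aws_s3_bucket[%s].acl", [name]),
		"issueType": "IncorrectValue",
		"keyExpectedValue": sprintf("'aws_s3_bucket[%s].acl' should be 'private'", [name]),
		"keyActualValue": sprintf("'aws_s3_bucket[%s].acl' is '%s'", [name, bucket.acl]),
	}
}
```

Saved as query.rego with the commented document in input.json, the policy can be exercised outside KICS with the OPA CLI: `opa eval --input input.json --data query.rego 'data.Cx.CxPolicy'`. The `searchKey` field is what lets a writer map the finding back to a line in the original Terraform file, which is why the query builds it from the resource path rather than from a free-text message.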

Execution Flow

The sequence diagram below depicts the interaction of the main KICS components:


Changelog v1.5.11

🐛 Bug fixes

fix(query): uncomment cloud formation test sample (#5320) by @lipeavelar
fix(queries): align descriptionText to similar queries across different platforms #2 (#5460) by @roi-orca
fix(secrets inspector): added mutex to lock addVulnerability (#5503)
fix(analyzer): discard possible Dockerfile when they are not actually a Dockerfile (#5470)
update(dockerfile): fix CVE-2022-1586 and CVE-2022-29810 (#5492)
fix(resolver): exclude resolve path call for the same path reference (#5511)

📦 Dependency updates bumps

build(deps): bump github.com/aws/aws-sdk-go from 1.44.29 to 1.44.39 (#5468) (#5472) (#5477) (#5490) (#5498) (#5508)
build(deps): bump github.com/gookit/color from 1.5.0 to 1.5.1 (#5469)
build(deps): bump golang.org/x/tools from 0.1.10 to 0.1.11 (#5467)
build(deps): bump github.com/hashicorp/go-getter from 1.6.1 to 1.6.2 (#5473)
build(deps): bump github.com/tdewolff/minify/v2 from 2.11.9 to 2.11.10 (#5476)
build(deps): bump github.com/stretchr/testify from 1.7.2 to 1.7.4 (#5499)
build(deps): bump github.com/spf13/cobra from 1.4.0 to 1.5.0 (#5507)

ci(deps): bump actions/setup-python from 3 to 4 (#5462)

👻 Maintenance

update(query): improved “Resource Not Using Tags” description (#5483)


© 2021 Checkmarx Ltd. All Rights Reserved.