KICS is 100% open source and is written in Golang using Open Policy Agent (OPA).

Golang's speed, simplicity, and reliability made it the perfect choice for writing KICS, while Rego, as a query language, was a native choice for implementing security queries.

So far, 1000+ ready-to-use queries have been written, covering a wide range of vulnerability checks for AWS, GCP, Azure and other cloud providers.

High-Level Architecture

KICS has a pluggable architecture with an extensible pipeline of parsing IaC languages, which allows easy integration of new IaC languages and queries.

At a very high level, KICS is composed of the following main components: a command-line interface, parser, queries execution engine, IaC providers, security queries, and results writer.

  • Command Line Interface => provides CLI input to KICS
  • Parser => parses the input IaC files (Terraform and others)
  • IaC Providers => convert the IaC language into normalized JSON
  • Queries Execution Engine => applies Rego queries against the normalized JSON
  • Security Queries => pre-built Rego queries for each security issue and misconfiguration
  • Writer => writes results in JSON format
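To make the "Rego query against normalized JSON" step concrete, here is an added example (not taken from the KICS repository or from this page). It assumes KICS's query conventions, none of which are shown on this page: package `Cx`, a `CxPolicy` rule, parsed files under `input.document`, and the result field names used below. The bucket names and the sample document are constructed.

```rego
# Added example, not a query shipped with KICS.
# Written in the pre-1.0 Rego syntax accepted by the OPA 0.44.0 dependency
# listed in the changelog below.
package Cx

# Assumed query shape: one result object per finding.
CxPolicy[result] {
	doc := input.document[_]

	# Terraform resources normalized as resource.<type>.<name>.
	bucket := doc.resource.aws_s3_bucket[name]

	# Flag only ACLs that grant access to everyone.
	public_acls := {"public-read", "public-read-write"}
	public_acls[bucket.acl]

	result := {
		"documentId": doc.id,
		"searchKey": sprintf("aws_s3_bucket[%s].acl", [name]),
		"issueType": "IncorrectValue",
		"keyExpectedValue": "'acl' should be private",
		"keyActualValue": sprintf("'acl' is %s", [bucket.acl]),
	}
}

# Constructed sample of what a provider could hand to the engine for a
# main.tf that declares two buckets.
sample_input := {"document": [{
	"id": "doc-0",
	"file": "main.tf",
	"resource": {"aws_s3_bucket": {
		"logs": {"acl": "public-read"},
		"private": {"acl": "private"},
	}},
}]}

# Unit test: exactly one finding, and it points at the public bucket.
test_only_public_bucket_is_flagged {
	results := CxPolicy with input as sample_input
	count(results) == 1
	r := results[_]
	r.searchKey == "aws_s3_bucket[logs].acl"
	r.documentId == "doc-0"
}
```

Saved as a single `.rego` file, the policy and its test can be checked with `opa test` on an OPA release that accepts this syntax.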

Execution Flow

The sequence diagram below depicts the interaction of the main KICS components:

 

Changelog v1.6.1

🚀 New features and improvements

added 2 queries for CloudFormation and Terraform

update(coverage): code coverage improvements (#5744)
feat(workflows): add workflow to check latest software versions (#5823)

🐛 Bug fixes

fix(query): fix query descriptionText for s3 logging disabled kms rotation and iam policies (#5810) by @tomk-orca
fix(query): fix queries expected value to ‘should be…’ (#5816) by @liorj-orca
fix(query): fix dockerfile security query regex (#5826)
fix(query): change s3 bucket acl grants write acp security query (#5780)
fix(query): remove string check in open api security query (#5831)
fix(query): change s3 bucket with all permissions security query (#5781)
fix(query): update s3 bucket policy accepts http requests security query (#5832)
fix(query): updated lambda_function_with_privileged_role (#5833)
fix(query): fix responses with wrong http status code security query (#5834)
fix(query): fixed Docker queries related to issues 5115, 5116, and 5118 (#5295)
fix(bug): bug in get metrics script (#5796)
fix(bug): add support for certificate body process from tfvar (#5837)
fix(terraform data source): added data resources resolver (#5839)

📦 Dependency updates bumps

build(deps): bump github.com/GoogleCloudPlatform/terraformer from 0.8.21 to 0.8.22 (#5817) by @tomk-orca
build(deps): bump github.com/spf13/viper from 1.12.0 to 1.13.0 (#5766)
build(deps): bump k8s.io/client-go from 0.24.3 to 0.25.1 (#5804)
build(deps): bump github.com/aws/aws-sdk-go from 1.44.91 to 1.44.101 (#5809)
build(deps): bump github.com/open-policy-agent/opa from 0.43.0 to 0.44.0 (#5777)

ci(deps): bump actions/upload-artifact from 2 to 3 (#5764)
ci(deps): bump golang from 1.19.0-alpine to 1.19.1-alpine (#5767)
ci(deps): bump docker/setup-buildx-action from 1 to 2 (#5770)

👻 Maintenance

chore(gitlab-ci): add --ci flag to gitlab examples (#5682) by @sluetze
update(docs): correct the GH action name (#5818) by @konstruktoid
update(docs): improve information in the configuration docs (#5829) by @VladMasarik
update(docs): update remediate docs (#5794)
update(docs): docker hub docs information update (#5800)
update(docs): community tab added into the docs.kics.io website (#5806)
update(docs): update information about github action versions (#5842)
update(workflows): gh action tag update for 1.6 kics version (#5841)
update(workflows): delete branching process for major versions (#5812)
