KICS stands for Keeping Infrastructure as Code Secure. It is open source and a must-have for any cloud-native project.
Find security vulnerabilities, compliance issues, and infrastructure misconfigurations early in the development cycle of your infrastructure-as-code with KICS by Checkmarx.
How it Works
What makes KICS really powerful and popular is its built-in extensibility. This extensibility is achieved by:
Fully customizable and adjustable heuristic rules called queries. These can be easily edited, extended, and added.
Robust but yet simple architecture, which allows quick addition of support for new Infrastructure as Code solutions.
KICS is 100% open source and is written in Golang using Open Policy Agent (OPA).
Golang's speed, simplicity, and reliability made it the perfect choice for writing KICS, while Rego, OPA's query language, was a natural choice for implementing security queries.
So far, 1000+ ready-to-use queries have been written, covering a wide range of vulnerability checks for AWS, GCP, Azure, and other cloud providers.
High-Level Architecture
KICS has a pluggable architecture with an extensible pipeline of parsing IaC languages, which allows easy integration of new IaC languages and queries.
At a very high level, KICS is composed of the following main components: a command-line interface, a parser, IaC providers, a query execution engine, security queries, and a results writer.
Command Line Interface => provides CLI input to KICS.
Parser => responsible for parsing the input IaC files (Terraform and others).
IaC Providers => convert each IaC language into normalized JSON.
Queries Execution Engine => applies Rego queries against the normalized JSON.
Security Queries => pre-built Rego queries, one for each security check or misconfiguration.
Writer => writes the results in JSON format.
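To make the normalize / query / write pipeline concrete, here is an added Python example (not KICS's own Go code, and not one of its Rego queries) that runs a hand-written check in the spirit of the "unpinned actions full length commit sha" query over a constructed, already-normalized GitHub workflow document. The document's key names, the result fields, the severity and the SHA values are assumptions for this example, not the KICS schema or real pins.

```python
import json
import re

# Constructed sample: a GitHub Actions workflow already flattened into the
# normalized JSON that an IaC provider would hand to the query engine.
# Key names are an assumption for this example, not the KICS schema; the
# 40-hex SHA is a placeholder, not a real commit.
NORMALIZED_WORKFLOW = {
    "file": "workflows/ci.yml",
    "jobs": {
        "build": {
            "steps": [
                {"uses": "actions/checkout@v4"},                                   # mutable tag
                {"uses": "org/action@0123456789abcdef0123456789abcdef01234567"},  # full SHA
                {"uses": "some-org/deploy@main"},                                  # mutable branch
                {"run": "go test ./..."},                                          # not an action
                {"uses": "org/tool@abc1234"},                                      # short SHA
            ]
        }
    },
}

# A pin is accepted only when the ref after '@' is a full 40-character commit SHA.
FULL_SHA = re.compile(r"^[^@]+@[0-9a-f]{40}$")


def unpinned_actions(doc):
    """Query: every `uses:` reference must be pinned to a full-length commit SHA."""
    results = []
    for job_name, job in doc.get("jobs", {}).items():
        for idx, step in enumerate(job.get("steps", [])):
            ref = step.get("uses")
            # Local and container actions are not git refs; out of scope for this check.
            if ref is None or ref.startswith("./") or ref.startswith("docker://"):
                continue
            if not FULL_SHA.match(ref):
                results.append({
                    "query_name": "Unpinned Actions Full Length Commit SHA",
                    "severity": "MEDIUM",  # assumed severity for the example
                    "file": doc["file"],
                    "search_key": f"jobs.{job_name}.steps[{idx}].uses",
                    "expected": "action pinned to a 40-character commit SHA",
                    "actual": ref,
                })
    return results


def write_results(results):
    """Writer stage: serialize the findings as a JSON report."""
    return json.dumps({"total_counter": len(results), "queries": results}, indent=2)


if __name__ == "__main__":
    print(write_results(unpinned_actions(NORMALIZED_WORKFLOW)))
```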
Execution Flow
The sequence diagram below depicts the interaction of the main KICS components:
Changelog v1.7.8
🚀 New features and improvements
feat(engine): added github workflows scan in #6664
feat(query): unpinned actions full length commit sha in #6698
feat(query): ansible hosts ansible tower exposed to internet in #6691
feat(query): ansible config allow unsafe lookups in #6626
feat(query): ansible playbooks communication over http in #6687
feat(panic): add panic handler to terraform parser by @liorj-orca in #6726
🐛 Bug fixes
fix(workflows): fixed action’s pin in #6689
fix(query): ca certificate identifier is outdated tf aws in #6683
fix(engine): added condition to check if gitignore is not empty to fix unit tests in #6706
fix(query): dockercompose Host Namespace is Shared in #6719
fix(test): e2e name in #6685
📦 Dependency updates bumps
ci(deps): bump golang from 1.20.7-alpine to 1.21.0-alpine in #6623
👻 Maintenance
update(docs): adding github icon into readme and docs website in #6722
update(comments): comments related to files extensions updated in #6696
docs(queries): update queries catalog in #6699