KICS stands for Keeping Infrastructure as Code Secure. It is open source and a must-have for any cloud-native project.
Find security vulnerabilities, compliance issues, and infrastructure misconfigurations early in the development cycle of your infrastructure-as-code with KICS by Checkmarx.
How it Works
What makes KICS really powerful and popular is its built-in extensibility, which is achieved by:
Fully customizable and adjustable heuristic rules called queries, which can be easily edited, extended, and added.
A robust yet simple architecture, which allows quick addition of support for new Infrastructure as Code solutions.
KICS is 100% open source and is written in Go (Golang), using Open Policy Agent (OPA).
Go's speed, simplicity, and reliability made it the perfect choice for writing KICS, while Rego, OPA's query language, was the natural choice for implementing the security queries.
So far, 1000+ ready-to-use queries have been written, covering a wide range of vulnerability checks for AWS, GCP, Azure, and other cloud providers.
High-Level Architecture
KICS has a pluggable architecture with an extensible pipeline of parsing IaC languages, which allows easy integration of new IaC languages and queries.
At a very high level, KICS is composed of the following main components: a command-line interface, a parser, a query execution engine, IaC providers, security queries, and a results writer.
Command Line Interface => provides CLI input to KICS
Parser => parses the input IaC files (Terraform and others)
IaC Providers => convert each IaC language into normalized JSON
Queries Execution Engine => applies Rego queries against the normalized JSON
Security Queries => pre-built Rego queries, one per security or misconfiguration check
Writer => writes results in JSON format
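As an added illustration (not a query from the KICS repository), here is what a security query looks like in this pipeline: it runs over the normalized JSON that the Terraform IaC provider produces and emits one result per finding in the shape the writer serializes. The package name, the `CxPolicy[result]` rule and the `input.document[i]` layout follow the conventions of KICS's own queries; the Terraform snippet, bucket name and the exact set of ACL values checked are constructed for this example.

```rego
# Added example of a KICS-style Rego query; it is not one of the project's own queries.
# Assumed input: the normalized JSON the Terraform IaC provider builds for a
# constructed file such as
#
#   resource "aws_s3_bucket" "logs" {
#     bucket = "example-logs"
#     acl    = "public-read"
#   }
#
# which reaches Rego as
#   input.document[i].resource.aws_s3_bucket["logs"] == {"bucket": "example-logs", "acl": "public-read"}
package Cx

# Canned ACLs that grant anonymous (AllUsers) read or write access.
public_acls := {"public-read", "public-read-write"}

# Every satisfied rule body adds one result object to the CxPolicy set; the
# query execution engine collects the set and hands it to the writer.
CxPolicy[result] {
	doc := input.document[i]
	bucket := doc.resource.aws_s3_bucket[name]

	# Set membership: true only when the bucket's acl is one of the public ACLs.
	public_acls[bucket.acl]

	result := {
		"documentId": doc.id,
		"searchKey": sprintf("aws_s3_bucket[%s].acl", [name]),
		"issueType": "IncorrectValue",
		"keyExpectedValue": sprintf("'aws_s3_bucket[%s].acl' should be 'private'", [name]),
		"keyActualValue": sprintf("'aws_s3_bucket[%s].acl' is '%s'", [name, bucket.acl]),
	}
}
```

In a KICS queries directory this body lives in a `query.rego` file next to a `metadata.json` that carries the query's id, name, severity, category and description, which is how the engine attaches those fields to each result.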
Execution Flow
The sequence diagram below depicts the interaction of the main KICS components:
Changelog v1.10
🐛 Bug fixes
fix(docker): experimental-queries.json: no such file or directory in #6755
fix(query): terraform alb_is_not_integrated_with_waf in #6636
fix(query): dockerfile unpinned_package_version_in_pip_install in #6637
👻 Maintenance
docs(experimentalfeature): update docs for experimental queries by @asofsilva in #6748