KICS stands for Keeping Infrastructure as Code Secure, it is open source and is a must-have for any cloud-native project.
Find security vulnerabilities, compliance issues, and infrastructure misconfigurations early in the development cycle of your infrastructure-as-code with KICS by Checkmarx.
How it Works
What makes KICS really powerful and popular is its built-in extensibility. This extensibility is achieved by:
Fully customizable and adjustable heuristics rules called queries. These can be easily edited, extended, and added.
Robust but yet simple architecture, which allows quick addition of support for new Infrastructure as Code solutions.
KICS is 100% open source is written in Golang using Open Policy Agent (OPA).
Golang speed, simplicity, and reliability made it the perfect choice for writing KICS, while Rego as a query language, was a native choice to implement security queries.
So far have written 1000+ ready-to-use queries that cover a wide range of vulnerabilities checks for AWS, GCP, Azure and other cloud providers.
High-Level Architecture
KICS has a pluggable architecture with an extensible pipeline of parsing IaC languages, which allows easy integration of new IaC languages and queries.
At a high very level, KICS is composed of the following main components: a command-line interface, parser, queries execution engine, IaC providers, security queries, and results writer.
Command Line Interface => Provides CLI input to KICS.
Parser => responsible for parsing input IaC files (terraform and others)
IaC Providers => Converts IaC language into normalized JSON
Queries Execution Engine => applies REGO queries against normalized JSON
Security Queries => pre-built REGO queries for each security and misconfiguration
Writer => Writes results into JSON format
Execution Flow
The sequence diagram below depicts the interaction of the main KICS components:
Changelog v1.5.11
🐛 Bug fixes
fix(query): uncomment cloud formation test sample (#5320) by @lipeavelar
fix(queries): align descriptionText to similar queries across different platforms #2 (#5460) by @roi-orca
fix(secrets inspector): added mutex to lock addVulnerability (#5503)
fix(analyzer): discard possible Dockerfile when they are not actually a Dockerfile (#5470)
update(dockerfile): fix CVE-2022-1586 and CVE-2022-29810 (#5492)
fix(resolver): exclude resolve path call for the same path reference (#5511)
📦 Dependency updates bumps
build(deps): bump github.com/aws/aws-sdk-go from 1.44.29 to 1.44.39 (#5468) (#5472) (#5477) (#5490) (#5498) (#5508)
build(deps): bump github.com/gookit/color from 1.5.0 to 1.5.1 (#5469)
build(deps): bump golang.org/x/tools from 0.1.10 to 0.1.11 (#5467)
build(deps): bump github.com/hashicorp/go-getter from 1.6.1 to 1.6.2 (#5473)
build(deps): bump github.com/tdewolff/minify/v2 from 2.11.9 to 2.11.10 (#5476)
build(deps): bump github.com/stretchr/testify from 1.7.2 to 1.7.4 (#5499)
build(deps): bump github.com/spf13/cobra from 1.4.0 to 1.5.0 (#5507)
ci(deps): bump actions/setup-python from 3 to 4 (#5462)
👻 Maintenance
update(query): improved “Resource Not Using Tags” description (#5483)
