KICS stands for Keeping Infrastructure as Code Secure. It is open source and is a must-have for any cloud-native project.
Find security vulnerabilities, compliance issues, and infrastructure misconfigurations early in the development cycle of your infrastructure-as-code with KICS by Checkmarx.
How it Works
What makes KICS really powerful and popular is its built-in extensibility. This extensibility is achieved by:
Fully customizable and adjustable heuristic rules called queries, which can easily be edited, extended, and added to.
A robust yet simple architecture, which allows support for new Infrastructure as Code solutions to be added quickly.
KICS is 100% open source and is written in Go (Golang) using Open Policy Agent (OPA).
Go's speed, simplicity, and reliability made it the perfect choice for writing KICS, while Rego, OPA's query language, was the natural choice for implementing the security queries.
So far the project has written 1000+ ready-to-use queries that cover a wide range of vulnerability checks for AWS, GCP, Azure, and other cloud providers.
High-Level Architecture
KICS has a pluggable architecture with an extensible pipeline of parsing IaC languages, which allows easy integration of new IaC languages and queries.
At a very high level, KICS is composed of the following main components: a command-line interface, a parser, IaC providers, a query execution engine, the security queries, and a results writer.
Command Line Interface => Provides CLI input to KICS
Parser => Responsible for parsing input IaC files (Terraform and others)
IaC Providers => Convert each IaC language into normalized JSON
Queries Execution Engine => Applies Rego queries against the normalized JSON
Security Queries => Pre-built Rego queries, one per security or misconfiguration check
Writer => Writes results into JSON format
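To make the pipeline above concrete, here is an added example (not KICS's own code) that models the three stages a query passes through: a normalized JSON document as an IaC provider would produce it, a query stage that inspects that document, and a writer that serialises findings as JSON. Two Go functions stand in for Rego queries; the document shape, the result layout, the query names and the sample Terraform-like resources are all constructed for this example and are not KICS's real schema or catalog.

```go
package main

import (
	"encoding/json"
	"fmt"
	"sort"
)

// Document is the normalized JSON an IaC provider hands to the query engine.
// The shape used here is a constructed, simplified stand-in, not KICS's real schema.
type Document map[string]any

// Result is one finding in a simplified writer format (assumed for this example).
type Result struct {
	QueryName   string `json:"query_name"`
	Severity    string `json:"severity"`
	SearchKey   string `json:"search_key"`
	Description string `json:"description"`
}

// Query plays the role of one Rego security query: it inspects the normalized
// document and returns the search keys of offending resources.
type Query struct {
	Name, Severity, Description string
	Check                       func(doc Document) []string
}

// resourcesOfType returns the named resources of one Terraform resource type,
// with names sorted so that output order is stable.
func resourcesOfType(doc Document, kind string) ([]string, map[string]any) {
	res, _ := doc["resource"].(map[string]any)
	typed, _ := res[kind].(map[string]any)
	var names []string
	for name := range typed {
		names = append(names, name)
	}
	sort.Strings(names)
	return names, typed
}

// publicS3Bucket flags aws_s3_bucket resources whose ACL grants public access.
func publicS3Bucket(doc Document) []string {
	var hits []string
	names, buckets := resourcesOfType(doc, "aws_s3_bucket")
	for _, name := range names {
		body, _ := buckets[name].(map[string]any)
		if acl, _ := body["acl"].(string); acl == "public-read" || acl == "public-read-write" {
			hits = append(hits, fmt.Sprintf("aws_s3_bucket[%s].acl", name))
		}
	}
	return hits
}

// sshOpenToWorld flags aws_security_group ingress rules covering port 22
// that accept traffic from 0.0.0.0/0.
func sshOpenToWorld(doc Document) []string {
	var hits []string
	names, groups := resourcesOfType(doc, "aws_security_group")
	for _, name := range names {
		body, _ := groups[name].(map[string]any)
		ingress, _ := body["ingress"].([]any)
		for i, rule := range ingress {
			r, _ := rule.(map[string]any)
			from, _ := r["from_port"].(float64) // JSON numbers decode as float64
			to, _ := r["to_port"].(float64)
			cidrs, _ := r["cidr_blocks"].([]any)
			for _, c := range cidrs {
				if c == "0.0.0.0/0" && from <= 22 && to >= 22 {
					hits = append(hits, fmt.Sprintf("aws_security_group[%s].ingress[%d]", name, i))
					break
				}
			}
		}
	}
	return hits
}

// Queries is the catalog the engine runs (two constructed stand-ins for Rego queries).
var Queries = []Query{
	{"S3 Bucket ACL Allows Public Access", "HIGH", "Bucket ACL should not be public-read or public-read-write", publicS3Bucket},
	{"SSH Open To The World", "HIGH", "Ingress on port 22 should not allow 0.0.0.0/0", sshOpenToWorld},
}

// RunQueries is the execution engine: every query is applied to the normalized
// document and each hit becomes one Result.
func RunQueries(doc Document, queries []Query) []Result {
	var results []Result
	for _, q := range queries {
		for _, key := range q.Check(doc) {
			results = append(results, Result{q.Name, q.Severity, key, q.Description})
		}
	}
	return results
}

// WriteResults is the writer stage: findings are serialised as JSON.
func WriteResults(results []Result) (string, error) {
	out, err := json.MarshalIndent(results, "", "  ")
	return string(out), err
}

// sampleNormalized is a constructed document standing in for what a Terraform
// provider would emit for a small .tf file with two buckets and two security groups.
const sampleNormalized = `{"resource": {
  "aws_s3_bucket": {"logs": {"acl": "public-read"}, "private": {"acl": "private"}},
  "aws_security_group": {
    "bastion":  {"ingress": [{"from_port": 22, "to_port": 22, "cidr_blocks": ["0.0.0.0/0"]}]},
    "internal": {"ingress": [{"from_port": 22, "to_port": 22, "cidr_blocks": ["10.0.0.0/8"]}]}}}}`

// ScanSample runs provider output -> query engine on the constructed document.
func ScanSample() ([]Result, error) {
	var doc Document
	if err := json.Unmarshal([]byte(sampleNormalized), &doc); err != nil {
		return nil, err
	}
	return RunQueries(doc, Queries), nil
}

func main() {
	results, err := ScanSample()
	if err != nil {
		panic(err)
	}
	out, _ := WriteResults(results)
	fmt.Println(out)
}
```

Running it prints two findings, one for the `logs` bucket and one for the `bastion` security group, while the `private` bucket and the `internal` group pass. Because every query receives the same normalized document, the same query logic applies regardless of which IaC language produced the input; that separation is what lets a new provider or a new query be added without touching the engine.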
Execution Flow
The sequence diagram below depicts the interaction of the main KICS components:
Changelog v1.6.9
🚀 New features and improvements
feat(query): add aws sso security queries support in #6096
feat(query): add password and secrets detection for sendgrid api key in #6118
🐛 Bug fixes
fix(e2e): update e2e test 44 description in #6114
fix(query): update query searchline to avoid duplicate similarity id in #6111
fix(dep): fix git version on dockerfile in #6092
📦 Dependency updates bumps
build(deps): bump helm.sh/helm/v3 from 3.10.3 to 3.11.0 in #6094
build(deps): bump github.com/getsentry/sentry-go from 0.14.0 to 0.17.0 in #6082
build(deps): bump golang.org/x/net from 0.4.0 to 0.5.0 in #6073
build(deps): bump github.com/emicklei/proto from 1.11.0 to 1.11.1 in #6074
ci(deps): bump golang from 1.19.4-alpine to 1.19.5-alpine in #6080
ci(deps): bump docker/build-push-action from 3.2.0 to 3.3.0 in #6089
👻 Maintenance
docs(queries): update queries catalog in #6120
Update community meetings in #6117
community dates update in #6119