kics v1.4.8 releases: Find security vulnerabilities, compliance issues, and infrastructure misconfigurations

by do son · Published March 6, 2021 · Updated November 24, 2021

kics

KICS stands for Keeping Infrastructure as Code Secure, it is open source and is a must-have for any cloud-native project.

Find security vulnerabilities, compliance issues, and infrastructure misconfigurations early in the development cycle of your infrastructure-as-code with KICS by Checkmarx.

How it Works

What makes KICS really powerful and popular is its built-in extensibility. This extensibility is achieved by:

Fully customizable and adjustable heuristics rules called queries. These can be easily edited, extended, and added.
Robust but yet simple architecture, which allows quick addition of support for new Infrastructure as Code solutions.

KICS is 100% open source is written in Golang using Open Policy Agent (OPA).

Golang speed, simplicity, and reliability made it the perfect choice for writing KICS, while Rego as a query language, was a native choice to implement security queries.

So far have written 1000+ ready-to-use queries that cover a wide range of vulnerabilities checks for AWS, GCP, Azure and other cloud providers.

High-Level Architecture

KICS has a pluggable architecture with an extensible pipeline of parsing IaC languages, which allows easy integration of new IaC languages and queries.

At a high very level, KICS is composed of the following main components: a command-line interface, parser, queries execution engine, IaC providers, security queries, and results writer.

Command Line Interface => Provides CLI input to KICS.
Parser => responsible for parsing input IaC files (terraform and others)
IaC Providers => Converts IaC language into normalized JSON
Queries Execution Engine => applies REGO queries against normalized JSON
Security Queries => pre-built REGO queries for each security and misconfiguration
Writer => Writes results into JSON format

Execution Flow

The sequence diagram below depicts the interaction of the main KICS components:

Changelog v1.4.8

🚀 Added

added 30 new queries (Terraform, Ansible and Cloudformation)
feat(report): added sonarqube report (#4418) (#4539)
feat(report): added expected value to PDF report (#4552)
feat(docs & passwords and secrets): consideration of kics-scan ignore command and LinesIgnore (#4485) (#4419) (#4503)
feat(ci): add pre-commit hook (#4520)

✨ Changed

refactor(core): changed tests to use a constants platforms (#4534)

🔧 Fixed

increased results accuracy
fix(scan): not reporting error when progress bar fails to close (#4551)
fix(parser): fixed YAML parser panic with wrong type for interface (#4536)
fix(password and secrets): fixed MS Teams regex hardcoded team_name (#4537)

💪 For The Bolder

build(deps): bump github.com/open-policy-agent/opa from 0.33.0 to 0.34.2 (#4469) (#4506)
build(deps): bump github.com/moby/buildkit from 0.9.2 to 0.9.3 (#4538)