kics
by Checkmarx
KICS is an open-source tool that detects security vulnerabilities, compliance issues, and infrastructure misconfigurations early in the development lifecycle of infrastructure-as-code.
Find security vulnerabilities, compliance issues, and infrastructure misconfigurations early in the development cycle of your infrastructure-as-code with KICS by Checkmarx.
Primary Use Case
KICS is primarily used by DevOps engineers, security teams, and cloud architects to scan infrastructure-as-code templates such as Terraform, CloudFormation, and others for security and compliance issues before deployment. It helps integrate security checks early in CI/CD pipelines to ensure cloud infrastructure is secure and compliant from the start.
- Detects security vulnerabilities in infrastructure-as-code
- Identifies compliance issues and governance risks
- Scans cloud infrastructure configurations for misconfigurations
- Supports multiple IaC platforms including Terraform
- Open source with extensive query library for checks
- Provides CLI and Docker-based scanning options
- Integrates with CI/CD pipelines
- Comprehensive documentation and community support
Installation
- Download the latest release from the GitHub releases page
- Install via Docker by pulling the checkmarx/kics image
- Alternatively, build from source using Go (if applicable)
- Add KICS binary to your system PATH for CLI usage
Usage
kics scan -p <path-to-iac-files>
Scans the specified directory or file containing infrastructure-as-code templates for vulnerabilities and misconfigurations.
kics scan -p <path-to-iac-files> --output-path <output-directory>
Runs a scan and saves the results to the specified output directory (the -p path is required for every scan).
docker run -v $(pwd):/src checkmarx/kics scan -p /src
Runs the KICS scan inside a Docker container against the current directory, mounted as /src.
- Integrate KICS scans into CI/CD pipelines for early detection of IaC misconfigurations and vulnerabilities.
- Use KICS query library to customize compliance checks aligned with organizational policies.
- Combine KICS with runtime security tools to create a comprehensive cloud security posture management solution.
- Leverage KICS open-source nature to contribute custom queries for emerging cloud services and IaC frameworks.
- Employ KICS reports to educate development and DevOps teams on secure infrastructure coding practices.