igbuend/kics

Checkmarx KICS (Keeping Infrastructure as Code Secure)

When to Use KICS

Ideal scenarios:

• Infrastructure as Code (IaC) security scanning
• Cloud configuration analysis (AWS, Azure, GCP, Oracle)
• Kubernetes manifest security review
• Dockerfile security hardening
• Terraform/OpenTofu security assessment
• Ansible playbook security validation
• CI/CD pipeline IaC security gates
• Compliance checking (CIS, PCI-DSS, NIST, SOC2)

Complements other tools:

• Use alongside application security scanners (Semgrep, CodeQL)
• Combine with SARIF Issue Reporter for detailed findings
• Use with cloud posture management tools

When NOT to Use

Do NOT use this skill for:

• Application source code vulnerability scanning (use Semgrep or CodeQL)
• Secrets detection (use Gitleaks)
• Dependency vulnerability scanning (use OSV-Scanner or Depscan)
• Runtime cloud posture assessment (use CSPM tools)
• Binary or compiled code analysis

Installation

# Binary download (Linux)
wget https://github.com/Checkmarx/kics/releases/latest/download/kics_linux_amd64.tar.gz
tar -xzf kics_linux_amd64.tar.gz
sudo mv kics /usr/local/bin/

# Binary download (macOS)
wget https://github.com/Checkmarx/kics/releases/latest/download/kics_darwin_amd64.tar.gz
tar -xzf kics_darwin_amd64.tar.gz
sudo mv kics /usr/local/bin/

# Homebrew
brew install kics

# Docker
docker pull checkmarx/kics:latest

# Verify
kics version

Core Workflow

1. Quick Scan

# Scan current directory
kics scan -p .

# Scan specific path
kics scan -p /path/to/iac

# Scan with minimal output
kics scan -p . --silent

# No color output (for CI)
kics scan -p . --no-color

2. SARIF Output

# Generate SARIF report
kics scan -p /path/to/iac \
  --report-formats sarif \
  --output-path results.sarif

# Multiple formats (JSON + SARIF)
kics scan -p /path/to/iac \
  --report-formats json,sarif \
  --output-path .

# Named output
kics scan -p /path/to/iac \
  --report-formats sarif \
  --output-name kics-results

# All formats
kics scan -p /path/to/iac \
  --report-formats all \
  --output-path ./reports

3. Platform-Specific Scans

# AWS CloudFormation
kics scan -p ./cloudformation --type CloudFormation

# Terraform
kics scan -p ./terraform --type Terraform

# Kubernetes manifests
kics scan -p ./k8s --type Kubernetes

# Dockerfile
kics scan -p ./docker --type Dockerfile

# Ansible
kics scan -p ./ansible --type Ansible

# Azure Resource Manager
kics scan -p ./arm --type AzureResourceManager

# Google Deployment Manager
kics scan -p ./gdm --type GoogleDeploymentManager

# Helm charts
kics scan -p ./charts --type Helm

4. Severity Filtering

# Only high and critical
kics scan -p . --minimal-ui --fail-on high,critical

# Exclude info findings
kics scan -p . --exclude-severities info

# Specific severities in SARIF
kics scan -p . \
  --fail-on high,critical \
  --report-formats sarif \
  --output-path results.sarif

Configuration

Config File

Create .kics.yml or kics.config:

# Paths to scan
path: ./infrastructure

# Query selection
exclude-queries:
  - 487f4be7-3fd9-4506-a07a-96c39d0b30ad  # Specific query ID

# Severity settings
fail-on:
  - high
  - critical

# Output settings
output-path: ./kics-results
report-formats:
  - sarif
  - json
  - html

# Exclude paths
exclude-paths:
  - "./tests/**"
  - "./examples/**"
  - "**/.terraform/**"

# Exclude results by similarity ID
exclude-results:
  - abc123def456

# Platform filters
type:
  - Terraform
  - Kubernetes
  - Dockerfile

# CI mode
ci: true
no-color: true
minimal-ui: true

Use config:

kics scan --config .kics.yml

Inline Suppressions

# Terraform - suppress specific finding
resource "aws_s3_bucket" "example" {
  # kics-scan ignore-line
  bucket = "my-bucket"
  acl    = "public-read"  # Suppressed above
}

# Suppress entire block
# kics-scan ignore-block
resource "aws_security_group" "example" {
  ingress {
    from_port   = 0
    to_port     = 0
    protocol    = "-1"
    cidr_blocks = ["0.0.0.0/0"]
  }
}

# Kubernetes - suppress finding
apiVersion: v1
kind: Pod
metadata:
  name: example
spec:
  # kics-scan ignore-line
  hostNetwork: true  # Suppressed
  containers:
    - name: app
      image: nginx:latest  # kics-scan ignore-line

CI/CD Integration (GitHub Actions)

name: KICS IaC Scan

on:
  push:
    branches: [main]
    paths:
      - '**.tf'
      - '**.yaml'
      - '**.yml'
      - 'Dockerfile*'
  pull_request:
    paths:
      - '**.tf'
      - '**.yaml'
      - '**.yml'
      - 'Dockerfile*'

jobs:
  kics:
    runs-on: ubuntu-latest

    steps:
      - uses: actions/checkout@v4

      - name: Run KICS
        uses: checkmarx/[email protected]
        with:
          path: .
          output_path: kics-results
          output_formats: 'sarif,json,html'
          fail_on: high,critical
          enable_comments: true  # PR comments
          exclude_paths: 'tests/**,examples/**'

      - name: Upload SARIF
        if: always()
        uses: github/codeql-action/upload-sarif@v3
        with:
          sarif_file: kics-results/results.sarif
          category: kics

      - name: Upload Results
        if: always()
        uses: actions/upload-artifact@v4
        with:
          name: kics-results
          path: kics-results/

Common Use Cases

1. Terraform Security Audit

# Comprehensive Terraform scan
kics scan -p ./terraform \
  --type Terraform \
  --report-formats sarif,html \
  --output-path ./security-audit \
  --fail-on high,critical

# Review HTML report
open ./security-audit/results.html

# Process SARIF with other tools
sarif summary ./security-audit/results.sarif

2. Kubernetes Hardening

# Scan all K8s manifests
kics scan -p ./k8s \
  --type Kubernetes \
  --report-formats sarif \
  --output-name k8s-security

# Focus on critical issues
kics scan -p ./k8s \
  --type Kubernetes \
  --fail-on high,critical \
  --exclude-severities low,medium,info

3. Multi-Cloud Infrastructure

# Scan mixed IaC
kics scan -p ./infrastructure \
  --type Terraform,CloudFormation,AzureResourceManager \
  --report-formats sarif,json \
  --output-path ./reports

4. Dockerfile Security

# Scan all Dockerfiles
kics scan -p . \
  --type Dockerfile \
  --report-formats sarif \
  --output-name dockerfile-scan

# Include docker-compose
kics scan -p . \
  --type Dockerfile,DockerCompose \
  --report-formats sarif

Understanding Output

SARIF Structure

KICS SARIF v2.1.0 includes:

• Rules: Each query/check (1500+ built-in queries)
• Results: Specific IaC misconfigurations found
• Properties:
  • Severity: HIGH, MEDIUM, LOW, INFO
  • Category: Security, Best Practices, etc.
  • Platform: Terraform, K8s, Dockerfile, etc.
  • CWE mapping
  • Remediation guidance

Result Categories

| Category | Examples | |----------|----------| | Access Control | Overly permissive IAM, public resources | | Encryption | Unencrypted storage, weak TLS | | Networking | Open security groups, exposed ports | | Secret Management | Hardcoded credentials, exposed secrets | | Resource Configuration | Missing logging, backup disabled | | Best Practices | Missing tags, resource limits | | Insecure Defaults | Default passwords, debug mode |

Advanced Features

Custom Queries

Create custom query in custom-queries/:

# custom-queries/require_tags.rego
package Cx

CxPolicy[result] {
  resource := input.document[i].resource.aws_instance[name]
  not resource.tags

  result := {
    "documentId": input.document[i].id,
    "searchKey": sprintf("aws_instance[%s]", [name]),
    "issueType": "MissingAttribute",
    "keyExpectedValue": "Tags should be defined",
    "keyActualValue": "Tags are not defined"
  }
}

Use custom queries:

kics scan -p ./terraform \
  --queries-path ./custom-queries \
  --report-formats sarif

Query Information

# List all queries
kics list-platforms

# Show query details
kics show-query <query-id>

# Generate queries documentation
kics generate-documentation

Results Management

# Generate baseline
kics scan -p . --report-formats json -o baseline.json

# Compare against baseline
kics scan -p . --exclude-results $(cat baseline.json | jq -r '.results[].similarity_id')

Compliance Frameworks

KICS maps findings to:

• CIS Benchmarks: AWS, Azure, GCP, Kubernetes
• PCI-DSS: Payment card industry standards
• HIPAA: Healthcare compliance
• GDPR: Data protection requirements
• SOC 2: Security controls
• NIST: Cybersecurity framework

# Filter by compliance
kics scan -p . --include-queries "CIS*" --report-formats sarif

Performance Optimization

# Parallel scanning (default: number of CPUs)
kics scan -p . --parallel 8

# Limit file size
kics scan -p . --file-size-limit 1000  # KB

# Exclude large directories
kics scan -p . --exclude-paths "**/node_modules/**,**/.terraform/**"

# Minimal UI for speed
kics scan -p . --minimal-ui --silent --no-progress

Limitations

• Runtime issues: Can't detect runtime misconfigurations
• Custom modules: Limited visibility into external Terraform modules
• Context awareness: May flag acceptable exceptions
• False positives: Generic rules may not fit all use cases
• Remediation: Provides guidance but doesn't auto-fix

Rationalizations to Reject

| Shortcut | Why It's Wrong | |----------|----------------| | "KICS found nothing = IaC is secure" | KICS has 1500+ queries but can't cover every misconfiguration | | "Suppress all LOW/MEDIUM findings" | Lower severity findings can combine to create critical risks | | "Skip IaC scanning in CI" | IaC defines infrastructure; security issues here affect entire environment | | "Only scan before deployment" | Early detection in development prevents costly late-stage fixes | | "Ignore platform-specific queries" | Platform-specific checks catch cloud provider misconfigurations |

References

• Repository: https://github.com/Checkmarx/kics
• Documentation: https://docs.kics.io/
• Query Library: https://docs.kics.io/latest/queries/
• GitHub Action: https://github.com/checkmarx/kics-github-action
• SARIF Documentation: https://github.com/Checkmarx/kics/blob/master/docs/results.md
• CIS Benchmarks: https://www.cisecurity.org/cis-benchmarks