KICS (Keeping Infrastructure as Code Secure) is an open-source IaC security scanner developed by Checkmarx. With 2.6k GitHub stars, 141 contributors, and support for 20+ IaC platforms, it brings enterprise security expertise to an open-source tool. Notable users include GitLab, Cisco, and Orca Security.
It finds security vulnerabilities, compliance issues, and infrastructure misconfigurations.
## What is KICS?
KICS is a static analysis tool that scans Infrastructure as Code files for security issues.
Developed by Checkmarx, it brings enterprise security expertise to an open-source tool.
The name stands for "Keeping Infrastructure as Code Secure", reflecting its focus on catching misconfigurations before they are deployed.
## Key Features
### Multi-Platform Support
KICS scans multiple IaC platforms:
- Terraform - HCL and JSON
- CloudFormation - AWS templates
- Kubernetes - Manifests, Helm
- Docker - Dockerfiles
- Ansible - Playbooks
- OpenAPI/Swagger - API definitions (2.0 and 3.0)
- ARM Templates - Azure
- Azure Blueprints - Azure governance
- Google Deployment Manager - GCP
- AWS SAM - Serverless applications
- Pulumi - Multi-cloud IaC
- Crossplane - Kubernetes-native cloud infrastructure
- Knative - Serverless workloads
- Serverless Framework - FaaS deployments
### 2400+ Security Queries
Pre-built queries for:
- Cloud security best practices
- CIS Benchmarks
- NIST compliance
- SOC 2 requirements
- GDPR technical controls
### Extensible Query System
Write custom queries in Rego. Each rule in `CxPolicy` walks the parsed documents in `input.document` and emits one `result` object per violation:
```rego
package Cx

CxPolicy[result] {
	# bind every aws_s3_bucket in every scanned document
	resource := input.document[i].resource.aws_s3_bucket[name]
	# fires both when the versioning block is missing and when enabled = false
	not resource.versioning.enabled

	result := {
		"documentId": input.document[i].id,
		"resourceType": "aws_s3_bucket",
		"resourceName": name,
		"searchKey": sprintf("aws_s3_bucket[%s]", [name]),
		"issueType": "MissingAttribute",
		"keyExpectedValue": "versioning should be enabled",
		"keyActualValue": "versioning is not enabled",
	}
}
```
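To make the query's iteration concrete, here is an added Python example (not KICS code and not from the KICS project) that evaluates the same rule over a constructed stand-in for `input.document`. The document shape it assumes (an `id`, a `file` name and the parsed `resource` tree) is how KICS hands parsed Terraform to Rego as understood here; the two Terraform files and their buckets are made up for the example. It shows why `i` and `name` in the Rego rule range over every (document, bucket) pair and why a missing `versioning` block and `enabled = false` both produce a result.

```python
"""Added example (not KICS code): evaluate the S3 versioning query in Python.

The shape of ``input.document`` below is an assumption about how KICS exposes
parsed Terraform to Rego; the files and buckets are constructed sample data.
"""
from typing import Any

# Constructed stand-in for ``input.document``: two Terraform files, three buckets.
INPUT_DOCUMENT: list[dict[str, Any]] = [
    {
        "id": "doc-1",  # hypothetical document id
        "file": "main.tf",
        "resource": {
            "aws_s3_bucket": {
                "logs": {"bucket": "logs", "versioning": {"enabled": True}},
                "assets": {"bucket": "assets", "versioning": {"enabled": False}},
            }
        },
    },
    {
        "id": "doc-2",
        "file": "backup.tf",
        "resource": {
            "aws_s3_bucket": {
                "backup": {"bucket": "backup"},  # no versioning block at all
            }
        },
    },
]


def versioning_enabled(resource: dict[str, Any]) -> bool:
    """Mirror Rego's ``resource.versioning.enabled``: an undefined path and an
    explicit false both make ``not resource.versioning.enabled`` succeed."""
    versioning = resource.get("versioning")
    return isinstance(versioning, dict) and versioning.get("enabled") is True


def cx_policy(documents: list[dict[str, Any]]) -> list[dict[str, str]]:
    """Return one result per bucket without versioning, like ``CxPolicy[result]``.

    Rego binds ``i`` and ``name`` by unification, so the rule body is tried for
    every (document, bucket) pair; the nested loops reproduce that search.
    """
    results = []
    for doc in documents:
        buckets = doc.get("resource", {}).get("aws_s3_bucket", {})
        for name, resource in buckets.items():
            if versioning_enabled(resource):
                continue  # rule body fails for this pair: no result
            results.append({
                "documentId": doc["id"],
                "resourceType": "aws_s3_bucket",
                "resourceName": name,
                "searchKey": f"aws_s3_bucket[{name}]",
                "issueType": "MissingAttribute",
                "keyExpectedValue": "versioning should be enabled",
                "keyActualValue": "versioning is not enabled",
            })
    return results


if __name__ == "__main__":
    for r in cx_policy(INPUT_DOCUMENT):
        print(f'{r["documentId"]}: {r["searchKey"]} -> {r["keyActualValue"]}')
```

Running it reports `assets` (versioning disabled) and `backup` (no versioning block) and stays silent on `logs`, exactly the three outcomes the Rego rule distinguishes.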
## Installation
### Docker (Recommended)
```bash
docker run -t -v $(pwd):/path checkmarx/kics:latest scan -p /path
```
### Binary
```bash
# Download latest release
curl -sfL 'https://raw.githubusercontent.com/Checkmarx/kics/master/install.sh' | bash
# Scan
./kics scan -p .
```
### Homebrew
```bash
brew install kics
```
## Usage
### Basic Scan
```bash
# Scan directory
kics scan -p ./infrastructure
# Scan specific file types
kics scan -p . --type terraform,kubernetes
# Exclude paths
kics scan -p . --exclude-paths "tests/,examples/"
```
### Output Formats
`-o`/`--output-path` is the directory the report is written to, `--report-formats` selects the formats (several can be comma-separated) and `--output-name` sets the file name, which defaults to `results`:
```bash
# JSON output -> results/results.json
kics scan -p . -o results --report-formats json
# HTML report -> results/report.html
kics scan -p . -o results --report-formats html --output-name report
# SARIF (for GitHub code scanning) -> results/results.sarif
kics scan -p . -o results --report-formats sarif
```
## CI/CD Integration
### GitHub Actions
```yaml
- name: KICS Scan
  uses: checkmarx/kics-github-action@v1.7
  with:
    path: terraform/
    output_path: kics-results/
    output_formats: 'json,sarif'
    fail_on: high
```
### GitLab CI
The image's entrypoint is the `kics` binary itself, so it has to be cleared for GitLab's `script` to run; the report flags are what actually produce the `results.json` the artifact refers to:
```yaml
kics:
  stage: security
  image:
    name: checkmarx/kics:latest
    entrypoint: [""]
  script:
    # --ci limits console output to log messages
    - kics scan -p . --ci -o results --report-formats json
  artifacts:
    paths:
      - results/results.json
```
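Both pipelines above end with a JSON report; what a team usually wants next is a gate with the same semantics as the action's `fail_on` (fail when any finding at or above a severity exists) that also works in CI systems without a KICS action. The following is an added example, not KICS's own code: it reads a report, flattens `queries[].files[]` into findings, applies the threshold and returns KICS's documented exit code for the worst blocking finding. The report layout (top-level `severity_counters` and `queries`, each query carrying `severity` and a `files` list with `file_name` and `line`) is how the author of this example reads KICS's JSON output and should be checked against a real report; the report below and its query ids are constructed. Unknown severity names are deliberately ranked above `HIGH` so a level introduced by a newer KICS release fails the gate instead of slipping through.

```python
"""Added example, not KICS's own code: gate a pipeline step on a KICS JSON report.

Report layout is an assumption about KICS's JSON output; the sample report,
file names and query ids are constructed.
"""
import json

# Lowest to highest.  Anything not listed (e.g. a level added by a newer KICS)
# is ranked above HIGH, so the gate fails closed rather than ignoring it.
SEVERITY_ORDER = ["INFO", "LOW", "MEDIUM", "HIGH"]
# KICS's own exit codes for "highest severity found" (0 when nothing is found).
EXIT_CODES = {"INFO": 20, "LOW": 30, "MEDIUM": 40, "HIGH": 50}

# Constructed sample in the shape of a KICS JSON report (abridged).
SAMPLE_REPORT = json.dumps({
    "files_scanned": 2,
    "total_counter": 3,
    "severity_counters": {"HIGH": 1, "MEDIUM": 1, "LOW": 1, "INFO": 0},
    "queries": [
        {"query_name": "Security Group Ingress Open To The World",
         "query_id": "00000000-0000-0000-0000-000000000001",  # placeholder id
         "severity": "HIGH", "category": "Networking and Firewall",
         "files": [{"file_name": "network.tf", "line": 8,
                    "issue_type": "IncorrectValue",
                    "expected_value": "ingress cidr_blocks should be restricted",
                    "actual_value": "ingress cidr_blocks is 0.0.0.0/0"}]},
        {"query_name": "S3 Bucket Without Versioning",
         "query_id": "00000000-0000-0000-0000-000000000002",  # placeholder id
         "severity": "MEDIUM", "category": "Backup",
         "files": [{"file_name": "main.tf", "line": 12,
                    "issue_type": "MissingAttribute",
                    "expected_value": "versioning should be enabled",
                    "actual_value": "versioning is not enabled"}]},
        {"query_name": "Resource Not Using Tags",
         "query_id": "00000000-0000-0000-0000-000000000003",  # placeholder id
         "severity": "LOW", "category": "Best Practices",
         "files": [{"file_name": "main.tf", "line": 3,
                    "issue_type": "MissingAttribute",
                    "expected_value": "tags should be defined",
                    "actual_value": "tags are not defined"}]},
    ],
})


def rank(severity: str) -> int:
    """Position in SEVERITY_ORDER; unknown levels rank above HIGH (fail closed)."""
    sev = severity.upper()
    return SEVERITY_ORDER.index(sev) if sev in SEVERITY_ORDER else len(SEVERITY_ORDER)


def findings_at_or_above(report: dict, threshold: str) -> list[dict]:
    """Flatten queries[].files[] into findings whose severity meets the threshold."""
    floor = rank(threshold)
    out = []
    for q in report.get("queries", []):
        if rank(q["severity"]) < floor:
            continue
        for f in q.get("files", []):
            out.append({"severity": q["severity"].upper(), "query": q["query_name"],
                        "file": f["file_name"], "line": f["line"]})
    return out


def gate(report_json: str, fail_on: str = "high") -> tuple[int, list[dict]]:
    """Mimic the action's ``fail_on``: return (exit_code, blocking_findings).

    The exit code is KICS's code for the worst blocking finding, 0 if none block.
    """
    blocking = findings_at_or_above(json.loads(report_json), fail_on)
    if not blocking:
        return 0, []
    worst = max(blocking, key=lambda f: rank(f["severity"]))
    return EXIT_CODES.get(worst["severity"], EXIT_CODES["HIGH"]), blocking


if __name__ == "__main__":
    code, blocking = gate(SAMPLE_REPORT, "medium")
    for f in blocking:
        print(f'{f["severity"]:<6} {f["file"]}:{f["line"]}  {f["query"]}')
    raise SystemExit(code)
```

Run as a script it prints the HIGH and MEDIUM findings and exits with 50, which is what a `script:` step needs to fail the job; with `fail_on` set to `high` the same report still exits 50 but only the security-group finding blocks, and a report with no queries exits 0.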
## Query Categories
KICS organizes queries by category:
| Category | Description |
|---|---|
| Access Control | IAM, permissions, authentication |
| Availability | High availability, redundancy |
| Best Practices | General security hygiene |
| Encryption | Data encryption, key management |
| Insecure Configurations | Security misconfigurations |
| Networking | Network security, firewalls |
| Observability | Logging, monitoring |
## Suppressing Findings
Inline suppression: `# kics-scan ignore-block` skips the block that follows it and `# kics-scan ignore-line` the next line; a bare `# kics-scan ignore` skips the whole file, so use it only when that is the intent:
```hcl
# kics-scan ignore-block
resource "aws_s3_bucket" "example" {
  bucket = "my-bucket"
}
```
Configuration file, passed with `--config`; its keys mirror the CLI flags:
```yaml
# kics.config
exclude-queries:
  - a227ec01-f97a-4084-91a4-47b350c1db54
exclude-paths:
  - "tests/"
```
## Comparison with Checkov
| Feature | KICS | Checkov |
|---|---|---|
| Query Language | Rego | Python/YAML |
| Maintained by | Checkmarx | Prisma Cloud |
| Focus | Enterprise security | Cloud security |
| License | Apache 2.0 | Apache 2.0 |
## When to Use KICS
KICS is ideal for:
- Organizations familiar with Checkmarx
- Teams preferring Rego for custom queries
- Multi-cloud infrastructure environments
- API security scanning (OpenAPI)
