# Checkmarx KICS (Keeping Infrastructure as Code Secure)
## When to Use KICS

**Ideal scenarios:**

- Infrastructure as Code (IaC) security scanning
- Cloud configuration analysis (AWS, Azure, GCP, Oracle)
- Kubernetes manifest security review
- Dockerfile security hardening
- Terraform/OpenTofu security assessment
- Ansible playbook security validation
- CI/CD pipeline IaC security gates
- Compliance checking (CIS, PCI-DSS, NIST, SOC2)

**Complements other tools:**

- Use alongside application security scanners (Semgrep, CodeQL)
- Combine with SARIF Issue Reporter for detailed findings
- Use with cloud posture management tools
## When NOT to Use

Do NOT use this skill for:

- Application source code vulnerability scanning (use Semgrep or CodeQL)
- Secrets detection (use Gitleaks)
- Dependency vulnerability scanning (use OSV-Scanner or Depscan)
- Runtime cloud posture assessment (use CSPM tools)
- Binary or compiled code analysis
## Installation

```bash
# Binary download (Linux)
wget https://github.com/Checkmarx/kics/releases/latest/download/kics_linux_amd64.tar.gz
tar -xzf kics_linux_amd64.tar.gz
sudo mv kics /usr/local/bin/
# The tarball also ships the assets/ directory with the built-in queries.
# KICS looks for them at ./assets/queries by default, so keep that directory
# where you run scans or point --queries-path at it.

# Binary download (macOS)
wget https://github.com/Checkmarx/kics/releases/latest/download/kics_darwin_amd64.tar.gz
tar -xzf kics_darwin_amd64.tar.gz
sudo mv kics /usr/local/bin/

# Homebrew
brew install kics

# Docker
docker pull checkmarx/kics:latest

# Verify
kics version
```
## Core Workflow

### 1. Quick Scan

```bash
# Scan current directory
kics scan -p .

# Scan specific path
kics scan -p /path/to/iac

# Suppress console output (results still go to the report files)
kics scan -p . --silent

# No color output (for CI)
kics scan -p . --no-color
```
### 2. SARIF Output

```bash
# Generate SARIF report. --output-path is a directory; the report file is
# named results.sarif unless --output-name is given.
kics scan -p /path/to/iac \
  --report-formats sarif \
  --output-path ./reports

# Multiple formats (JSON + SARIF) written to the current directory
kics scan -p /path/to/iac \
  --report-formats json,sarif \
  --output-path .

# Named output (writes ./kics-results.sarif)
kics scan -p /path/to/iac \
  --report-formats sarif \
  --output-name kics-results

# All formats
kics scan -p /path/to/iac \
  --report-formats all \
  --output-path ./reports
```
### 3. Platform-Specific Scans

```bash
# AWS CloudFormation
kics scan -p ./cloudformation --type CloudFormation

# Terraform
kics scan -p ./terraform --type Terraform

# Kubernetes manifests
kics scan -p ./k8s --type Kubernetes

# Dockerfile
kics scan -p ./docker --type Dockerfile

# Ansible
kics scan -p ./ansible --type Ansible

# Azure Resource Manager
kics scan -p ./arm --type AzureResourceManager

# Google Deployment Manager
kics scan -p ./gdm --type GoogleDeploymentManager

# Helm charts
kics scan -p ./charts --type Helm
```
### 4. Severity Filtering

```bash
# Report only high and critical, and return a non-zero exit code if any are found.
# --fail-on only sets the exit code; --exclude-severities is what drops lower
# severities from the report.
kics scan -p . --minimal-ui --exclude-severities info,low,medium --fail-on high,critical

# Exclude info findings
kics scan -p . --exclude-severities info

# Gate on high/critical and write a SARIF report (to ./results/results.sarif)
kics scan -p . \
  --fail-on high,critical \
  --report-formats sarif \
  --output-path ./results
```
## Configuration

### Config File

Create `.kics.yml` or `kics.config`:

```yaml
# Paths to scan
path: ./infrastructure

# Query selection
exclude-queries:
  - 487f4be7-3fd9-4506-a07a-96c39d0b30ad  # specific query ID

# Severity settings
fail-on:
  - high
  - critical

# Output settings
output-path: ./kics-results
report-formats:
  - sarif
  - json
  - html

# Exclude paths
exclude-paths:
  - "./tests/**"
  - "./examples/**"
  - "**/.terraform/**"

# Exclude results by similarity ID
exclude-results:
  - abc123def456  # placeholder; use the similarity_id values from a previous report

# Platform filters
type:
  - Terraform
  - Kubernetes
  - Dockerfile

# CI mode
ci: true
no-color: true
minimal-ui: true
```

Use config:

```bash
kics scan --config .kics.yml
```
### Inline Suppressions

A `kics-scan ignore-line` comment suppresses the line directly below it (or the line it sits on); `kics-scan ignore-block` goes on the line before the block it suppresses. Record why a finding is suppressed next to the marker so the exception survives review.

```hcl
# Terraform - suppress a specific finding
resource "aws_s3_bucket" "example" {
  bucket = "my-bucket"
  # kics-scan ignore-line
  acl    = "public-read" # Suppressed by the comment above
}

# Suppress entire block
# kics-scan ignore-block
resource "aws_security_group" "example" {
  ingress {
    from_port   = 0
    to_port     = 0
    protocol    = "-1"
    cidr_blocks = ["0.0.0.0/0"]
  }
}
```

```yaml
# Kubernetes - suppress finding
apiVersion: v1
kind: Pod
metadata:
  name: example
spec:
  # kics-scan ignore-line
  hostNetwork: true # Suppressed
  containers:
    - name: app
      image: nginx:latest # kics-scan ignore-line
```
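Suppressions accumulate silently unless someone inventories them. The script below is an added example (not part of KICS or of this skill) that walks an IaC file, lists every `kics-scan` marker with its line and kind, and flags markers that carry no justification. It assumes the marker syntax shown above plus a team convention, assumed here and not a KICS feature, that a `reason: <text>` note follows each marker; the Terraform snippet is a constructed sample and the query ID in it is a placeholder.

```python
"""Inventory KICS inline suppressions and flag unjustified ones.

Added example, not KICS code. Assumes the `kics-scan` marker forms
(ignore-line, ignore-block, ignore, disable=<id>, enable=<id>) and an
assumed team convention that a marker is followed by `reason: <text>`.
"""
import re
from dataclasses import dataclass
from typing import List, Optional

# Marker followed by everything after it on the line (where a reason may sit)
MARKER_RE = re.compile(
    r"#\s*kics-scan\s+(?P<kind>ignore-line|ignore-block|ignore|disable=\S+|enable=\S+)(?P<tail>.*)$"
)
# Assumed convention for justifications; not something KICS parses
REASON_RE = re.compile(r"reason:\s*(?P<reason>\S.*)", re.IGNORECASE)


@dataclass
class Suppression:
    file: str
    line: int
    kind: str
    reason: Optional[str]


def audit_suppressions(text: str, filename: str) -> List[Suppression]:
    """Return one record per kics-scan marker found in `text`."""
    found = []
    for lineno, raw in enumerate(text.splitlines(), start=1):
        m = MARKER_RE.search(raw)
        if not m:
            continue
        r = REASON_RE.search(m.group("tail"))
        reason = r.group("reason").strip() if r else None
        found.append(Suppression(filename, lineno, m.group("kind"), reason))
    return found


def unjustified(supps: List[Suppression]) -> List[Suppression]:
    """Markers with no reason attached; these are the ones to chase in review."""
    return [s for s in supps if not s.reason]


# Constructed sample file; the UUID is a placeholder, not a real KICS query ID
SAMPLE_TF = """\
# kics-scan disable=00000000-0000-0000-0000-000000000000 reason: duplicates an org policy enforced elsewhere
resource "aws_s3_bucket" "site" {
  bucket = "example-static-site"
  # kics-scan ignore-line reason: public static site, approved in TICKET-123
  acl    = "public-read"
}

# kics-scan ignore-block
resource "aws_security_group" "example" {
  ingress {
    cidr_blocks = ["0.0.0.0/0"]
  }
}
"""

if __name__ == "__main__":
    for s in audit_suppressions(SAMPLE_TF, "main.tf"):
        status = f"reason: {s.reason}" if s.reason else "NO JUSTIFICATION"
        print(f"{s.file}:{s.line} {s.kind} -> {status}")
```

Run it over the repository's `.tf` and `.yaml` files in CI and fail the job when `unjustified()` returns anything, and the suppression list becomes a reviewed artifact rather than a blind spot.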
## CI/CD Integration (GitHub Actions)

```yaml
name: KICS IaC Scan

on:
  push:
    branches: [main]
    paths:
      - '**.tf'
      - '**.yaml'
      - '**.yml'
      - 'Dockerfile*'
  pull_request:
    paths:
      - '**.tf'
      - '**.yaml'
      - '**.yml'
      - 'Dockerfile*'

permissions:
  contents: read
  security-events: write  # required by upload-sarif
  pull-requests: write    # required for PR comments

jobs:
  kics:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4

      - name: Run KICS
        uses: checkmarx/kics-github-action@v2.1.1
        with:
          path: .
          output_path: kics-results
          output_formats: 'sarif,json,html'
          fail_on: high,critical
          enable_comments: true # PR comments
          token: ${{ secrets.GITHUB_TOKEN }}
          exclude_paths: 'tests/**,examples/**'

      - name: Upload SARIF
        if: always()  # still upload when fail_on made the scan step fail
        uses: github/codeql-action/upload-sarif@v3
        with:
          sarif_file: kics-results/results.sarif
          category: kics

      - name: Upload Results
        if: always()
        uses: actions/upload-artifact@v4
        with:
          name: kics-results
          path: kics-results/
```
## Common Use Cases

### 1. Terraform Security Audit

```bash
# Comprehensive Terraform scan
kics scan -p ./terraform \
  --type Terraform \
  --report-formats sarif,html \
  --output-path ./security-audit \
  --fail-on high,critical

# Review HTML report
open ./security-audit/results.html

# Process SARIF with other tools
sarif summary ./security-audit/results.sarif
```

### 2. Kubernetes Hardening

```bash
# Scan all K8s manifests
kics scan -p ./k8s \
  --type Kubernetes \
  --report-formats sarif \
  --output-name k8s-security

# Focus on critical issues
kics scan -p ./k8s \
  --type Kubernetes \
  --fail-on high,critical \
  --exclude-severities low,medium,info
```

### 3. Multi-Cloud Infrastructure

```bash
# Scan mixed IaC
kics scan -p ./infrastructure \
  --type Terraform,CloudFormation,AzureResourceManager \
  --report-formats sarif,json \
  --output-path ./reports
```

### 4. Dockerfile Security

```bash
# Scan all Dockerfiles
kics scan -p . \
  --type Dockerfile \
  --report-formats sarif \
  --output-name dockerfile-scan

# Include docker-compose
kics scan -p . \
  --type Dockerfile,DockerCompose \
  --report-formats sarif
```
## Understanding Output

### SARIF Structure

KICS writes SARIF v2.1.0; each report includes:

- Rules: each query/check (1500+ built-in queries)
- Results: the specific IaC misconfigurations found
- Properties:
  - Severity: HIGH, MEDIUM, LOW, INFO
  - Category: Security, Best Practices, etc.
  - Platform: Terraform, K8s, Dockerfile, etc.
  - CWE mapping
  - Remediation guidance

### Result Categories

| Category | Examples |
|---|---|
| Access Control | Overly permissive IAM, public resources |
| Encryption | Unencrypted storage, weak TLS |
| Networking | Open security groups, exposed ports |
| Secret Management | Hardcoded credentials, exposed secrets |
| Resource Configuration | Missing logging, backup disabled |
| Best Practices | Missing tags, resource limits |
| Insecure Defaults | Default passwords, debug mode |
## Advanced Features

### Custom Queries

KICS loads each query from its own directory containing a `query.rego` and a `metadata.json`. Create one under `custom-queries/`:

```rego
# custom-queries/terraform/aws/require_tags/query.rego
package Cx

# Flag every aws_instance that defines no tags
CxPolicy[result] {
	resource := input.document[i].resource.aws_instance[name]
	not resource.tags

	result := {
		"documentId": input.document[i].id,
		"searchKey": sprintf("aws_instance[%s]", [name]),
		"issueType": "MissingAttribute",
		"keyExpectedValue": "Tags should be defined",
		"keyActualValue": "Tags are not defined"
	}
}
```

```json
{
  "id": "<uuid from `kics generate-id`>",
  "queryName": "Instance Without Tags",
  "severity": "LOW",
  "category": "Best Practices",
  "descriptionText": "aws_instance resources should define tags",
  "descriptionUrl": "https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/instance",
  "platform": "Terraform",
  "cloudProvider": "aws"
}
```

Use custom queries:

```bash
kics scan -p ./terraform \
  --queries-path ./custom-queries \
  --report-formats sarif
```

`--queries-path` replaces the default query set rather than extending it; it accepts a comma-separated list, so pass the built-in `assets/queries` directory alongside `./custom-queries` to keep the standard checks.
### Query Information

```bash
# List supported platforms
kics list-platforms

# Show query details
kics show-query <query-id>

# Generate queries documentation
kics generate-documentation
```
### Results Management

```bash
# Generate baseline. --output-path is a directory and --output-name names the file;
# --ignore-on-exit results keeps the baseline run from failing the shell on findings.
kics scan -p . --report-formats json \
  --output-path ./baseline --output-name baseline \
  --ignore-on-exit results

# Compare against baseline: exclude every similarity ID already recorded.
# KICS JSON lists findings under queries[].files[], and --exclude-results
# takes a comma-separated list.
kics scan -p . --exclude-results \
  "$(jq -r '.queries[].files[].similarity_id' ./baseline/baseline.json | paste -sd, -)"
```
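The severity-filtering and baseline steps above both reduce to reading the KICS JSON report, so the following added example (not KICS code, and not part of this skill) does both in one place: it flattens `queries[].files[]` into findings, counts them by severity, reproduces the `--fail-on` decision, diffs a current report against a baseline by `similarity_id`, and emits the value to hand to `--exclude-results`. It assumes the JSON report layout named in the docstring; the two reports are constructed samples with placeholder query IDs and similarity IDs (real similarity IDs are hashes).

```python
"""Post-process KICS JSON reports: severity counts, a --fail-on style gate,
and a baseline diff keyed on similarity_id.

Added example, not KICS code. Assumes the KICS JSON layout: a top-level
"queries" list whose entries carry "query_id", "query_name", "severity" and
a "files" list with "file_name", "line" and "similarity_id".
"""
import json
from collections import Counter
from typing import Dict, Iterable, List, Tuple

SEVERITIES = ["CRITICAL", "HIGH", "MEDIUM", "LOW", "INFO", "TRACE"]


def flatten(report: dict) -> List[dict]:
    """One record per (query, file) pair, i.e. per individual finding."""
    out = []
    for q in report.get("queries", []):
        for f in q.get("files", []):
            out.append({
                "similarity_id": f["similarity_id"],
                "severity": str(q["severity"]).upper(),
                "query_id": q["query_id"],
                "query_name": q["query_name"],
                "file_name": f["file_name"],
                "line": f["line"],
            })
    return out


def severity_counts(report: dict) -> Dict[str, int]:
    """Findings per severity, highest first, zero-count levels omitted."""
    counts = Counter(f["severity"] for f in flatten(report))
    return {s: counts[s] for s in SEVERITIES if counts[s]}


def should_fail(report: dict, fail_on: Iterable[str]) -> bool:
    """Mirror `kics scan --fail-on`: True if any finding is at a listed severity."""
    wanted = {s.upper() for s in fail_on}
    return any(f["severity"] in wanted for f in flatten(report))


def diff_against_baseline(current: dict, baseline: dict) -> Tuple[List[dict], List[str]]:
    """New findings (in current, not in baseline) and resolved baseline IDs."""
    base_ids = {f["similarity_id"] for f in flatten(baseline)}
    cur = flatten(current)
    cur_ids = {f["similarity_id"] for f in cur}
    new = [f for f in cur if f["similarity_id"] not in base_ids]
    return new, sorted(base_ids - cur_ids)


def exclude_results_value(baseline: dict) -> str:
    """Comma-separated list for `kics scan --exclude-results`."""
    return ",".join(sorted({f["similarity_id"] for f in flatten(baseline)}))


# Constructed sample reports; query IDs and similarity IDs are placeholders
BASELINE = json.loads("""{
  "queries": [
    {"query_id": "00000000-0000-0000-0000-000000000001", "query_name": "Sample: public bucket ACL",
     "severity": "HIGH", "files": [{"file_name": "s3.tf", "line": 5, "similarity_id": "sim-a1"}]},
    {"query_id": "00000000-0000-0000-0000-000000000002", "query_name": "Sample: resource not tagged",
     "severity": "LOW", "files": [{"file_name": "ec2.tf", "line": 2, "similarity_id": "sim-b2"}]}
  ]
}""")

CURRENT = json.loads("""{
  "queries": [
    {"query_id": "00000000-0000-0000-0000-000000000001", "query_name": "Sample: public bucket ACL",
     "severity": "HIGH", "files": [{"file_name": "s3.tf", "line": 5, "similarity_id": "sim-a1"}]},
    {"query_id": "00000000-0000-0000-0000-000000000003", "query_name": "Sample: security group open to world",
     "severity": "CRITICAL", "files": [{"file_name": "sg.tf", "line": 9, "similarity_id": "sim-c3"}]}
  ]
}""")

if __name__ == "__main__":
    new, resolved = diff_against_baseline(CURRENT, BASELINE)
    print("severity counts:", severity_counts(CURRENT))
    print("new findings:", [(f["file_name"], f["line"], f["query_name"]) for f in new])
    print("resolved:", resolved)
    print("fail on high/critical:", should_fail(CURRENT, ["high", "critical"]))
    print("--exclude-results", exclude_results_value(BASELINE))
```

Because the diff is keyed on `similarity_id`, a finding keeps its identity across reformatting and line shifts, which is why the baseline approach is more stable than comparing file and line numbers; the `resolved` list is the audit trail showing which baseline items actually went away rather than being suppressed.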
## Compliance Frameworks

KICS maps findings to:

- CIS Benchmarks: AWS, Azure, GCP, Kubernetes
- PCI-DSS: Payment card industry standards
- HIPAA: Healthcare compliance
- GDPR: Data protection requirements
- SOC 2: Security controls
- NIST: Cybersecurity framework

```bash
# Restrict a scan to selected checks. --include-queries takes query IDs
# (comma-separated), not name patterns; take the IDs from the query library.
kics scan -p . --include-queries <query-id>,<query-id> --report-formats sarif
```
## Performance Optimization

```bash
# Parallel scanning (default: number of CPUs)
kics scan -p . --parallel 8

# Limit file size
kics scan -p . --file-size-limit 1000 # KB

# Exclude large directories
kics scan -p . --exclude-paths "**/node_modules/**,**/.terraform/**"

# Minimal UI for speed
kics scan -p . --minimal-ui --silent --no-progress
```
## Limitations

- Runtime issues: can't detect runtime misconfigurations
- Custom modules: limited visibility into external Terraform modules
- Context awareness: may flag acceptable exceptions
- False positives: generic rules may not fit all use cases
- Remediation: provides guidance but doesn't auto-fix

## Rationalizations to Reject

| Shortcut | Why It's Wrong |
|---|---|
| "KICS found nothing = IaC is secure" | KICS has 1500+ queries but can't cover every misconfiguration |
| "Suppress all LOW/MEDIUM findings" | Lower severity findings can combine to create critical risks |
| "Skip IaC scanning in CI" | IaC defines infrastructure; security issues here affect the entire environment |
| "Only scan before deployment" | Early detection in development prevents costly late-stage fixes |
| "Ignore platform-specific queries" | Platform-specific checks catch cloud provider misconfigurations |
## References

- Repository: https://github.com/Checkmarx/kics
- Documentation: https://docs.kics.io/
- Query Library: https://docs.kics.io/latest/queries/
- GitHub Action: https://github.com/checkmarx/kics-github-action
- SARIF Documentation: https://github.com/Checkmarx/kics/blob/master/docs/results.md
- CIS Benchmarks: https://www.cisecurity.org/cis-benchmarks
Skill source: igbuend/grimbard (GitHub). First seen: Feb 19, 2026.