kics: Find security vulnerabilities, compliance issues, and infrastructure misconfigurations
kics
KICS stands for Keeping Infrastructure as Code Secure, it is open source and is a must-have for any cloud-native project.
Find security vulnerabilities, compliance issues, and infrastructure misconfigurations early in the development cycle of your infrastructure-as-code with KICS by Checkmarx.
How it Works
What makes KICS really powerful and popular is its built-in extensibility. This extensibility is achieved by:
- Fully customizable and adjustable heuristics rules called queries. These can be easily edited, extended, and added.
- Robust but yet simple architecture, which allows quick addition of support for new Infrastructure as Code solutions.
KICS is 100% open source is written in Golang using Open Policy Agent (OPA).
Golang speed, simplicity, and reliability made it the perfect choice for writing KICS, while Rego as a query language, was a native choice to implement security queries.
So far have written 1000+ ready-to-use queries that cover a wide range of vulnerabilities checks for AWS, GCP, Azure and other cloud providers.
High-Level Architecture
KICS has a pluggable architecture with an extensible pipeline of parsing IaC languages, which allows easy integration of new IaC languages and queries.
At a high very level, KICS is composed of the following main components: a command-line interface, parser, queries execution engine, IaC providers, security queries, and results writer.
- Command Line Interface => Provides CLI input to KICS.
- Parser => responsible for parsing input IaC files (terraform and others)
- IaC Providers => Converts IaC language into normalized JSON
- Queries Execution Engine => applies REGO queries against normalized JSON
- Security Queries => pre-built REGO queries for each security and misconfiguration
- Writer => Writes results into JSON format
