KICS
Find security vulnerabilities, compliance issues, and infrastructure misconfigurations early in the development cycle of your infrastructure-as-code with KICS by Checkmarx.
| Category | DevSecOps & Pipeline Security |
|---|---|
| Community Stars | 2134 |
| Last Commit | 2 months ago |
| Last page update | 19 days ago |
| Pricing Details | Free and open-source |
| Target Audience | Developers, DevOps teams, and security professionals |
KICS (Keeping Infrastructure as Code Secure) identifies security vulnerabilities, compliance issues, and infrastructure misconfigurations early in the development cycle of infrastructure-as-code (IaC). This open-source tool integrates into CI/CD pipelines, making it a crucial component for cloud-native projects.
Technically, KICS employs a robust and extensible architecture built around fully customizable heuristic rules, known as queries. These queries can be easily edited, extended, and added, enabling quick support for new IaC solutions such as Terraform, Ansible, and CloudFormation. The tool can be run as a CLI or integrated into GitHub Actions, Codefresh, and other CI tools, so that automated scans run on each code commit or pull request.
Operationally, KICS requires minimal setup and can be configured to scan specific paths, exclude certain files or directories, and generate reports in various formats, including JSON and SARIF. This flexibility is crucial for integrating KICS into existing workflows without significant overhead. However, running KICS with extensive query sets or against large codebases can increase execution time, and enabling the performance profilers (CPU or MEM) may lengthen scan times further.
In terms of technical details, KICS supports multiple output formats and can be configured to ignore certain exit codes so that continuous integration pipelines are not disrupted by findings. For example, in GitHub Actions, KICS can be set up to scan specific directories, generate SARIF files, and upload those files for further analysis, all within a single workflow. Additionally, KICS allows for verbose scanning and logging at various levels, providing detailed insight into the scanning process and any issues detected.