
KICS

Secure your infrastructure-as-code before deployment with KICS

Detect security flaws, compliance gaps, and misconfigurations across Terraform, Kubernetes, CloudFormation, and many other IaC frameworks early in the development cycle.


Overview

KICS (Keeping Infrastructure as Code Secure) is a static analysis engine that helps developers, DevOps, and security teams find vulnerabilities, compliance issues, and misconfigurations in infrastructure‑as‑code files before they are applied.

Capabilities

It supports a broad range of IaC platforms, including Terraform, Kubernetes manifests, Dockerfiles, CloudFormation, Ansible, Helm, OpenAPI, gRPC, Azure Resource Manager, CDK, Pulumi, Serverless Framework, and more, using built‑in rule sets aligned with industry standards. Scans run from the command line or via a Docker image, producing reports in several formats (JSON, SARIF, HTML, JUnit, and others) and exit codes that encode the highest severity found (50 for HIGH, 40 for MEDIUM, 30 for LOW, 20 for INFO), so CI/CD pipelines can gate on them directly.

Deployment

KICS can be executed locally, integrated into any CI system (GitHub Actions, GitLab CI, Jenkins, etc.), or used as part of automated compliance workflows. Being open source, it benefits from community contributions and can be extended with custom queries written in Rego (the Open Policy Agent language) to enforce organization‑specific policies.

Highlights

Broad IaC language support including Terraform, CloudFormation, Kubernetes, Helm, Pulumi, and more
Built‑in compliance and security rule sets covering industry standards
Fast static analysis with findings ranked by severity (CRITICAL, HIGH, MEDIUM, LOW, INFO)
Seamless CI/CD integration via CLI and Docker image

Pros

  • Early detection reduces remediation cost
  • Extensive platform coverage for multi‑cloud environments
  • Open‑source community contributions keep rules up‑to‑date
  • Easy to embed in existing development and CI workflows

Considerations

  • Rule sets need periodic updates to stay current with new services
  • May generate false positives on highly customized modules
  • Primarily a CLI tool; no native graphical UI
  • Learning curve for creating custom policy queries

Managed products teams compare with

When teams consider KICS, these hosted platforms usually appear on the same shortlist. Note that all three are dynamic (DAST) scanners that test running web applications and hosts; none of them analyzes infrastructure‑as‑code files, so they complement an IaC scanner rather than replace it.


Acunetix

Web vulnerability scanner for automated security testing of websites and web apps


AppCheck

Automated web application and infrastructure vulnerability scanning platform


Burp Suite

Web application security testing platform

Looking for a hosted option? These are the services engineering teams benchmark against before choosing open source.

Fit guide

Great for

  • DevOps teams treating IaC as code
  • Security engineers needing automated compliance checks
  • Organizations adopting multiple cloud IaC tools
  • Projects with CI/CD pipelines that can run CLI utilities

Not ideal when

  • Small scripts without a defined IaC framework
  • Teams without automated build or deployment pipelines
  • Environments requiring real‑time runtime monitoring
  • Users looking for a full graphical dashboard solution

How teams use it

Pre‑commit security scanning

Developers catch misconfigurations before code is pushed, preventing vulnerable infrastructure from entering version control.

CI/CD compliance enforcement

Build pipelines automatically fail when KICS detects violations mapped to PCI DSS or CIS benchmarks.

Multi‑cloud audit

Security teams generate unified reports across Terraform, CloudFormation, and Azure ARM templates.

Policy as code validation

Custom security policies are tested against IaC files to ensure internal standards are met.

Tech snapshot

Open Policy Agent (Rego): 41%
HCL: 29%
Go: 23%
Bicep: 3%
HTML: 3%
Dockerfile: 1%

Tags

open-policy-agent, vulnerability-detection, hacktoberfest, iac, cloudnative, security-tools, infrastructure-as-code, vulnerability-scanners, golang, security, appsec, devsecops

Frequently asked questions

What file types does KICS analyze?

KICS supports Terraform, Kubernetes manifests, Dockerfiles, CloudFormation, Ansible, Helm charts, OpenAPI, gRPC, Azure Resource Manager, CDK, Pulumi, Serverless Framework, and several other IaC formats.

How can KICS be integrated into CI pipelines?

KICS provides a CLI and a Docker image that can be invoked in any CI system (GitHub Actions, GitLab CI, Jenkins, etc.) to scan IaC files. The exit code reflects the highest severity found (50 HIGH, 40 MEDIUM, 30 LOW, 20 INFO), and the threshold is tunable: `--fail-on` limits which severities produce a non‑zero exit, and `--ignore-on-exit` suppresses it entirely for results, errors, or both, so a pipeline can report without blocking while a new rule set is being tuned.
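The gating step described in the answer above, and the pipeline‑failure and multi‑cloud audit use cases under "How teams use it", in working form. This is an added example, not code from KICS or from this page: it reads the JSON report KICS writes with `-o <dir> --report-formats json`, drops findings listed in a reviewed baseline keyed by `similarity_id` (the same IDs KICS accepts on `--exclude-results`), prints a per‑platform severity summary, and returns a non‑zero status if anything at or above a chosen severity remains. The report, baseline entries and query names are constructed for the example; field names follow the KICS JSON report layout but should be checked against the version in use.

```python
"""Gate a CI job on a KICS JSON report (added example, not part of KICS)."""
import json
import sys
from collections import defaultdict

# KICS severities, most to least severe.
SEVERITY_ORDER = ["CRITICAL", "HIGH", "MEDIUM", "LOW", "INFO", "TRACE"]
RANK = {sev: i for i, sev in enumerate(SEVERITY_ORDER)}

# Constructed sample shaped like a KICS results.json, trimmed to the keys used here.
# Query names, IDs, paths and similarity IDs are placeholders, not real KICS output.
SAMPLE_REPORT = json.dumps({
    "kics_version": "v1.7.x",
    "files_scanned": 3,
    "severity_counters": {"CRITICAL": 0, "HIGH": 1, "MEDIUM": 1, "LOW": 1, "INFO": 0, "TRACE": 0},
    "total_counter": 3,
    "queries": [
        {"query_name": "Example: bucket grants public read", "query_id": "q-0001",
         "severity": "HIGH", "platform": "Terraform", "cloud_provider": "AWS",
         "files": [{"file_name": "tf/s3.tf", "similarity_id": "sim-0001", "line": 12}]},
        {"query_name": "Example: security group open to 0.0.0.0/0", "query_id": "q-0002",
         "severity": "MEDIUM", "platform": "CloudFormation", "cloud_provider": "AWS",
         "files": [{"file_name": "cfn/network.yaml", "similarity_id": "sim-0002", "line": 40}]},
        {"query_name": "Example: storage account without HTTPS only", "query_id": "q-0003",
         "severity": "LOW", "platform": "AzureResourceManager", "cloud_provider": "AZURE",
         "files": [{"file_name": "arm/storage.json", "similarity_id": "sim-0003", "line": 8}]},
    ],
})

# Constructed baseline: similarity_id -> why it is accepted. Re-review on a schedule.
SAMPLE_BASELINE = {
    "sim-0001": "accepted risk: bucket only serves public static assets (hypothetical ticket)",
}


def load_findings(report_text):
    """Flatten queries[].files[] into one dict per finding, with the query's severity attached."""
    report = json.loads(report_text)
    findings = []
    for query in report.get("queries", []):
        for hit in query.get("files", []):
            findings.append({
                "query_name": query.get("query_name"),
                "query_id": query.get("query_id"),
                "severity": str(query.get("severity", "")).upper(),
                "platform": query.get("platform"),
                "cloud_provider": query.get("cloud_provider"),
                "file_name": hit.get("file_name"),
                "line": hit.get("line"),
                "similarity_id": hit.get("similarity_id"),
            })
    # A truncated or partially written report must not pass silently.
    total = report.get("total_counter")
    if total is not None and total != len(findings):
        raise ValueError(f"total_counter={total} but {len(findings)} findings parsed")
    return findings


def apply_baseline(findings, baseline):
    """Split findings into (kept, suppressed) using the baseline's similarity IDs."""
    kept = [f for f in findings if f["similarity_id"] not in baseline]
    suppressed = [f for f in findings if f["similarity_id"] in baseline]
    return kept, suppressed


def summarize(findings):
    """Count findings per platform and severity, e.g. {'Terraform': {'HIGH': 1}}."""
    summary = defaultdict(lambda: defaultdict(int))
    for f in findings:
        summary[f["platform"]][f["severity"]] += 1
    return {platform: dict(counts) for platform, counts in summary.items()}


def gate(findings, fail_on="MEDIUM"):
    """True when nothing at or above fail_on remains. Unknown severities fail closed."""
    threshold = RANK[fail_on.upper()]
    return not any(RANK.get(f["severity"], 0) <= threshold for f in findings)


def main(report_text=SAMPLE_REPORT, baseline=SAMPLE_BASELINE, fail_on="MEDIUM"):
    """Print the summary and return the process exit status (0 pass, 1 fail)."""
    findings = load_findings(report_text)
    kept, suppressed = apply_baseline(findings, baseline)
    for platform, counts in sorted(summarize(kept).items()):
        cells = ", ".join(f"{s}={counts[s]}" for s in SEVERITY_ORDER if s in counts)
        print(f"{platform}: {cells}")
    for f in suppressed:
        print(f"suppressed {f['similarity_id']} [{f['severity']}] {f['query_name']}: {baseline[f['similarity_id']]}")
    passed = gate(kept, fail_on)
    print("PASS" if passed else f"FAIL: findings at or above {fail_on} remain")
    return 0 if passed else 1


if __name__ == "__main__":
    sys.exit(main())
```

To use it against a real scan, run KICS first, for example `docker run -v "$(pwd)":/path checkmarx/kics:latest scan -p /path/iac -o /path/out --report-formats json`, then pass the contents of `out/results.json` to `main()`. If all you need is to fail on severity, KICS's own exit codes and `--fail-on` suffice; the script earns its place when you want a reviewed, commented baseline and a cross‑platform summary produced in the same step.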

Is KICS free to use?

Yes, KICS is released under an open‑source license and can be used without cost.

Can I add custom security rules?

Yes. Queries are written in Rego, the Open Policy Agent policy language: each query is a directory holding a `metadata.json` (ID, name, severity, category, platform, description) and a `query.rego` that evaluates the parsed IaC document and emits results. Point the scanner at your own query directory with `-q`/`--queries-path` to extend or replace the default rule set.

Where can I find documentation and community support?

The official repository includes a docs folder, and the community discusses issues on GitHub and the Checkmarx forums.

Project at a glance

Status: Active
Stars: 2,559
Watchers: 2,559
Forks: 356
License: Apache-2.0
Repo age: 5 years old
Last commit: yesterday
Primary language: Open Policy Agent (Rego)

Last synced yesterday