
kics
Find security vulnerabilities, compliance issues, and infrastructure misconfigurations early in the development cycle of your infrastructure-as-code with KICS by Checkmarx.
The Lens
KICS finds security vulnerabilities and misconfigurations in infrastructure-as-code, in the same family as Checkov. The name stands for Keeping Infrastructure as Code Secure. It scans Terraform, Kubernetes, Docker, CloudFormation, Ansible, and more against a large library of queries. Open source, maintained by Checkmarx, free.
You run it as a binary or container in CI, and it flags each issue with a severity and a description of what to change. Queries are written in Rego (the Open Policy Agent policy language), so you can extend the ruleset with your own standards. It's stateless and fast, built to gate pull requests.
KICS is free and open source. Checkmarx sells a broader commercial application security platform, but KICS stands on its own. In practice the choice is usually Checkov versus KICS: both are strong, Checkov has the larger community and policy library, and the two support overlapping but not identical sets of platforms, so check that the formats in your repos are covered. Try both against your repos and keep whichever flags more of what you care about.
The catch: the same noise problem as any IaC scanner. The default ruleset is broad, and an existing codebase will surface plenty of findings you'll want to triage or suppress. The tool is easy; tuning it to your risk tolerance (which queries to exclude, which existing findings to accept, which severity fails the build) is the actual work.
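Gating a pull request on KICS output, as an added example that is not KICS's own code. KICS itself can fail a run on severity with `--fail-on` and drop queries with `--exclude-queries` (those flags are KICS's), but on an existing codebase you usually also want a baseline of findings you have already triaged, so the job fails only on new ones. The script below reads a KICS JSON report, keys each finding on its `similarity_id`, and fails when an un-baselined finding meets the severity threshold. The embedded sample report is constructed, and the field names follow the layout of KICS's results.json as I know it; confirm them against a report from your own KICS version before relying on this.

```python
"""Gate a CI job on a KICS JSON report against a baseline of accepted findings.

Added example, not KICS's own code. Field names are assumed to follow KICS's
results.json layout (top-level "queries" list whose entries carry "query_id",
"query_name", "severity" and a "files" list with "file_name", "line" and
"similarity_id"); check them against a real report before use.
"""
import json
import sys

# Severity order as KICS reports it; unknown values fail closed (see rank()).
SEVERITY_RANK = {"TRACE": 0, "INFO": 1, "LOW": 2, "MEDIUM": 3, "HIGH": 4, "CRITICAL": 5}

# Constructed sample report, trimmed to the fields used here (not real KICS output).
SAMPLE_REPORT = json.dumps({
    "queries": [
        {
            "query_id": "query-public-bucket",  # constructed id, not a real KICS query id
            "query_name": "S3 Bucket ACL Allows Public Access",
            "severity": "HIGH",
            "files": [
                {"file_name": "modules/storage/main.tf", "line": 12, "similarity_id": "sim-1"},
                {"file_name": "modules/logs/main.tf", "line": 40, "similarity_id": "sim-2"},
            ],
        },
        {
            "query_id": "query-missing-tags",  # constructed id, not a real KICS query id
            "query_name": "Missing Resource Tags",
            "severity": "LOW",
            "files": [
                {"file_name": "main.tf", "line": 3, "similarity_id": "sim-3"},
            ],
        },
    ]
})


def rank(severity):
    """Numeric rank for a severity; anything unrecognised is treated as CRITICAL."""
    return SEVERITY_RANK.get(severity.upper(), SEVERITY_RANK["CRITICAL"])


def load_findings(report_text):
    """Flatten a KICS report into one record per affected file location."""
    report = json.loads(report_text)
    findings = []
    for query in report.get("queries", []):
        for hit in query.get("files", []):
            findings.append({
                "query_id": query["query_id"],
                "query_name": query["query_name"],
                "severity": query["severity"].upper(),
                "file": hit["file_name"],
                "line": hit["line"],
                "similarity_id": hit["similarity_id"],
            })
    return findings


def new_findings(findings, baseline_ids, fail_on="MEDIUM"):
    """Findings at or above fail_on whose similarity_id is not in the baseline."""
    threshold = rank(fail_on)
    return [
        f for f in findings
        if rank(f["severity"]) >= threshold and f["similarity_id"] not in baseline_ids
    ]


def gate(report_text, baseline_ids, fail_on="MEDIUM"):
    """Return 1 (fail the job) when un-baselined findings meet the threshold, else 0."""
    blocking = new_findings(load_findings(report_text), baseline_ids, fail_on)
    for f in blocking:
        print(f"{f['severity']:8} {f['file']}:{f['line']}  {f['query_name']} "
              f"[{f['similarity_id']}]")
    return 1 if blocking else 0


def load_baseline(path):
    """One accepted similarity_id per line; blank lines and # comments are ignored."""
    ids = set()
    with open(path) as fh:
        for line in fh:
            line = line.strip()
            if line and not line.startswith("#"):
                ids.add(line)
    return ids


if __name__ == "__main__":
    # usage: kics_gate.py results.json baseline.txt [MEDIUM]
    # With no arguments it runs against the constructed sample with sim-1 accepted.
    if len(sys.argv) < 3:
        sys.exit(gate(SAMPLE_REPORT, {"sim-1"}))
    with open(sys.argv[1]) as fh:
        text = fh.read()
    threshold = sys.argv[3] if len(sys.argv) > 3 else "MEDIUM"
    sys.exit(gate(text, load_baseline(sys.argv[2]), threshold))
```

Keying the baseline on `similarity_id` rather than file and line means a finding survives unrelated edits to the same file, and a rerun after the fix removes it from the gate without touching the baseline. Severities the script does not recognise are ranked as CRITICAL on purpose: a typo in the threshold or a new severity name in a KICS release should fail the job, not silently pass it.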
Free vs Self-Hosted vs Paid
Self-hosted (free): KICS under Apache-2.0, from Checkmarx. A binary or container that scans Terraform, Kubernetes, Docker, CloudFormation, Ansible, and more against a large query library. Queries are written in Rego and extensible with your own.
Commercial: Checkmarx sells a broader application security platform, but KICS stands alone.
The call: The real choice is usually Checkov versus KICS. Both are strong; try both on your repos and keep the one that flags more of what matters to you.
Free and open source. Checkmarx sells a separate, broader commercial AppSec platform.
Similar Tools
- Find secrets with Gitleaks 🔑
- Open source secret management platform
- Find vulnerabilities, misconfigurations, secrets, SBOM in containers, Kubernetes, code repositories, clouds and more
- Deepsec is a security harness for finding vulnerabilities in your codebase powered by coding agents
- Find, verify, and analyze leaked credentials
About
- Owner: Checkmarx (Organization)
- Stars: 2,662
- Forks: 374