
kics

Find security vulnerabilities, compliance issues, and infrastructure misconfigurations early in the development cycle of your infrastructure-as-code with KICS by Checkmarx.

2.7k · emerging · Open Policy Agent · Apache License 2.0

The Lens

KICS finds security vulnerabilities and misconfigurations in infrastructure-as-code, in the same family as Checkov. The name stands for Keeping Infrastructure as Code Secure, and it covers Terraform, Kubernetes, Docker, CloudFormation, Ansible, and more against a large library of queries. Open source, maintained by Checkmarx, free.

You run it as a binary or container in CI, and it flags each issue with a severity and a description of the fix. Queries are written in a Rego-like format, so you can extend the ruleset for your own standards. It's stateless and fast, built to gate pull requests.

KICS is free and open source. Checkmarx sells a broader commercial application security platform, but KICS stands on its own. In practice the choice is usually Checkov versus KICS: both are strong, Checkov has the larger community and policy library, KICS covers a slightly different set of platforms. Try both against your repos and keep whichever flags more of what you care about.

The catch: same noise problem as any IaC scanner. The default ruleset is broad, and an existing codebase will surface plenty of findings you'll want to triage or suppress. The tool is easy; tuning it to your risk tolerance is the actual work.

Free vs Self-Hosted vs Paid

fully free

Self-hosted (free): KICS under Apache-2.0, from Checkmarx. A binary or container that scans Terraform, Kubernetes, Docker, CloudFormation, Ansible, and more against a large query library. Queries are extensible in a Rego-like format.

Commercial: Checkmarx sells a broader application security platform, but KICS stands alone.

The call: The real choice is usually Checkov versus KICS. Both are strong; try both on your repos and keep the one that flags more of what matters to you.

Free and open source. Checkmarx sells a separate, broader commercial AppSec platform.

Self-hosting ops: trivial



Score: 57/100 · C+
Adoption: 17/30
Maintenance: 10/25
Community: 5/20
License: 15/15
Analysis: 10/10

About

Owner: Checkmarx (Organization)
Stars: 2,662
Forks: 374
