
KICS

KICS (Keeping Infrastructure as Code Secure) is an open-source IaC scanner from Checkmarx. It checks Terraform, Kubernetes manifests, CloudFormation, Ansible and Helm charts, among other formats, against a built-in set of security queries.

Why KICS?

  • 🔍 2,400+ pre-built queries covering many IaC platforms
  • 🆓 Open source and free to use
  • 🧩 Custom queries written in Rego
  • 📊 Detailed reports with remediation suggestions
  • 🌐 Supports Terraform, Kubernetes, Docker, CloudFormation, Ansible, Helm, ARM and OpenAPI

Install

# macOS (Homebrew)
brew install kics

# Docker image (any OS with Docker); the repo is mounted at /path inside the container
docker run -v $(pwd):/path checkmarx/kics:latest scan -p /path

# Install script (Linux/macOS). Piping a remote script straight into bash runs
# code you have not looked at: download it, read it, then execute it.
curl -sfL https://raw.githubusercontent.com/Checkmarx/kics/master/install.sh -o install.sh
less install.sh
bash install.sh

Verify:

kics version

Basic Scan

kics scan -p . -o ./results

-p is the path to scan and -o the directory the report is written to (results.json by default).

Options:

# Specific path
kics scan -p ./terraform -o ./results

# Multiple paths (comma-separated)
kics scan -p ./terraform,./k8s -o ./results

# Exclude paths
kics scan -p . --exclude-paths ./modules/legacy

# Specific platform
kics scan -p . --type Terraform

# Severity filter: there is no include flag, so exclude the levels you do not want
kics scan -p . --exclude-severities info,low,medium

Example Output

Files scanned: 12
Parsed files: 12
Queries loaded: 2400
Queries failed to execute: 0

------------------------------------

S3 Bucket Logging Disabled, Severity: HIGH
=========================================
Description: Server Access Logging should be enabled on S3 buckets
Platform: Terraform

Issues:
main.tf:5
resource "aws_s3_bucket" "data" {
bucket = "my-data"
}

Remediation: Add aws_s3_bucket_logging resource

------------------------------------

S3 Bucket Without Server-Side Encryption, Severity: CRITICAL
============================================================
Description: S3 Bucket should have Server-Side Encryption enabled
Platform: Terraform

Issues:
main.tf:5

Remediation: Add aws_s3_bucket_server_side_encryption_configuration

------------------------------------

Total Results: 5 (HIGH: 2, CRITICAL: 1, MEDIUM: 2)

Output Formats

The flag is --report-formats; each report is named after --output-name (default results) plus the format's extension, e.g. results.sarif.

# JSON
kics scan -p . --report-formats json -o ./results

# SARIF (GitHub Code Scanning)
kics scan -p . --report-formats sarif -o ./results

# HTML report
kics scan -p . --report-formats html -o ./results

# JUnit (for CI test reporting)
kics scan -p . --report-formats junit -o ./results

# Multiple
kics scan -p . --report-formats json,sarif,html -o ./results

Query Selection

# Run specific query by ID
kics scan -p . --include-queries 8d56eb76-7901-4a4a-a4ad-6a2dbe2afdc0

# Exclude queries
kics scan -p . --exclude-queries 8d56eb76-7901-4a4a-a4ad-6a2dbe2afdc0

# Categories: only an exclude flag exists, so list the categories you do not want
kics scan -p . --exclude-categories "Best Practices,Observability"

Categories

KICS organizes queries by category:

  • Access Control
  • Availability
  • Backup
  • Best Practices
  • Build Process
  • Encryption
  • Insecure Configurations
  • Insecure Defaults
  • Networking and Firewall
  • Observability
  • Resource Management
  • Secret Management
  • Supply-Chain

Custom Queries (Rego)

KICS queries are written in Rego, the OPA policy language. Each query is a directory containing query.rego and metadata.json; the package must be Cx and the rule must be CxPolicy.

custom-queries/no-public-s3/query.rego

package Cx

CxPolicy[result] {
	# input.document[i] is one parsed file; iterate over every aws_s3_bucket in it
	resource := input.document[i].resource.aws_s3_bucket[name]
	resource.acl == "public-read"

	result := {
		"documentId": input.document[i].id,
		"resourceType": "aws_s3_bucket",
		"resourceName": name,
		"searchKey": sprintf("aws_s3_bucket[%s].acl", [name]),
		"issueType": "IncorrectValue",
		"keyExpectedValue": sprintf("aws_s3_bucket[%s].acl should not be 'public-read'", [name]),
		"keyActualValue": sprintf("aws_s3_bucket[%s].acl is '%s'", [name, resource.acl]),
	}
}

custom-queries/no-public-s3/metadata.json

{
	"id": "00000000-0000-0000-0000-000000000001",
	"queryName": "S3 Bucket Public ACL",
	"severity": "CRITICAL",
	"category": "Insecure Configurations",
	"descriptionText": "S3 bucket should not have a public ACL",
	"platform": "Terraform"
}

Point KICS at the directory. A custom --queries-path replaces the built-in set, so pass both directories if you want the built-in queries as well:

kics scan -p . --queries-path ./custom-queries

CI/CD Integration

GitHub Actions

.github/workflows/kics.yml

name: KICS
on: pull_request

jobs:
  kics:
    runs-on: ubuntu-latest
    permissions:
      contents: read
      security-events: write
    steps:
      - uses: actions/checkout@v4

      - name: Run KICS
        # Pin to a release tag or commit SHA rather than the moving master branch
        uses: checkmarx/kics-github-action@master
        with:
          path: .
          output_path: results
          output_formats: sarif,json
          fail_on: high,critical

      - name: Upload SARIF
        # always(): the upload must still run when the KICS step fails on findings
        if: always()
        uses: github/codeql-action/upload-sarif@v3
        with:
          sarif_file: results/results.sarif

GitLab CI

.gitlab-ci.yml

kics:
  image:
    name: checkmarx/kics:latest-alpine
    # The image's entrypoint is the kics binary; clear it so GitLab can run the script
    entrypoint: [""]
  script:
    - kics scan -p . -o ./results --report-formats json,html
  artifacts:
    paths:
      - results/
    when: always

Docker

docker run --rm -v $(pwd):/path checkmarx/kics:latest \
  scan -p /path --report-formats json -o /path/results

Disable Specific Issues

Inline disable

A comment of the form `# kics-scan disable=<query-id>` at the top of a file suppresses that query for the whole file; `# kics-scan ignore-line` and `# kics-scan ignore-block` suppress only the line or block that follows them.

# kics-scan disable=8d56eb76-7901-4a4a-a4ad-6a2dbe2afdc0
resource "aws_s3_bucket" "test" {
  bucket = "test-no-logging-needed"
}

Config file

Passed with --config. The keys are the long flag names, so anything you pass on the command line can live here and be reviewed with the code.

.kics.config

exclude-queries:
  - 8d56eb76-7901-4a4a-a4ad-6a2dbe2afdc0
exclude-paths:
  - ./modules/legacy

Compare with Other Scanners

| Feature        | KICS                                              | Checkov                  | Trivy           | tfsec             |
|----------------|---------------------------------------------------|--------------------------|-----------------|-------------------|
| Queries        | 2,400+                                            | 750+                     | 1,000+          | 200+ (in Trivy)   |
| Platforms      | TF, K8s, CFN, ARM, Helm, Ansible, Docker, OpenAPI | TF, K8s, CFN, ARM, Bicep | TF, K8s, Docker | TF (now in Trivy) |
| Speed          | Medium                                            | Slow                     | Fast            | Fast              |
| Custom queries | Rego                                              | Python                   | Rego            | Custom            |
| Output formats | Many                                              | Many                     | Many            | Few               |
| Maintained by  | Checkmarx                                         | Bridgecrew               | Aqua            | Aqua              |

KICS's main strength in this comparison is the breadth of platform coverage.

Multi-Platform Scan

# Scan everything in the repo
kics scan -p .
# Every supported platform is detected automatically from the file contents

Or restrict the scan to specific platforms:

kics scan -p . --type Terraform,Kubernetes,Dockerfile

Performance Tuning

Parallel Scan

# Number of parallel workers
kics scan -p . --parallel 8

Cache

# Queries are embedded in the binary and compiled when a scan starts, so every run
# has a fixed startup cost before the first file is scanned; --type cuts it because
# only that platform's queries are loaded.

Specific Files Only

kics scan -p ./main.tf,./variables.tf

Best Practices

✅ DO:
- Run KICS in CI on every PR
- Use SARIF with GitHub Code Scanning so findings show up in the Security tab
- Gate on severity (fail the build on HIGH and CRITICAL)
- Record reviewed false positives in the config file, keyed by query ID, so the exclusion is versioned and visible in review
- Combine with Trivy/Checkov; the query sets only partly overlap

❌ DON'T:
- Don't run the full query set against platforms the repo does not contain if that makes the pipeline slow; scope with --type or --exclude-categories
- Don't ignore HIGH/CRITICAL findings
- Don't skip KICS updates: new queries ship with new releases, so an old binary silently misses newer checks

Example Workflow

#!/bin/bash
# scripts/scan.sh
set -euo pipefail

echo "1. Format check..."
terraform fmt -check -recursive

echo "2. Validate..."
# validate needs an initialised working directory; -backend=false keeps remote state out of it
terraform init -backend=false -input=false
terraform validate

echo "3. TFLint..."
tflint --init
tflint --recursive

echo "4. KICS scan..."
kics scan -p . \
  --exclude-severities info,low,medium \
  --report-formats json,html \
  -o ./scan-results

echo "5. Trivy scan..."
trivy config --severity HIGH,CRITICAL .

echo "6. Plan..."
terraform plan

Example PR Comment

KICS can post the findings as a PR comment (in kics-github-action, set enable_comments: true and provide a token). The comment looks like this:

## KICS Scan Results

**3 issues found** (1 CRITICAL, 2 HIGH)

### CRITICAL: S3 Bucket Public Access
- File: `main.tf:5`
- Description: S3 bucket should not be public
- Remediation: Set `acl = "private"`

### HIGH: Missing Encryption
- File: `main.tf:25`
- Description: RDS should have encryption enabled
- Remediation: Set `storage_encrypted = true`

### HIGH: Open Security Group
- File: `main.tf:50`
- Description: Security group allows 0.0.0.0/0 on port 22
- Remediation: Restrict CIDR to internal range
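To act on a report in CI the way the comment above does, here is an added example (mine, not part of the original page and not KICS's own code) that post-processes the JSON report KICS writes: it counts findings per severity, decides whether the build should fail (the effect of --fail-on high,critical), renders a Markdown comment in the layout shown above, and collects similarity IDs of lower-severity findings for a reviewed --exclude-results baseline, which is the same mechanism as the exclusions in the config file section. The field names used (queries[].severity, queries[].files[].similarity_id, file_name, line, expected_value, actual_value) are assumed to match results.json; verify them against a report from the version you run. SAMPLE_REPORT is a constructed, trimmed report so the script runs offline.

```python
"""Post-process a KICS JSON report: severity gate, PR comment, exclusion baseline.

Added example; not KICS's own code. The results.json field names below are
assumed to match KICS's report layout; check them against your version.
"""
import json
import sys
from collections import Counter

SEVERITY_ORDER = ["INFO", "LOW", "MEDIUM", "HIGH", "CRITICAL"]
RANK = {s: i for i, s in enumerate(SEVERITY_ORDER)}

# Constructed sample in the shape of results.json (not the output of a real scan).
SAMPLE_REPORT = json.dumps({
    "files_scanned": 12,
    "total_counter": 4,
    "severity_counters": {"CRITICAL": 1, "HIGH": 2, "MEDIUM": 1, "LOW": 0, "INFO": 0},
    "queries": [
        {"query_name": "S3 Bucket Public Access", "query_id": "q-1", "severity": "CRITICAL",
         "description": "S3 bucket should not be public",
         "files": [{"file_name": "main.tf", "line": 5, "similarity_id": "aaa111",
                    "expected_value": "acl is 'private'", "actual_value": "acl is 'public-read'"}]},
        {"query_name": "RDS Without Encryption", "query_id": "q-2", "severity": "HIGH",
         "description": "RDS should have encryption enabled",
         "files": [{"file_name": "main.tf", "line": 25, "similarity_id": "bbb222",
                    "expected_value": "storage_encrypted is true", "actual_value": "storage_encrypted is undefined"}]},
        {"query_name": "Open Security Group", "query_id": "q-3", "severity": "HIGH",
         "description": "Security group allows 0.0.0.0/0 on port 22",
         "files": [{"file_name": "main.tf", "line": 50, "similarity_id": "ccc333",
                    "expected_value": "ingress restricted", "actual_value": "ingress open to 0.0.0.0/0"}]},
        {"query_name": "Resource Not Tagged", "query_id": "q-4", "severity": "MEDIUM",
         "description": "Resources should carry tags",
         "files": [{"file_name": "main.tf", "line": 70, "similarity_id": "ddd444",
                    "expected_value": "tags is defined", "actual_value": "tags is undefined"}]},
    ],
})


def load_report(text):
    """Parse the content of results.json into a dict."""
    return json.loads(text)


def findings(report):
    """Flatten queries[].files[] into one record per finding; unknown severities rank -1."""
    for q in report.get("queries", []):
        for f in q.get("files", []):
            yield {"severity": str(q.get("severity", "")).upper(),
                   "query_name": q.get("query_name", ""), "query_id": q.get("query_id", ""),
                   "description": q.get("description", ""),
                   "file": f.get("file_name", ""), "line": f.get("line", 0),
                   "similarity_id": f.get("similarity_id", ""),
                   "expected": f.get("expected_value", ""), "actual": f.get("actual_value", "")}


def count_by_severity(report):
    """Counts recomputed from the findings rather than trusted from severity_counters."""
    counts = Counter(f["severity"] for f in findings(report))
    return {s: counts.get(s, 0) for s in SEVERITY_ORDER}


def should_fail(report, threshold="HIGH"):
    """True if any finding is at or above threshold (the effect of --fail-on high,critical)."""
    floor = RANK[threshold.upper()]
    return any(RANK.get(f["severity"], -1) >= floor for f in findings(report))


def render_pr_comment(report):
    """Markdown in the layout of the PR comment above, worst findings first."""
    counts = count_by_severity(report)
    total = sum(counts.values())
    parts = ", ".join(f"{counts[s]} {s}" for s in reversed(SEVERITY_ORDER) if counts[s])
    lines = ["## KICS Scan Results", "",
             f"**{total} issues found** ({parts})" if total else "**No issues found**"]
    ordered = sorted(findings(report),
                     key=lambda f: (-RANK.get(f["severity"], -1), f["file"], f["line"]))
    for f in ordered:
        lines += ["", f"### {f['severity']}: {f['query_name']}",
                  f"- File: `{f['file']}:{f['line']}`",
                  f"- Description: {f['description']}",
                  f"- Expected: {f['expected']}", f"- Actual: {f['actual']}"]
    return "\n".join(lines) + "\n"


def baseline_ids(report, max_severity="MEDIUM"):
    """Similarity IDs for --exclude-results, capped at max_severity so this script
    can never baseline away HIGH or CRITICAL findings: those get fixed, not hidden."""
    ceiling = RANK[max_severity.upper()]
    return sorted({f["similarity_id"] for f in findings(report)
                   if f["similarity_id"] and RANK.get(f["severity"], -1) <= ceiling})


if __name__ == "__main__":
    # Usage: python kics_report.py [results/results.json]; exits 1 on HIGH/CRITICAL findings
    path = sys.argv[1] if len(sys.argv) > 1 else None
    text = open(path, encoding="utf-8").read() if path else SAMPLE_REPORT
    report = load_report(text)
    print(render_pr_comment(report))
    print("exclude-results baseline:", ",".join(baseline_ids(report)))
    sys.exit(1 if should_fail(report) else 0)
```

The counts are recomputed from the findings instead of read from severity_counters, so the gate still holds if a report is partially edited; and the baseline deliberately stops at MEDIUM, so the only way a HIGH or CRITICAL finding leaves the report is a fix or a reviewed entry in the config file.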

Summary

  • KICS is an open-source IaC scanner from Checkmarx
  • 2,400+ queries across 8+ platforms (Terraform, K8s, Docker, etc.)
  • Custom queries are written in Rego
  • Integrations: GitHub Actions, GitLab CI, pre-commit
  • Filter by severity, category or query ID
  • Pair it with Trivy/Checkov for the widest coverage

Next → Terrascan