In the cloud-native era, where speed, scalability, and automation dominate, Infrastructure as Code (IaC) has emerged as a critical practice for DevOps and platform engineering teams. Tools like Terraform, Pulumi, and OpenTofu allow infrastructure to be defined, versioned, and deployed with the same rigor as application code.
But just like any other code, infrastructure code is prone to security misconfigurations, errors, and vulnerabilities. A single misconfigured security group or publicly accessible storage bucket can result in devastating data breaches. This is where SAST tools for IaC play a vital role.
Among the many open-source tools available, KICS (Keeping Infrastructure as Code Secure) stands out for its breadth of support, ease of use, and community-driven rules engine. In this article, we’ll explore what KICS is, how it works, and how it can be applied to a real-world IaC project to prevent security issues before deployment.
🔍 What is KICS?
KICS is an open-source static code analysis tool developed by Checkmarx for scanning IaC files and detecting security vulnerabilities and misconfigurations. It performs static analysis, meaning it analyzes code without executing it. This makes it fast, safe, and ideal for early development stages.
Supported technologies include:
- ✅ Terraform
- ✅ Pulumi
- ✅ CloudFormation
- ✅ Kubernetes
- ✅ Ansible
- ✅ Dockerfile
- ✅ Azure ARM Templates
With over 1,500 pre-built security queries, KICS checks for:
- Open ports to the public internet
- Unencrypted storage
- Hardcoded secrets
- Privilege escalation risks
- Misconfigured IAM policies
⚙️ How KICS Works
KICS scans your infrastructure code and compares it to a database of misconfiguration rules written in YAML or JSON. Each finding includes:
- 🔎 Description of the vulnerability
- 🔒 Security context (CIS Benchmarks, etc.)
- 📍 File name and line number
- 🛠️ Suggested remediation
- ⚠️ Severity (Low, Medium, High, Critical)
It runs via:
- Docker (`checkmarx/kics`)
- CLI (`kics scan -p ./path`)
- GitHub Actions / GitLab / Jenkins
🚧 Example: Terraform Scan
Here's a common misconfiguration in Terraform:

```hcl
resource "aws_security_group" "open_sg" {
  name        = "open-sg"
  description = "Allow SSH from all"

  ingress {
    from_port   = 22
    to_port     = 22
    protocol    = "tcp"
    cidr_blocks = ["0.0.0.0/0"]
  }
}
```

Run KICS:

```bash
docker run -v $(pwd):/path checkmarx/kics:latest scan -p /path
```

Output:

```
[CRITICAL] aws_security_group.open_sg allows 0.0.0.0/0 for SSH
Remediation: Restrict to known IPs only.
```
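The remediation above ("restrict to known IPs only") is a policy decision that is easy to get subtly wrong: a rule can still reach port 22 through a wide port range or the `-1` any-protocol wildcard, and a CIDR can be narrower than `/0` yet still far broader than the networks you actually trust. The following Python check is an added example, not KICS code and not part of the original article: it takes ingress rules in plain dict form (mirroring the Terraform block above), and reports any rule that reaches SSH from a CIDR not fully contained in an explicit allowlist. The `203.0.113.0/24` allowlist entry is the RFC 5737 documentation range, standing in for whatever VPN or bastion egress range you actually use.

```python
import ipaddress

SSH_PORT = 22

# Constructed sample: the ingress rule from the Terraform snippet above,
# expressed as plain Python data rather than HCL.
OPEN_SG_INGRESS = [
    {"from_port": 22, "to_port": 22, "protocol": "tcp", "cidr_blocks": ["0.0.0.0/0"]},
]

# Hypothetical hardened variant of the same rule. 203.0.113.0/24 is the
# RFC 5737 TEST-NET-3 documentation range, used here as a placeholder for
# a real bastion or VPN egress block.
HARDENED_SG_INGRESS = [
    {"from_port": 22, "to_port": 22, "protocol": "tcp", "cidr_blocks": ["203.0.113.0/24"]},
]


def rule_covers_port(rule, port):
    """True if the rule reaches `port` over TCP, either directly or via the
    any-protocol wildcard (-1). UDP-only rules never reach SSH."""
    if rule["protocol"] == "-1":
        return True
    if rule["protocol"] not in ("tcp", "6"):
        return False
    return rule["from_port"] <= port <= rule["to_port"]


def offending_cidrs(rule, allowed_cidrs):
    """CIDRs in the rule that are not a subnet of some allowlisted network.
    0.0.0.0/0 is never a subnet of anything narrower, so it always offends."""
    allowed = [ipaddress.ip_network(c) for c in allowed_cidrs]
    bad = []
    for cidr in rule.get("cidr_blocks", []) + rule.get("ipv6_cidr_blocks", []):
        net = ipaddress.ip_network(cidr)
        # subnet_of() raises on mixed IPv4/IPv6, so compare versions first.
        if not any(net.version == a.version and net.subnet_of(a) for a in allowed):
            bad.append(cidr)
    return bad


def ssh_exposures(ingress_rules, allowed_cidrs):
    """Return (rule_index, cidr) pairs that expose SSH outside the allowlist.
    An empty list means every SSH-reaching rule is confined to trusted ranges."""
    exposures = []
    for i, rule in enumerate(ingress_rules):
        if not rule_covers_port(rule, SSH_PORT):
            continue
        for cidr in offending_cidrs(rule, allowed_cidrs):
            exposures.append((i, cidr))
    return exposures


if __name__ == "__main__":
    allowlist = ["203.0.113.0/24"]
    print("open_sg:   ", ssh_exposures(OPEN_SG_INGRESS, allowlist))
    print("hardened:  ", ssh_exposures(HARDENED_SG_INGRESS, allowlist))
```

The check is deliberately allowlist-based rather than "is it 0.0.0.0/0?": a rule opened to `0.0.0.0/1` or `::/0` would slip past the literal match that the scan output above describes, but still fails containment in a trusted range.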
CI/CD Integration Example (GitHub Actions)

```yaml
name: KICS Scan
on:
  push:
    branches:
      - main
jobs:
  kics-scan:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - name: Run KICS Scan
        uses: checkmarx/kics-github-action@v2
        with:
          path: './'
```
📊 Reporting Formats
KICS supports:
- JSON: for automation
- HTML: for humans
- SARIF: for GitHub Advanced Security
Export to your security dashboards or ticket systems easily.
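The JSON report is what a pipeline gate or dashboard export actually consumes, and each finding carries the fields listed under "How KICS Works": query, severity, file and line, plus the expected and actual values. The script below is an added example, not part of the original article and not KICS code: it flattens a KICS-style JSON report into one row per affected file, sorts by severity, and decides whether the build should fail at a given threshold. The embedded report is a constructed sample whose field names (`queries`, `files`, `severity`, `file_name`, `line`, `expected_value`, `actual_value`) follow the KICS JSON layout as I understand it; treat that layout as an assumption and compare it against a real `results.json` from your own run (`kics scan -p . -o ./out --report-formats json`). The query ids are placeholders, not real KICS identifiers.

```python
import json
from collections import Counter

SEVERITY_ORDER = ["INFO", "LOW", "MEDIUM", "HIGH", "CRITICAL"]

# Constructed sample report modelled on the open_sg finding above.
# Field names follow the KICS JSON shape as assumed in the lead-in;
# query_id values are placeholders, not real KICS ids.
SAMPLE_REPORT = json.dumps({
    "kics_version": "placeholder",
    "severity_counters": {"CRITICAL": 1, "HIGH": 0, "MEDIUM": 1, "LOW": 0, "INFO": 0},
    "total_counter": 2,
    "queries": [
        {
            "query_name": "Security Group With Unrestricted Access To SSH",
            "query_id": "00000000-0000-0000-0000-000000000001",
            "severity": "CRITICAL",
            "platform": "Terraform",
            "description": "Security group allows 0.0.0.0/0 on port 22",
            "files": [{
                "file_name": "main.tf", "line": 8,
                "resource_type": "aws_security_group", "resource_name": "open_sg",
                "expected_value": "cidr_blocks should not be 0.0.0.0/0 for port 22",
                "actual_value": "cidr_blocks is 0.0.0.0/0 for port 22",
            }],
        },
        {
            "query_name": "Security Group Rule Without Description",
            "query_id": "00000000-0000-0000-0000-000000000002",
            "severity": "MEDIUM",
            "platform": "Terraform",
            "description": "Ingress rules should carry a description",
            "files": [{
                "file_name": "main.tf", "line": 4,
                "resource_type": "aws_security_group", "resource_name": "open_sg",
                "expected_value": "ingress rule has a description",
                "actual_value": "ingress rule has no description",
            }],
        },
    ],
})


def flatten_findings(report):
    """One row per (query, file) pair, most severe first, then by file and line."""
    rows = []
    for q in report.get("queries", []):
        for f in q.get("files", []):
            rows.append({
                "severity": q["severity"].upper(),
                "query": q["query_name"],
                "query_id": q.get("query_id"),
                "file": f["file_name"],
                "line": f["line"],
                "resource": f"{f.get('resource_type', '')}.{f.get('resource_name', '')}",
                "expected": f.get("expected_value", ""),
                "actual": f.get("actual_value", ""),
            })
    rows.sort(key=lambda r: (-SEVERITY_ORDER.index(r["severity"]), r["file"], r["line"]))
    return rows


def severity_counts(findings):
    return Counter(r["severity"] for r in findings)


def gate(findings, fail_on="HIGH"):
    """True if any finding is at or above the threshold severity."""
    threshold = SEVERITY_ORDER.index(fail_on.upper())
    return any(SEVERITY_ORDER.index(r["severity"]) >= threshold for r in findings)


def format_line(r):
    """Compact one-line form suitable for CI logs or a ticket summary."""
    return f"[{r['severity']}] {r['file']}:{r['line']} {r['resource']} - {r['query']}"


def triage(report_text, fail_on="HIGH"):
    """Parse a KICS JSON report and return findings, counts and the gate decision."""
    findings = flatten_findings(json.loads(report_text))
    return {
        "findings": findings,
        "counts": severity_counts(findings),
        "fail": gate(findings, fail_on),
    }


if __name__ == "__main__":
    result = triage(SAMPLE_REPORT, fail_on="HIGH")
    for row in result["findings"]:
        print(format_line(row))
    print(dict(result["counts"]))
    raise SystemExit(1 if result["fail"] else 0)
```

In practice you would feed `triage()` the file written by `--report-formats json` and pick the threshold per branch (for example fail on HIGH for `main`, report-only on feature branches); the flattened rows are also the natural unit to push into a ticketing system, one ticket per file and query rather than one per scan.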
✅ TL;DR:
KICS scans your IaC code (Terraform, Pulumi, K8s, Docker, etc.) for vulnerabilities and misconfigurations. It's open-source, fast, supports CI/CD, and helps you fix issues before deployment. Say goodbye to insecure cloud deployments!