KICS by Checkmarx - Keeping Infrastructure as Code Secure
The Checkmarx infrastructure-as-code engine (aptly named KICS, for Keeping Infrastructure as Code Secure) finds security vulnerabilities, compliance issues, and infrastructure misconfigurations in the following Infrastructure as Code technologies: Terraform, Kubernetes, Docker, AWS CloudFormation, and Ansible. Because the engine can analyze any JSON, XML and YAML file, supporting a new configuration format only requires adding queries; no engine modification is needed. From day one, KICS has been built for extensibility. First, it ships with over 1000 fully customizable and adjustable heuristic rules, called queries, which can easily be edited, extended, and added to. Second, its robust yet simple architecture allows support for new Infrastructure as Code solutions to be added quickly.
Motivation
Helps find vulnerabilities early in the development process (Shift-left)
Supports multiple tools (Terraform, Crossplane, k8s, Docker, AWS CloudFormation, Ansible, Pulumi, Helm)
Can be easily integrated with already working projects
OPA (Rego) integrated
Create your own policies
Prerequisites
Docker
CI/CD knowledge
KICS
All – KICS Queries List
Secret scanning explained
Secret scanning is actively maintained by Checkmarx; it is the only query written in Go, and it works with regular expressions.
Here are the rules it checks in the current version: kics/regex_rules.json at master (Checkmarx/kics). At the time of writing these lines we injected test secrets into Terraform; KICS found them and alerted us with High and Medium severity.
It is important to note that when the --include-queries flag is used, password and secret scanning is not included by default; password and secret detection has to be requested explicitly for the relevant tool.
Terraform example: --include-queries "Secret Management"
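A stripped-down illustration of the regex-rule approach described above (an added example, not KICS code): it loads a constructed rule list with severities, scans a constructed Terraform snippet with planted secrets, and skips interpolated references the way an allow rule would. The rule shapes, patterns and sample file are all assumptions made for this example.

```python
import re

# Constructed rule set for this example (name, regex, severity); it follows
# the idea of a regex rule list but is NOT KICS's own regex_rules.json.
RULES = [
    ("AWS Access Key ID", r"\bAKIA[0-9A-Z]{16}\b", "HIGH"),
    ("Secret key assignment", r'(?i)\bsecret(_key)?\s*=\s*"[^"]{8,}"', "HIGH"),
    ("Password assignment", r'(?i)\bpassword\s*=\s*"[^"]{8,}"', "MEDIUM"),
]
# Allow rule: a quoted "${...}" interpolation is a reference, not a literal.
ALLOW = [r'"\$\{[^}]+\}"']

def scan(text, rules=RULES, allow=ALLOW):
    """Return (line, rule name, severity) per regex hit, skipping allow-listed lines."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        if any(re.search(a, line) for a in allow):
            continue
        for name, pattern, severity in rules:
            if re.search(pattern, line):
                # report location and rule only: never echo the secret value
                findings.append((lineno, name, severity))
    return findings

def severity_counts(findings):
    """Summarise findings by severity, e.g. {'HIGH': 2, 'MEDIUM': 1}."""
    counts = {}
    for _, _, severity in findings:
        counts[severity] = counts.get(severity, 0) + 1
    return counts

# Constructed Terraform sample with planted secrets; the AWS pair is the
# example key from AWS's own documentation, not a live credential.
SAMPLE_TF = '''provider "aws" {
  access_key = "AKIAIOSFODNN7EXAMPLE"
  secret_key = "wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY"
}

resource "aws_db_instance" "db" {
  password = "SuperSecret123!"
}

resource "aws_db_instance" "replica" {
  password = "${var.db_password}"
}
'''
if __name__ == "__main__":
    for lineno, name, severity in scan(SAMPLE_TF):
        print(f"line {lineno:>2} [{severity}] {name}")
    print(severity_counts(scan(SAMPLE_TF)))
```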
Usage examples:
Native Windows
Install golang
wget -O go.msi https://go.dev/dl/go1.19.4.windows-amd64.msi
./go.msi
Clone KICS repo
git clone https://github.com/Checkmarx/kics.git
cd kics
Run a scan (only works with the kics repository as the working directory)
go run ./cmd/console/main.go scan -p '<path-of-your-project-to-scan>' --report-formats json -o ./results
Standalone use (Docker)
For a directory:
docker run -t -v {path_to_host_folder_to_scan}:/path checkmarx/kics:latest scan -p /path -o "/path/"
For a single file:
docker run -t -v {path_to_host_folder}:/path checkmarx/kics:latest scan -p /path/{filename}.{extension} -o "/path/"
Available result output formats: JSON, SARIF, GitLab SAST, JUnit, SonarQube (JSON), HTML, PDF, CSV, CLI, Code Climate.
ELAD A\ELAD H