Checkmarx KICS (Keeping Infrastructure as Code Secure) is a free, open source static analysis tool that scans infrastructure-as-code files — Terraform, CloudFormation, Kubernetes manifests, Docker and Dockerfile configurations, Helm charts, Ansible playbooks, and several other formats — for security misconfigurations, compliance violations, and best-practice deviations before that infrastructure is ever provisioned. It was originally developed by Checkmarx and released as an open source project, and it's built around a large library of pre-written queries that check IaC files against known-risky patterns, such as an S3 bucket configured for public read access or a security group rule that opens SSH to the entire internet.
What does KICS actually check for in IaC files?
KICS parses infrastructure-as-code files into a common intermediate representation and then runs a large, community-maintained library of queries against that representation, covering categories like insecure network configuration (overly permissive security groups, publicly exposed storage), missing encryption settings (unencrypted storage volumes or databases), weak IAM policy grants, missing logging or monitoring configuration, and outdated or insecure default settings across various cloud providers and platforms. Because the queries are written in a declarative query language (Rego, the same policy language used by Open Policy Agent) rather than hardcoded in the scanner's source, the rule set is genuinely extensible — teams can write custom queries for organization-specific requirements without needing to modify KICS itself.
What formats and platforms does KICS support?
KICS supports a wide range of IaC and configuration formats: Terraform (across AWS, Azure, GCP, and other providers), AWS CloudFormation, Kubernetes YAML manifests, Docker and Dockerfile syntax, Helm charts, Ansible, and several others, with new formats and providers added over time as the project has matured. This breadth is one of KICS's main selling points relative to narrower, single-format scanners: a platform team standardizing on Terraform for cloud infrastructure and Kubernetes manifests for workload configuration can run one tool against both rather than maintaining separate scanners with separate rule sets and separate output formats to reconcile.
How does KICS fit into a CI/CD pipeline?
KICS is designed to run as a command-line tool, which makes it straightforward to wire into a CI/CD pipeline as a pre-merge or pre-apply gate — scanning a Terraform plan or a Kubernetes manifest change in a pull request before it's approved, rather than catching a misconfiguration after terraform apply has already provisioned the resource. This "shift left" placement matters specifically for infrastructure because IaC misconfigurations are often much cheaper to fix in a pull request diff than after the resource exists in a live cloud account — reverting a public S3 bucket policy after data has already been exposed doesn't undo the exposure. KICS also ships with a results format and severity classification that's straightforward to feed into existing pipeline gating logic, failing a build when a query with a certain severity threshold is triggered.
How does KICS compare to other IaC scanning tools?
KICS occupies similar territory to other open source IaC scanners like Checkov and tfsec, all of which apply a similar model: parse IaC into a structured representation, run a rule library against it, report violations by severity. The meaningful differences between them tend to be in rule library breadth and freshness, format coverage, query language (KICS uses Rego, others use Python-based or custom rule definitions), and how actively each project's rule set is maintained against newly discovered cloud misconfiguration patterns. For teams already using Checkmarx's broader AppSec platform, KICS's integration with that ecosystem is a natural fit; for teams evaluating IaC scanning independently of any specific vendor's platform, the practical decision usually comes down to which tool's rule library best matches the specific cloud providers and IaC formats in active use, since all three tools cover the core misconfiguration categories reasonably well.
Is running an open source IaC scanner enough on its own?
It's a strong foundation but not a complete AppSec program by itself — IaC scanning catches misconfigurations in how infrastructure is defined, but it doesn't cover vulnerabilities in application code, dependency risk in the software running on that infrastructure, or runtime behavior once the infrastructure is live and traffic is flowing through it. Teams that treat IaC scanning as one layer in a broader pipeline — alongside SAST for application code, SCA for dependencies, and DAST for runtime testing — get a meaningfully more complete picture than teams that scan infrastructure definitions and stop there, since a perfectly configured cloud environment can still be running a vulnerable application on top of it.
How Safeguard Helps
Safeguard's platform brings infrastructure-as-code scanning together with application-level SAST, dependency scanning, and dynamic testing in one pipeline, so a misconfigured Terraform module and a vulnerable application dependency show up in the same risk view instead of two disconnected tool outputs a team has to manually correlate. See the SAST/DAST product page for how static analysis coverage extends across code and infrastructure definitions, and see how our approach compares in the Checkmarx and Snyk comparison.
FAQ
Is Checkmarx KICS free to use?
Yes — KICS is released as an open source project and is free to download and run, distinct from Checkmarx's broader commercial AppSec platform offerings.
What does KICS stand for?
Keeping Infrastructure as Code Secure — the name reflects its focus on scanning IaC definitions (Terraform, CloudFormation, Kubernetes manifests, and others) rather than application source code directly.
What rule language does KICS use for its queries?
KICS queries are written in Rego, the policy language originally developed for Open Policy Agent, which lets teams write and extend custom queries without modifying the scanner's own source code.
Does KICS replace the need for SAST or SCA tools?
No — KICS scans infrastructure-as-code definitions for misconfigurations specifically; it doesn't analyze application source code for logic vulnerabilities or scan software dependencies for known CVEs, which is why it's typically run alongside SAST and SCA tooling rather than instead of them.