DEV.co
Open-Source Security · Checkmarx

kics

KICS is an open-source static analysis tool that scans Infrastructure-as-Code files (Terraform, Kubernetes, Docker, CloudFormation, etc.) to detect security vulnerabilities, compliance issues, and misconfigurations. It uses Open Policy Agent rules and integrates into CI/CD pipelines to shift security scanning left in the development cycle.

Source: GitHub — github.com/Checkmarx/kics
2.7k
GitHub stars
372
Forks
Open Policy Agent
Primary language
Apache-2.0
License (OSI-approved)

Key facts

Objective fields from the source. Values we can't verify are shown as “Unknown” rather than guessed.

FieldValue
RepositoryCheckmarx/kics
OwnerCheckmarx
Primary languageOpen Policy Agent
LicenseApache-2.0 — OSI-approved
Stars2.7k
Forks372
Open issues323
Latest releasev2.1.20 (2026-03-03)
Last updated2026-07-07
Sourcehttps://github.com/Checkmarx/kics

What kics is

KICS performs policy-as-code scanning on 20+ IaC frameworks using OPA rules, written primarily in Go, and outputs structured findings with severity levels. It runs as a CLI tool or Docker container and supports multiple output formats for integration into SAST/DevSecOps workflows.

Quickstart

Get the kics source

Clone the repository and explore it locally.

terminalbash
git clone https://github.com/Checkmarx/kics.gitcd kics# follow the project's README for install & configuration

Need it deployed, integrated, or customized instead? DEV.co ships production installs.

Best use cases

Early-stage IaC security validation in CI/CD

Scan Terraform, Kubernetes manifests, and CloudFormation templates on every commit or pull request to catch misconfigurations before deployment.

Multi-cloud compliance scanning

Audit infrastructure code across AWS, Azure, GCP, and on-premises platforms simultaneously using unified rule sets for regulatory compliance (CIS, PCI-DSS, HIPAA).

Developer-friendly shift-left security

Provide engineering teams with actionable, query-based findings directly in their repositories and development workflows without requiring dedicated security infrastructure.

Implementation considerations

  • Requires integration into existing CI/CD pipeline (GitHub Actions, GitLab CI, Jenkins, etc.); baseline setup is straightforward via Docker or CLI.
  • OPA rule customization and policy extensions demand familiarity with Rego language; out-of-box rule set may not align perfectly with organizational standards.
  • Performance on large repositories (10k+ IaC files) is unknown; testing required before enterprise-wide rollout.
  • Maintenance of rule versions and query updates should be tracked; v2.1.20 is recent, but frequency of patch vs. major releases is not detailed.
  • Suppression and allowlist mechanisms must be documented internally to prevent alert fatigue and maintain developer confidence.

When to avoid it — and what to weigh

  • Runtime vulnerability scanning needed — KICS scans static code only; it does not detect runtime exploits, privilege escalation, or behavioral anomalies in running containers or workloads.
  • Proprietary custom IaC dialects — If your infrastructure uses custom DSLs or non-standard IaC formats not listed in the supported platforms, rule coverage will be limited.
  • High-fidelity false-positive filtering at scale — Large codebases with many suppressed findings may require significant custom policy tuning; baseline noise management at enterprise scale is not clearly addressed.
  • Managed SaaS with vendor support — KICS is open-source community-driven; commercial support and managed hosting are not directly provided by Checkmarx through the core project.

License & commercial use

Apache License 2.0 (Apache-2.0). This is a permissive OSI-approved license that allows commercial use, modification, and distribution with minimal restrictions.

Apache-2.0 permits commercial use of KICS without license fees or vendor permission. However, Checkmarx (the sponsoring organization) offers commercial products and support services separately; clarify whether your use qualifies for community support or requires a commercial SLA before large-scale deployment.

DEV.co evaluation signals

Editorial assessment — not user reviews. Directional, with an explicit confidence level.

SignalAssessment
MaintenanceActive
DocumentationAdequate
License clarityClear
Deployment complexityLow
DEV.co fitGood
Assessment confidenceHigh
Security considerations

KICS is a scanning tool—it does not deploy or execute code. Key considerations: (1) Rule accuracy depends on OPA policy quality; false negatives are possible if rules miss new attack vectors or misconfiguration patterns. (2) Output may contain sensitive infrastructure details; restrict scan reports to authorized personnel. (3) Supply chain trust: verify checksums of KICS releases before use in critical pipelines. (4) No built-in encrypted policy management; custom secrets in IaC may be exposed in scan output if rules are too verbose.

Alternatives to consider

Terraform Cloud/Enterprise (by HashiCorp)

Native Terraform policy enforcement via Sentinel language; tighter integration with HCL workflows but narrower IaC scope (Terraform-only) and vendor lock-in.

Bridgecrew/Checkov (Palo Alto Networks)

Larger rule database, commercial support available, and stronger enterprise integrations; similar OSS model but more actively marketed with managed options.

CloudSploit / AquaSecurity Trivy

Trivy focuses on container and image scanning; CloudSploit covers AWS-specific misconfigurations. Both narrower scope than KICS but simpler deployment for focused use cases.

Software development agency

Build on kics with DEV.co software developers

Ready to integrate policy-as-code scanning into your CI/CD pipeline? Deploy KICS in minutes and catch misconfigurations before production. Start with the Docker image or CLI tool today.

Talk to DEV.co

Related open-source tools

Surfaced by semantic similarity across the DEV.co open-source index.

Related on DEV.co

Explore the category and the services that help you build with it.

kics FAQ

Can I use KICS in a commercial product or SaaS without paying Checkmarx?
Yes, Apache-2.0 allows commercial use, redistribution, and modification without fees. No royalties or vendor permission required. However, review any commercial support or SLA needs separately with Checkmarx.
Does KICS detect runtime security issues or only static misconfigurations?
KICS scans only static Infrastructure-as-Code files. It cannot detect runtime exploits, privilege escalation, or behavioral threats in running systems. Pair it with runtime security tools for comprehensive coverage.
How do I suppress false positives or customize rules for my organization?
Unknown from provided data. Likely via OPA policy customization or configuration files, but specifics require documentation review at docs.kics.io.
What is the typical scan performance on large codebases?
Unknown. No benchmark data provided. Testing on representative repo sizes before enterprise adoption is strongly recommended.

Work with a software development agency

Adopting kics is usually one piece of a larger software development effort. As a software development agency, DEV.co provides software development services and web development expertise — pairing senior software developers and web developers with your team to design, build, and operate open-source security software in production.

Shift Security Left with KICS

Ready to integrate policy-as-code scanning into your CI/CD pipeline? Deploy KICS in minutes and catch misconfigurations before production. Start with the Docker image or CLI tool today.