There are multiple ways to get KICS up and running:
KICS is available as a Docker image and can be used as follows:
To scan a directory/file on your host you have to mount it as a volume to the container and specify the path on the container filesystem with the -p KICS parameter (see Scan Command Options section below)
docker pull checkmarx/kics:latest
docker run -v {path_to_host_folder_to_scan}:/path checkmarx/kics:latest scan -p "/path" -o "/path/results.json"You can provide your own path to the queries directory with -q CLI option (see CLI Options section below), otherwise the default directory will be used The default ./assets/queries is built-in in the image.
KICS release process is pretty straightforward. When we're releasing a new version, we'll pack KICS executables for both Linux and Windows operating systems. Our security queries will be included in the ZIP files and tarballs, so that you can scan your IaC code with the out-of-the-box queries
So all you need is:
- Go to KICS releases
- Download KICS binaries based on your OS
- Extract files
- Run kics executable with the cli options as described below (note that kics binary should be located in the same directory as queries directory)
./kics scan -p <path-of-your-project-to-scan> -o <output-results.json>
- Download and install Go from https://golang.org/dl/
- Clone the repository:
git clone https://github.com/Checkmarx/kics.gitcd kics - Kick a scan!
go run ./cmd/console/main.go scan -p <path-of-your-project-to-scan> -o <output-results.json>
KICS can interpret the following commands:
generate-id Generates uuid for query
help Help about any command
scan Executes a scan analysis
version Displays the current versionExecutes a scan analysis
Usage:
kics scan [flags]
kics scan [command]
Available Commands:
list-platforms List supported platforms
Flags:
--config string path to configuration file
-e, --exclude-paths strings exclude paths from scan
supports glob and can be provided multiple times or as a quoted comma separated string
example: './shouldNotScan/*,somefile.txt'
-x, --exclude-results strings exclude results by providing the similarity ID of a result
can be provided multiple times or as a comma separated string
example: 'fec62a97d569662093dbb9739360942f...,31263s5696620s93dbb973d9360942fc2a...'
-h, --help help for scan
-l, --log-file writes log messages to info.log
--no-progress hides the progress bar
-o, --output-path string file path to store result in json format
-p, --path string path or directory path to scan
-d, --payload-path string path to store internal representation JSON file
-q, --queries-path string path to directory with queries (default "./assets/queries")
-t, --type strings case insensitive list of platform types to scan
(Ansible, CloudFormation, Dockerfile, Kubernetes, Terraform)
-v, --verbose increase verbosityThe other commands have no further options.
- Understand how to configure KICS so you can have a better KICS experience.
- Explore the queries internals for better understanding how KICS works.
- Explore the output results format and quickly fix the issues detected.
- Contribute if you want to go the extra mile.