KICS allows you to provide all configuration either as command line arguments or as a configuration file. You can see all possible configuration flags in the CLI help. You can also disable scanning in certain parts of a file using inline comments; more on this can be found in the Running KICS section.
KICS supports JSON, TOML, YAML, and HCL formats for the configuration file, and it is able to infer the format without needing a file extension.
Example configuration in JSON format:

```json
{
  "path": "assets/iac_samples",
  "verbose": true,
  "log-file": true,
  "type": "Dockerfile,Kubernetes",
  "queries-path": "assets/queries",
  "exclude-paths": [
    "foo/",
    "bar/"
  ],
  "output-path": "results"
}
```

📝 Flags that can receive multiple values can be provided either as a comma-separated string or as an array, as in the example above.
The same example now in YAML format, passing `type` as an array of strings:

```yaml
path: assets/iac_samples
verbose: true
log-file: true
type:
  - Dockerfile
  - Kubernetes
queries-path: "assets/queries"
exclude-paths:
  - "foo/"
  - "bar/"
output-path: "results"
```
The same example in TOML format:

```toml
path = "assets/iac_samples"
verbose = true
log-file = true
type = "Dockerfile,Kubernetes"
queries-path = "assets/queries"
exclude-paths = [ "foo/", "bar/" ]
output-path = "results"
```
The same example in HCL format:

```hcl
"path" = "assets/iac_samples"
"verbose" = true
"log-file" = true
"type" = "Dockerfile,Kubernetes"
"queries-path" = "assets/queries"
"exclude-paths" = ["foo/", "bar/"]
"output-path" = "results"
```
You can enclose all your configurations in a file and use it in two different ways.

Using a configuration file with a custom name:

- Create a file with any name and any extension. For the sake of example, let's call it `kics-config.json`.
- Add the necessary configurations, as shown in the templates section, in any of the supported formats.
- Pass the configuration file as an argument:

```
docker run -t -v {path_to_kics_config}:/kics -v {path_to_host_folder_to_scan}:/path checkmarx/kics scan -p /path --config /kics/kics-config.json
```

Using the default configuration file name:

- Create a file named `kics.config` and place it in the root of your project repository.
- Add the necessary configurations, as shown in the templates section, in any of the supported formats.
- Invoke KICS without the `--config` argument (KICS will search for that file in the root):

```
docker run -t -v {path_to_host_folder_to_scan}:/path checkmarx/kics scan -p /path
```
Note: If more than one path is given, KICS will warn that `--config` must be used to explicitly choose the configuration file.
KICS also accepts environment variables to fill flag values. To use them, define a variable named after the flag with a `KICS_` prefix. For example:

- To set the `path` flag through an environment variable, define `KICS_PATH` in your environment.
- For multi-word flags such as `--output-path`, use the `KICS_` prefix with each word separated by `_`, e.g. `KICS_OUTPUT_PATH`.
KICS will use the following precedence to fill flags, from highest to lowest priority:

- CLI flags
- Environment variables
- Configuration file
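The precedence rule above, the `KICS_` environment variable naming, and the "comma-separated string or array" rule for multi-value flags, as an added worked example that is not part of KICS itself. It only parses a JSON configuration file (KICS also infers TOML, YAML and HCL), and the `MULTI_VALUE_FLAGS` and `BOOL_FLAGS` sets are assumptions for the example, not the real KICS flag list.

```python
import json

# Assumed for this example (not KICS's real flag lists): multi-value and boolean flags.
MULTI_VALUE_FLAGS = {"type", "exclude-paths"}
BOOL_FLAGS = {"verbose", "log-file"}


def env_name(flag: str) -> str:
    """Map a flag name to its KICS_ variable: --output-path -> KICS_OUTPUT_PATH."""
    return "KICS_" + flag.lstrip("-").replace("-", "_").upper()


def normalize(flag: str, value):
    """Coerce a raw value (possibly a string from the environment) to the flag's type."""
    if flag in MULTI_VALUE_FLAGS:
        if isinstance(value, str):
            return [p.strip() for p in value.split(",") if p.strip()]
        return [str(p) for p in value]
    if flag in BOOL_FLAGS and isinstance(value, str):
        return value.strip().lower() == "true"
    return value


def resolve_flags(cli: dict, environ: dict, config_text: str, known_flags) -> dict:
    """Apply the precedence CLI > environment > config file; returns {flag: (value, source)}."""
    config = json.loads(config_text) if config_text else {}
    resolved = {}
    for flag in known_flags:
        if flag in cli:
            value, source = cli[flag], "cli"
        elif env_name(flag) in environ:
            value, source = environ[env_name(flag)], "env"
        elif flag in config:
            value, source = config[flag], "config"
        else:
            continue  # unset everywhere: KICS uses the flag's default
        resolved[flag] = (normalize(flag, value), source)
    return resolved


def demo() -> dict:
    """Constructed inputs in which each source overrides the ones below it."""
    config_text = json.dumps({"path": "assets/iac_samples", "verbose": True,
                              "type": "Dockerfile,Kubernetes",
                              "exclude-paths": ["foo/", "bar/"]})
    environ = {"KICS_TYPE": "Terraform", "KICS_OUTPUT_PATH": "env-results"}
    cli = {"path": "./iac"}
    flags = ["path", "verbose", "log-file", "type", "queries-path",
             "exclude-paths", "output-path"]
    return resolve_flags(cli, environ, config_text, flags)
```

Running `demo()` shows `path` taken from the CLI, `type` and `output-path` from the environment, and `verbose` and `exclude-paths` from the config file, while flags set nowhere are left to their defaults.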