Checkmarx announced the launch of KICS (Keeping Infrastructure as Code Secure), an open source static analysis solution that enables developers to write more secure infrastructure as code (IaC). With KICS, Checkmarx expands its application security testing (AST) product line, providing a single platform for securing proprietary code, open source components, and critical infrastructure for both traditional and cloud-native applications.
The adoption of IaC has risen considerably in recent years as organizations transition to the cloud and seek ways to make the provisioning of infrastructure faster and more scalable. With the benefits of IaC, however, comes a multitude of security, compliance, and configuration risks that developers are struggling to address. The scale of the problem shows in breach statistics: error-related issues (e.g. misconfigurations and misdeliveries) are now the second biggest cause of data breaches.
KICS automatically detects vulnerabilities, hard-coded keys and passwords, compliance issues, and misconfigurations from the very start of the IaC build cycle, allowing developers to remediate these flaws before they reach production. Checkmarx positions KICS as the most comprehensive IaC scanning engine available: it supports the top IaC technologies, including Terraform, Kubernetes, Docker, AWS CloudFormation, and Ansible, and ships with more than 1,200 fully customizable and adjustable queries covering more than 12 categories, from encryption and key management to network port security.
"As development processes evolve and organizations accelerate their cloud adoption, developers are taking on more security responsibility while also delivering software faster than ever before. This is an impossible balance to strike by solely relying on manual, time-consuming code reviews," said Maty Siman, CTO and Founder, Checkmarx. "KICS was built with this in mind, enabling development teams to automatically identify IaC issues when fixing is quickest, cheapest, and easiest. As the newest addition to the Checkmarx product portfolio, developers now have a single destination for securing all components that make up today's complex applications."
Additional key features and benefits of KICS include:
- Built-in extensibility: KICS provides the largest 'library' of queries of any IaC scanning solution, all of which are fully customizable and adjustable. Additionally, KICS' robust, yet simple, architecture allows for the quick addition of support for new IaC tools.
- Community-sourced: As an open source project, both the scanning engine and queries for KICS are clear and open to a community of thousands of security and DevOps experts and software developers. Coupled with Checkmarx's dedicated team that is constantly adding new features and vetting contributions, KICS is able to scale at a rapid pace.
- Seamless CI/CD integration: KICS can easily be integrated with any CI/CD pipeline, including GitHub Actions and GitLab CI, applying vulnerability and misconfiguration checks to IaC while keeping developers within their preferred tools.
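The CI/CD bullet above says KICS findings can gate a pipeline but does not show how. KICS's own `--fail-on` flag fails the scan on a chosen severity level; the script below, an added example that is not part of the KICS project or of this announcement, post-processes the JSON report that `kics scan --report-formats json` writes and applies a finer policy: block on any HIGH finding, block on any finding in a blocking category regardless of severity (so a hard-coded credential rated MEDIUM still stops the merge), and skip findings a reviewer has already accepted by their `similarity_id`. The report field names (`severity_counters`, `queries`, `severity`, `category`, `files`, `similarity_id`) follow the KICS JSON report as I know it and are an assumption here; the sample report, its query names, file names and similarity IDs are constructed for this example.

```python
"""CI gate over a KICS JSON report (added example, not KICS project code).

Assumed report shape: top-level "queries", each with "severity", "category"
and a "files" list whose entries carry "file_name", "line", "similarity_id".
"""
import json
import sys
from typing import Dict, List, Tuple

# Hypothetical policy for this example.
BLOCKING_SEVERITIES = {"HIGH"}
BLOCKING_CATEGORIES = {"Secret Management"}
# Findings a reviewer has accepted, keyed by KICS's per-finding similarity_id
# (placeholder value; a real list would live in version control).
ACCEPTED_SIMILARITY_IDS = {"accepted-by-review-0001"}

# Constructed sample report: invented query names, files and ids.
SAMPLE_REPORT = json.dumps({
    "files_scanned": 3,
    "severity_counters": {"HIGH": 2, "MEDIUM": 1, "LOW": 1, "INFO": 0},
    "total_counter": 4,
    "queries": [
        {
            "query_name": "Security group open to the world on port 22",
            "severity": "HIGH",
            "platform": "Terraform",
            "category": "Networking and Firewall",
            "files": [
                {"file_name": "network/sg.tf", "line": 12,
                 "similarity_id": "sim-sg-0001",
                 "expected_value": "ingress cidr_blocks should not be 0.0.0.0/0",
                 "actual_value": "ingress cidr_blocks is 0.0.0.0/0"},
                {"file_name": "network/bastion.tf", "line": 30,
                 "similarity_id": "accepted-by-review-0001",
                 "expected_value": "ingress cidr_blocks should not be 0.0.0.0/0",
                 "actual_value": "ingress cidr_blocks is 0.0.0.0/0"},
            ],
        },
        {
            "query_name": "Hard-coded access key in provider block",
            "severity": "MEDIUM",
            "platform": "Terraform",
            "category": "Secret Management",
            "files": [
                {"file_name": "main.tf", "line": 4,
                 "similarity_id": "sim-key-0001",
                 "expected_value": "credentials should come from the environment",
                 "actual_value": "access_key is set to a literal"},
            ],
        },
        {
            "query_name": "Bucket without versioning",
            "severity": "LOW",
            "platform": "Terraform",
            "category": "Backup",
            "files": [
                {"file_name": "storage.tf", "line": 8,
                 "similarity_id": "sim-s3-0001",
                 "expected_value": "versioning should be enabled",
                 "actual_value": "versioning is not set"},
            ],
        },
    ],
})


def blocking_findings(report: Dict) -> List[Dict]:
    """Return the individual findings that must block the build."""
    blocking = []
    for query in report.get("queries", []):
        severity = str(query.get("severity", "")).upper()
        category = query.get("category", "")
        by_category = category in BLOCKING_CATEGORIES
        if severity not in BLOCKING_SEVERITIES and not by_category:
            continue  # below the bar and not in a blocking category
        for hit in query.get("files", []):
            if hit.get("similarity_id") in ACCEPTED_SIMILARITY_IDS:
                continue  # reviewed and accepted earlier; do not re-block
            blocking.append({
                "query": query.get("query_name", "?"),
                "severity": severity,
                "category": category,
                "file": hit.get("file_name", "?"),
                "line": hit.get("line", 0),
                "reason": "category" if by_category else "severity",
            })
    return blocking


def gate(report_text: str) -> Tuple[int, List[Dict]]:
    """Parse a KICS JSON report; return (exit code, blocking findings)."""
    findings = blocking_findings(json.loads(report_text))
    return (1 if findings else 0), findings


def format_findings(findings: List[Dict]) -> List[str]:
    """One human-readable line per blocking finding."""
    return [f"{f['severity']:<6} {f['file']}:{f['line']}  {f['query']}"
            f" (blocked by {f['reason']})" for f in findings]


if __name__ == "__main__":
    # Usage: python kics_gate.py results/results.json   (no arg: sample report)
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_REPORT
    code, found = gate(text)
    print("\n".join(format_findings(found)) or "no blocking findings")
    sys.exit(code)
```

Run on the constructed sample, the gate blocks on `network/sg.tf:12` (HIGH) and `main.tf:4` (MEDIUM, but in the Secret Management category), skips the accepted `network/bastion.tf` finding, ignores the LOW versioning finding, and exits 1. In a pipeline the scan step would first produce the report, for instance with the published container image (`docker run -t -v "$(pwd)":/path checkmarx/kics:latest scan -p /path -o /path/results --report-formats json`, per the project's README), and this script would run as the following step.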
Siman continued, "Checkmarx is a strong advocate of open source projects, and creating KICS in this manner gives the community the opportunity to steer its direction and foster innovation across the industry. We're excited to watch this passionate community embrace and contribute to KICS as it becomes an essential addition to every developer's cloud-native security toolkit."
"I'm proud to welcome Checkmarx to the open source ecosystem with the release of KICS, as the company brings its vast AST experience to the community," said Lior Kaplan, open source advisor and evangelist. "KICS is already seeing significant interest from the DevOps and security experts who take part in open source, and this will continue to grow as the project scales and expands to more infrastructure as code platforms."
KICS is available for free today; the source code is published at https://github.com/Checkmarx/kics.