// the find
Checkmarx/kics
Find security vulnerabilities, compliance issues, and infrastructure misconfigurations early in the development cycle of your infrastructure-as-code with KICS by Checkmarx.
KICS (Keeping Infrastructure as Code Secure) is a static analysis tool that scans IaC files — Terraform, Kubernetes manifests, Dockerfiles, CloudFormation, Ansible, Helm, and about a dozen more — against a library of OPA/Rego rules to flag security misconfigurations before they reach production. It's backed by Checkmarx and is actively embedded in GitLab's built-in IaC scanning. Target audience is platform/DevOps engineers who want shift-left security without buying a commercial SAST product.
The query library is genuinely wide: 2,600+ rules across 20+ platforms, each with positive/negative test fixtures and a metadata.json that maps findings to CWE and severity — you're not just getting a grep, you're getting traceable results. Writing custom rules is straightforward Rego, and the existing queries are readable enough to copy-paste as a starting point. The Go binary is fast and ships as a single Docker image or a pre-commit hook, so CI integration is a `kics scan -p .` away. GitLab shipping this as their native IaC scanner is meaningful real-world validation that it handles messy, large repos without exploding.
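To show what a custom rule looks like, here is an added example query (mine, not one from the KICS repository) that flags Terraform `aws_s3_bucket` resources without an `owner` tag, following the layout of the built-in queries: a Rego file beside a `metadata.json` and positive/negative fixtures. The query UUID, description URL and CWE mapping are placeholders; `common_lib.valid_key`, `tf_lib.get_resource_name` and `common_lib.build_search_line` are helpers from the bundled generic libraries.

```rego
# Sidecar metadata.json in the same directory (placeholder id and URL):
# {
#   "id": "00000000-0000-0000-0000-000000000000",
#   "queryName": "S3 Bucket Without Owner Tag",
#   "severity": "LOW",
#   "category": "Best Practices",
#   "descriptionText": "Every aws_s3_bucket must carry an 'owner' tag so findings can be routed to a team",
#   "descriptionUrl": "https://example.invalid/policies/s3-owner-tag",
#   "platform": "Terraform",
#   "cloudProvider": "aws",
#   "cwe": "710"
# }

package Cx

import data.generic.common as common_lib
import data.generic.terraform as tf_lib

# Case 1: the bucket has no tags block at all.
CxPolicy[result] {
	bucket := input.document[i].resource.aws_s3_bucket[name]
	not common_lib.valid_key(bucket, "tags")

	result := {
		"documentId": input.document[i].id,
		"resourceType": "aws_s3_bucket",
		"resourceName": tf_lib.get_resource_name(bucket, name),
		"searchKey": sprintf("aws_s3_bucket[%s]", [name]),
		"issueType": "MissingAttribute",
		"keyExpectedValue": sprintf("'aws_s3_bucket[%s].tags.owner' should be defined", [name]),
		"keyActualValue": sprintf("'aws_s3_bucket[%s].tags' is undefined", [name]),
		"searchLine": common_lib.build_search_line(["resource", "aws_s3_bucket", name], []),
	}
}

# Case 2: tags exist but 'owner' is missing or blank.
CxPolicy[result] {
	bucket := input.document[i].resource.aws_s3_bucket[name]
	tags := bucket.tags
	not has_owner(tags)

	result := {
		"documentId": input.document[i].id,
		"resourceType": "aws_s3_bucket",
		"resourceName": tf_lib.get_resource_name(bucket, name),
		"searchKey": sprintf("aws_s3_bucket[%s].tags", [name]),
		"issueType": "IncorrectValue",
		"keyExpectedValue": sprintf("'aws_s3_bucket[%s].tags.owner' should be a non-empty string", [name]),
		"keyActualValue": sprintf("'aws_s3_bucket[%s].tags.owner' is missing or empty", [name]),
		"searchLine": common_lib.build_search_line(["resource", "aws_s3_bucket", name, "tags"], []),
	}
}

# True only when tags.owner is a non-blank string.
has_owner(tags) {
	is_string(tags.owner)
	count(trim_space(tags.owner)) > 0
}
```

Drop the directory into a custom queries path and point KICS at it with `-q`, then confirm the positive fixture produces exactly the expected results before wiring it into CI.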
OPA/Rego is not a natural fit for every IaC format — the parsers convert everything into a generic JSON AST before evaluation, which means false positives when the abstraction leaks (complex Terraform locals or dynamic blocks frequently confuse it). The rule set is maintained by Checkmarx engineers with community contributions, so newer providers (OpenTofu-specific resources, recent AWS services) lag behind what ships in the actual providers. There's no built-in auto-fix or remediation suggestion — you get a line number and a severity, then you're on your own. Documentation for writing queries references the internal AST format, but there is no formal schema for that format, so understanding it means reading the source and the existing queries.