KICS Accuracy Benchmark

The values below were obtained after scanning 150 open source projects with KICS (1.2.x) covering the supported IaC technologies (c.f., Terraform, Ansible, Kubernetes, Docker, AWS Cloudformation).

IaC Technology Query Accuracy1 Query Coverage2 Scanned IaC files​ Number of Results​ Average Scan Time​ (s) Average Project Size (MB)
Terraform​ 99.7%​ 46% 1176​ 709 6.6 33.4​
Docker​ 98.8%​​ 68%​ 1017​ 5109 11 0.7
Kubernetes​ 99.3%​​ 88.7%​ 6089​ 21753 7 90
CloudFormation​ 95%​ 73%​ 1769​ 5343 10.2 4.8
Ansible ​ 100% ​ 54%​ 3367​ 1320 23.3 4.1

1 Query Accuracy = TP results / results

2 Query Coverage = Query with results / Queries



Global Measures

Measure Value
Average Accuracy 98.6%
Total Number of Results 34234
Average Query Coverage 66.4%
Total Scanned IaC Files 13418
Average Scan Time (s) 11.2
Average Project Size (MB) 26.6

KICS Profiling

Running Kics with --profiling flag will log the CPU/MEM metrics used for:

  • Getting Queries
  • Parsing Files
  • Scanning Vulnerabilities
  • Generating Reports

Keep in mind that profiling will periodically stop KICS to retrieve the wanted metrics, meaning KICS execution time will increase substantially.


CPU Profiling

Flag: --profiling CPU

9:43AM INF Scanning with Keeping Infrastructure as Code Secure dev
9:43AM INF Total CPU usage for get_queries: 6.56s <-
9:43AM INF Inspector initialized, number of queries=1385
9:43AM INF Total CPU usage for get_sources: 200.00ms <-
9:43AM INF Total CPU usage for inspect: 15.43s <-
9:43AM INF Results saved to file results/results.json fileName=results.json
9:43AM INF Results saved to file results/results.sarif fileName=results.sarif
9:43AM INF Results saved to file results/results.html fileName=results.html
9:43AM INF Total CPU usage for generate_report: 290.00ms <-
9:43AM INF Files scanned: 221
9:43AM INF Parsed files: 221
9:43AM INF Queries loaded: 1385
9:43AM INF Queries failed to execute: 0
9:43AM INF Inspector stopped
9:43AM INF Scan duration: 21.1476197s

MEM Profiling

Flag: --profiling MEM

9:43AM INF Scanning with Keeping Infrastructure as Code Secure dev
9:43AM INF Total MEM usage for get_queries: 237.96MB <-
9:43AM INF Inspector initialized, number of queries=1385
9:43AM INF Total MEM usage for get_sources: 280.53MB <-
9:43AM INF Total MEM usage for inspect: 335.44MB <-
9:43AM INF Results saved to file results/results.json fileName=results.json
9:43AM INF Results saved to file results/results.sarif fileName=results.sarif
9:43AM INF Results saved to file results/results.html fileName=results.html
9:43AM INF Total MEM usage for generate_report: 333.38MB <-
9:43AM INF Files scanned: 221
9:43AM INF Parsed files: 221
9:43AM INF Queries loaded: 1385
9:43AM INF Queries failed to execute: 0
9:43AM INF Inspector stopped
9:43AM INF Scan duration: 21.1476197s