Skip to content

Technologies

KICS support scanning multiple technologies, in the next sections you will find more details about each technology.

Ansible

KICS supports scanning Ansible files with .yaml extension.

CDK

AWS Cloud Development Kit is a software development framework for defining cloud infrastructure in code and provisioning it through AWS CloudFormation.

It has all the advantages of using AWS CloudFormation.

KICS currently support scanning AWS Cloudformation templates. In this guide, we will describe how to scan a simple CDK defined infrastructure following the Working With the AWS CDK in Go documentation.

Make sure all prerequisites are met.

Create a project

  1. Create a new CDK project using the CLI. e.g:
mkdir test-cdk
cd test-cdk
cdk init app --language go
  1. Download dependencies
go mod download
  1. Synthetize CloudFormation template
cdk synth > cfn-stack.yaml
  1. Execute KICS against the template and check the results. Note that KICS will recognized it as CloudFormation (for queries purpose).
docker run -v $PWD/cfn-stack.yaml:/path/cfn-stack.yaml -it checkmarx/kics:latest scan -p /path/cfn-stack.yaml

CloudFormation

KICS supports scanning CloudFormation templates with .json or .yaml extension.

Docker

KICS supports scanning Docker files named Dockerfile or with .dockerfile extension.

Helm

KICS supports scanning Helm by rendering charts and running Kubernetes queries against the rendered manifest.

The charts file structure must be as explained by Helm: https://helm.sh/docs/topics/charts/#the-chart-file-structure.

Results are displayed against original Helm files:

Service With External Load Balance, Severity: MEDIUM, Results: 1
Description: Service has an external load balancer, which may cause accessibility from other networks and the Internet
Platform: Kubernetes

        [1]: /charts/nginx-ingress/templates/controller-service.yaml:20

                019:     release: {{ template "nginx-ingress.releaseLabel" . }}
                020:   name: {{ template "nginx-ingress.controller.fullname" . }}
                021: spec:

Kubernetes

KICS supports scanning Kubernetes manifests with .yaml extension.

OpenAPI

KICS supports scanning Swagger 2.0 and OpenAPI 3.0 specs with .json and .yaml extension.

Terraform

KICS supports scanning Terraform's HCL files with .tf extension and input variables using terraform.tfvars or files with .auto.tfvars extension that are in same directory of .tf files.

Limitations

Ansible

At the moment, KICS does not support a robust approach to identifying Ansible samples. The identification of these samples is done through exclusion. When a YAML sample is not a CloudFormation, Helm, Kubernetes or OpenAPI sample, KICS recognize it as Ansible.

Thus, KICS recognize other YAML samples (that are not Ansible) as Ansible, e.g. GitHub Actions samples. However, you can ignore these samples by writing #kics-scan ignore on the top of the file. For more details, please read this documentation.

Terraform

Although KICS support variables and interpolations, KICS does not support functions and enviroment variables. In case of variables used as function parameters, it will parse as wrapped expression, so the following function call:

resource "aws_launch_configuration" "example" {
  image_id      = data.aws_ami.ubuntu.id
  instance_type = "${concat(list("${var.name}", "${var.other_name}"), var.node_tags)}"
  spot_price    = var.price
  user_data_base64 = "${var.data}=="
}

Considering var.data = "a123B" and var.price = 1.023, it would be parsed like the following example:

resource "aws_launch_configuration" "example" {
  image_id      = data.aws_ami.ubuntu.id
  instance_type = "${concat(list("${var.name}", "${var.other_name}"), var.node_tags)}"
  spot_price    = 1.023
  user_data_base64 = "a123B=="
}