Overview¶
Checkmarx’s KICS Auto Scanning extension for VS Code runs KICS scans directly from the VS Code IDE. A scan is triggered automatically whenever an infrastructure file of a supported type is saved, whether manually or by auto-save, and it covers only the file that is open in the editor.
The results are shown in the VS Code console, making it easy to remediate the vulnerabilities that are detected.
📝 KICS (Keeping Infrastructure as Code Secure) is a free, open source solution developed by Checkmarx and the open source community for static code analysis of IaC. KICS automatically parses common IaC files to detect insecure configurations that could expose your applications, data, or services to attack. KICS finds security vulnerabilities, compliance issues, and infrastructure misconfigurations in the following IaC solutions: Terraform, Kubernetes, Docker, AWS CloudFormation, Ansible, and Helm. See KICS - Open Source Solution
❗️This is a free tool provided by Checkmarx for all VS Code users, and does not require the user to submit credentials for a Checkmarx AST account. This feature is bundled together with the Checkmarx extension, which is used by authenticated AST users to import scan results into their VS Code IDE.
The plugin is available on the VS Code Marketplace. In addition, the source code can be accessed here.
Main Features¶
Free tool, no Checkmarx account required
Run scans directly from your IDE
Scans are triggered automatically whenever a file is saved
Prerequisites¶
You must have Docker installed and running in your environment (KICS is run in a container, so a scan cannot start if the Docker daemon is not available).
Installing the KICS Auto Scanning Extension¶
To install the extension from marketplace:
- Open Visual Studio Code.
- In the main navigation, click on the Extensions icon.
- Search for Checkmarx, then click Install for the Checkmarx plugin.
The Checkmarx extension is installed and the Checkmarx icon appears in the left-side navigation panel.
Configuring the Extension¶
The extension is activated automatically upon installation and no configuration is required.
❗️It is not necessary to configure the Checkmarx AST Authentication settings in order to use the KICS Auto Scanning feature.
If you would like to customize the scan settings, use the following procedure:
- In VS Code, go to Settings > Extensions > Checkmarx > Checkmarx KICS Auto Scanning.
- By default the extension runs a KICS scan whenever an infrastructure file of a supported type that is open in your editor is saved. To disable automatic scanning, deselect the Activate KICS Auto Scanning checkbox. Note: in this case you can still trigger scans manually from the command palette, as described below.
- To customize the scan parameters, enter the desired flags in the Additional Parameters field. For a list of available options, see Scan Command Options.
Triggering a Scan Manually¶
You can trigger a scan manually for the file that is open in your editor by opening the command palette and entering Checkmarx-ast: Run kics realtime scan (you can type part of the command name and select the command from the list).
Viewing KICS Results¶
Viewing the Results Summary¶
When a scan is completed, a summary of the number of vulnerabilities identified by severity level is shown in the OUTPUT section of the VS Code console.
Example of results summary:
[CxINFO - 2:04:47 PM] Results summary:
"Total Results": 141,
"HIGH": 10,
"INFO": 4,
"LOW": 62,
"MEDIUM": 65
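The summary above is what the extension prints in the OUTPUT pane. The same engine can also be run outside the editor (for example in a pre-commit hook or a CI job) with the KICS `--report-formats json` option, which writes the per-severity counts together with every finding to a results.json file. The following is an added example, not code from the extension or from KICS, that goes beyond the editor view: it recomputes the summary from the report's query list instead of trusting the pre-computed counters, flattens the findings to file:line so they can be compared with the editor highlights, and applies a fail-on threshold in the spirit of the KICS `--fail-on` flag. The results.json layout it relies on (`severity_counters`, `total_counter`, `queries[].files[].file_name` and `line`) is an assumption stated in the docstring, and the sample report is constructed by hand.

```python
"""Summarise a KICS JSON report and decide whether it should fail a gate.

Added example for this page; it is not code from the Checkmarx VS Code
extension or from KICS. It assumes the layout of the results.json that
`kics scan --report-formats json --output-path <dir>` writes: a
"severity_counters" object, a "total_counter" integer and a "queries" list
whose entries carry "severity", "query_name" and a "files" list with
"file_name" and "line". Fields not used here are left out, and the sample
report below is constructed by hand, not real scanner output.
"""
import json
from collections import Counter

# Display order used by the extension's summary and the editor highlights.
SEVERITY_ORDER = ("HIGH", "MEDIUM", "LOW", "INFO")

# Constructed sample in the KICS results.json shape; every value is made up.
SAMPLE_REPORT = json.dumps({
    "files_scanned": 2,
    "total_counter": 4,
    "severity_counters": {"HIGH": 1, "MEDIUM": 2, "LOW": 1, "INFO": 0, "TRACE": 0},
    "queries": [
        {
            "query_name": "S3 Bucket ACL Allows Read to All Users",
            "severity": "HIGH",
            "files": [
                {"file_name": "main.tf", "line": 12,
                 "expected_value": "'acl' is not 'public-read'",
                 "actual_value": "'acl' is 'public-read'"},
            ],
        },
        {
            "query_name": "Security Group Ingress Open to 0.0.0.0/0",
            "severity": "MEDIUM",
            "files": [
                {"file_name": "network.tf", "line": 8,
                 "expected_value": "cidr_blocks is not 0.0.0.0/0",
                 "actual_value": "cidr_blocks is 0.0.0.0/0"},
                {"file_name": "network.tf", "line": 21,
                 "expected_value": "cidr_blocks is not 0.0.0.0/0",
                 "actual_value": "cidr_blocks is 0.0.0.0/0"},
            ],
        },
        {
            "query_name": "Resource Without Tags",
            "severity": "LOW",
            "files": [
                {"file_name": "main.tf", "line": 3,
                 "expected_value": "'tags' is defined",
                 "actual_value": "'tags' is undefined"},
            ],
        },
    ],
})


def load_report(text):
    """Parse a results.json document into a dict."""
    return json.loads(text)


def findings(report):
    """Flatten the report to (severity, query_name, file_name, line) rows,
    ordered by severity, then file and line, i.e. the order in which a
    reviewer would walk the editor highlights."""
    rows = []
    for query in report.get("queries", []):
        sev = query["severity"].upper()
        for hit in query.get("files", []):
            rows.append((sev, query["query_name"], hit["file_name"], int(hit["line"])))

    def rank(row):
        sev = row[0]
        pos = SEVERITY_ORDER.index(sev) if sev in SEVERITY_ORDER else len(SEVERITY_ORDER)
        return (pos, row[2], row[3])

    return sorted(rows, key=rank)


def severity_summary(report):
    """Recount findings per severity from the query list and return them in
    the same shape as the extension's OUTPUT summary."""
    counts = Counter(row[0] for row in findings(report))
    summary = {sev: counts.get(sev, 0) for sev in SEVERITY_ORDER}
    summary["Total Results"] = sum(counts.values())
    return summary


def counters_consistent(report):
    """Check that the pre-computed counters in the report match a recount;
    a mismatch means the file was truncated or edited."""
    recount = severity_summary(report)
    declared = {k.upper(): v for k, v in report.get("severity_counters", {}).items()}
    return (all(declared.get(sev, 0) == recount[sev] for sev in SEVERITY_ORDER)
            and report.get("total_counter") == recount["Total Results"])


def should_fail(report, fail_on=("HIGH", "MEDIUM")):
    """True when any finding has a severity listed in fail_on (same idea as
    the KICS --fail-on flag, which takes a list of severities)."""
    wanted = {s.upper() for s in fail_on}
    return any(row[0] in wanted for row in findings(report))


if __name__ == "__main__":
    rep = load_report(SAMPLE_REPORT)
    print(json.dumps(severity_summary(rep), indent=2))
    for sev, name, path, line in findings(rep):
        print(f"{sev:<6} {path}:{line}  {name}")
    raise SystemExit(1 if should_fail(rep) else 0)
```

Run as a script the block exits non-zero because the constructed report contains HIGH and MEDIUM findings; pass `fail_on=("HIGH",)` to `should_fail` to gate only on the findings the editor shows in red.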
Viewing KICS Vulnerability Details¶
Detailed information about the vulnerabilities that were detected is shown in the file editor window. The vulnerable code is highlighted according to the severity level of the vulnerability, as follows:
- High - red
- Medium - orange
- Low - blue
- Info - green
Hover over the vulnerable code to show a tooltip with detailed info about the vulnerability.
YouTube Demo¶
https://youtu.be/sFD-9CQXfs0