Skip to content

Configuration

Configuration File

KICS allow you to provide all configurations either as command line arguments or as code.

Here is a Configuration file example:

{
  "path": "assets/iac_samples",
  "verbose": true,
  "log-file": true,
  "type": "Dockerfile,Kubernetes",
  "queries-path": "assets/queries",
  "exclude-paths": [
     "foo/",
     "bar/",
  ],
  "output-path": "results"
}

The same example now in YAML format passing type as an array of strings:

path: assets/iac_samples
verbose: true
log-file: true
type:
  - Dockerfile
  - Kubernetes
queries-path: "assets/queries"
exclude-paths:
  - "foo/"
  - "bar/"
output-path: "results"

πŸ“   flags that can receive multiple values can be either provided as a comma separated string or an array as in the example above


Supported Formats

KICS supports the following formats for the configuration files.

  • JSON
  • TOML
  • YAML
  • HCL

Notice that format is about the content and not the file extension.

KICS is able to infer the format without the need of file extension.


Templates

JSON Format

{
  "exclude-categories": "exclude categories by providing its name",
  "exclude-paths": "exclude paths or files from scan",
  "exclude-queries": "exclude queries by providing the query ID",
  "exclude-results": "exclude results by providing a list of similarity IDs of a result",
  "exclude-severities": "exclude results by providing the severity of a result",
  "libraries-path": "path to directory with libraries (default \"./assets/libraries\")",
  "log-file": true,
  "log-level": "INFO",
  "log-path": "path to the log file",
  "silent": false,
  "minimal-ui": false,
  "no-color": false,
  "no-progress": false,
  "output-name": "name used on report creations (default \"results\")",
  "output-path": "directory path to store reports",
  "path": "path to file or directory to scan",
  "payload-path": "file path to store source internal representation in JSON format",
  "preview-lines": 3,
  "queries-path": "path to directory with queries (default ./assets/queries) (default './assets/queries')",
  "report-formats": "formats in which the results will be exported (all, asff, codeclimate, csv, cyclonedx, glsast, html, json, junit, pdf, sarif, sonarqube) (default [json])",
  "type": "type of queries to use in the scan",
  "timeout": "number of seconds the query has to execute before being canceled",
  "verbose": true,
  "profiling": "enables performance profiler that prints resource consumption metrics in the logs during the execution (CPU, MEM)",
  "disable-full-descriptions": "disable request for full descriptions and use default vulnerability descriptions"
}

YAML Format

exclude-categories: "exclude categories by providing its name"
exclude-paths: "exclude paths or files from scan"
exclude-queries: "exclude queries by providing the query ID"
exclude-results: "exclude results by providing a list of similarity IDs of a result"
exclude-severities: "exclude results by providing the severity of a result"
libraries-path: "path to directory with libraries (default "./assets/libraries")"
log-file: true
log-level: INFO
log-path: path to the log file
minimal-ui: false
no-color: false
no-progress: false
output-name: "name used on report creations (default \"results\")"
output-path: "directory path to store reports"
path: "path to file or directory to scan"
payload-path: "file path to store source internal representation in JSON format"
preview-lines: 3
profiling: "enables performance profiler that prints resource consumption metrics in the logs during the execution (CPU, MEM)"
queries-path: "path to directory with queries (default ./assets/queries) (default './assets/queries')"
report-formats: "formats in which the results will be exported (all, asff, codeclimate, csv, cyclonedx, glsast, html, json, junit, pdf, sarif, sonarqube) (default [json])"
silent: false
type: "type of queries to use in the scan"
timeout: "number of seconds the query has to execute before being canceled"
verbose: true
disable-full-descriptions: "disable request for full descriptions and use default vulnerability descriptions"

TOML Format

exclude-categories = "exclude categories by providing its name"
exclude-paths = "exclude paths or files from scan"
exclude-queries = "exclude queries by providing the query ID"
exclude-results = "exclude results by providing a list of similarity IDs of a result"
exclude-severities = "exclude results by providing the severity of a result"
libraries-path = "path to directory with libraries (default \"./assets/libraries\")"
log-file = true
log-level = "INFO"
log-path = "path to the log file"
minimal-ui = false
no-color = false
no-progress = false
output-name = "name used on report creations (default \"results\")"
output-path = "directory path to store reports"
path = "path to file or directory to scan"
payload-path = "file path to store source internal representation in JSON format"
preview-lines = 3
profiling = "enables performance profiler that prints resource consumption metrics in the logs during the execution (CPU, MEM)"
queries-path = "path to directory with queries (default ./assets/queries) (default './assets/queries')"
report-formats = "formats in which the results will be exported (all, asff, codeclimate, csv, cyclonedx, glsast, html, json, junit, pdf, sarif, sonarqube) (default [json])"
silent = false
type = "type of queries to use in the scan"
timeout = "number of seconds the query has to execute before being canceled"
verbose = true
disable-full-descriptions = "disable request for full descriptions and use default vulnerability descriptions"

HCL Format

"exclude-categories" = "exclude categories by providing its name"
"exclude-paths" = "exclude paths or files from scan"
"exclude-queries" = "exclude queries by providing the query ID"
"exclude-results" = "exclude results by providing a list of similarity IDs of a result"
"exclude-severities" = "exclude results by providing the severity of a result"
"libraries-path" = "path to directory with libraries (default \"./assets/libraries\")"
"log-file" = true
"log-level" = "INFO"
"log-path" = "path to the log file"
"minimal-ui" = false
"no-color" = false
"no-progress" = false
"output-name" = "name used on report creations (default \"results\")"
"output-path" = "directory path to store reports"
"path" = "path to file or directory to scan"
"payload-path" = "file path to store source internal representation in JSON format"
"preview-lines" = 3
"profiling" = "enables performance profiler that prints resource consumption metrics in the logs during the execution (CPU, MEM)"
"queries-path" = "path to directory with queries (default ./assets/queries) (default './assets/queries')"
"report-formats" = "formats in which the results will be exported (all, asff, codeclimate, csv, cyclonedx, glsast, html, json, junit, pdf, sarif, sonarqube) (default [json])"
"silent" = false
"type" = "type of queries to use in the scan"
"timeout" = "number of seconds the query has to execute before being canceled"
"verbose" = true
"disable-full-descriptions" = "disable request for full descriptions and use default vulnerability descriptions"

How to Use

You can enclose all your configurations in a file and use it in two different ways.

Command Argument File

  1. Create a file with any name/any extension. For the sake of example, let's call it kics-config.json
  2. Add the necessary configurations as shown in the templates section in any of the supported formats.
  3. Pass the configuration file as argument:
docker run -v {​​​​path_to_kics_config}​​​​:/kics -v {path_to_host_folder_to_scan}:/path checkmarx/kics scan -p "/path" --config /kics/kics-config.json

Configuration as Code

  1. Create a file named kics.config and place it in the root of your project repository.
  2. Add the necessary configurations as shown in the templates section in any of the supported formats.
  3. Invoke KICS without arguments (KICS will search for the specific file in the root)
docker run -v {path_to_host_folder_to_scan}:/path checkmarx/kics scan -p "/path"

Note: If more than one path is given, KICS will warn that --config must be used to explicit decide.

Environment variables

KICS also accepts environment variables to fill flags values. To use it you just need to have the flag with a KICS_ prefix. For example:

  • To use path flag as environment variable, you should have KICS_PATH on your environment;
  • To use multiple names variables, like --output-path, you should use it with KICS_ and each word separated by _, e.g.: KICS_OUTPUT_PATH

Flags precedence

KICS will use the following precende to fill flags:

  • CLI flags
  • Environment variables
  • Configuration file