Installation
Installation¶
There are multiple ways to get KICS up and running:
Docker¶
KICS is available as a Docker image and can be used as follows:
To scan a directory/file on your host you have to mount it as a volume to the container and specify the path on the container filesystem with the -p KICS parameter (see Scan Command Options section below)
docker pull checkmarx/kics:latest
docker run -t -v "{path_to_host_folder_to_scan}":/path checkmarx/kics scan -p /path -o "/path/"
You can see the list of available tags in dockerhub
ℹ️ UBI Based Images
When using UBI8 based image, the KICS process will run under the kics
user and kics
group with default UID=1000 and GID=1000, when using bind mount to share host files with the container, the UID and GID can be overriden to match current user with the -u
flag that overrides the username:group or UID:GID. e.g:
docker run -it -u $UID:$GID -v $PWD:/path checkmarx/kics:ubi8 scan -p /path/assets/queries/dockerfile -o /path -v
Another option is rebuilding the dockerfile providing build arguments e.g: --build-arg UID=999 --build-arg GID=999 --build-arg KUSER=myuser --build-arg KUSER=mygroup
Build from Sources¶
- Download and install Go from https://golang.org/dl/
- Clone the repository:
shell git clone https://github.com/Checkmarx/kics.git
- Build the binaries:
shell cd kics make build
- Kick a scan!
shell ./bin/kics scan -p '<path-of-your-project-to-scan>' --report-formats json -o ./results
[Deprecated] Homebrew¶
KICS is available on Checkmarx homebrew-tap only for versions until 1.5.1. It can be used as follows:
brew install Checkmarx/tap/kics
To use KICS default queries add the KICS_QUERIES_PATH environmental variable to your shell profile, e.g:
echo 'export KICS_QUERIES_PATH=/usr/local/opt/kics/share/kics/assets/queries' >> ~/.zshrc
Custom Queries¶
You can provide your own path to the queries directory with -q
CLI option (see CLI Options section below), otherwise the default directory will be used The default ./assets/queries is built-in in the image. You can use this to provide a path to your own custom queries. Check create a new query guide to learn how to define your own queries.
Password and Secrets¶
Since the Password and Secrets mechanism uses generic regexes, we advise you to tweak the rules of the secret to your context. Please, see the Password and Secrets documentation to know how you can use your own rules.
Note: KICS does not execute scan by default as of version 1.3.0.
Note: KICS deprecated the availability of binaries in the GitHub releases assets as of version 1.5.2, it is advised to update all systems (pipelines, integrations, etc.) to use the KICS Docker Images.
Next Steps¶
- Understand how to configure KICS so you can have a better KICS experience.
- Explore KICS commands to see what you can do with KICS.
- Explore supported platforms to see which files you can scan with KICS.
- Explore the queries internals for better understanding how KICS works.
- Create a new query to learn how to create your own custom queries.
- Explore the output results format and quickly fix the issues detected.
- Contribute if you want to go the extra mile.