Skip to content



There are multiple ways to get KICS up and running:


KICS is available as a Docker image and can be used as follows:

To scan a directory/file on your host you have to mount it as a volume to the container and specify the path on the container filesystem with the -p KICS parameter (see Scan Command Options section below)

docker pull checkmarx/kics:latest
docker run -v {​​​​path_to_host_folder_to_scan}​​​​:/path checkmarx/kics:latest scan -p "/path" -o "/path/"

You can see the list of available tags in dockerhub

ℹ️ UBI Based Images

When using UBI7 based image, the KICS process will run under the kics user and kics group with default UID=1000 and GID=1000, when using bind mount to share host files with the container, the UID and GID can be overriden to match current user with the -u flag that overrides the username:group or UID:GID. e.g:

docker run -it -u $UID:$GID -v $PWD:/path checkmarx/kics:ubi7 scan -p /path/assets/queries/dockerfile -o /path -v

Another option is rebuilding the dockerfile providing build arguments e.g: --build-arg UID=999 --build-arg GID=999 --build-arg KUSER=myuser --build-arg KUSER=mygroup


KICS is avaiable on Checkmarx homebrew-tap. It can be used as follows:

brew install Checkmarx/tap/kics 

To use KICS default queries add KICS_QUERIES_PATH env to your ~/.zshrc, ~/.zprofile:

echo 'export KICS_QUERIES_PATH=/usr/local/opt/kics/share/kics/assets/queries' >> ~/.zshrc

Custom Queries

You can provide your own path to the queries directory with -q CLI option (see CLI Options section below), otherwise the default directory will be used The default ./assets/queries is built-in in the image. You can use this to provide a path to your own custom queries. Check create a new query guide to learn how to define your own queries.

One-liner Install Script

Run the following command to download and install kics. It will detect your current OS and download the appropriate binary package, defaults installation to ./bin and the queries will be placed alongside the binary in ./bin/assets/queries:

curl -sfL '' | bash

If you want to place it somewhere else like /usr/local/bin:

sudo curl -sfL '' | bash -s -- -b /usr/local/bin


KICS release process is pretty straightforward. When we're releasing a new version, we'll pack KICS executables for Linux, Windows and macOS operating systems. Our security queries will be included in the ZIP files and tarballs, so that you can scan your IaC code with the out-of-the-box queries.

So all you need is:

  1. Go to KICS releases
  2. Download KICS binaries based on your OS
  3. Extract files
  4. Run kics executable with the cli options as described below (note that kics binary should be located in the same directory as queries directory) shell ./kics scan -p '<path-of-your-project-to-scan>' -o '<output-results.json>'

Build from Sources

  1. Download and install Go from
  2. Clone the repository: shell git clone
  3. Build the binaries: shell cd kics make build
  4. Kick a scan! shell ./bin/kics scan -p '<path-of-your-project-to-scan>' --report-formats json -o ./results

Note: KICS does not execute scan by default anymore.

Next Steps