Checkmarx Unveils New Open Source IaC Scanning Engine

Software security solutions provider Checkmarx today launched a new open-source static analysis tool designed to help developers write more secure infrastructure-as-code (IaC). The new KICS (Keeping Infrastructure as Code Secure) solution expands Checkmarx's application security testing (AST) product line, providing a single platform for securing proprietary code, open source components, and critical infrastructure for both traditional and cloud-native applications.

IaC is the management of infrastructure in a "descriptive model" that generates the same environment every time it is applied. It emerged as a way to solve the problem of environment drift in the release pipeline, and has become a key DevOps practice supporting continuous delivery.

The adoption of IaC has been on the rise in recent years as organizations transition to the cloud and look for ways to make the provisioning of infrastructure faster and more scalable. But as a recent Verizon report ("2020 Data Breach Investigations Report") underscores, the benefits of IaC come with significant security, compliance, and configuration risks that developers are struggling to address. According to the report, error-related issues (e.g. misconfigurations and mis-deliveries) are now the second most common cause of data breaches.

The KICS tool was designed to detect vulnerabilities, hard-coded keys and passwords, compliance issues, and misconfigurations automatically from the start of the IaC build cycle, making it possible for developers to remediate these flaws before their code reaches production. This release of the KICS tool supports a range of IaC technologies, including Terraform, Kubernetes, Docker, AWS CloudFormation, and Ansible. KICS also offers more than 1,200 customizable and adjustable queries that cover more than a dozen categories ranging from encryption and key management to network port security.
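To make concrete the kind of checks described above (hard-coded credentials and network-port misconfigurations in Terraform), here is a small added illustration written for this article. It is not KICS code and does not use the KICS query format; it is a deliberately simple, regex-based scanner over a constructed Terraform-style sample, with the flawed configuration shown beside a corrected one that the same checks pass. The rule names, the `scan` function, and both sample files are assumptions made for the example.

```python
"""Toy IaC scanner: flags hard-coded credentials and admin ports open to
the world in Terraform-style text. Illustrative only; not KICS."""
import re
from dataclasses import dataclass
from typing import Dict, List

@dataclass(frozen=True)
class Finding:
    rule: str    # short rule id (names chosen for this example)
    line: int    # 1-based line number in the scanned text
    detail: str  # human-readable explanation

# Constructed sample that deliberately contains the issues we want to flag.
# The access key ID is AWS's documented placeholder value, not a real key.
SAMPLE_TF = '''\
provider "aws" {
  region     = "us-east-1"
  access_key = "AKIAIOSFODNN7EXAMPLE"
  secret_key = "wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY"
}

resource "aws_db_instance" "db" {
  engine   = "postgres"
  username = "admin"
  password = "SuperSecret123"
}

resource "aws_security_group" "ssh" {
  ingress {
    from_port   = 22
    to_port     = 22
    protocol    = "tcp"
    cidr_blocks = ["0.0.0.0/0"]
  }
  ingress {
    from_port   = 443
    to_port     = 443
    protocol    = "tcp"
    cidr_blocks = ["0.0.0.0/0"]
  }
}
'''

# Corrected version of the same configuration: credentials come from the
# environment or variables at apply time, and SSH is limited to a private range.
FIXED_TF = '''\
provider "aws" {
  region = "us-east-1"   # credentials supplied by environment or IAM role
}

resource "aws_db_instance" "db" {
  engine   = "postgres"
  username = "admin"
  password = var.db_password   # injected at apply time, not in source
}

resource "aws_security_group" "ssh" {
  ingress {
    from_port   = 22
    to_port     = 22
    protocol    = "tcp"
    cidr_blocks = ["10.0.0.0/8"]   # restricted to the private network
  }
}
'''

AWS_KEY_ID = re.compile(r"\bAKIA[0-9A-Z]{16}\b")
CRED_ASSIGN = re.compile(r'^\s*(password|secret_key|access_key)\s*=\s*"([^"]*)"')
INGRESS_OPEN = re.compile(r"^\s*ingress\s*\{")
ATTR = re.compile(r"^\s*(\w+)\s*=\s*(.+?)\s*$")
ADMIN_PORTS = {22, 3389}  # SSH and RDP

def _check_ingress(attrs: Dict[str, str], line: int) -> List[Finding]:
    """Flag an ingress block that exposes an admin port to any source address."""
    try:
        lo, hi = int(attrs.get("from_port", "0")), int(attrs.get("to_port", "0"))
    except ValueError:
        return []
    cidrs = attrs.get("cidr_blocks", "")
    if "0.0.0.0/0" in cidrs or "::/0" in cidrs:
        exposed = sorted(p for p in ADMIN_PORTS if lo <= p <= hi)
        if exposed:
            return [Finding("open-admin-port", line, f"ports {exposed} open to any address")]
    return []

def scan(text: str) -> List[Finding]:
    """Run the credential checks on every line and the port check per ingress block."""
    findings: List[Finding] = []
    in_ingress, depth, attrs, block_start = False, 0, {}, 0
    for lineno, raw in enumerate(text.splitlines(), start=1):
        line = raw.split("#", 1)[0]  # drop trailing HCL comments
        m = CRED_ASSIGN.match(line)
        if m:  # a sensitive attribute assigned a string literal
            findings.append(Finding("hardcoded-credential", lineno, f"{m.group(1)} is a literal"))
        if AWS_KEY_ID.search(line):
            findings.append(Finding("aws-access-key-id", lineno, "AWS access key ID pattern"))
        if not in_ingress and INGRESS_OPEN.match(line):
            in_ingress, depth, attrs, block_start = True, 1, {}, lineno
            continue
        if in_ingress:
            m = ATTR.match(line)
            if m:
                attrs[m.group(1)] = m.group(2).strip('"')
            depth += line.count("{") - line.count("}")
            if depth == 0:  # block closed: evaluate collected attributes
                findings.extend(_check_ingress(attrs, block_start))
                in_ingress = False
    return findings

if __name__ == "__main__":
    for name, text in (("SAMPLE_TF", SAMPLE_TF), ("FIXED_TF", FIXED_TF)):
        print(name, [(f.rule, f.line, f.detail) for f in scan(text)])
```

On the flawed sample the scanner reports three hard-coded credentials, one access-key-ID pattern, and one SSH ingress open to 0.0.0.0/0; the HTTPS ingress is left alone because port 443 is not in the admin-port set, and the corrected file produces no findings. A production scanner parses HCL properly instead of matching lines, but the shape of the checks is the same.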

"As development processes evolve and organizations accelerate their cloud adoption, developers are taking on more security responsibility while also delivering software faster than ever before," said Maty Siman, Checkmarx CTO and founder, in a statement. "This is an impossible balance to strike by solely relying on manual, time-consuming code reviews. KICS was built with this in mind, enabling development teams to automatically identify IaC issues when fixing is quickest, cheapest, and easiest. As the newest addition to the Checkmarx product portfolio, developers now have a single destination for securing all components that make up today's complex applications."

The list of KICS capabilities includes:

  • Built-in extensibility: KICS provides a large library of queries, all of which are customizable and adjustable. Plus, the KICS architecture allows for the quick addition of support for new IaC tools, the company says.
  • Community-sourced: As an open-source project, both the scanning engine and queries for KICS are clear and open to a community of thousands of security and DevOps experts and software developers--which makes it possible for KICS to scale at a rapid pace.
  • Seamless CI/CD integration: KICS can be integrated with any CI/CD pipeline, the company says, including GitHub Actions and GitLab CI. This means it can apply vulnerability and misconfiguration checks to IaC while keeping developers within their preferred tools.

Checkmarx is a strong advocate of open-source, and creating KICS "gives the community the opportunity to steer its direction and foster innovation across the industry," Siman said. "We're excited to watch this passionate community embrace and contribute to KICS as it becomes an essential addition to every developer's cloud-native security toolkit."

About the Author

John K. Waters is the editor in chief of a number of sites, with a focus on high-end development, AI and future tech. He's been writing about cutting-edge technologies and the culture of Silicon Valley for more than two decades, and he's written more than a dozen books. He also co-scripted the documentary film Silicon Valley: A 100 Year Renaissance, which aired on PBS. He can be reached at [email protected].