Since we first made KICS (Keeping Infrastructure as Code Secure) by Checkmarx available in November of 2020, we’ve seen over one million downloads, and the counter keeps clicking. In fact, KICS has been so effective and so popular that it was integrated into version 14.5 of the GitLab DevOps Platform as its default infrastructure-as-code scanning tool. As one developer said on Twitter: “IMO, KICS is one of the best IaC open source solution[s].”
After more than a million downloads, are there new capabilities to tempt developers who need to scan IaC files to detect insecure configurations that could expose applications, data, and services to attack? In a word: yes. In this blog post, we’ll focus on the auto-remediation capability that was made available in version 1.6. Here’s a video demonstration explaining how it works.
How to Use Auto-remediation
As shown in the video demonstration above, Checkmarx KICS auto-remediation is available within the free Checkmarx One™ Visual Studio Code plugin. This is a free tool provided by Checkmarx for all VS Code users, and does not require the user to submit credentials for a Checkmarx One™ account. With both the plugin and Docker installed on your local machine, it detects supported Infrastructure-as-Code (IaC) file types and initiates a KICS scan automatically.
Upon scan completion, the plugin highlights findings and recommendations within the IaC file and, with a single click, lets you apply the KICS remediation recommendations automatically to secure your IaC. To learn more, check out the KICS Auto Scanning Extension for Visual Studio Code documentation.
If you’re not using VS Code as your IDE or don’t want to install the plugin, you can use auto-remediation within KICS itself for simple one-line replacements and additions.
The first step is to scan your project/file and generate a JSON report.
docker run -v /home/cosmicgirl/:/path/ kics scan -p /path/sample.tf -i "41a38329-d81b-4be4-aef4-55b2615d3282,a9dfec39-a740-4105-bbd6-721ba163c053,2bb13841-7575-439e-8e0a-cccd9ede2fa8" --no-progress -o /path/results --report-formats json
If KICS provides a remediation for a result, it will define the fields remediation and remediation_type. Here’s an example:
If your JSON report contains any result with a remediation, run the new KICS command, remediate. To let KICS remediate every reported issue, simply run:
docker run -v /home/cosmicgirl/:/path/ kics remediate --results /path/results/results.json -v
To restrict which findings KICS should fix, use the --include-ids flag and pass it the similarity_id of each result you want remediated. For example:
docker run -v /home/cosmicgirl/:/path/ kics remediate --results /path/results/results.json --include-ids "f282fa13cf5e4ffd4bbb0ee2059f8d0240edcd2ca54b3bb71633145d961de5ce" -v
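One way to decide which similarity_id values to pass to --include-ids, as an added example that is not part of the original post or of KICS itself: a short Python script that reads a results.json, keeps only the findings that carry both remediation and remediation_type, optionally filters them by severity or by remediation type, and prints the comma-separated list in the form the flag expects. The report layout (a queries array whose files entries hold similarity_id, remediation and remediation_type), the query names and the sample report embedded below are constructed assumptions modelled on KICS output, so check the field names against your own report before relying on them.

```python
import json

# Constructed sample modelled on a KICS JSON report (not real scanner output).
# The layout queries -> files -> similarity_id/remediation/remediation_type is an
# assumption; verify it against the results.json your own scan produced.
SAMPLE_REPORT = json.dumps({
    "queries": [
        {
            "query_name": "S3 Bucket Without Versioning",  # constructed name
            "severity": "MEDIUM",
            "files": [{
                "file_name": "/path/sample.tf",
                "line": 12,
                "similarity_id": "11" * 32,  # constructed 64-hex-char id
                "remediation_type": "addition",
                "remediation": json.dumps({"snippet": "versioning {\n  enabled = true\n}"}),
            }],
        },
        {
            "query_name": "Security Group Open To Any",  # constructed name
            "severity": "HIGH",
            "files": [{
                "file_name": "/path/sample.tf",
                "line": 40,
                "similarity_id": "22" * 32,
                "remediation_type": "replacement",
                "remediation": json.dumps({"before": '"0.0.0.0/0"', "after": '"10.0.0.0/16"'}),
            }],
        },
        {
            # A finding KICS reports but cannot fix: no remediation fields at all.
            "query_name": "Resource Not Using Tags",  # constructed name
            "severity": "INFO",
            "files": [{
                "file_name": "/path/sample.tf",
                "line": 3,
                "similarity_id": "33" * 32,
            }],
        },
    ]
})


def load_findings(report_text):
    """Flatten queries -> files into one record per finding."""
    report = json.loads(report_text)
    findings = []
    for query in report.get("queries", []):
        for hit in query.get("files", []):
            findings.append({
                "query": query.get("query_name"),
                "severity": query.get("severity"),
                "file": hit.get("file_name"),
                "line": hit.get("line"),
                "similarity_id": hit.get("similarity_id"),
                "remediation_type": hit.get("remediation_type"),
                "remediation": hit.get("remediation"),
            })
    return findings


def remediable(findings, types=None, severities=None):
    """Keep only findings KICS can fix, optionally narrowed by type or severity."""
    selected = []
    for finding in findings:
        if not (finding["remediation"] and finding["remediation_type"]):
            continue
        if types and finding["remediation_type"] not in types:
            continue
        if severities and finding["severity"] not in severities:
            continue
        selected.append(finding)
    return selected


def include_ids(findings):
    """Comma-separated similarity_ids for --include-ids, deduplicated, order kept."""
    ids = []
    for finding in findings:
        sid = finding["similarity_id"]
        if sid and sid not in ids:
            ids.append(sid)
    return ",".join(ids)


def describe(finding):
    """One line per fix so the change can be reviewed before KICS rewrites the file."""
    try:
        change = json.loads(finding["remediation"])  # KICS stores it as a JSON string
    except (TypeError, ValueError):
        change = finding["remediation"]
    return (f"{finding['severity']:<6} {finding['file']}:{finding['line']} "
            f"{finding['query']} [{finding['remediation_type']}] {change}")


if __name__ == "__main__":
    fixable = remediable(load_findings(SAMPLE_REPORT), severities={"HIGH", "MEDIUM"})
    for finding in fixable:
        print(describe(finding))
    print(f'--include-ids "{include_ids(fixable)}"')
```

Because the remediate command edits your IaC source in place, run the script first, read the one-line summaries, and only then paste the printed --include-ids value into the docker run command above; reviewing the resulting diff in version control before committing keeps the automatic change auditable.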
Have you downloaded KICS yet? You can do that right here. Want more KICS tips and tricks? Check out these other resources: