KICS (Keeping Infrastructure as Code Secure) is a free, open source solution for static code analysis of IaC. It’s like magic.
Developed by Checkmarx and the open source community, KICS is simple to install, run, and integrate into your CI, and understanding your results is easy.

Free, Fast, Scalable Open Source IaC Scanning

KICS automatically parses common IaC files of any type to detect insecure configurations that could expose your applications, data, or services to attack.

That means you can let anyone on your team write IaC files, and then vet the files to ensure they are secure before rolling them out. Instead of setting security guidelines in your IT governance policies and hoping engineers and developers follow them when creating IaC files, you can automatically enforce IaC security with KICS.

Plus, because KICS is an open source tool that supports all mainstream IaC platforms—Terraform, CloudFormation, Ansible, Helm, and more—and integrates with a variety of software development tools, it makes it possible to add IaC security scanning to your existing workflows without friction. Now, your developers don’t have to slow down to ensure IaC security.


Enforce API Design Best Practices

KICS is not just a tool for securing individual IaC files. It goes further, assessing your overall API design for misconfigurations, allowing you to identify risks in path definitions, authentication schema, and transport encryption.

That means you can set API security standards for your organization and enforce them through IaC scanning. KICS runs scans automatically at application build time, so you can systematically review your APIs without slowing down your software delivery pipeline.

You can take full advantage of APIs and ensure they can evolve over time to meet changing needs without exposing your applications to API security flaws.


A Highly Extensible Solution

As an open source, platform-agnostic IaC scanning tool, KICS can grow seamlessly along with your development and deployment operations.

Developers can extend KICS with new checks using a simple, industry-standard query language. In addition, they can quickly onboard new items to automated scanning workflows while also extending IaC scanning capabilities into new parts of their application stack or new types of IaC resources by taking advantage of KICS’ modular design.

KICS offers a flexible, extensible solution for integrating IaC security scanning into your existing software delivery cycle. With KICS, you can keep moving fast and scaling up without worrying that IaC files are spreading security vulnerabilities across your environment.

Suggested Platforms

KICS finds security vulnerabilities, compliance issues, and infrastructure misconfigurations in the following IaC solutions: Terraform, Kubernetes, Docker, AWS CloudFormation, Ansible, and Helm. We’ve recently expanded KICS’ functionality to include OpenAPI 3.0 specifications through the OpenAPI Initiative (formerly Swagger), with over 1,500 editable queries available.


KICS is:


KICS finds security vulnerabilities, compliance issues, and infrastructure misconfigurations in popular IaC solutions and OpenAPI 3.0 specifications.

Open Source

KICS is open source and always will be. Both the scanning engine and the security queries are clear and open to the software development community.


1,500+ fully customizable and adjustable heuristic rules, or queries, can be easily edited, extended, and added to. What’s more, our robust but simple architecture allows for support of new IaC solutions.


KICS is an open source community project, and anyone can contribute. Start making a difference in minutes by sharing your expertise with our community of thousands of security experts and software developers.


Explore our product documentation for installation and integration instructions to get you up and running quickly. You can also take the next step and explore our contribution options and roadmap.


KICS is powered by Checkmarx—the global Application Security Testing leader—in partnership with the open source community.

Protect Your Organization Better Today—for Free

Download KICS and protect your IaC, your APIs, and your entire organization from flaws and misconfigurations.