Skip to main content

KICS Auto Scanning Extension for Visual Studio Code

Overview

Checkmarx’s KICS Auto Scanning extension for VS Code initiates KICS scans directly from the VS Code console. The scan runs automatically whenever an infrastructure file of a supported type is opened in VS Code. The file is rescanned each time that it is saved, either manually or by auto-save. The scan runs only on the file that is open in the editor.

The results are shown in the VS Code console, making it easy to remediate the vulnerabilities that are detected.

Note

KICS (Keeping Infrastructure as Code Secure) is a free, open source solution developed by Checkmarx and the open source community for static code analysis of IaC. KICS automatically parses common IaC files to detect insecure configurations that could expose your applications, data, or services to attack. KICS finds security vulnerabilities, compliance issues, and infrastructure misconfigurations in the following IaC solutions: Terraform, Kubernetes, Docker, AWS CloudFormation, Ansible, and Helm.

See KICS - Open Source Solution

Notice

This is a free tool provided by Checkmarx for all VS Code users, and does not require the user to submit credentials for a Checkmarx One account. This feature is bundled together with the Checkmarx extension, which is used by authenticated Checkmarx One users to import scan results into their VS Code IDE.

The plugin is available on marketplace. In addition, the code can be accessed here.

Main Features

  • Free tool, no Checkmarx account required

  • Run scans directly from your IDE

  • Scans are triggered automatically whenever a file is saved

  • Apply Auto Remediation to remediate IaC risks

Prerequisites

You must have Docker installed and running in your environment

Installing the KICS Auto Scanning Extension

To install the extension from marketplace:

  1. Open Visual Studio Code.

  2. In the main navigation, click on the Extensions icon.

  3. Search for theCheckmarxplugin, then clickInstallfor the plugin.

    6466371743.png

    The Checkmarx extension is installed and the Checkmarx icon appears in the left-side navigation panel.

    6466076856.png

Configuring the Extension

The extension is activated automatically upon installation and no configuration is required.

Notice

It is not necessary to configure the Checkmarx One Authentication settings in order to use the KICS Auto Scanning feature.

If you would like to customize the scan settings, you can use the following procedure:

  1. In the VS Code console, go to Settings > Extensions > Checkmarx > Checkmarx KICS Auto Scanning.

    6466142452.png
  2. By default the extension is configured to run a KICS scan whenever an infrastructure file of a supported type is opened or saved. If you would like to disable automatic scanning, deselect the Activate KICS Auto Scanning checkbox.

    Notice

    In this case, you will still be able to trigger scans manually from the command palette, as described below.

  3. If you would like to customize the scan parameters, enter the desired flags in the Additional Parameters field. For a list of available options, see Scan Command Options.

Scanning IaC Files

A scan runs automatically whenever an infrastructure file of a supported type is opened in VS Code. The file is rescanned each time that it is saved, either manually or by auto-save.

In addition, you can trigger a scan manually for the file that is open in your editor by opening the command palette and entering Checkmarx-ast: Run kics realtime scan ( you can enter search text and select the command).

Viewing KICS Results

Viewing KICS Vulnerabilities

Risks identified by KICS are shown in the file editor window with the KICS label and the severity level shown above the vulnerable code. The risks detected by KICS are also shown in the PROBLEMS section of the VS Code console.

kics_vscode02.png

Hover over the vulnerable code to show a tooltip with detailed info about the vulnerability.

kics_cscode03.png

Auto Remediation for IaC

KICS automatically generates recommended actions for remediating each risk. You can easily implement these changes in your code, by selecting the Quick Fix link in the hover window.

Notice

This feature is currently supported only for Terraform projects.

kics_vscode04.png

The dialog that opens, enables you to remediate the selected risk. In addition, where relevant, the dialog offers the option to remediate all risks in the specified line or in the entire file.

kics_vscode05.png

Viewing the Results Summary

When a scan is completed, a summary of the number of vulnerabilities identified, by severity level, is shown in the Checkmarx OUTPUT section of the VS Code console.

Image_705.png