kics
kics documentation
- Version in MegaLinter: 1.7.1
- Visit Official Web Site
- See How to configure kics rules
- See How to disable kics rules in files
- See Index of problems detected by kics
Configuration in MegaLinter
- Enable kics by adding REPOSITORY_KICS in ENABLE_LINTERS variable
- Disable kics by adding REPOSITORY_KICS in DISABLE_LINTERS variable
Variable | Description | Default value |
---|---|---|
REPOSITORY_KICS_ARGUMENTS | User custom arguments to add in linter CLI call. Ex: -s --foo "bar" | |
REPOSITORY_KICS_PRE_COMMANDS | List of bash commands to run before the linter | None |
REPOSITORY_KICS_POST_COMMANDS | List of bash commands to run after the linter | None |
REPOSITORY_KICS_UNSECURED_ENV_VARIABLES | List of env variables explicitly not filtered before calling REPOSITORY_KICS and its pre/post commands | None |
REPOSITORY_KICS_CONFIG_FILE | kics configuration file name. Use LINTER_DEFAULT to let the linter find it | kics.config |
REPOSITORY_KICS_RULES_PATH | Path where to find linter configuration file | Workspace folder, then MegaLinter default rules |
REPOSITORY_KICS_DISABLE_ERRORS | Run linter but consider errors as warnings | false |
REPOSITORY_KICS_DISABLE_ERRORS_IF_LESS_THAN | Maximum number of errors allowed | 0 |
REPOSITORY_KICS_CLI_EXECUTABLE | Override CLI executable | ['kics'] |
MegaLinter Flavours
This linter is available in the following flavours
Flavor | Description | Embedded linters |
---|---|---|
all | Default MegaLinter Flavor | 113 |
cupcake | MegaLinter for the most commonly used languages | 81 |
security | Optimized for security | 21 |
terraform | Optimized for TERRAFORM based projects | 51 |
Behind the scenes
How applicable files are identified
- If this linter is active, all files will always be linted
How the linting is performed
kics is called once on the whole project directory (project CLI lint mode)
- Filtering cannot be done using MegaLinter configuration variables; it must be done using kics configuration or ignore file (if existing)
- VALIDATE_ALL_CODEBASE: false doesn't make kics analyze only updated files
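Because filtering has to live in the kics configuration, a typical setup pairs the MegaLinter variables above with a kics.config file. The following is an added example, not taken from the MegaLinter or kics documentation; the excluded directory names are constructed, and `exclude-paths` and `fail-on` are kics scan options written as configuration keys.

```yaml
# --- File: .mega-linter.yml (MegaLinter configuration) ---
ENABLE_LINTERS:
  - REPOSITORY_KICS
# Name of the kics configuration file (this is the default from the table above).
REPOSITORY_KICS_CONFIG_FILE: kics.config
# Has no narrowing effect on kics: the whole project directory is still scanned.
VALIDATE_ALL_CODEBASE: false
---
# --- File: kics.config (YAML format, at the workspace root) ---
# Keys are kics scan flag names without the leading dashes.
# The paths below are constructed examples. Keep exclusions narrow:
# every excluded path is infrastructure code that is no longer scanned.
exclude-paths:
  - "vendor/"
  - "tests/fixtures/"
# Return a non-zero exit code only for findings of these severities.
fail-on:
  - high
  - medium
```

The two YAML documents are separate files; they are shown in one block only for side-by-side reading.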
Example calls
kics scan --path .
Help content
Keeping Infrastructure as Code Secure
Usage:
kics [command]
Available Commands:
generate-id Generates uuid for query
help Help about any command
list-platforms List supported platforms
remediate Auto remediates the project
scan Executes a scan analysis
version Displays the current version
Flags:
--ci display only log messages to CLI output (mutually exclusive with silent)
-h, --help help for kics
-f, --log-format string determines log format (pretty,json) (default "pretty")
--log-level string determines log level (TRACE,DEBUG,INFO,WARN,ERROR,FATAL) (default "INFO")
--log-path string path to generate log file (info.log)
--no-color disable CLI color output
--profiling string enables performance profiler that prints resource consumption metrics in the logs during the execution (CPU, MEM)
-s, --silent silence stdout messages (mutually exclusive with verbose and ci)
-v, --verbose write logs to stdout too (mutually exclusive with silent)
Use "kics [command] --help" for more information about a command.
Installation on mega-linter Docker image
- Dockerfile commands :
FROM checkmarx/kics:alpine as kics
COPY --link --from=kics /app/bin/kics /usr/bin/
RUN mkdir -p /opt/kics/assets
ENV KICS_QUERIES_PATH=/opt/kics/assets/queries KICS_LIBRARIES_PATH=/opt/kics/assets/libraries
COPY --from=kics /app/bin/assets /opt/kics/assets/