Skip to content


GitHub stars sarif GitHub release (latest SemVer) GitHub last commit GitHub commit activity GitHub contributors

kics documentation

kics - GitHub

Configuration in MegaLinter

Variable Description Default value
REPOSITORY_KICS_ARGUMENTS User custom arguments to add in linter CLI call
Ex: -s --foo "bar"
REPOSITORY_KICS_COMMAND_REMOVE_ARGUMENTS User custom arguments to remove from command line before calling the linter
Ex: -s --foo "bar"
REPOSITORY_KICS_PRE_COMMANDS List of bash commands to run before the linter None
REPOSITORY_KICS_POST_COMMANDS List of bash commands to run after the linter None
REPOSITORY_KICS_UNSECURED_ENV_VARIABLES List of env variables explicitly not filtered before calling REPOSITORY_KICS and its pre/post commands None
REPOSITORY_KICS_CONFIG_FILE kics configuration file nameUse LINTER_DEFAULT to let the linter find it kics.config
REPOSITORY_KICS_RULES_PATH Path where to find linter configuration file Workspace folder, then MegaLinter default rules
REPOSITORY_KICS_DISABLE_ERRORS Run linter but consider errors as warnings false
REPOSITORY_KICS_DISABLE_ERRORS_IF_LESS_THAN Maximum number of errors allowed 0
REPOSITORY_KICS_CLI_EXECUTABLE Override CLI executable ['kics']

MegaLinter Flavours

This linter is available in the following flavours

Flavor Description Embedded linters Info
all Default MegaLinter Flavor 121 Docker Image Size (tag) Docker Pulls
cupcake MegaLinter for the most commonly used languages 84 Docker Image Size (tag) Docker Pulls
security Optimized for security 24 Docker Image Size (tag) Docker Pulls
terraform Optimized for TERRAFORM based projects 55 Docker Image Size (tag) Docker Pulls

Behind the scenes

How are identified applicable files

  • If this linter is active, all files will always be linted

How the linting is performed

kics is called once on the whole project directory (project CLI lint mode)

  • filtering can not be done using MegaLinter configuration variables,it must be done using kics configuration or ignore file (if existing)
  • VALIDATE_ALL_CODEBASE: false doesn't make kics analyze only updated files

Example calls

kics scan --path .

Help content

Keeping Infrastructure as Code Secure

  kics [command]

Available Commands:
  analyze        Determines the detected platforms of a certain project
  generate-id    Generates uuid for query
  help           Help about any command
  list-platforms List supported platforms
  remediate      Auto remediates the project
  scan           Executes a scan analysis
  version        Displays the current version

      --ci                  display only log messages to CLI output (mutually exclusive with silent)
  -h, --help                help for kics
  -f, --log-format string   determines log format (pretty,json) (default "pretty")
      --log-level string    determines log level (TRACE,DEBUG,INFO,WARN,ERROR,FATAL) (default "INFO")
      --log-path string     path to generate log file (info.log)
      --no-color            disable CLI color output
      --profiling string    enables performance profiler that prints resource consumption metrics in the logs during the execution (CPU, MEM)
  -s, --silent              silence stdout messages (mutually exclusive with verbose and ci)
  -v, --verbose             write logs to stdout too (mutually exclusive with silent)

Use "kics [command] --help" for more information about a command.

Installation on mega-linter Docker image

  • Dockerfile commands :
FROM checkmarx/kics:alpine as kics
COPY --link --from=kics /app/bin/kics /usr/bin/kics
ENV KICS_QUERIES_PATH=/usr/bin/assets/queries KICS_LIBRARIES_PATH=/usr/bin/assets/libraries
COPY --from=kics /app/bin/assets /usr/bin/assets