The Israeli company Checkmarx, which specializes in security for DevOps environments, has expanded its portfolio with KICS, a tool designed for infrastructure as code (IaC). The acronym stands for Keeping Infrastructure as Code Secure. The open source application uses static code analysis to search for vulnerabilities such as secrets stored in the code or passwords in plain text.
Defining and managing infrastructure through code, known as IaC, is gaining popularity, especially in cloud-native environments but also in the classic data center. Its benefits include the straightforward adoption of practices from software development such as versioning.
Vulnerabilities in plain text
The KICS tool examines the code with static analysis methods for vulnerabilities such as misconfigurations in order to reduce the risk of data leaks. The software looks for hard-coded passwords or secrets in the code. In addition, it is meant to track down incorrect configurations and compliance problems.
The software can be integrated into the CI/CD process (Continuous Integration, Continuous Delivery) to scan the code from the start and on every change. KICS offers integrations for GitHub Actions and GitLab CI.
Open to everything
Both the scanning engine and the queries for KICS are available as an open source project. The stated goal is further development with the involvement of security and DevOps experts as well as software developers. In addition, Checkmarx will provide a dedicated team that focuses on maintaining the project.
KICS normalizes platform-specific IaC statements into JSON, and the query execution engine runs Rego queries against the result.
The queries for traces of vulnerabilities cover more than a dozen basic categories such as encryption, port security and secrets management. KICS offers a kind of library for the queries, which is designed for flexible customization and extensibility. According to Checkmarx, developers can easily integrate new IaC tools into the process.
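As an added example of the normalize-to-JSON-then-query model described above (not code from the KICS project or from Checkmarx), the following Rego query flags an `aws_db_instance` whose password is a plaintext literal. The layout of the constructed input document, the `CxPolicy` rule name and the result fields are assumptions made for illustration, not the real KICS schema.

```rego
package iac_example

import rego.v1

# Constructed stand-in for a normalized Terraform document (assumed layout).
# The "clean" resource references a variable; the parser is assumed to keep
# that reference as the interpolation string "${var.db_password}".
sample_input := {"document": [{
	"id": "doc-1",
	"file": "main.tf",
	"resource": {"aws_db_instance": {
		"leaky": {"engine": "postgres", "password": "hunter2"},
		"clean": {"engine": "postgres", "password": "${var.db_password}"}
	}}
}]}

# A string value counts as hard-coded unless it is an interpolation reference.
is_plaintext_literal(value) if {
	is_string(value)
	not startswith(value, "${")
}

# One finding per aws_db_instance whose password is a plaintext literal.
CxPolicy contains result if {
	doc := input.document[_]
	resource := doc.resource.aws_db_instance[name]
	is_plaintext_literal(resource.password)
	result := {
		"documentId": doc.id,
		"searchKey": sprintf("aws_db_instance[%s].password", [name]),
		"issueType": "IncorrectValue",
		"keyExpectedValue": "password should come from a variable or a secret store",
		"keyActualValue": "password is a plaintext literal"
	}
}

# Run with: opa test <this-file>.rego
# Exactly the "leaky" resource is reported; the variable reference passes.
test_flags_only_plaintext_password if {
	results := CxPolicy with input as sample_input
	count(results) == 1
	some r in results
	r.searchKey == "aws_db_instance[leaky].password"
}
```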
To start with, there are a good 1000 queries, and KICS searches for vulnerabilities in IaC for Ansible, AWS CloudFormation, Docker, Kubernetes and Terraform.
Further details can be found in the official announcement. The documentation promises deeper insight, and the source code can be found on GitHub.