From qa-iac
Configures KICS (Keeping Infrastructure as Code Secure) for IaC scanning - Checkmarx open-source tool covering Terraform, Kubernetes, Helm, Dockerfile, Docker Compose, OpenAPI, Ansible, ARM, CloudFormation, Pulumi, Crossplane, Knative. CLI / Docker / GitHub Action / pre-commit integrations. Output to JSON / SARIF / HTML / JUnit. Use as a complement to Checkov + tfsec - KICS catches different rule classes (broader IaC + OpenAPI / Pulumi / Crossplane support).
Slash command: `/qa-iac:kics-policy`
KICS (Keeping Infrastructure as Code Secure) covers Terraform, Kubernetes, Helm, Dockerfile, Docker Compose, OpenAPI, Ansible, ARM, CloudFormation, Pulumi, Crossplane, Knative - comparable breadth to Checkov.
KICS's specific strengths:
```bash
# Docker (recommended)
docker pull checkmarx/kics:latest
# Or binary
curl -sfL https://raw.githubusercontent.com/Checkmarx/kics/master/install.sh | sh

# Scan a directory (Docker)
docker run -v "$PWD:/path" checkmarx/kics scan -p /path --output-path /path/results
# Or via binary
kics scan -p . --output-path ./kics-results
# Specific platforms only
kics scan -p . -t terraform,kubernetes

# JSON
kics scan -p . --report-formats json --output-path results/
# SARIF (GitHub Code Scanning)
kics scan -p . --report-formats sarif --output-path results/
# JUnit XML
kics scan -p . --report-formats junit --output-path results/
# HTML (human-readable)
kics scan -p . --report-formats html --output-path results/
# Multiple formats in one run
kics scan -p . --report-formats json,sarif,html --output-path results/

# Fail only on HIGH and CRITICAL findings
kics scan -p . --fail-on high,critical
# Don't fail on findings; just report (exit 0 even when results are found)
kics scan -p . --ignore-on-exit results --output-path results/
```
In code:

```hcl
# main.tf
resource "aws_s3_bucket" "public_data" {
  # kics-scan ignore-line
  acl    = "public-read"
  bucket = "my-public-data"
}
```
For block-level:

```hcl
# kics-scan disable=15ffbacc-fa42-4f6f-a57d-2feac7365caa
resource "aws_s3_bucket" "public_logs" {
  acl    = "public-read"
  bucket = "my-public-logs"
}
```
The disable directive references the specific KICS query ID (visible in the output).
KICS queries are written in Rego (same as OPA):
```rego
# custom-queries/aws/cost_center_tag/query.rego
# KICS also expects a metadata.json (id, queryName, severity, category,
# descriptionText, platform) next to this file in the same directory.
package Cx

# One result per aws_instance that has no cost_center tag.
CxPolicy[result] {
    resource := input.document[i].resource.aws_instance[name]
    not resource.tags.cost_center
    result := {
        "documentId": input.document[i].id,
        "searchKey": sprintf("aws_instance[%s]", [name]),
        "issueType": "MissingAttribute",
        "keyExpectedValue": "Should have a cost_center tag",
        "keyActualValue": "tags.cost_center is missing",
    }
}
```

```bash
kics scan -p . -q ./custom-queries/
```
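A unit test for the cost_center query above, written in the OPA test pattern that the anti-pattern table recommends (an added example; not part of the page or of KICS). It assumes the test lives in a separate `tests/` directory, shares the `Cx` package with the query, and uses constructed fixture documents shaped like KICS's parsed Terraform input.

```rego
# tests/cost_center_tag_test.rego (assumed path; added example)
package Cx

# Constructed fixture: one document holding a tagged and an untagged instance.
mixed_doc := {"document": [{
    "id": "doc-1",
    "file": "main.tf",
    "resource": {"aws_instance": {
        "web": {"ami": "ami-0000", "tags": {"Name": "web"}},
        "db": {"ami": "ami-0000", "tags": {"Name": "db", "cost_center": "platform"}}
    }}
}]}

# Only the untagged instance is reported, with the searchKey the query builds.
test_untagged_instance_reported {
    results := CxPolicy with input as mixed_doc
    count(results) == 1
    r := results[_]
    r.searchKey == "aws_instance[web]"
    r.issueType == "MissingAttribute"
    r.documentId == "doc-1"
}

# An instance with no tags block at all is reported as well:
# `not resource.tags.cost_center` is true when the path is undefined.
test_instance_without_tags_block_reported {
    results := CxPolicy with input as {"document": [{
        "id": "doc-2",
        "resource": {"aws_instance": {"batch": {"ami": "ami-0000"}}}
    }]}
    count(results) == 1
}

# A document with no aws_instance resources yields no findings (no false positives).
test_no_instances_is_clean {
    results := CxPolicy with input as {"document": [{
        "id": "doc-3",
        "resource": {"aws_s3_bucket": {"logs": {}}}
    }]}
    count(results) == 0
}
```

Run it with `opa test ./custom-queries/aws/cost_center_tag/ ./tests/ -v`; on OPA 1.x add `--v0-compatible`, since the query is written in the pre-1.0 Rego rule syntax.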
```yaml
jobs:
  kics:
    runs-on: ubuntu-latest
    permissions:
      contents: read
      security-events: write   # required by upload-sarif
    steps:
      - uses: actions/checkout@v5
      - uses: checkmarx/kics-github-action@v2
        with:
          path: .
          fail_on: high,critical
          output_formats: sarif
          output_path: kics-results/   # a directory; the action writes results.sarif inside it
      - uses: github/codeql-action/upload-sarif@v3
        if: always()                   # upload even when the scan step fails the job
        with:
          sarif_file: kics-results/results.sarif
```
KICS's distinguishing feature: scan OpenAPI specs for security issues:
```bash
kics scan -p ./api-spec.yaml -t openapi
```
Catches:
For most teams, this is the unique reason to use KICS alongside Checkov.
```bash
kics scan -p ./pulumi-project/ -t pulumi
kics scan -p ./crossplane-config/ -t crossplane
```
For Pulumi shops, KICS provides scanning that Checkov / tfsec don't.
| Anti-pattern | Why it fails | Fix |
|---|---|---|
| KICS as only IaC scanner | Misses Checkov / tfsec-specific findings. | Use multiple (Step 7 + iac-policy-checker). |
| `kics-scan ignore-line` without a justifying comment | Skips are invisible. | Always include the reason. |
| Skipping `--fail-on` severity in CI | All findings (including LOW) fail; team disables. | Start with `--fail-on high,critical` (Step 4). |
| Running on every PR with full output | Output overwhelming; team ignores. | Severity threshold + JSON/SARIF for triage. |
| Custom queries without tests | Bugs let bad config through. | Test custom queries via OPA test pattern. |
- kics.io and github.com/Checkmarx/kics.
- checkov-policy, tfsec-policy - sister scanners.
- policy-as-code-runner - custom OPA / Rego.
- iac-policy-checker - combines results.