In an effort to better secure cloud-native apps, software security company Checkmarx has launched a new open-source static analysis solution. The new Keeping Infrastructure as Code Secure (KICS) solution enables developers to write secure infrastructure as code (IaC) by automatically detecting issues from the start.
According to the company, as organizations move to the cloud they are utilizing IaC to provision infrastructure faster and provide scalability. However, developers are struggling to manage IaC’s security, compliance and configuration risks.
KICS aims to address this by automatically detecting issues, hard-coded keys, passwords, compliance issues, and misconfigurations.
“As development processes evolve and organizations accelerate their cloud adoption, developers are taking on more security responsibility while also delivering software faster than ever before. This is an impossible balance to strike by solely relying on manual, time-consuming code reviews,” said Maty Siman, CTO and founder of Checkmarx. “KICS was built with this in mind, enabling development teams to automatically identify IaC issues when fixing is quickest, cheapest, and easiest. As the newest addition to the Checkmarx product portfolio, developers now have a single destination for securing all components that make up today’s complex applications.”
The solution offers a large library of queries which are fully customizable. As an open-source project, the scanning engine and queries are open to a community of DevOps experts. And the solution provides seamless integration with CI/CD pipelines including GitHub Actions and GitLab CI. In addition, it supports Terraform, Kubernetes, Docker, AWS CloudFormation, and Ansible.
“Checkmarx is a strong advocate of open source projects, and creating KICS in this manner gives the community the opportunity to steer its direction and foster innovation across the industry. We’re excited to watch this passionate community embrace and contribute to KICS as it becomes an essential addition to every developer’s cloud-native security toolkit,” said Siman.