Scan Terraform, CloudFormation, K8s, Ansible, and Dockerfiles for misconfigurations.
Install & scan
$ go install github.com/Checkmarx/kics/v2/cmd/console@latest $ console scan -p . --report-formats sarif -o . --output-name kics
Run KICS in CI
Scan on every push and upload the results to Vulnetix:
- name: Run KICS
run: docker run -v ${{ github.workspace }}:/path checkmarx/kics:latest scan -p /path --report-formats sarif -o /path --output-name kics
- name: Upload to Vulnetix
run: vulnetix upload --file kics.sarif
How Vulnetix compares — better together
Vulnetix does not replace KICS. Keep running it. Vulnetix sits on top of KICS — and every other scanner you already own — turning disconnected tool outputs into one prioritised, fixable queue.
KICS is strongest at its core category and also carries features in Container & Image Scanning, Secret Scanning, SBOM Generation — just like Vulnetix spans categories.
| Capability | Vulnetix | KICS |
|---|---|---|
| Security coverage | ||
| SAST (static code analysis) | ✓ Built-in rules + Semgrep augmentation | ✗ |
| SCA / dependencies | ✓ 40+ ecosystems, transitive graph | ✗ |
| DAST (dynamic testing) | ~ Ingests DAST results; no native dynamic engine | ✗ |
| Container & image | ✓ Image CVEs, base image, Dockerfile | ~ Scans Dockerfile and Docker Compose for misconfigs, not image-layer CVEs |
| IaC / misconfiguration | ✓ Terraform, k8s, CloudFormation | ✓ Core: 2,400+ Rego queries across 20+ IaC platforms (docs.kics.io) |
| Secret scanning | ✓ 1,000+ rules, source + binary + git history | ~ Dedicated secrets-detection query category for hardcoded creds in IaC |
| Cloud / CSPM | ✓ Cloud-posture findings, compliance tab | ✗ |
| Mobile (MAST) | ~ Ingests mobile scanner output; no native mobile engine | ✗ |
| License compliance | ✓ SPDX, copyleft/AGPL/SSPL policy | ✗ |
| SBOM generation | ✓ CycloneDX 1.7 + SPDX 2.3, cosign-signable | ~ Emits CycloneDX (XML) output of findings, not a full dependency SBOM (docs.kics.io/latest/results) |
| Malware / supply-chain | ✓ De-duplicated corpus + install-time firewall (25+ registries) | ✗ |
| Network / infra vuln | ~ Ingests network scanner output; no native network scanner | ✗ |
| Fuzzing | ✗ Ingests fuzzing crashes; no native fuzzer | ✗ |
| Pentest / bug bounty | ✗ Ingests pentest/bug-bounty findings; not a testing service | ✗ |
| The Vulnetix orchestration layer | ||
| Cross-scanner dedup & one queue (ASPM) | ✓ Correlates every scanner into one prioritised queue with ownership routing | ✗ |
| Exploit-intel prioritisation | ✓ EPSS, CISA KEV, Coalition ESS, CWSS, Vulnetix LEV | ✗ |
| Reachability analysis | ✓ Tree-sitter + CVEAffected; direct/transitive/semantic | ✗ |
| Versioned VEX + audit trail | ✓ Immutable OpenVEX/CycloneDX, cosign-signable | ✗ |
| Safe Harbour autofix | ✓ Resolves + applies the nearest safe version | ✗ |
| End-of-life policy | ✓ Flags/blocks past-EOL runtimes & packages | ✗ |
| SSVC / risk-based policy | ✓ SSVC v2 + CISA/FedRAMP/Essential-8 presets | ✗ |
✓ full · ~ partial · ✗ not covered
What KICS does well
- Broadest IaC platform coverage of any open-source scanner — 20+ technologies including Terraform/OpenTofu, Kubernetes, Docker/Compose, CloudFormation, Ansible, Helm, OpenAPI, gRPC, ARM/Bicep, Pulumi, CDK, Serverless and GitHub Workflows
- 2,400+ built-in queries written in OPA Rego, so teams already using Conftest/Gatekeeper can extend rules without a new DSL
- Rich output ecosystem: 10+ formats including SARIF 2.1.0, CycloneDX, JUnit, HTML/PDF, GitLab SAST, SonarQube and AWS ASFF for easy CI wiring
- Backed by Checkmarx with an active OSS community and first-class GitHub Action
Where Vulnetix adds to it: Vulnetix runs its own IaC engine and also ingests KICS SARIF, deduping its misconfig findings into the single cross-scanner queue, then layers exploit-intel, versioned VEX, SSVC and Safe Harbour autofix that KICS does not provide. Better together: KICS stays the deep IaC rule engine; Vulnetix is the ASPM layer above it, not a replacement.
No migration, no rip-and-replace. KICS keeps doing what it does best; Vulnetix adds the orchestration, exploit-intelligence prioritisation and remediation layer built for the way AppSec works today.
Centralise KICS results in Vulnetix
Upload KICS SARIF output to the Vulnetix platform to deduplicate findings, prioritise them with EPSS, CISA KEV and Coalition ESS exploit intelligence, and track remediation across every scanner in a single queue.