Tool integration

KICS Integration Guide

IaC security scanner from Checkmarx

Get a Free API Key

Scan Terraform, CloudFormation, K8s, Ansible, and Dockerfiles for misconfigurations.

CLI toolSARIF

Install & scan

$ go install github.com/Checkmarx/kics/v2/cmd/console@latest
$ console scan -p . --report-formats sarif -o . --output-name kics

Run KICS in CI

Scan on every push and upload the results to Vulnetix:

- name: Run KICS
  run: docker run -v ${{ github.workspace }}:/path checkmarx/kics:latest scan -p /path --report-formats sarif -o /path --output-name kics
- name: Upload to Vulnetix
  run: vulnetix upload --file kics.sarif

How Vulnetix compares — better together

Vulnetix does not replace KICS. Keep running it. Vulnetix sits on top of KICS — and every other scanner you already own — turning disconnected tool outputs into one prioritised, fixable queue.

KICS is strongest at its core category and also carries features in Container & Image Scanning, Secret Scanning, SBOM Generation — just like Vulnetix spans categories.

CapabilityVulnetixKICS
Security coverage
SAST (static code analysis)Built-in rules + Semgrep augmentation
SCA / dependencies40+ ecosystems, transitive graph
DAST (dynamic testing)~ Ingests DAST results; no native dynamic engine
Container & imageImage CVEs, base image, Dockerfile~ Scans Dockerfile and Docker Compose for misconfigs, not image-layer CVEs
IaC / misconfigurationTerraform, k8s, CloudFormationCore: 2,400+ Rego queries across 20+ IaC platforms (docs.kics.io)
Secret scanning1,000+ rules, source + binary + git history~ Dedicated secrets-detection query category for hardcoded creds in IaC
Cloud / CSPMCloud-posture findings, compliance tab
Mobile (MAST)~ Ingests mobile scanner output; no native mobile engine
License complianceSPDX, copyleft/AGPL/SSPL policy
SBOM generationCycloneDX 1.7 + SPDX 2.3, cosign-signable~ Emits CycloneDX (XML) output of findings, not a full dependency SBOM (docs.kics.io/latest/results)
Malware / supply-chainDe-duplicated corpus + install-time firewall (25+ registries)
Network / infra vuln~ Ingests network scanner output; no native network scanner
FuzzingIngests fuzzing crashes; no native fuzzer
Pentest / bug bountyIngests pentest/bug-bounty findings; not a testing service
The Vulnetix orchestration layer
Cross-scanner dedup & one queue (ASPM)Correlates every scanner into one prioritised queue with ownership routing
Exploit-intel prioritisationEPSS, CISA KEV, Coalition ESS, CWSS, Vulnetix LEV
Reachability analysisTree-sitter + CVEAffected; direct/transitive/semantic
Versioned VEX + audit trailImmutable OpenVEX/CycloneDX, cosign-signable
Safe Harbour autofixResolves + applies the nearest safe version
End-of-life policyFlags/blocks past-EOL runtimes & packages
SSVC / risk-based policySSVC v2 + CISA/FedRAMP/Essential-8 presets

✓ full · ~ partial · ✗ not covered

What KICS does well

Where Vulnetix adds to it: Vulnetix runs its own IaC engine and also ingests KICS SARIF, deduping its misconfig findings into the single cross-scanner queue, then layers exploit-intel, versioned VEX, SSVC and Safe Harbour autofix that KICS does not provide. Better together: KICS stays the deep IaC rule engine; Vulnetix is the ASPM layer above it, not a replacement.

No migration, no rip-and-replace. KICS keeps doing what it does best; Vulnetix adds the orchestration, exploit-intelligence prioritisation and remediation layer built for the way AppSec works today.

Centralise KICS results in Vulnetix

Upload KICS SARIF output to the Vulnetix platform to deduplicate findings, prioritise them with EPSS, CISA KEV and Coalition ESS exploit intelligence, and track remediation across every scanner in a single queue.

KICS documentation ↗  ·  Source repository ↗

Wire KICS into your CI/CD pipeline →