kics configuration in MegaLinter
kics documentation
- Version in MegaLinter: 1.7.1
- Visit Official Web Site
- See How to disable kics rules in files
- See Index of problems detected by kics
Configuration in MegaLinter
- Enable kics by adding
TERRAFORM_KICSin ENABLE_LINTERS variable - Disable kics by adding
TERRAFORM_KICSin DISABLE_LINTERS variable
| Variable | Description | Default value |
|---|---|---|
| TERRAFORM_KICS_ARGUMENTS | User custom arguments to add in linter CLI call Ex: -s --foo "bar" |
|
| TERRAFORM_KICS_FILTER_REGEX_INCLUDE | Custom regex including filter Ex: (src\|lib) |
Include every file |
| TERRAFORM_KICS_FILTER_REGEX_EXCLUDE | Custom regex excluding filter Ex: (test\|examples) |
Exclude no file |
| TERRAFORM_KICS_CLI_LINT_MODE | Override default CLI lint mode - file: Calls the linter for each file- project: Call the linter from the root of the project |
file |
| TERRAFORM_KICS_FILE_EXTENSIONS | Allowed file extensions. "*" matches any extension, "" matches empty extension. Empty list excludes all filesEx: [".py", ""] |
[".tf"] |
| TERRAFORM_KICS_FILE_NAMES_REGEX | File name regex filters. Regular expression list for filtering files by their base names using regex full match. Empty list includes all files Ex: ["Dockerfile(-.+)?", "Jenkinsfile"] |
Include every file |
| TERRAFORM_KICS_PRE_COMMANDS | List of bash commands to run before the linter | None |
| TERRAFORM_KICS_POST_COMMANDS | List of bash commands to run after the linter | None |
| TERRAFORM_KICS_DISABLE_ERRORS | Run linter but consider errors as warnings | false |
| TERRAFORM_KICS_DISABLE_ERRORS_IF_LESS_THAN | Maximum number of errors allowed | 0 |
| TERRAFORM_KICS_CLI_EXECUTABLE | Override CLI executable | ['kics'] |
MegaLinter Flavours
This linter is available in the following flavours
| Flavor | Description | Embedded linters | Info | |
|---|---|---|---|---|
 |
all | Default MegaLinter Flavor | 113 |   |
| cupcake | MegaLinter for the most commonly used languages | 81 |   |
|
| security | Optimized for security | 21 |   |
|
| terraform | Optimized for TERRAFORM based projects | 51 |   |
Behind the scenes
How are identified applicable files
- File extensions:
.tf
How the linting is performed
- kics is called one time by identified file (
fileCLI lint mode)
Example calls
kics scan --path myfile.tf
Help content
Keeping Infrastructure as Code Secure
Usage:
kics [command]
Available Commands:
generate-id Generates uuid for query
help Help about any command
list-platforms List supported platforms
remediate Auto remediates the project
scan Executes a scan analysis
version Displays the current version
Flags:
--ci display only log messages to CLI output (mutually exclusive with silent)
-h, --help help for kics
-f, --log-format string determines log format (pretty,json) (default "pretty")
--log-level string determines log level (TRACE,DEBUG,INFO,WARN,ERROR,FATAL) (default "INFO")
--log-path string path to generate log file (info.log)
--no-color disable CLI color output
--profiling string enables performance profiler that prints resource consumption metrics in the logs during the execution (CPU, MEM)
-s, --silent silence stdout messages (mutually exclusive with verbose and ci)
-v, --verbose write logs to stdout too (mutually exclusive with silent)
Use "kics [command] --help" for more information about a command.
Installation on mega-linter Docker image
- Dockerfile commands :
FROM checkmarx/kics:alpine as kics
COPY --link --from=kics /app/bin/kics /usr/bin/
RUN mkdir -p /opt/kics/assets
ENV KICS_QUERIES_PATH=/opt/kics/assets/queries KICS_LIBRARIES_PATH=/opt/kics/assets/libraries
COPY --from=kics /app/bin/assets /opt/kics/assets/