KICS 1.6.0 has been released!

KICS 1.6.0 is the most advanced KICS version available. This version includes features such as:

  • Scanning of new IaC technologies and frameworks like Crossplane, Knative, Pulumi, and Serverless.

  • Auto remediation for Terraform files

  • Dynamic scan of Kubernetes clusters

To learn more about KICS 1.6.0 highlights, refer to the sections below:

Support scanning Crossplane

KICS now helps you Keep your Crossplane Infrastructure as Code Secure! Scan your Crossplane control planes to find misconfigurations and security vulnerabilities.

Support scanning Knative

Now you can get a more comprehensive view of your security posture by using KICS to scan your Knative-based serverless deployments.

Support scanning Pulumi

KICS now helps you Keep your Pulumi Infrastructure as Code Secure! With this new support, KICS exposes misconfigurations and security vulnerabilities in Pulumi YAML templates.

Support scanning Serverless Framework

Now you can get a more comprehensive view of your security posture by using KICS to scan your Serverless Framework deployments.

KICS Auto-Remediation

KICS 1.6.0 introduces an engine for auto-remediation of IaC files. It can apply fixes that consist of single-line replacements and single-line additions.

As of release 1.6.0, only Terraform files and Terraform vulnerabilities are supported. However, the feature is designed to be extensible, so coverage of more technologies and more complex kinds of remediation will follow soon.
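To make the "single-line replacement or addition" model concrete, here is an added example of how such a remediation can be applied safely. This is illustrative code written for this post, not the KICS remediation engine; the `Remediation` structure, the sample Terraform file and the fix content are all constructed. The guard that re-checks the line's content before editing is the practical point: a fix computed from a scan must not be applied to a file that has changed since.

```python
"""Model of single-line IaC remediation: replace a line, or add a line after it.

Added illustration, not KICS's own engine. Finding layout and fix content
are constructed for this example.
"""
from dataclasses import dataclass
from typing import Optional


@dataclass
class Remediation:
    line: int                          # 1-based line the finding points at
    expected: str                      # text the scan saw on that line
    replacement: Optional[str] = None  # new content for that line (None = keep)
    insert_after: Optional[str] = None # line to add right after it (None = nothing)


def apply_remediation(source: str, fix: Remediation) -> str:
    """Apply one single-line fix; refuse if the target line has drifted."""
    lines = source.splitlines()
    idx = fix.line - 1
    if idx < 0 or idx >= len(lines):
        raise ValueError(f"line {fix.line} is out of range")
    if lines[idx].strip() != fix.expected.strip():
        # The file changed since the scan: editing blindly could corrupt it.
        raise ValueError(f"line {fix.line} no longer matches the scanned content")
    # Preserve the original indentation so the result stays readable HCL.
    indent = lines[idx][: len(lines[idx]) - len(lines[idx].lstrip())]
    if fix.replacement is not None:
        lines[idx] = indent + fix.replacement.strip()
    if fix.insert_after is not None:
        lines.insert(idx + 1, indent + fix.insert_after.strip())
    return "\n".join(lines) + ("\n" if source.endswith("\n") else "")


# Constructed sample: a bucket with a public ACL (a classic misconfiguration).
SAMPLE_TF = """resource "aws_s3_bucket" "logs" {
  bucket = "example-logs"
  acl    = "public-read"
}
"""


def remediate_sample_replacement() -> str:
    """Single-line replacement: make the ACL private."""
    fix = Remediation(line=3, expected='acl    = "public-read"',
                      replacement='acl    = "private"')
    return apply_remediation(SAMPLE_TF, fix)


def remediate_sample_addition() -> str:
    """Single-line addition: add a versioning setting after the ACL line."""
    fix = Remediation(line=3, expected='acl    = "public-read"',
                      insert_after='versioning { enabled = true }')
    return apply_remediation(SAMPLE_TF, fix)


if __name__ == "__main__":
    print(remediate_sample_replacement())
    print(remediate_sample_addition())
```

Both operations are purely line-based, which is exactly why the engine can start with Terraform and grow: nothing here needs to understand HCL beyond locating the line a finding points to.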

Learn more about it here.

Dynamic scanning of Kubernetes clusters

Now you can scan your deployed Kubernetes cluster with KICS 1.6.0. KICS accesses the cluster API using the authentication you provide (a kubeconfig file, a service account token, or client certificates) and scans cluster objects such as pods, services and more, selected by any combination of namespaces, apiVersions and Kinds.

Learn more about it here.
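The selection by namespace, apiVersion and Kind maps directly onto Kubernetes API list endpoints, and a service account token maps onto a bearer header. The added example below models that planning step offline; it is illustrative code for this post, not KICS's implementation. The `RESOURCE_PLURALS` table covers only a handful of built-in kinds and is an assumption of the example (a real scanner discovers plural names from the API's discovery endpoints).

```python
"""Plan the Kubernetes API requests a dynamic scanner would issue.

Added illustration, not KICS code. The kind table is a constructed subset;
no network calls are made here.
"""
from typing import Dict, List, Optional

# Constructed subset of (apiVersion, Kind) -> plural resource name.
RESOURCE_PLURALS = {
    ("v1", "Pod"): "pods",
    ("v1", "Service"): "services",
    ("apps/v1", "Deployment"): "deployments",
    ("networking.k8s.io/v1", "NetworkPolicy"): "networkpolicies",
}

# Standard in-cluster location of a mounted service account token.
SA_TOKEN_PATH = "/var/run/secrets/kubernetes.io/serviceaccount/token"


def list_path(api_version: str, kind: str, namespace: Optional[str]) -> str:
    """Build the list endpoint for a kind, cluster-wide or per namespace."""
    plural = RESOURCE_PLURALS[(api_version, kind)]
    # Core group lives under /api/v1; every other group under /apis/<group>/<version>.
    prefix = "/api/v1" if api_version == "v1" else f"/apis/{api_version}"
    if namespace:
        return f"{prefix}/namespaces/{namespace}/{plural}"
    return f"{prefix}/{plural}"


def plan_requests(namespaces: List[str], api_versions: List[str],
                  kinds: List[str]) -> List[str]:
    """Expand the user's selection into concrete list endpoints.

    An empty selection means "no filter" on that axis; an empty namespace
    list means cluster-wide listing.
    """
    paths = []
    for api_version, kind in RESOURCE_PLURALS:
        if api_versions and api_version not in api_versions:
            continue
        if kinds and kind not in kinds:
            continue
        for ns in (namespaces or [None]):
            paths.append(list_path(api_version, kind, ns))
    return paths


def bearer_headers(token_text: str) -> Dict[str, str]:
    """Headers for service-account authentication against the API server."""
    return {"Authorization": f"Bearer {token_text.strip()}",
            "Accept": "application/json"}


def bearer_headers_from_file(path: str = SA_TOKEN_PATH) -> Dict[str, str]:
    with open(path, encoding="utf-8") as fh:
        return bearer_headers(fh.read())


if __name__ == "__main__":
    for p in plan_requests(["default", "kube-system"], ["v1"], ["Pod", "Service"]):
        print(p)
```

Each returned path would then be fetched over TLS, with the API server's CA used to verify the connection, and every object in the response handed to the same queries that already run against Kubernetes manifests on disk.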

Breaking Changes in 1.6.0

KICS 1.6.0 is a major version and is released with a few changes that can break integrations with external tools, pipelines or other automation. Below is a summary of those changes:

  • Exclude paths from scanning with a .gitignore file. KICS now reads the .gitignore file in the root of the project and excludes the paths listed there from the scan.

  • Consistency between scanning with and without the -t flag. The -t or --type flag instructs KICS to scan only files of specific technologies. Before v1.6.0, KICS with the -t flag would scan the project and, if there were no files of the specified technologies, terminate with the message "No files were scanned" and no other output. From v1.6.0, KICS behaves consistently whether the -t flag is used or not: it always writes a results file, even if it is an "empty" results report (produced because no files were scanned).

  • Masking secrets. Whenever KICS finds a secret in IaC files, the result now shows the value masked instead of in plain text.
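Two of these changes are worth seeing in miniature: which files a .gitignore-driven exclusion drops from a scan, and what a masked finding looks like compared with a plain-text one. The example below is added for this post and is not KICS code; it implements a simplified subset of .gitignore semantics (no `!` negation, no `**`) and a constructed secret-key pattern, and it masks with a fixed marker so the report does not even leak the secret's length.

```python
"""Simplified .gitignore exclusion and secret masking for scan results.

Added illustration, not KICS's implementation. The sample file list,
.gitignore content and secret-key regex are constructed for this example.
"""
import fnmatch
import re
from pathlib import PurePosixPath
from typing import List


def parse_gitignore(text: str) -> List[str]:
    """Keep non-empty, non-comment patterns. Negation ('!') is not supported here."""
    patterns = []
    for raw in text.splitlines():
        line = raw.strip()
        if line and not line.startswith("#"):
            patterns.append(line)
    return patterns


def is_excluded(path: str, patterns: List[str]) -> bool:
    """Subset of .gitignore matching: 'dir/' excludes everything under that
    directory; any other pattern is matched against the whole path and
    against each path segment (so '*.tfvars' matches at any depth)."""
    parts = PurePosixPath(path).parts
    for pat in patterns:
        if pat.endswith("/"):
            if pat.rstrip("/") in parts[:-1]:
                return True
            continue
        if fnmatch.fnmatch(path, pat) or any(fnmatch.fnmatch(p, pat) for p in parts):
            return True
    return False


def files_to_scan(paths: List[str], gitignore_text: str) -> List[str]:
    patterns = parse_gitignore(gitignore_text)
    return [p for p in paths if not is_excluded(p, patterns)]


# Constructed secret-bearing attribute pattern: key containing a sensitive
# word, followed by a double-quoted literal value.
SECRET_ATTR_RE = re.compile(
    r'^(\s*)(\w*(?:password|secret|token|api_key)\w*)(\s*=\s*)"([^"]*)"', re.I)
MASK = '"<masked>"'


def mask_line(line: str) -> str:
    """Return the line with a secret literal replaced by a fixed marker.

    A fixed marker is used on purpose: a length-preserving mask ('*******')
    would still reveal how long the secret is.
    """
    m = SECRET_ATTR_RE.match(line)
    if not m:
        return line
    indent, key, eq, _value = m.groups()
    return f"{indent}{key}{eq}{MASK}"


def mask_findings(lines: List[str]) -> List[str]:
    return [mask_line(l) for l in lines]


# Constructed sample inputs.
SAMPLE_PATHS = ["main.tf", ".terraform/providers/x.tf", "build/out.tf",
                "secrets.auto.tfvars", "modules/vpc/main.tf"]
SAMPLE_GITIGNORE = "# local state and build output\n.terraform/\n*.tfvars\nbuild/\n"
SAMPLE_FINDINGS = ['  region = "us-east-1"',
                   '  db_password = "hunter2"',
                   '  api_key = "AKIA-EXAMPLE-NOT-REAL"']


if __name__ == "__main__":
    print(files_to_scan(SAMPLE_PATHS, SAMPLE_GITIGNORE))
    print("\n".join(mask_findings(SAMPLE_FINDINGS)))
```

If a pipeline parsed the plain-text secret out of the old report (for example to rotate it automatically), that parsing breaks with 1.6.0; likewise, anything that relied on files under an ignored directory being scanned now needs those paths removed from .gitignore or passed explicitly.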

See more details here.


The KICS project is powered by Checkmarx, a global leader in Application Security Testing.