Hello everyone! In this post, we are going to focus on IaC (Infrastructure as Code) security using KICS, one of the popular IaC security tools, and on implementing it in an Azure DevOps pipeline.
What is IaC and Why IaC security is important?
IaC (Infrastructure as Code) is a DevOps practice of provisioning and managing IT infrastructure such as servers, networks, and storage through code rather than manual configuration. Popular IaC tools include Terraform and Ansible.
IaC security is important because the same templates that provision infrastructure can also provision misconfigurations: a publicly readable bucket or an over-permissive policy written into a template is deployed exactly as written, every time the template is applied. Scanning the templates detects such misconfigurations and security vulnerabilities early, before the infrastructure is provisioned in production. Implementing IaC security with KICS in the pipeline makes these checks part of CI/CD instead of an afterthought.
What is KICS?
KICS (Keeping Infrastructure as Code Secure) is an open-source static analysis tool designed to scan Infrastructure as Code files and detect security misconfigurations, compliance issues, and best-practice violations.
Visit the official KICS documentation for more details: https://kics.io/#documentation
Prerequisites
Before implementing IaC Security using KICS in Azure DevOps, make sure the following prerequisites are met:
1. Docker is installed and configured on the build agent.
2. Install SARIF SAST Scans Tab for your Azure DevOps organization: https://marketplace.visualstudio.com/items?itemName=sariftools.scans

If you are using a different DevOps platform, install the respective SARIF extension supported by that platform.
For testing purposes, use the vulnerable Terraform file below and commit it to your test repository. It deliberately creates a bucket with a public-read ACL and attaches a bucket policy that lets any principal read every object, both of which KICS flags.
# File: vulnerable_s3.tf
provider "aws" {
  region = "us-east-1"
}

resource "aws_s3_bucket" "public_bucket" {
  bucket = "my-public-bucket-12345"
  # Deliberately weak: a public-read ACL exposes the bucket listing to everyone.
  acl    = "public-read"

  tags = {
    Name        = "Public bucket"
    Environment = "Dev"
  }
}

resource "aws_s3_bucket_policy" "public_policy" {
  bucket = aws_s3_bucket.public_bucket.id

  # Deliberately weak: Principal "*" grants anonymous read of every object.
  policy = jsonencode({
    Version = "2012-10-17"
    Statement = [
      {
        Sid       = "PublicReadGetObject"
        Effect    = "Allow"
        Principal = "*"
        Action    = "s3:GetObject"
        Resource  = "${aws_s3_bucket.public_bucket.arn}/*"
      }
    ]
  })
}
Azure DevOps Pipeline Configuration for KICS

Use the Azure DevOps pipeline example below to scan IaC files using KICS:
trigger:
- main

pool:
  name: Self-hosted

steps:
# Run KICS in its container: the workspace is mounted at /scan and the
# report directory at /output; results.json and results.sarif land in kics-output
- task: Docker@2
  displayName: 'Run Kics'
  inputs:
    command: 'run'
    arguments: '--rm -v $(System.DefaultWorkingDirectory):/scan -v $(System.DefaultWorkingDirectory)/kics-output:/output checkmarx/kics:latest scan -p /scan/vulnerable_s3.tf -o /output --report-formats json,sarif --ignore-on-exit results'

# Publish KICS Results; the SARIF SAST Scans tab picks up artifacts named CodeAnalysisLogs
- task: PublishBuildArtifacts@1
  displayName: 'Publish KICS Scan Results'
  inputs:
    pathToPublish: '$(System.DefaultWorkingDirectory)/kics-output/results.sarif'
    artifactName: CodeAnalysisLogs
Make the necessary changes based on your repository structure, IaC file paths, and preferred output formats; to scan the whole repository instead of one file, point -p at /scan. KICS exits with a nonzero code whenever it finds results, which would fail the Docker task, so the example passes --ignore-on-exit results to keep the pipeline green and only publish the findings. If you want findings to break the build, remove that flag, or use --fail-on to choose which severities count. If the scan step reports a permission error writing to /output, create the kics-output directory in the workspace before the scan with permissions the container user can write to.
After running the pipeline, the KICS results will be available in the SARIF SAST Scans tab.
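With --ignore-on-exit results the pipeline publishes findings but never blocks on them. The script below is an added example, not code from the original post and not part of KICS: it reads the results.json that KICS writes next to results.sarif and returns a nonzero exit code only when findings at or above a chosen severity exist, so a build can publish the SARIF and still gate. It assumes the report fields used (severity_counters, queries, query_name, severity, files, file_name, line) follow the KICS JSON report layout; the SAMPLE_REPORT inside it is constructed by hand for the vulnerable_s3.tf above, not real scanner output.

```python
"""Severity gate for a KICS JSON report.

Added example (not from the original post, not part of KICS). Reads the
results.json KICS writes to its -o directory and fails the build only when
findings at or above a chosen severity exist.

Assumption: the field names below follow the KICS JSON report layout.
SAMPLE_REPORT is constructed by hand for vulnerable_s3.tf; query names,
line numbers and counts are illustrative, not real scanner output.
"""
import json
import sys

# KICS severity levels, lowest to highest.
SEVERITY_ORDER = ("TRACE", "INFO", "LOW", "MEDIUM", "HIGH", "CRITICAL")

# Constructed sample report (shape assumed from the KICS JSON format).
SAMPLE_REPORT = json.dumps({
    "kics_version": "v2.1.0",
    "files_scanned": 1,
    "severity_counters": {"CRITICAL": 0, "HIGH": 2, "MEDIUM": 1,
                          "LOW": 0, "INFO": 0, "TRACE": 0},
    "total_counter": 3,
    "queries": [
        {"query_name": "S3 Bucket ACL Allows Read to All Users",
         "severity": "HIGH", "platform": "Terraform",
         "files": [{"file_name": "vulnerable_s3.tf", "line": 9}]},
        {"query_name": "S3 Bucket Access to Any Principal",
         "severity": "HIGH", "platform": "Terraform",
         "files": [{"file_name": "vulnerable_s3.tf", "line": 27}]},
        {"query_name": "S3 Bucket Without Versioning",
         "severity": "MEDIUM", "platform": "Terraform",
         "files": [{"file_name": "vulnerable_s3.tf", "line": 6}]},
    ],
})


def load_report(text: str) -> dict:
    """Parse a KICS JSON report; reject input lacking the fields we gate on."""
    report = json.loads(text)
    if "queries" not in report or "severity_counters" not in report:
        raise ValueError("not a KICS JSON report: missing queries/severity_counters")
    return report


def findings_at_or_above(report: dict, threshold: str) -> list:
    """Flatten the report into (severity, query_name, file_name, line) tuples
    at or above `threshold`, most severe first."""
    threshold = threshold.upper()
    if threshold not in SEVERITY_ORDER:
        raise ValueError(f"unknown severity {threshold!r}; use one of {SEVERITY_ORDER}")
    min_rank = SEVERITY_ORDER.index(threshold)
    hits = []
    for query in report["queries"]:
        sev = str(query.get("severity", "INFO")).upper()
        # An unrecognised severity is ranked lowest rather than silently dropped.
        rank = SEVERITY_ORDER.index(sev) if sev in SEVERITY_ORDER else 0
        if rank < min_rank:
            continue
        for f in query.get("files", []):
            hits.append((sev, query["query_name"], f.get("file_name", "?"), f.get("line", 0)))
    hits.sort(key=lambda h: SEVERITY_ORDER.index(h[0]) if h[0] in SEVERITY_ORDER else 0,
              reverse=True)
    return hits


def gate(report_text: str, threshold: str = "HIGH") -> int:
    """Exit code for the build: 0 when nothing reaches `threshold`, 1 otherwise."""
    report = load_report(report_text)
    hits = findings_at_or_above(report, threshold)
    counters = report["severity_counters"]
    print(f"KICS: {report.get('total_counter', 0)} finding(s) "
          f"(HIGH={counters.get('HIGH', 0)}, MEDIUM={counters.get('MEDIUM', 0)})")
    for sev, name, path, line in hits:
        print(f"  [{sev}] {name} at {path}:{line}")
    if hits:
        print(f"FAIL: {len(hits)} finding(s) at severity {threshold.upper()} or above")
        return 1
    print(f"PASS: no findings at or above {threshold.upper()}")
    return 0


if __name__ == "__main__":
    # Usage: python kics_gate.py [path/to/results.json] [MIN_SEVERITY]
    # With no path the constructed SAMPLE_REPORT is gated (demo mode).
    path = sys.argv[1] if len(sys.argv) > 1 else None
    level = sys.argv[2] if len(sys.argv) > 2 else "HIGH"
    with open(path, encoding="utf-8") if path else None as fh:
        text = fh.read() if fh else SAMPLE_REPORT
    sys.exit(gate(text, level))
```

In the pipeline this would run as a script step after the Docker task, for example python3 kics_gate.py $(System.DefaultWorkingDirectory)/kics-output/results.json HIGH, so the SARIF artifact is still published while HIGH and CRITICAL findings fail the build. KICS's own --fail-on flag achieves a similar gate through its exit code; the script adds a readable listing of what tripped the gate in the build log and keeps the threshold out of the docker arguments.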

Conclusion
Implementing IaC Security using KICS in Azure DevOps pipelines helps identify security risks early in the development lifecycle. By shifting security left and scanning IaC templates during CI/CD, teams can prevent costly misconfigurations before they reach production.
If you’re interested in collaborating with me on real-world testing, tool development, or writing together, feel free to reach out via Collaboration page. Thank you!!