Automic VaultAutomic Vault

brew

Install kics with Homebrew, Nix

Detect vulnerabilities, compliance issues, and misconfigurations. Version 2.1.20 via Homebrew; verified from local package data.

install

Additional install commands

macOS

Homebrewverified · 100%
brew install kics

local Homebrew formula metadata

Linux

Nixverified · 92%
nix profile install nixpkgs#kics

nixpkgs package indexes · pkgs/by-name/ki/kics/package.nix · source: api.github.com

overview

Package summary

Detect vulnerabilities, compliance issues, and misconfigurations

Commands and aliases

  • kics

history

Project history and usage

KICS, short for Keeping Infrastructure as Code Secure, is Checkmarx's open-source scanner for infrastructure-as-code vulnerabilities, compliance problems, and misconfigurations.

Project history

Checkmarx created the public KICS repository in 2020 and published v1.0.0 on 2020-11-30. The project arrived during the wider shift from manually provisioned infrastructure toward Terraform, Kubernetes, Helm, CloudFormation, Docker Compose, and other declarative infrastructure formats, where configuration mistakes can become security defects.

Adoption history

KICS adoption is tied to CI and DevSecOps workflows. Official materials document a GitHub Action, a Docker image, a standalone CLI, and broad platform coverage across Terraform, Kubernetes, Docker, CloudFormation, Ansible, Helm, OpenAPI, gRPC, Azure Resource Manager, Pulumi, Serverless Framework, OpenTofu, Bicep, and more.

How it is used

Users run `kics scan` or CI integrations against infrastructure repositories to catch risky cloud and orchestration settings before deployment. Query packs and documentation make it useful both for one-off audits and for policy-style checks in build pipelines.

Why package nerds care

KICS is significant because it packages a large IaC security rule corpus as a Go CLI that can be installed by package managers, run in containers, or embedded in GitHub workflows. It sits in the same package-nerd mental shelf as Terraform linters, policy engines, and static analyzers, but focuses on concrete misconfiguration checks across many IaC syntaxes.

Timeline

  • 2020: Checkmarx/kics repository created on GitHub.
  • 2020: v1.0.0 release published on 2020-11-30.
  • 2021: The 1.1 and 1.2 release series expanded after the initial 1.0 release.
  • 2025: The 2.1 release series was active through repeated published releases.
  • 2026: v2.1.20 release published on 2026-03-03.

Related projects

  • Official KICS materials include a companion Checkmarx/kics-github-action repository for GitHub Actions integration and documentation for scanning common IaC ecosystems such as Terraform, Kubernetes, Helm, CloudFormation, and Docker Compose.

security posture

Risk level: green

narrow executable package without higher-risk signals.

Risk classifier

green risk · low confidence · appliance

Why

  • narrow executable package without higher-risk signals

Signals

  • metadata:no-higher-risk-signals

Install behavior

  • No Homebrew post-install hook is recorded in formula metadata.
  • Homebrew bottle metadata is available for 6 platform targets.
  • Build metadata lists 1 build dependencies.

Recommended review

Before unattended agent use, check whether the tool reads plaintext credentials, writes remote state, publishes artifacts, or shells out to plugins.

local files

Configuration and credential file locations

These source-backed paths show where this package keeps local settings or durable credentials. Automic Vault can use them as review targets for secret scanning, migration, and command approval.

Configuration files

Config paths the tool may read or write during local use.

Unix
kics.config

executables

Installed executables

CommandKindExposureNote
kicscliglobal executable

freshness

Version and freshness

These signals separate page generation age, package-manager activity, and upstream release comparison. Version lag is warned only when an evidence URL and comparable versions are present.

page generated2026-07-08
manager version2.1.20
manager updated
local dataok
upstreamcurrent
latest detectedv2.1.20

https://github.com/Checkmarx/kics

  • infoNo package-manager update timestamp was available.low confidence

install metadata

Package metadata

Package keybrew:kics
Version2.1.20
Package managerHomebrew
Package manager pagehttps://formulae.brew.sh/formula/kics
Homepagehttps://kics.io/
Repositoryhttps://github.com/Checkmarx/kics
Upstream docshttps://docs.kics.io/
LicenseApache-2.0
Source archivehttps://github.com/Checkmarx/kics/archive/refs/tags/v2.1.20.tar.gz
Build dependenciesgo
Bottleavailable (on arm64_linux, arm64_sequoia, arm64_sonoma, arm64_tahoe, sonoma, x86_64_linux)
Homebrew post-installnot defined
Servicenone declared
CaveatsKICS queries are placed under $HOMEBREW_PREFIX/opt/kics/share/kics/assets/queries To use KICS default queries add KICS_QUERIES_PATH env to your ~/.zshrc or ~/.zprofile: "echo 'export KICS_QUERIES_PATH=$HOMEBREW_PREFIX/opt/kics/share/kics/assets/queries' >> ~/.zshrc" usage of CLI flag --queries-path takes precedence.

registry facts

Source database details

Source DatabaseHomebrew formula API
Taphomebrew/core
Full Namekics
Version Scheme0
Revision0
Head VersionHEAD
Bottle Stable Root URLhttps://ghcr.io/v2/homebrew/core
Deprecatedno
Disabledno
Keg Onlyno
URL Keys
  • head
  • stable

source database matches

Other package-manager records

Matches are pulled from external package-manager indexes and kept separate from local Automic Vault package links.

Nix95%

kics

nix profile install nixpkgs#kics
  • normalized package name match
  • Matched by: Kics
nixpkgs package indexes · api.github.com · nixpkgs package indexes: pkgs/by-name/ki/kics/package.nix from https://api.github.com/repos/NixOS/nixpkgs/git/trees/master?recursive=1

source trail

Generated from repository data

This page is generated by av-web from the private package SQLite artifact built by scripts/generate-pkg-sqlite.py.

Used sources

  • Geiger risk classifier
  • Nucleus package database
  • av.db category and tag curation
  • cross-ecosystem install command graph
  • curated configuration and credential file locations
  • curated package history
  • external package-manager database matches
  • package relationship graph
  • package version freshness
  • package-page enrichment