# Install kics with Homebrew, Nix

Detect vulnerabilities, compliance issues, and misconfigurations. Version 2.1.20 via Homebrew; verified from local package data.

## Install

```sh
sudo av install brew:kics
```

Additional install commands:

### macOS

- Homebrew (100%):

```sh
brew install kics
```

  Evidence: local Homebrew formula metadata

### Linux

- Nix (92%):

```sh
nix profile install nixpkgs#kics
```

  Evidence: nixpkgs package indexes: pkgs/by-name/ki/kics/package.nix from https://api.github.com/repos/NixOS/nixpkgs/git/trees/master?recursive=1

## Package facts

- **Package key:** brew:kics
- **Package manager:** Homebrew
- **Package manager page:** <https://formulae.brew.sh/formula/kics>
- **Version:** 2.1.20
- **Source summary:** Detect vulnerabilities, compliance issues, and misconfigurations
- **Homepage:** <https://kics.io/>
- **Repository:** <https://github.com/Checkmarx/kics>
- **Upstream docs:** <https://docs.kics.io/>
- **License:** Apache-2.0
- **Source archive:** <https://github.com/Checkmarx/kics/archive/refs/tags/v2.1.20.tar.gz>
- **Generated:** 2026-07-08T07:18:31+00:00

## Executables

- kics (cli)
- kics (alias)

## Build dependencies

- go

## Install behavior

- Post-install hook: not defined
- Caveats: KICS queries are placed under $HOMEBREW_PREFIX/opt/kics/share/kics/assets/queries To use KICS default queries add KICS_QUERIES_PATH env to your ~/.zshrc or ~/.zprofile: "echo 'export KICS_QUERIES_PATH=$HOMEBREW_PREFIX/opt/kics/share/kics/assets/queries' >> ~/.zshrc" usage of CLI flag --queries-path takes precedence.
- Bottle: available on arm64_linux, arm64_sequoia, arm64_sonoma, arm64_tahoe, sonoma, x86_64_linux

## Freshness

- Page generated: 2026-07-08
- Package-manager version: 2.1.20
- Local data: ok
- Upstream repository: https://github.com/Checkmarx/kics
- Upstream latest detected: v2.1.20 (current)
- info: No package-manager update timestamp was available.
## Project history and usage

KICS, short for Keeping Infrastructure as Code Secure, is Checkmarx's open-source scanner for infrastructure-as-code vulnerabilities, compliance problems, and misconfigurations.

### Project history

Checkmarx created the public KICS repository in 2020 and published v1.0.0 on 2020-11-30. The project arrived during the wider shift from manually provisioned infrastructure toward Terraform, Kubernetes, Helm, CloudFormation, Docker Compose, and other declarative infrastructure formats, where configuration mistakes can become security defects.

### Adoption history

KICS adoption is tied to CI and DevSecOps workflows. Official materials document a GitHub Action, a Docker image, a standalone CLI, and broad platform coverage across Terraform, Kubernetes, Docker, CloudFormation, Ansible, Helm, OpenAPI, gRPC, Azure Resource Manager, Pulumi, Serverless Framework, OpenTofu, Bicep, and more.

### How it is used

Users run `kics scan` or CI integrations against infrastructure repositories to catch risky cloud and orchestration settings before deployment. Query packs and documentation make it useful both for one-off audits and for policy-style checks in build pipelines.

### Why package nerds care

KICS is significant because it packages a large IaC security rule corpus as a Go CLI that can be installed by package managers, run in containers, or embedded in GitHub workflows. It sits in the same package-nerd mental shelf as Terraform linters, policy engines, and static analyzers, but focuses on concrete misconfiguration checks across many IaC syntaxes.

### Timeline

- 2020: Checkmarx/kics repository created on GitHub.
- 2020: v1.0.0 release published on 2020-11-30.
- 2021: The 1.1 and 1.2 release series expanded after the initial 1.0 release.
- 2025: The 2.1 release series was active through repeated published releases.
- 2026: v2.1.20 release published on 2026-03-03.

### Related projects

- Official KICS materials include a companion Checkmarx/kics-github-action repository for GitHub Actions integration and documentation for scanning common IaC ecosystems such as Terraform, Kubernetes, Helm, CloudFormation, and Docker Compose.

### Sources

- <https://checkmarx.com/product/kics/>
- <https://docs.kics.io/>
- <https://docs.kics.io/latest/integrations_ghactions/>
- <https://github.com/Checkmarx/kics>
- <https://github.com/Checkmarx/kics-github-action>
- <https://github.com/Checkmarx/kics/releases>


## Security Notes

narrow executable package without higher-risk signals.

- **Geiger risk:** green / low
- narrow executable package without higher-risk signals


## Configuration and credential file locations

These source-backed paths show where this package keeps local settings or durable credentials. Automic Vault can use them as review targets for secret scanning, migration, and command approval.


## Configuration files

- Unix: kics.config
## Source Database Details

- **Source Database:** Homebrew formula API
- **Tap:** homebrew/core
- **Full Name:** kics
- **Version Scheme:** 0
- **Revision:** 0
- **Head Version:** HEAD
- **Bottle Stable Root URL:** <https://ghcr.io/v2/homebrew/core>
- **Deprecated:** no
- **Disabled:** no
- **Keg Only:** no
- **URL Keys:** head, stable

## Other Package-Manager Records

- Nix - kics: normalized package name match | nixpkgs package indexes: pkgs/by-name/ki/kics/package.nix from https://api.github.com/repos/NixOS/nixpkgs/git/trees/master?recursive=1


## Related links

- [Cloud CLI packages](https://www.automicvault.com/pkg/cloud-clis/) - Belongs to a cloud or infrastructure command family.
- [Terminal utility packages](https://www.automicvault.com/pkg/terminal-utilities/) - Matched terminal and command-line workflow metadata.
- [Networking and protocol packages](https://www.automicvault.com/pkg/networking-protocol-tools/) - Matched network, protocol, or remote-service metadata.
- [Security and crypto packages](https://www.automicvault.com/pkg/security-crypto-tools/) - Matched security, identity, cryptography, password, signing, or certificate metadata.
- [go](https://www.automicvault.com/pkg/brew/go/) - Build dependency declared by Homebrew.
- [checkov](https://www.automicvault.com/pkg/brew/checkov/) - Shares av.db curated category or tags: cli, compliance, infrastructure-as-code, security.
- [cargo-audit](https://www.automicvault.com/pkg/brew/cargo-audit/) - Shares av.db curated category or tags: cli, security, vulnerability-scanning.
- [clair](https://www.automicvault.com/pkg/brew/clair/) - Shares av.db curated category or tags: cli, security, vulnerability-scanning.
- [dependency-check](https://www.automicvault.com/pkg/brew/dependency-check/) - Shares av.db curated category or tags: cli, security, vulnerability-scanning.
- [flawfinder](https://www.automicvault.com/pkg/brew/flawfinder/) - Shares av.db curated category or tags: cli, security, vulnerability-scanning.
- [govulncheck](https://www.automicvault.com/pkg/brew/govulncheck/) - Shares av.db curated category or tags: cli, security, vulnerability-scanning.
- [intercept](https://www.automicvault.com/pkg/brew/intercept/) - Shares av.db curated category or tags: cli, compliance, security.
- [kube-bench](https://www.automicvault.com/pkg/brew/kube-bench/) - Shares av.db curated category or tags: cli, compliance, security.
- [terrascan](https://www.automicvault.com/pkg/brew/terrascan/) - Security-sensitive metadata or terminology overlaps. Shared terms: cli, code, compliance, detect, iac.
- [snyk-cli](https://www.automicvault.com/pkg/brew/snyk-cli/) - Security-sensitive metadata or terminology overlaps. Shared terms: cli, iac, scanning, security, vulnerabilities.

## Combined YAML source

View the package source record on GitHub. [combined/kics.yml](https://github.com/automic-vault/db/blob/main/combined/kics.yml)


## Sources

- Nucleus package database
- Geiger risk classifier
- package-page enrichment
- curated configuration and credential file locations
- curated package history
- package version freshness
- av.db category and tag curation
- package relationship graph
- external package-manager database matches
- cross-ecosystem install command graph
