KICS CLI

August 12, 2025 ยท View on GitHub

KICS is a command line tool, and should be used in a terminal. The next section describes the usage, the same help content is displayed when kics is provided with the --help flag.

KICS Command

KICS has the following commands available:

Available CommandsDescription
generate-idGenerates uuid for query
helpHelp about any command
list-platformsList supported platforms
remediateAuto remediates the project
scanExecutes a scan analysis
versionDisplays the current version

Usage: kics [command]

FlagDescription
--ciDisplay only log messages to CLI output (mutually exclusive with silent).
-h, --helpHelp for kics.
-f, --log-format stringDetermines log format (pretty,json) (default "pretty").
--log-level stringDetermines log level (TRACE,DEBUG,INFO,WARN,ERROR,FATAL) (default "INFO").
--log-path stringPath to generate log file (info.log).
--no-colorDisable CLI color output.
--profiling stringEnables performance profiler that prints resource consumption metrics in the logs during the execution (CPU, MEM).
-s, --silentSilence stdout messages (mutually exclusive with verbose and ci).
-v, --verboseWrite logs to stdout too (mutually exclusive with silent).

Use "kics [command] --help" for more information about a command.

Scan Command Options

FlagsDescription
-m, --bominclude bill of materials (BoM) in results output
--cloud-provider stringslist of cloud providers to scan (alicloud,aws,azure,gcp,nifcloud,tencentcloud)
--config stringpath to configuration file
--old-severitiesuses old severities in query results
--disable-full-descriptionsdisable request for full descriptions and use default vulnerability descriptions
--disable-secretsdisable secrets scanning
--enable-openapi-refsresolve the file reference, on OpenAPI files (default [false])
--exclude-categories stringsexclude categories by providing its name
cannot be provided with query inclusion flags
can be provided multiple times or as a comma separated string
example: 'Access control,Best practices'
--exclude-gitignoredisables the exclusion of paths specified within .gitignore file
-e, --exclude-paths stringsexclude paths from scan
supports glob and can be provided multiple times or as a quoted comma separated string
example: './shouldNotScan/*,somefile.txt'
--exclude-queries stringsexclude queries by providing the query ID
cannot be provided with query inclusion flags
can be provided multiple times or as a comma separated string
example: 'e69890e6-fce5-461d-98ad-cb98318dfc96,4728cd65-a20c-49da-8b31-9c08b423e4db'
-x, --exclude-results stringsexclude results by providing the similarity ID of a result
can be provided multiple times or as a comma separated string
example: 'fec62a97d569662093dbb9739360942f...,31263s5696620s93dbb973d9360942fc2a...'
--exclude-severities stringsexclude results by providing the severity of a result
can be provided multiple times or as a comma separated string
example: 'info,low'
possible values: 'critical,high,medium,low,info,trace'
--experimental-queriesinclude experimental queries (queries not yet thoroughly reviewed) (default [false])
--fail-on stringswhich kind of results should return an exit code different from 0
accepts: critical, high, medium, low and info
example: "high,low" (default [critical,high,medium,low,info])
-h, --helphelp for scan
--ignore-on-exit stringdefines which kind of non-zero exits code should be ignored
accepts: all, results, errors, none
example: if 'results' is set, only engine errors will make KICS exit code different from 0 (default "none")
-i, --include-queries stringsinclude queries by providing the query ID
cannot be provided with query exclusion flags
can be provided multiple times or as a comma separated string
example: 'e69890e6-fce5-461d-98ad-cb98318dfc96,4728cd65-a20c-49da-8b31-9c08b423e4db'
--input-data stringpath to query input data files
-b, --libraries-path stringpath to directory with libraries (default "./assets/libraries")
--max-file-size intmax file size permitted for scanning, in MB (default 5)
--max-resolver-depth intmax depth to which the resolver will traverse to resolve files (default 15)
--minimal-uisimplified version of CLI output
--no-progresshides the progress bar
--output-name stringname used on report creations (default "results")
-o, --output-path stringdirectory path to store reports
--parallel intnumber of workers per platform enabled for parallel scanning (default set to 0 to auto-detect optimal number of workers)
-p, --path stringspaths or directories to scan
example: "./somepath,somefile.txt"
--payload-linesadds line information inside the payload when printing the payload file
-d, --payload-path stringpath to store internal representation JSON file
--preview-lines intnumber of lines to be display in CLI results (min: 1, max: 30) (default 3)
-q, --queries-path stringspaths to directory with queries (default [./assets/queries])
--report-formats stringsformats in which the results will be exported (all,asff,codeclimate,csv,cyclonedx,glsast,html,json,junit,pdf,sarif,sonarqube) (default [json])
-r, --secrets-regexes-path stringpath to secrets regex rules configuration file
--terraform-vars-pathstring path where terraform variables are present
--timeout intnumber of seconds the query has to execute before being canceled (default 60)
-t, --type stringscase insensitive list of platform types to scan
(Ansible,AzureResourceManager,Buildah,CICD,CloudFormation,Crossplane,DockerCompose,Dockerfile,GRPC,GoogleDeploymentManager,Knative,Kubernetes,OpenAPI,Pulumi,ServerlessFW,Terraform)
cannot be provided with type exclusion flags
--exclude-type stringscase insensitive list of platform types not to scan
(Ansible,AzureResourceManager,Buildah,CICD,CloudFormation,Crossplane,DockerCompose,Dockerfile,GRPC,GoogleDeploymentManager,Knative,Kubernetes,OpenAPI,Pulumi,ServerlessFW,Terraform)
cannot be provided with type inclusion flags

Usage: kics scan [flags]

Global flagsDescription
--cidisplay only log messages to CLI output (mutually exclusive with silent)
-f, --log-format stringdetermines log format (pretty,json) (default "pretty")
--log-level stringdetermines log level (TRACE,DEBUG,INFO,WARN,ERROR,FATAL) (default "INFO")
--log-path stringpath to generate log file (info.log)
--no-colordisable CLI color output
--profiling stringenables performance profiler that prints resource consumption metrics in the logs during the execution (CPU, MEM)
-s, --silentsilence stdout messages (mutually exclusive with verbose and ci)
-v, --verbosewrite logs to stdout too (mutually exclusive with silent)

Auto Remediate Command Options

FlagsDescription
-h, --helphelp for remediate
--include-ids stringswhich remediation (similarity ids) should be remediated
example "f6b7acac2d541d8c15c88d2be51b0e6abd576750b71c580f2e3a9346f7ed0e67,6af5fc5d7c0ad0077348a090f7c09949369d24d5608bbdbd14376a15de62afd1" (default [all])
--results stringpoints to the JSON results file with remediation

Usage: kics remediate [flags]

The other commands have no further options.

Exclude Paths

By default, KICS excludes paths specified in the .gitignore file in the root of the repository. To disable this behavior, use flag --exclude-gitignore.

Library Flag Usage

As mentioned above, the library flag (-b or --libraries-path) refers to the directory with libraries. The functions need to be grouped by platform and the library file name should follow the format: <platform>.rego to be loaded by KICS. It doesn't matter your directory structure. In other words, for example, if you want to indicate a directory that contains a library for your terraform queries, you should group your functions (used in your terraform queries) in a file named terraform.rego wherever you want.

This will merge the custom libraries found on the flag's path with KICS's default libraries. Note that any functions declared in a custom library with the same signature as an existing function in the default libraries will cause the default library function to be overwritten by the custom definition provided.


Profiling

With the --profiling flag KICS will print resource consumption information in the logs.

You can only enable one profiler at a time, CPU or MEM.

๐Ÿ“ Please note that execution time may be impacted by enabling performance profiler due to sampling

Disable Crash Report

You can disable KICS crash report to sentry.io with DISABLE_CRASH_REPORT environment variable set to 0 or false e.g:

DISABLE_CRASH_REPORT=0 ./bin/kics version
# 'KICS crash report disabled' message should appear in the logs