Checkmarx • Application security
Checkmarx IaC Security (formerly KICS) scans Terraform, CloudFormation, Kubernetes manifests, Helm charts, Docker, Ansible, and Azure ARM templates with PR-time policy gates and an open-source engine the customer can audit, all integrated with the rest of Checkmarx One.
Programs adopting Checkmarx IaC Security through Merito get the KICS rule set tuned to the customer's actual cloud-provider mix, custom policy-as-code authored for internal cloud standards, and PR-time gates wired into the CI fabric so misconfigurations get caught before they deploy.
What it is
Checkmarx IaC Security is the Infrastructure-as-Code scanner inside the Checkmarx One Cloud pillar. It is built on **KICS** (Keeping Infrastructure as Code Secure), the open-source engine Checkmarx maintains. KICS scans Terraform (HCL), CloudFormation (YAML and JSON), Kubernetes manifests, Helm charts, Dockerfiles, Ansible playbooks, Azure Resource Manager templates, OpenAPI specs, and CDK output. The open-source roots matter because customers can audit the rule set, contribute custom rules upstream, and verify that the engine is doing what it claims.
PR-time policy gates are the load-bearing capability for shifting left. IaC misconfigurations (public S3 buckets, overly-permissive IAM roles, unencrypted database snapshots, Kubernetes pods running as root) are easy to introduce and hard to catch after deployment. Checkmarx IaC Security scans the Terraform or CloudFormation diff at PR time, posts findings as PR comments on the changed resources, and gates the merge based on severity and policy. Programs that catch IaC misconfigurations at PR time spend a fraction of the operational effort that programs catching them post-deploy do.
Compare honestly to Checkov and Bridgecrew (now Prisma Cloud). Checkov is open-source, Python-based, and the established alternative. Bridgecrew (now part of Prisma Cloud) commercializes Checkov. KICS is open-source, Go-based, and the engine behind Checkmarx IaC Security. The technical differences are modest; the integration story differs. Programs picking Checkmarx IaC Security usually want consolidation with SAST, SCA, DAST, and Container Security inside Checkmarx One. Programs picking Checkov stay open-source. Both are valid.
What derails IaC Security adoption is rule-set drift and rule-set noise. Default rules generate findings on every minor convention deviation regardless of whether the deviation matters in this environment. Merito's engagement starts with rule-set tuning to the customer's actual cloud provider mix (AWS-heavy programs do not need Azure-specific rules tripping on every scan), application of compensating-control logic (a finding flagged on an internal-only resource may not need PR-time blocking), and policy-as-code authoring so internal cloud standards become enforceable scanner rules.
Ideal use cases
What it is best at
Built on the KICS open-source project Checkmarx maintains. Customers can read the rule set, audit the engine, contribute upstream, and verify the scanner is doing what it claims. Closed engines do not allow this.
Terraform, CloudFormation, Kubernetes, Helm, Docker, Ansible, Azure ARM, OpenAPI, CDK output. One engine across the IaC formats enterprises actually run.
Scans the IaC diff at PR time, posts findings as PR comments, and gates the merge. Catches misconfigurations before they deploy rather than after.
Kubernetes IaC findings cross-link with container findings on the same workload. Programs see the manifest issue and the image issue together.
Programs encode internal cloud standards (mandatory tagging, permitted regions, required encryption settings) as custom KICS rules. Internal standards become enforceable scanner policy.
Core capabilities
What KICS scans across the IaC stack.
Terraform (HCL)
AWS, Azure, GCP, and major Terraform providers. Module resolution and per-environment variable awareness.
CloudFormation
AWS-specific scanning across YAML and JSON CloudFormation templates and CDK output.
Kubernetes and Helm
Kubernetes manifests, Helm charts, and templated YAML. Cross-links with Checkmarx Container Security on the same workloads.
Docker, Ansible, ARM, OpenAPI
Dockerfile, Ansible playbook, Azure ARM template, and OpenAPI spec scanning in the same engine.
PR-time enforcement of IaC standards.
PR-time scanning
Scans the IaC diff in the pull request and posts findings as PR comments on the changed resources.
Policy-as-code authoring
Programs encode internal cloud standards as custom KICS rules. Internal standards become enforceable scanner policy.
Severity tuning per environment
Different severity thresholds for prod vs. non-prod, customer-facing vs. internal-only resources.
Compensating-control logic
Findings flagged with awareness of compensating controls so internal-only resources do not get audited like public ones.
IaC findings flowing into the broader AppSec backlog and audit evidence.
CIS benchmark alignment
Built-in rules aligned with CIS AWS, Azure, GCP, Docker, and Kubernetes benchmarks.
Cross-product correlation
IaC findings cross-link to Container Security, SCA, and SAST inside Checkmarx One.
Triage and Remediation clustering
IaC findings cluster with related Container Security and SAST findings on root cause for single-fix remediation.
Compliance reporting
Audit-ready evidence for PCI DSS, HIPAA, FedRAMP, SOC 2, and ISO 27001.
Where it fits in the stack
Deployment and implementation
Licensing and packaging
Checkmarx One Advanced
Adds IaC Security alongside DAST, API Security, Malicious Package Protection, and Repository Health to the Essentials baseline.
Best for: Programs adding IaC scanning to an existing SAST or SCA footprint.
Checkmarx One Enterprise
Advanced plus AI agents (Developer Assist, Triage and Remediation), AI Supply Chain Security, Software Supply Chain Security, and premium SLAs.
Best for: Enterprise programs running IaC Security inside a fully consolidated AppSec platform.
Merito services
Merito sells licenses and the delivery work around them. Pick the service that matches where you are in the lifecycle.
Tenant setup, rule-set tuning, custom policy-as-code authoring, PR-time gate wiring, severity-tuning policy.
Explore service02IaC governance scoping for Checkmarx IaC Security alongside Checkov, Bridgecrew, and Prisma Cloud IaC.
Explore service03IaC scanning integrated into PR-time CI and merge-gate policy.
Explore service04Platform engineering enablement around IaC discipline and policy-as-code authoring.
Explore service05Named engineer, priority SLAs, and release-time coverage for IaC Security.
Explore service06Long-term run support including KICS rule maintenance, policy-as-code evolution, and severity-tuning operation.
Explore service07Role-based training for platform engineers, DevSecOps owners, and AppSec architects.
Explore service08Merito-placed AppSec engineers and Checkmarx specialists embedded on long-running programs.
Explore serviceCheckmarx IaC Security licensing
IaC Security pricing arrives with rule-set tuning, custom policy-as-code authoring, PR-time gate wiring, and severity-tuning policy that turn the scanner into enforced cloud standards rather than aspirational ones.
Merito point of view
Merito has audited cloud programs that ran IaC scanning post-deploy, accumulated thousands of findings on existing infrastructure, and never moved the needle because remediating already-deployed cloud is expensive. The fix is shifting left: scan the IaC diff at PR time, post findings as PR comments, and gate the merge before the misconfiguration ships. Checkmarx IaC Security does this; programs that scan only post-deploy are running detection rather than prevention.
Merito recommends Checkmarx IaC Security specifically when the program is consolidating onto Checkmarx One, when cross-product correlation with Container Security and SAST matters, and when the open-source KICS heritage gives the team confidence to audit and contribute to the engine. For programs already running mature Checkov pipelines and not consolidating, the migration delta is often small. For programs picking Prisma Cloud or Wiz as the cloud-side anchor, IaC Security from Checkmarx still works as the AppSec-side companion.
The custom policy-as-code authoring is the load-bearing move on internal cloud standards. Programs that document tagging, region, and encryption rules in a wiki and never enforce them spend the next year arguing about them. Programs that encode them as custom KICS rules turn standards into enforceable PR-time gates.
What buyers usually underestimate
Related from Merito
Related solutions
Related services
Related products
Frequently Asked Questions
Consultation request
Share your IaC formats (Terraform, CloudFormation, Kubernetes), cloud provider mix, and current IaC scanning posture. A Merito Checkmarx specialist follows up within one business day.
KICS open-source
Built on the KICS open-source project Checkmarx maintains. Customers can read, audit, and contribute to the rule set.
PR-time gates
Scans the IaC diff at PR time and gates the merge. Order-of-magnitude cheaper than post-deploy detection.
Next step
A Merito IaC Security engagement starts with rule-set tuning and custom policy-as-code authoring. Programs that scan only post-deploy spend the next year remediating already-deployed cloud.