Checkmarx · cx-laura-rodrigues · Nov 27, 2025 · Nov 27, 2025 · Nov 27, 2025 · Nov 27, 2025
@@ -105,7 +105,9 @@
                 "azure",
                 "common",
                 "gcp",
+                "ibmcloud",
                 "nifcloud",
+                "oraclecloud",
                 "tencentcloud"
             ]
         },

@@ -218,6 +218,20 @@ Find security vulnerabilities, compliance issues, and infrastructure misconfigur
 </picture>
 </a>
 </td>
+<td>
+<a href="https://github.com/Checkmarx/kics/blob/master/docs/platforms.md#ibmcloud-for-terraform">
+<img alt="IBMCloud" src="docs/img/logo-ibmcloud.png" width="100">
+</a>
+</td>
+<td>
+<a href="https://github.com/Checkmarx/kics/blob/master/docs/platforms.md#oraclecloud-for-terraform">
+<picture>
+<source media="(prefers-color-scheme: light)" srcset="docs/img/logo-oraclecloud.png" width="180">
+<source media="(prefers-color-scheme: dark)" srcset="docs/img/logo-oraclecloud-dark.png" width="180">
+<img alt="OracleCloud" src="docs/img/logo-oraclecloud.png" width="100">
+</picture>
+</a>
+</td>
 </tr>
 </table>
 

@@ -0,0 +1,14 @@
+{
+    "id": "a6bc2970-c10d-45ab-9050-cf69c393e911",
+    "queryName": "Load Balancer VPC is Public",
+    "severity": "MEDIUM",
+    "category": "Insecure Configurations",
+    "descriptionText": "IBM Load Balancer VPC should not be public",
+    "descriptionUrl": "https://registry.terraform.io/providers/IBM-Cloud/ibm/latest/docs/resources/is_lb",
+    "platform": "Terraform",
+    "descriptionID": "a6bc2970",
+    "cloudProvider": "ibmcloud",
+    "cwe": "668",
+    "riskScore": "3.0",
+    "experimental": "true"
+  }
@@ -0,0 +1,39 @@
+package Cx
+
+import data.generic.common as common_lib
+import data.generic.terraform as tf_lib
+
+CxPolicy[result] {
+
+	lb := input.document[i].resource.ibm_is_lb[name]
+	not common_lib.valid_key(lb, "type")
+
+	result := {
+		"documentId": input.document[i].id,
+		"resourceType": "ibm_is_lb",
+		"resourceName": tf_lib.get_resource_name(lb, name),
+		"searchKey": sprintf("ibm_is_lb[%s]", [name]),
+		"issueType": "MissingAttribute",
+		"keyExpectedValue": sprintf("'ibm_is_lb[%s]' should be set to private or private_path.", [name]),
+		"keyActualValue": sprintf("'ibm_is_lb[%s]' is missing type property, defaults to public.", [name]),
+		"searchLine": common_lib.build_search_line(["resource","ibm_is_lb", name], []),
+	}
+}
+
+CxPolicy[result] {
+
+	lb := input.document[i].resource.ibm_is_lb[name]
+	lb.type != "private"
+	lb.type != "private_path"
+
+	result := {
+		"documentId": input.document[i].id,
+		"resourceType": "ibm_is_lb",
+		"resourceName": tf_lib.get_resource_name(lb, name),
+		"searchKey": sprintf("ibm_is_lb[%s]", [name]),
+		"issueType": "IncorrectValue",
+		"keyExpectedValue": sprintf("'ibm_is_lb[%s]' should be set to private or private_path.", [name]),
+		"keyActualValue": sprintf("'ibm_is_lb[%s]' is set to %s.", [name, lb.type]),
+		"searchLine": common_lib.build_search_line(["resource","ibm_is_lb", name, "type"], []),
+	}
+}
@@ -0,0 +1,7 @@
+# Case: type is defined to private_path
+resource "ibm_is_lb" "example" {
+  name    = "example-load-balancer"
+  subnets = [ibm_is_subnet.example.id]
+  profile = "network-private-path"
+  type = "private_path"
+}
@@ -0,0 +1,7 @@
+# Case: type is defined to private
+resource "ibm_is_lb" "example" {
+  name    = "example-load-balancer"
+  subnets = [ibm_is_subnet.example.id]
+  profile = "network-private-path"
+  type = "private"
+}
@@ -0,0 +1,7 @@
+# Case: type is defined to public
+resource "ibm_is_lb" "example" {
+  name    = "example-load-balancer"
+  subnets = [ibm_is_subnet.example.id]
+  profile = "network-private-path"
+  type = "public"
+}
@@ -0,0 +1,6 @@
+resource "ibm_is_lb" "example" {
+  name    = "example-load-balancer"
+  subnets = [ibm_is_subnet.example.id]
+  profile = "network-private-path"
+  # Case: type is not defined, defaults to public 
+}
@@ -0,0 +1,15 @@
+[
+    {
+      "queryName": "Load Balancer VPC is Public",
+      "severity": "MEDIUM",
+      "line": 6,
+      "fileName": "positive1.tf"
+    },
+    {
+    "queryName": "Load Balancer VPC is Public",
+      "severity": "MEDIUM",
+      "line": 1,
+      "fileName": "positive2.tf"    
+    }
+]
+
@@ -0,0 +1,14 @@
+{
+  "id": "1d2e88ff-7ee7-4c8a-bf16-01488c83f295",
+  "queryName": "Instance Monitoring Disabled",
+  "severity": "LOW",
+  "category": "Observability",
+  "descriptionText": "Instance should have monitoring enabled",
+  "descriptionUrl": "https://registry.terraform.io/providers/oracle/oci/latest/docs/resources/core_instance_configuration.html#is_monitoring_disabled-2",
+  "platform": "Terraform",
+  "descriptionID": "1d2e88ff",
+  "cloudProvider": "oraclecloud",
+  "cwe": "778",
+  "riskScore": "1.0",
+  "experimental": "true"
+}
@@ -0,0 +1,21 @@
+package Cx
+
+import data.generic.common as common_lib
+import data.generic.terraform as tf_lib
+
+CxPolicy[result] {
+	resource := input.document[i].resource.oci_core_instance[name]
+	agent_config := resource.agent_config
+	agent_config.is_monitoring_disabled == true
+
+	result := {
+		"documentId": input.document[i].id,
+		"resourceType": "oci_core_instance",
+		"resourceName": tf_lib.get_resource_name(resource, name),
+		"searchKey": sprintf("oci_core_instance[%s]", [name]),
+		"issueType": "IncorrectValue",
+		"keyExpectedValue": "Attribute 'is_monitoring_disabled' should be set to false.",
+		"keyActualValue": "Attribute 'is_monitoring_disabled' is set to true.",
+		"searchLine": common_lib.build_search_line(["resource", "oci_core_instance", name, "agent_config", "is_monitoring_disabled"], []),
+	}
+}
@@ -0,0 +1,9 @@
+# Case: is_monitoring_disabled set to false
+resource "oci_core_instance" "fail" {
+  availability_domain = var.instance_availability_domain
+  compartment_id      = var.compartment_id
+  shape               = var.instance_shape
+  agent_config {
+    is_monitoring_disabled = false
+  }
+}
@@ -0,0 +1,6 @@
+# Case: missing is_monitoring_disabled property, defaults to false
+resource "oci_core_instance" "fail" {
+  availability_domain = var.instance_availability_domain
+  compartment_id      = var.compartment_id
+  shape               = var.instance_shape
+}
@@ -0,0 +1,7 @@
+# Case: missing is_monitoring_disabled inside agent_config
+resource "oci_core_instance" "fail" {
+  availability_domain = var.instance_availability_domain
+  compartment_id      = var.compartment_id
+  shape               = var.instance_shape
+  agent_config {}
+}
@@ -0,0 +1,8 @@
+resource "oci_core_instance" "fail" {
+  availability_domain = var.instance_availability_domain
+  compartment_id      = var.compartment_id
+  shape               = var.instance_shape
+  agent_config {
+    is_monitoring_disabled = true
+  }
+}
@@ -0,0 +1,8 @@
+[
+  {
+    "queryName": "Instance Monitoring Disabled",
+    "severity": "LOW",
+    "line": 6,
+    "fileName": "positive.tf"
+  }
+]
@@ -38,7 +38,7 @@ Use "kics [command] --help" for more information about a command.
 | Flags                       | Description                                                                                                                                                                                                                                                                                 |
 |-----------------------------|---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
 |-m, --bom                           | include bill of materials (BoM) in results output                                                                                                                                                                                                                                           |
-|      --cloud-provider strings      | list of cloud providers to scan (alicloud,aws,azure,gcp,nifcloud,tencentcloud)                                                                                                                                                                                                              |
+|      --cloud-provider strings      | list of cloud providers to scan (alicloud,aws,azure,gcp,ibmcloud,nifcloud,oraclecloud,tencentcloud)                                                                                                                                                                                                              |
 |      --config string               | path to configuration file                                                                                                                                                                                                                                                                  |
 |      --old-severities              | uses old severities in query results                                                                                                                                                                                                                                                        |
 |      --disable-full-descriptions   | disable request for full descriptions and use default vulnerability descriptions                                                                                                                                                                                                            |

@@ -107,7 +107,7 @@ Usage:
 
 Flags:
   -m, --bom                           include bill of materials (BoM) in results output
-      --cloud-provider strings        list of cloud providers to scan (alicloud,aws,azure,gcp,nifcloud,tencentcloud)
+      --cloud-provider strings        list of cloud providers to scan (alicloud,aws,azure,gcp,ibmcloud,nifcloud,oraclecloud,tencentcloud)
       --config string                 path to configuration file
       --old-severities                use old severities in query results (excludes critical severity)
       --disable-full-descriptions     disable request for full descriptions and use default vulnerability descriptions

@@ -153,6 +153,12 @@ KICS scans and detects issues in following Infrastructure as Code solutions:
 <div class="card"  style="min-width:80;flex:0 0 25%;display:flex;align-items:center;justify-content:center;margin:8px">
         <img alt="TencentCloud" src="img/logo-tencentcloud.png" width="120">&nbsp;&nbsp;&nbsp;
 </div>
+<div class="card" style="min-width:80;flex:0 0 25%;display:flex;align-items:center;justify-content:center;margin:8px">
+        <img alt="IBMCloud" src="img/logo-ibmcloud.png" width="90">&nbsp;&nbsp;&nbsp;
+</div>
+<div class="card"  style="min-width:80;flex:0 0 25%;display:flex;align-items:center;justify-content:center;margin:8px">
+        <img alt="OracleCloud" src="img/logo-oraclecloud.png" width="120">&nbsp;&nbsp;&nbsp;
+</div>
 </div>
 
 ## Getting Started

@@ -195,6 +195,14 @@ KICS supports scanning Databricks under Terraform file extension (`.tf`).
 
 KICS supports scanning TencentCloud under Terraform file extension (`.tf`).
 
+### IBMCloud for Terraform
+
+KICS supports scanning IBMCloud under Terraform file extension (`.tf`).
+
+### OracleCloud for Terraform
+
+KICS supports scanning OracleCloud under Terraform file extension (`.tf`).
+
 ### Terraform variables path
 
 When using vars in a terraform file there are 2 ways of passing the file in which a variable's value is present.

@@ -3,7 +3,7 @@ Usage:
 
 Flags:
   -m, --bom                           include bill of materials (BoM) in results output
-      --cloud-provider strings        list of cloud providers to scan (alicloud,aws,azure,gcp,nifcloud,tencentcloud)
+      --cloud-provider strings        list of cloud providers to scan (alicloud,aws,azure,gcp,ibmcloud,nifcloud,oraclecloud,tencentcloud)
       --config string                 path to configuration file
       --disable-full-descriptions     disable request for full descriptions and use default vulnerability descriptions
       --disable-secrets               disable secrets scanning

@@ -84,7 +84,9 @@ var (
 		"aws":          "",
 		"azure":        "",
 		"gcp":          "",
+		"ibmcloud":     "",
 		"nifcloud":     "",
+		"oraclecloud":  "",
 		"tencentcloud": "",
 	}
 )

@@ -82,7 +82,7 @@ func ListSupportedPlatforms() []string {
 
 // ListSupportedCloudProviders returns a list of supported cloud providers
 func ListSupportedCloudProviders() []string {
-	return []string{"alicloud", "aws", "azure", "gcp", "nifcloud", "tencentcloud"}
+	return []string{"alicloud", "aws", "azure", "gcp", "ibmcloud", "nifcloud", "oraclecloud", "tencentcloud"}
 }
 
 func getLibraryInDir(platform, libraryDirPath string) string {

@@ -821,7 +821,7 @@ func TestSource_validateMetadata(t *testing.T) {
 
 // TestSource_ListSupportedCloudProviders tests the function ListSupportedCloudProviders.
 func TestSource_ListSupportedCloudProviders(t *testing.T) {
-	want := []string{"alicloud", "aws", "azure", "gcp", "nifcloud", "tencentcloud"}
+	want := []string{"alicloud", "aws", "azure", "gcp", "ibmcloud", "nifcloud", "oraclecloud", "tencentcloud"}
 	t.Run("test List Supported CP", func(t *testing.T) {
 		got := ListSupportedCloudProviders()
 		require.Equal(t, want, got)

@@ -41,7 +41,9 @@ var (
 		"../assets/queries/terraform/kubernetes":            {FileKind: []model.FileKind{model.KindTerraform, model.KindJSON}, Platform: "terraform"},
 		"../assets/queries/terraform/general":               {FileKind: []model.FileKind{model.KindTerraform, model.KindJSON}, Platform: "terraform"},
 		"../assets/queries/terraform/alicloud":              {FileKind: []model.FileKind{model.KindTerraform, model.KindJSON}, Platform: "terraform"},
+		"../assets/queries/terraform/ibmcloud":              {FileKind: []model.FileKind{model.KindTerraform, model.KindJSON}, Platform: "terraform"},
 		"../assets/queries/terraform/nifcloud":              {FileKind: []model.FileKind{model.KindTerraform, model.KindJSON}, Platform: "terraform"},
+		"../assets/queries/terraform/oraclecloud":           {FileKind: []model.FileKind{model.KindTerraform, model.KindJSON}, Platform: "terraform"},
 		"../assets/queries/terraform/tencentcloud":          {FileKind: []model.FileKind{model.KindTerraform, model.KindJSON}, Platform: "terraform"},
 		"../assets/queries/crossplane/aws":                  {FileKind: []model.FileKind{model.KindYAML}, Platform: "crossplane"},
 		"../assets/queries/crossplane/azure":                {FileKind: []model.FileKind{model.KindYAML}, Platform: "crossplane"},