diff --git a/.github/workflows/kics-iac.yml b/.github/workflows/kics-iac.yml
new file mode 100644
index 0000000..9e03fc0
--- /dev/null
+++ b/.github/workflows/kics-iac.yml
@@ -0,0 +1,29 @@
+name: kics scanning
+on:
+  push:
+    branches: master
+jobs:
+  kics:
+    runs-on: ubuntu-latest
+    env:
+      AWS_ACCESS_KEY_ID: ${{ secrets.VULN_REPORTS_AWS_KEY_ID }}
+      AWS_SECRET_ACCESS_KEY: ${{ secrets.VULN_REPORTS_AWS_SECRET_ACCESS_KEY }}
+      VULN_REPORTS_AWS_BUCKET: ${{ secrets.VULN_REPORTS_AWS_BUCKET }}
+      AWS_EC2_METADATA_DISABLED: true
+    steps:
+      - uses: actions/checkout@v2
+      - name: run kics Scan
+        uses: checkmarx/kics-github-action@v1.6
+        with:
+          path: .
+          ignore_on_exit: results
+          output_path: res/
+      - name: display kics results
+        run: |
+          cat res/results.json
+      - name: upload scan results
+        run: |
+          set -eu
+          KEY="`date +%Y`/`date +%m`/`date +%d`/${GITHUB_REPOSITORY#*/}_${GITHUB_REF#refs/heads/}_kics_`date +%s`.json"
+          echo "[i] writing to s3 object '$KEY'"
+          aws s3 cp res/results.json s3://$VULN_REPORTS_AWS_BUCKET/$KEY