IaC overview
What is IaC scanning?
IaC (Infrastructure as Code) scanning analyzes infrastructure configuration files to identify security misconfigurations, vulnerabilities, and compliance violations before infrastructure is deployed. By shifting security checks into the development phase, IaC scanning helps teams catch issues when they are easiest and cheapest to fix.
How it works
IaC scanning parses infrastructure configuration files and evaluates them against security policies and best practices. The scanning process includes:
- Configuration analysis: checks resource definitions for security misconfigurations such as open ports, missing encryption, or overly permissive access.
- Policy evaluation: validates configurations against security benchmarks such as CIS Benchmarks and organizational policies.
- Compliance checks: identifies deviations from compliance frameworks before deployment.
- Dependency analysis: detects insecure module references and outdated provider versions.
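The configuration-analysis and policy-evaluation steps, as an added example written for this page (not the engine of any scanner named here): a minimal check over a constructed CloudFormation JSON template that flags two of the categories listed further down, an ingress rule open to 0.0.0.0/0 and an S3 bucket defined without encryption. Resource names and rule IDs are made up.

```python
import json

# Constructed sample CloudFormation template (JSON): an SSH rule open to the
# world, one bucket without encryption, one with it.
TEMPLATE = json.loads("""{
  "Resources": {
    "WebSg": {"Type": "AWS::EC2::SecurityGroup", "Properties": {
      "SecurityGroupIngress": [
        {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22, "CidrIp": "0.0.0.0/0"},
        {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443, "CidrIp": "10.0.0.0/8"}]}},
    "LogsBucket": {"Type": "AWS::S3::Bucket", "Properties": {}},
    "DataBucket": {"Type": "AWS::S3::Bucket", "Properties": {
      "BucketEncryption": {"ServerSideEncryptionConfiguration": [
        {"ServerSideEncryptionByDefault": {"SSEAlgorithm": "AES256"}}]}}}
  }
}""")

def check_open_ingress(name, props):
    """Overly permissive access: ingress from any IPv4 or IPv6 source."""
    for rule in props.get("SecurityGroupIngress", []):
        src = rule.get("CidrIp") or rule.get("CidrIpv6")
        if src in ("0.0.0.0/0", "::/0"):
            yield (name, "OPEN_INGRESS", f"port {rule.get('FromPort')} open to {src}")

def check_bucket_encryption(name, props):
    """Unencrypted resources: S3 bucket defined without BucketEncryption."""
    if "BucketEncryption" not in props:
        yield (name, "UNENCRYPTED_BUCKET", "no BucketEncryption property")

# Policy table: resource type -> rules to evaluate (the policy-evaluation step).
RULES = {
    "AWS::EC2::SecurityGroup": [check_open_ingress],
    "AWS::S3::Bucket": [check_bucket_encryption],
}

def scan(template):
    """Configuration analysis: walk each resource, apply the rules for its type."""
    findings = []
    for name, res in template.get("Resources", {}).items():
        for rule in RULES.get(res.get("Type"), []):
            findings.extend(rule(name, res.get("Properties", {})))
    return findings

if __name__ == "__main__":
    for res, rule_id, detail in scan(TEMPLATE):
        print(f"{rule_id} {res}: {detail}")
```

Real scanners carry hundreds of such rules and also resolve intrinsic functions, parameters and module references before evaluating them; the structure here is the same, rules keyed by resource type applied to parsed configuration.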
Supported IaC frameworks
IaC scanning supports the following configuration formats:
- Terraform (HCL configuration files)
- AWS CloudFormation (JSON/YAML templates)
- Kubernetes manifests (YAML)
- Helm Charts
- Dockerfile
- Ansible
- Pulumi
The specific formats supported depend on the scanning tool used.
What it can discover
IaC scanning detects risks across the following categories:
| Category | Examples |
|---|---|
| Overly permissive access | Security groups allowing ingress from 0.0.0.0/0, IAM policies with wildcard permissions |
| Public storage | S3 buckets or equivalent configured with public access |
| Unencrypted resources | Databases or storage volumes (for example EBS volumes) defined without encryption |
| Exposed databases | RDS instances or similar resources configured with public accessibility |
| Missing logging | Resources defined without audit logging or monitoring |
| Insecure container definitions | Containers running as root, missing resource limits, hardcoded secrets |
| Compliance violations | Deviations from CIS benchmarks and other security standards |
For ASPM, supported third-party IaC scanning tools include Checkmarx KICS, Checkov, tfsec, Snyk IaC, Trivy IaC, and Semgrep Config. See Third-party scanners overview for the full list.