Overview

  • What it Does: IaC Scanning analyzes your infrastructure configuration files to identify security misconfigurations, policy violations, and hardcoded secrets before they reach production. It scans various IaC formats including Kubernetes manifests, Terraform files, Dockerfiles, CloudFormation templates, and more, providing detailed findings with severity ratings and remediation guidance.
  • Who it’s For: This feature is designed for DevOps engineers, cloud architects, security teams, and platform engineers who manage infrastructure as code. It’s essential for teams adopting cloud-native practices, implementing GitOps workflows, or maintaining compliance requirements in their infrastructure deployments.

Key Features and Benefits

  • Comprehensive IaC Coverage: Scans infrastructure code across multiple platforms and formats including Kubernetes, Docker, Terraform, CloudFormation, Azure ARM Templates, and Helm charts
  • Dual Detection Capabilities:
    • Misconfiguration Detection: Identifies insecure configurations, missing security controls, excessive permissions, and compliance violations
    • Secret Detection: Finds hardcoded credentials, API keys, tokens, and sensitive data embedded in infrastructure code
  • Rich Finding Intelligence: Provides detailed information including:
    • Configuration issue descriptions and security impact
    • Severity ratings (Critical, High, Medium, Low)
    • Affected resources and file locations
    • Remediation guidance and best practice recommendations
  • Smart Detection: Automatically identifies IaC files in your repository and applies appropriate security checks based on file type

Supported Infrastructure Types

Kubernetes Manifests

File Patterns: *.yml, *.yaml, *.json
Detects issues like:
  • Privileged containers and insecure capabilities
  • Missing resource limits and security contexts
  • Exposed secrets in manifests
  • Network policy misconfigurations

Dockerfiles

File Patterns: Dockerfile, Containerfile
Detects issues like:
  • Running as root user
  • Missing health checks
  • Exposed secrets in build arguments
  • Insecure base images

Terraform

File Patterns: *.tf, *.tf.json, *.tfvars, tfplan, *.tfplan
Detects issues like:
  • Publicly accessible cloud resources
  • Unencrypted storage and databases
  • Overly permissive IAM policies
  • Missing logging and monitoring

CloudFormation

File Patterns: *.yml, *.yaml, *.json
Detects issues like:
  • Open security groups
  • Unencrypted S3 buckets
  • Missing CloudTrail logging
  • Insecure AWS resource configurations

Azure ARM Templates

File Patterns: *.json
Detects issues like:
  • Public blob containers
  • Disabled encryption
  • Weak network security rules
  • Missing diagnostic settings

Helm Charts

File Patterns: *.yaml, *.tpl, *.tar.gz
Detects issues in Helm templates similar to the Kubernetes manifest checks
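An added example of the Dockerfile checks listed above, not code from this page or the product's own scanner: a small scanner that reads a constructed Dockerfile and flags root execution, a missing HEALTHCHECK, a secret passed through a build argument, and an unpinned base image. The severity assigned to each check is an assumption.

```python
import re

# Constructed sample Dockerfile (not from the page) that triggers each of the
# four Docker checks: unpinned base image, secret in ARG, no USER, no HEALTHCHECK.
SAMPLE_DOCKERFILE = """\
FROM python:latest
ARG AWS_SECRET_ACCESS_KEY=abc123secretvalue
ENV APP_ENV=production
RUN pip install -r requirements.txt
EXPOSE 8080
CMD ["python", "app.py"]
"""

# Key names that usually carry credentials when used in ARG/ENV (assumed list).
SECRET_KEY_RE = re.compile(r"(secret|password|passwd|token|api_?key|access_?key)", re.I)

def scan_dockerfile(text):
    """Return a list of (severity, line_no, message); line 0 means file-level."""
    findings = []
    last_user = None
    has_healthcheck = False
    # Join backslash continuations so each instruction is one logical line.
    for no, raw in enumerate(text.replace("\\\n", " ").splitlines(), start=1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        instr, _, args = line.partition(" ")
        instr = instr.upper()
        if instr == "FROM":
            image = args.split()[0]
            ref = image.split("/")[-1]          # strip registry/namespace
            if "@sha256:" not in ref and (":" not in ref or ref.endswith(":latest")):
                findings.append(("Medium", no, f"base image not pinned: {image}"))
        elif instr == "USER":
            last_user = args.strip()
        elif instr == "HEALTHCHECK":
            has_healthcheck = True
        elif instr in ("ARG", "ENV"):
            # KEY=VALUE pairs; a literal value for a secret-looking key is a finding.
            for pair in args.split():
                key, sep, value = pair.partition("=")
                if sep and value and SECRET_KEY_RE.search(key):
                    findings.append(("Critical", no, f"hardcoded secret in {instr} {key}"))
    if last_user in (None, "root", "0"):
        findings.append(("High", 0, "container runs as root (no non-root USER)"))
    if not has_healthcheck:
        findings.append(("Low", 0, "no HEALTHCHECK instruction"))
    return findings

if __name__ == "__main__":
    for severity, no, message in scan_dockerfile(SAMPLE_DOCKERFILE):
        print(f"[{severity}] line {no}: {message}")
```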

Setup Instructions

IaC scanning is not enabled by default. Contact support to enable this feature for your company account.
Project must contain at least one supported IaC file to enable infrastructure scanning.

Configuration Steps

  1. Verify IaC Files: Ensure your project contains supported infrastructure files in any of the formats listed above
  2. Configure Scan Scope: Choose whether to include IaC scanning in full or partial scans
  3. Set Up Notifications: Configure alerts for critical misconfigurations and exposed secrets

Usage Guide

Key Workflows

  1. Automatic Discovery: The system automatically identifies IaC files in your repository
  2. Configuration Analysis: Applies security checks and compliance rules based on file type
  3. Misconfiguration Detection: Identifies security issues, policy violations, and best practice deviations
  4. Secret Detection: Scans for hardcoded credentials and sensitive information
  5. Issue Creation: Creates trackable security issues for each finding
  6. Reporting: Generates comprehensive reports with prioritized remediation guidance

Common Misconfiguration Examples

# ❌ Insecure
apiVersion: v1
kind: Pod
metadata:
  name: app  # a Pod needs a name; without it the manifest is rejected
spec:
  containers:
  - name: app
    image: myapp:latest
    securityContext:
      privileged: true  # High severity issue
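An added example, not code from this page or the product's own scanner: a minimal checker over a Pod manifest in JSON form (one of the supported *.json patterns) that applies the Kubernetes checks listed above, including the privileged container from the YAML example, and rates each finding on the page's severity scale. The check names, the secret-like variable names and the severities are assumptions.

```python
import json

# Constructed Pod manifest in JSON form (not taken from the page): the same
# privileged container as the YAML above, plus missing resource limits and a
# credential passed as a plaintext environment variable.
INSECURE_POD = json.dumps({
    "apiVersion": "v1", "kind": "Pod", "metadata": {"name": "app"},
    "spec": {"containers": [{
        "name": "app", "image": "myapp:latest",
        "securityContext": {"privileged": True},
        "env": [{"name": "DB_PASSWORD", "value": "hunter2"}],
    }]},
})

# Environment variable names that usually carry credentials (assumed list).
SECRET_NAMES = ("PASSWORD", "SECRET", "TOKEN", "API_KEY", "ACCESS_KEY")

def check_pod(manifest):
    """Return findings as (severity, container, message) for a Pod manifest."""
    findings = []
    if manifest.get("kind") != "Pod":
        return findings
    spec = manifest.get("spec", {})
    for c in spec.get("containers", []) + spec.get("initContainers", []):
        name = c.get("name", "<unnamed>")
        # The container securityContext overrides the pod-level one field by field.
        sc = {**(spec.get("securityContext") or {}), **(c.get("securityContext") or {})}
        if sc.get("privileged"):
            findings.append(("High", name, "privileged container"))
        if sc.get("allowPrivilegeEscalation", True):
            findings.append(("Medium", name, "allowPrivilegeEscalation not disabled"))
        if not sc.get("runAsNonRoot") and sc.get("runAsUser", 0) == 0:
            findings.append(("Medium", name, "container may run as root"))
        if not c.get("resources", {}).get("limits"):
            findings.append(("Medium", name, "no resource limits set"))
        for env in c.get("env", []):
            # A literal "value" for a secret-like name is a hardcoded secret;
            # "valueFrom" referencing a Secret is the accepted pattern.
            if "value" in env and any(k in env["name"].upper() for k in SECRET_NAMES):
                findings.append(("Critical", name, f"plaintext secret in env {env['name']}"))
    return findings

def scan_json_manifest(text):
    """Parse a JSON manifest and run the Pod checks on it."""
    return check_pod(json.loads(text))

if __name__ == "__main__":
    for severity, container, message in scan_json_manifest(INSECURE_POD):
        print(f"[{severity}] {container}: {message}")
```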

Severity Breakdown

  • Critical: Immediate action required, exposes sensitive data or allows unauthorized access
  • High: Should be addressed before deployment, significant security risk
  • Medium: Should be addressed in regular maintenance, moderate security impact
  • Low: Best practice improvements, minimal immediate risk

Best Practices

Integrate IaC scanning into your CI/CD pipeline to catch issues before deployment.
  • Shift Left Security: Scan infrastructure code during development, not just before deployment
  • Policy as Code: Define and enforce organization-specific security policies
  • Version Control: Store all infrastructure code in version control for audit trails
  • Least Privilege: Configure minimal necessary permissions for all resources
  • Encryption: Enable encryption at rest and in transit for all sensitive resources
  • Regular Reviews: Periodically review and update IaC security policies
  • Secret Management: Use secret management tools (Vault, AWS Secrets Manager) instead of hardcoding
  • Compliance Alignment: Map findings to relevant compliance frameworks (CIS, SOC2, etc.)

Troubleshooting

Solution: Verify that IaC files are in supported formats and contain valid configuration syntax
Check: Ensure files are not corrupted and do not contain parsing errors

Solution: Focus on Critical and High severity issues first, then address lower severity items
Check: Consider adjusting severity thresholds based on your organization’s risk tolerance

Solution: Review the specific configuration context; some findings may not apply to your use case
Check: Use suppression comments or policy exceptions for intentional configurations

Solution: Check that file extensions match the supported patterns
Check: Verify files are not in ignored directories (.gitignore)