What IaC scanning covers
IaC scanners apply static analysis to infrastructure definition files to detect security misconfigurations before they are applied to a cloud environment. The categories of issues they find:
- Overly permissive access controls: security groups open to 0.0.0.0/0, IAM policies granting wildcard (*) actions, S3 buckets with public access enabled
- Missing encryption: EBS volumes without encryption, RDS instances without encryption at rest, S3 buckets without server-side encryption
- Logging and monitoring disabled: CloudTrail off, VPC flow logs not enabled, CloudWatch alarms missing
- Insecure defaults: Default VPCs in use, root account used for actions, MFA not required
- Container misconfigurations: Pods running as root, privileged containers, capabilities not dropped, writable root filesystems
IaC scanning vs cloud posture management: IaC scanners analyse the code before it is applied. Cloud Security Posture Management (CSPM) tools (AWS Config, Prisma Cloud and similar) evaluate the live, running environment. Both are needed: IaC scanning prevents misconfigurations from being deployed; CSPM detects what got through, what has drifted since apply, and what was changed by hand in the console.
Terraform scanning with tfsec and Checkov
Common Terraform misconfigurations
```hcl
# tfsec flags this as aws-ec2-no-public-ingress-sgr; Checkov has an equivalent check
resource "aws_security_group_rule" "allow_all" {
  type              = "ingress"
  from_port         = 0
  to_port           = 65535
  protocol          = "-1"
  cidr_blocks       = ["0.0.0.0/0"]          # CRITICAL finding: every port open to the internet
  security_group_id = aws_security_group.app.id # required argument; "app" is a placeholder name
}
```
```bash
# Install tfsec
brew install tfsec

# Scan Terraform files, writing SARIF for upload to code scanning
tfsec . --format sarif --out tfsec.sarif

# Severity threshold: report (and fail on) HIGH and CRITICAL only
tfsec . --minimum-severity HIGH
```
```bash
# Install Checkov
pip install checkov

# Scan a Terraform directory
checkov -d . --framework terraform --output sarif > checkov.sarif

# Scan a plan file instead: variables, locals and module inputs are resolved,
# so values that only exist at plan time are visible to the checks
terraform plan -out=tfplan.binary
terraform show -json tfplan.binary > tfplan.json
checkov -f tfplan.json
```
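To make concrete what "static analysis of infrastructure definition files" means, and why plan-file scanning sees resolved values, here is a small plan-JSON checker. It is an example added to this page, not code from tfsec or Checkov; it implements two of the categories listed above (internet-open ingress, unencrypted EBS) over a constructed plan in the shape `terraform show -json` emits, and it skips resources that are only being destroyed. Resource addresses and values in the sample are invented.

```python
"""Plan-level misconfiguration checks, in the spirit of tfsec/Checkov rules.
Example code added to this page; it is not part of either tool."""
import json

# Constructed sample in the shape of `terraform show -json tfplan.binary`,
# trimmed to the fields read below. Values here are already resolved, which
# is why plan scanning sees what `var.*` and module inputs evaluate to.
SAMPLE_PLAN = json.dumps({
    "format_version": "1.2",
    "resource_changes": [
        {"address": "aws_security_group_rule.allow_all",
         "type": "aws_security_group_rule",
         "change": {"actions": ["create"],
                    "after": {"type": "ingress", "from_port": 0, "to_port": 65535,
                              "protocol": "-1", "cidr_blocks": ["0.0.0.0/0"]}}},
        {"address": "aws_security_group_rule.office_ssh",
         "type": "aws_security_group_rule",
         "change": {"actions": ["create"],
                    "after": {"type": "ingress", "from_port": 22, "to_port": 22,
                              "protocol": "tcp", "cidr_blocks": ["203.0.113.0/24"]}}},
        {"address": "aws_ebs_volume.data",
         "type": "aws_ebs_volume",
         "change": {"actions": ["create"],
                    "after": {"size": 100, "encrypted": False}}},
        {"address": "aws_ebs_volume.old",
         "type": "aws_ebs_volume",
         "change": {"actions": ["delete"],
                    "before": {"size": 10, "encrypted": False}, "after": None}},
    ],
})

INTERNET = {"0.0.0.0/0", "::/0"}


def check_public_ingress(address, after):
    """Flag ingress rules reachable from any address (the rule in the HCL above)."""
    if after.get("type") != "ingress":
        return None
    cidrs = set(after.get("cidr_blocks") or []) | set(after.get("ipv6_cidr_blocks") or [])
    if cidrs & INTERNET:
        return ("CRITICAL", address, "ingress open to the internet")
    return None


def check_ebs_encryption(address, after):
    """Anything short of an explicit `encrypted = true` relies on account defaults."""
    if after.get("encrypted") is not True:
        return ("HIGH", address, "EBS volume not encrypted at rest")
    return None


CHECKS = {
    "aws_security_group_rule": check_public_ingress,
    "aws_ebs_volume": check_ebs_encryption,
}


def scan_plan(plan_json):
    """Run the per-resource-type checks over every resource the plan will create or update."""
    findings = []
    for rc in json.loads(plan_json).get("resource_changes", []):
        change = rc["change"]
        if change.get("after") is None:      # pure destroy: nothing will exist to misconfigure
            continue
        check = CHECKS.get(rc["type"])
        finding = check(rc["address"], change["after"]) if check else None
        if finding:
            findings.append(finding)
    return findings


if __name__ == "__main__":
    for severity, address, message in scan_plan(SAMPLE_PLAN):
        print(f"{severity:9}{address}: {message}")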
Kubernetes manifest scanning
Common Kubernetes security misconfigurations found by IaC scanners:
```yaml
apiVersion: v1
kind: Pod
metadata:
  name: app
spec:
  containers:
    - name: app
      image: nginx:latest              # mutable tag
      securityContext:
        privileged: true               # CRITICAL: host device and kernel access, trivial container escape
        runAsUser: 0                   # runs as root (also the image default when nothing is set)
        readOnlyRootFilesystem: false  # writable root filesystem
```
```bash
# Scan a directory of K8s manifests
trivy config --severity HIGH,CRITICAL ./k8s/

# Scan with SARIF output for GitHub code scanning
trivy config --format sarif --output k8s.sarif ./k8s/
```
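The manifest checks above have a subtlety a paragraph does not show: `runAsNonRoot` and `runAsUser` may be set at pod level and inherited, while `privileged`, `allowPrivilegeEscalation`, `readOnlyRootFilesystem` and `capabilities` exist only per container, and initContainers need the same treatment as containers. The example below, added to this page (it is not Trivy's rule set), computes the effective security context per container and evaluates the insecure Pod from the text next to a hardened version that passes. Manifests are given as already-parsed dicts (what `yaml.safe_load` would return); rule names, severities and the pinned image tags are this example's own choices.

```python
"""Effective-securityContext checks for Kubernetes workloads.
Example code added to this page; these are not Trivy's rules. Manifests are
given as already-parsed dicts (what yaml.safe_load returns for the YAML above)."""

# Constructed sample: the insecure Pod from the text.
INSECURE_POD = {
    "apiVersion": "v1", "kind": "Pod", "metadata": {"name": "app"},
    "spec": {"containers": [{
        "name": "app", "image": "nginx:latest",
        "securityContext": {"privileged": True, "runAsUser": 0,
                            "readOnlyRootFilesystem": False}}]},
}

# Constructed hardened version. Pod-level runAsNonRoot/runAsUser are inherited by
# every container; the container-only fields must be set per container, and
# initContainers count too (a common blind spot for hand-rolled checks).
HARDENED_POD = {
    "apiVersion": "v1", "kind": "Pod", "metadata": {"name": "app"},
    "spec": {
        "securityContext": {"runAsNonRoot": True, "runAsUser": 10001},
        "initContainers": [{
            "name": "init", "image": "busybox:1.36.1",
            "securityContext": {"allowPrivilegeEscalation": False,
                                "readOnlyRootFilesystem": True,
                                "capabilities": {"drop": ["ALL"]}}}],
        "containers": [{
            "name": "app", "image": "nginx:1.27.0",
            "securityContext": {"allowPrivilegeEscalation": False,
                                "readOnlyRootFilesystem": True,
                                "capabilities": {"drop": ["ALL"]}}}],
    },
}

POD_LEVEL_FIELDS = ("runAsNonRoot", "runAsUser")


def pod_spec(obj):
    """Locate the PodSpec inside a Pod or a workload controller."""
    spec = obj["spec"]
    if obj["kind"] == "Pod":
        return spec
    if obj["kind"] == "CronJob":
        return spec["jobTemplate"]["spec"]["template"]["spec"]
    return spec["template"]["spec"]          # Deployment, StatefulSet, DaemonSet, Job


def effective_context(pod_sc, container):
    """Container settings win; pod-level settings fill the inheritable fields."""
    sc = dict(container.get("securityContext") or {})
    for field in POD_LEVEL_FIELDS:
        if field not in sc and field in pod_sc:
            sc[field] = pod_sc[field]
    return sc


def mutable_image(image):
    """A digest pin is immutable; a missing tag or :latest is not."""
    if "@sha256:" in image:
        return False
    last = image.rsplit("/", 1)[-1]
    return ":" not in last or last.endswith(":latest")


def check_workload(obj):
    """Return (severity, container, rule) tuples for one manifest object."""
    spec = pod_spec(obj)
    pod_sc = spec.get("securityContext") or {}
    findings = []
    for c in spec.get("initContainers", []) + spec.get("containers", []):
        sc, name = effective_context(pod_sc, c), c["name"]
        if sc.get("privileged"):
            findings.append(("CRITICAL", name, "privileged"))
        if sc.get("allowPrivilegeEscalation") is not False:   # defaults to true
            findings.append(("HIGH", name, "allow-priv-esc"))
        if sc.get("runAsNonRoot") is not True and sc.get("runAsUser") in (None, 0):
            findings.append(("HIGH", name, "run-as-root"))
        if sc.get("readOnlyRootFilesystem") is not True:
            findings.append(("MEDIUM", name, "writable-rootfs"))
        if "ALL" not in ((sc.get("capabilities") or {}).get("drop") or []):
            findings.append(("MEDIUM", name, "caps-not-dropped"))
        if mutable_image(c.get("image", "")):
            findings.append(("LOW", name, "mutable-image-tag"))
    return findings


if __name__ == "__main__":
    for sev, container, rule in check_workload(INSECURE_POD):
        print(f"{sev:9}{container}: {rule}")
    print("hardened pod findings:", check_workload(HARDENED_POD))
```

Pinning by tag is used in the hardened sample for readability; pinning by digest (`image@sha256:...`) is what `mutable_image` treats as fully immutable, and is the stronger choice.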
Dockerfile scanning
Dockerfiles are IaC for container builds. Common findings include running as root, using mutable base image tags, and passing secrets in via ARG or ENV instructions, which end up in the image history or image config rather than staying private to the build.
```dockerfile
# Hadolint/Checkov flag all of these
FROM ubuntu:latest            # mutable tag (hadolint DL3007)
ARG DB_PASSWORD               # build arg: its value is recorded in `docker history` for layers that use it
ENV DB_PASS=$DB_PASSWORD      # persists in the image config and in every image derived from this one
RUN apt-get install -y sudo   # privilege escalation tool; version also unpinned (DL3008)
USER root                     # last USER is root (DL3002)
```
CI/CD integration for IaC scanning
```yaml
name: IaC Security Scan
on: [pull_request]
permissions:
  contents: read
  security-events: write        # required for upload-sarif to publish results
jobs:
  iac:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - name: Checkov (Terraform and K8s)
        uses: bridgecrewio/checkov-action@master   # pin to a release tag or commit SHA in production; @master floats
        with:
          directory: .
          soft_fail: false        # findings fail the job
          output_format: sarif
          output_file_path: checkov.sarif
      - uses: github/codeql-action/upload-sarif@v3
        if: always()              # upload even when the scan step failed, so findings show in the PR
        with:
          sarif_file: checkov.sarif
```
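Whatever scanner produces the SARIF, teams usually want one gate that decides pass or fail by severity rather than relying on each tool's exit-code semantics. The script below is an example added to this page (not part of Checkov, GitHub or the workflow above). It reads SARIF 2.1.0 `results[].level`, prefers the rule's `security-severity` property where a tool emits it (GitHub's convention, using GitHub's 9.0/7.0/4.0 score bands), honours SARIF suppressions, and exits non-zero at or above a chosen threshold. The sample report is constructed and the rule IDs in it are invented.

```python
"""Severity gate over a SARIF report, the step that decides whether a pull
request check fails. Example code added to this page; not part of Checkov or
GitHub's tooling. It reads SARIF 2.1.0 `results[].level` and, when a rule
carries GitHub's `security-severity` property, that CVSS-style score."""
import json
import sys

# Constructed sample in SARIF 2.1.0 shape; not real Checkov output.
SAMPLE_SARIF = json.dumps({
    "version": "2.1.0",
    "runs": [{
        "tool": {"driver": {"name": "example-iac-scanner", "rules": [
            {"id": "SG-OPEN-INGRESS", "properties": {"security-severity": "9.1"}},
            {"id": "EBS-UNENCRYPTED", "properties": {"security-severity": "7.2"}},
            {"id": "IMAGE-LATEST-TAG"},
        ]}},
        "results": [
            {"ruleId": "SG-OPEN-INGRESS", "level": "error",
             "message": {"text": "Security group rule allows ingress from 0.0.0.0/0"},
             "locations": [{"physicalLocation": {"artifactLocation": {"uri": "main.tf"},
                                                 "region": {"startLine": 3}}}]},
            {"ruleId": "EBS-UNENCRYPTED", "level": "error",
             "message": {"text": "EBS volume is not encrypted"},
             "locations": [{"physicalLocation": {"artifactLocation": {"uri": "storage.tf"},
                                                 "region": {"startLine": 12}}}]},
            {"ruleId": "IMAGE-LATEST-TAG", "level": "warning",
             "message": {"text": "Image uses the latest tag"},
             "locations": [{"physicalLocation": {"artifactLocation": {"uri": "k8s/app.yaml"},
                                                 "region": {"startLine": 8}}}]},
            {"ruleId": "IMAGE-LATEST-TAG", "level": "warning",
             "message": {"text": "Image uses the latest tag"},
             "suppressions": [{"kind": "inSource", "status": "accepted"}],
             "locations": [{"physicalLocation": {"artifactLocation": {"uri": "k8s/job.yaml"},
                                                 "region": {"startLine": 5}}}]},
        ],
    }],
})

ORDER = ("LOW", "MEDIUM", "HIGH", "CRITICAL")
LEVEL_FALLBACK = {"error": "HIGH", "warning": "MEDIUM", "note": "LOW", "none": "LOW"}


def severity_of(result, rules):
    """GitHub's score bands when a rule provides security-severity, else the SARIF level."""
    score = (rules.get(result.get("ruleId"), {}).get("properties") or {}).get("security-severity")
    if score is not None:
        score = float(score)
        return "CRITICAL" if score >= 9.0 else "HIGH" if score >= 7.0 else "MEDIUM" if score >= 4.0 else "LOW"
    return LEVEL_FALLBACK.get(result.get("level", "warning"), "MEDIUM")


def is_suppressed(result):
    """Honour SARIF suppressions unless they were explicitly rejected."""
    return any(s.get("status", "accepted") != "rejected" for s in result.get("suppressions", []))


def summarize(sarif_json):
    """Count unsuppressed findings per severity across all runs."""
    counts = {s: 0 for s in ORDER}
    for run in json.loads(sarif_json).get("runs", []):
        rules = {r["id"]: r for r in run["tool"]["driver"].get("rules", [])}
        for result in run.get("results", []):
            if not is_suppressed(result):
                counts[severity_of(result, rules)] += 1
    return counts


def gate(sarif_json, threshold="HIGH"):
    """Return (passed, counts); passed is False if any finding is at or above threshold."""
    counts = summarize(sarif_json)
    blocking = sum(counts[s] for s in ORDER[ORDER.index(threshold):])
    return blocking == 0, counts


if __name__ == "__main__":
    # usage: python sarif_gate.py checkov.sarif [LOW|MEDIUM|HIGH|CRITICAL]
    report = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_SARIF
    passed, counts = gate(report, sys.argv[2] if len(sys.argv) > 2 else "HIGH")
    print(counts)
    sys.exit(0 if passed else 1)
```

In the workflow above this would run as a step after the scanner with `soft_fail: true`, so the SARIF is always produced and uploaded and the gate alone decides the job result.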
IaC scanner comparison
| Tool | Terraform | K8s | CloudFormation | Dockerfile | ARM | SARIF |
|---|---|---|---|---|---|---|
| tfsec | yes | no | no | no | no | yes |
| Checkov | yes | yes | yes | yes | yes | yes |
| Trivy | yes | yes | yes | yes | yes | yes |
| KICS | yes | yes | yes | yes | yes | yes |
| Terrascan | yes | yes | yes | yes | yes | yes |
| AquilaX | yes | yes | yes | yes | not stated | not stated |
Recommendation: Checkov or Trivy for most teams: broad coverage, active maintenance, SARIF output, and free. Note that tfsec has been folded into Trivy (`trivy config` runs the same Terraform checks), so new pipelines should start with Trivy rather than tfsec. AquilaX for teams that want custom policy rules, organisation-wide dashboards, and integration with SAST/SCA in a single platform.
IaC scanning built for your pipeline
AquilaX IaC scanning covers Terraform, Kubernetes, CloudFormation, and Dockerfiles, with custom policy support and a centralised findings dashboard across all your infrastructure repos.
Explore IaC scanning →