IaC Scanning: Infrastructure as Code Security
Infrastructure as Code (IaC) has revolutionized infrastructure management, but it has also introduced a new type of risk: misconfigurations. A public S3 bucket, an overly permissive security group, a database without encryption at rest are all configuration errors that can be intercepted before deployment with IaC scanning.
IaC scanning tools analyze Terraform, CloudFormation, ARM templates, Kubernetes manifests, and other IaC formats looking for insecure configurations, comparing them against best practices and compliance standards like CIS Benchmarks.
What You'll Learn
- Why IaC scanning is fundamental for cloud security
- Checkov: multi-framework IaC scanner
- tfsec: Terraform-specific analysis
- KICS: universal scanner by Checkmarx
- Custom policies for Terraform with Sentinel and Conftest
- CI/CD pipeline integration
Most Common Misconfigurations
Cloud misconfigurations are the cause of 65% of security incidents in cloud environments. Here are the most frequent ones:
Top 10 Cloud Misconfigurations
| # | Misconfiguration | Risk |
|---|---|---|
| 1 | Public storage bucket | Data breach, data leakage |
| 2 | Security group 0.0.0.0/0 | Unauthorized access |
| 3 | Database without encryption | Compliance violation, data theft |
| 4 | Logging disabled | Impossible forensics |
| 5 | Overly permissive IAM policies | Privilege escalation |
| 6 | Versioning disabled on storage | Data loss, ransomware |
| 7 | SSH open to the world | Brute force, server compromise |
| 8 | Secrets in IaC variables | Credential exposure |
| 9 | No backup configured | Permanent data loss |
| 10 | TLS not enforced | Man-in-the-middle, data interception |
Checkov: Multi-Framework Scanner
Checkov by Bridgecrew (now Prisma Cloud) is the most comprehensive IaC scanner, with over 1000 built-in policies for Terraform, CloudFormation, ARM, Kubernetes, Helm, Dockerfile, and Serverless. It also supports custom policies in Python and YAML.
# Install Checkov
pip install checkov
# Scan Terraform files
checkov -d terraform/ --framework terraform
# Scan with SARIF output
checkov -d terraform/ -o sarif --output-file checkov-results.sarif
# Scan with severity filter
checkov -d terraform/ --check HIGH --check CRITICAL
# Scan a Dockerfile
checkov -f Dockerfile --framework dockerfile
# Scan Kubernetes manifests
checkov -d k8s/ --framework kubernetes
# Skip specific checks
checkov -d terraform/ --skip-check CKV_AWS_18,CKV_AWS_19
Checkov Integration in GitHub Actions
# .github/workflows/iac-scanning.yml
name: IaC Security Scan
on:
pull_request:
paths:
- "terraform/**"
- "k8s/**"
- "Dockerfile"
jobs:
checkov:
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v4
- name: Checkov Scan
uses: bridgecrewio/checkov-action@master
with:
directory: terraform/
framework: terraform
output_format: sarif
output_file_path: checkov-results.sarif
soft_fail: false
check: HIGH,CRITICAL
- name: Upload SARIF
if: always()
uses: github/codeql-action/upload-sarif@v3
with:
sarif_file: checkov-results.sarif
tfsec: Terraform-Specific Analysis
tfsec (now part of Trivy) is a dedicated Terraform scanner that analyzes HCL files looking for security misconfigurations. It's particularly fast and accurate, with support for Terraform modules and variables.
# Install tfsec
brew install tfsec
# Basic scan
tfsec terraform/
# Scan with SARIF output
tfsec terraform/ --format sarif --out tfsec-results.sarif
# Scan with minimum severity
tfsec terraform/ --minimum-severity HIGH
# Exclude specific checks
tfsec terraform/ --exclude aws-s3-enable-versioning
KICS: Universal Scanner
KICS (Keeping Infrastructure as Code Secure) by Checkmarx is an open source scanner supporting over 15 IaC platforms. It's particularly useful for organizations using multiple IaC technologies that want a single tool.
# Run KICS with Docker
docker run -v /path/to/project:/path checkmarx/kics:latest scan \
-p /path \
-o /path/results \
--report-formats sarif,json \
--fail-on high,critical
Custom Policy for Terraform
Beyond built-in policies, it's often necessary to create organization-specific custom policies. Here's an example with Conftest/Rego:
# policy/terraform/aws_security.rego
package terraform.aws
# All S3 buckets must have encryption
deny[msg] {
resource := input.resource.aws_s3_bucket[name]
not resource.server_side_encryption_configuration
msg := sprintf("S3 bucket '%s' must have encryption enabled", [name])
}
# RDS must have backup enabled
deny[msg] {
resource := input.resource.aws_db_instance[name]
resource.backup_retention_period == 0
msg := sprintf("RDS instance '%s' must have backup enabled (retention > 0)", [name])
}
# No security group with ingress 0.0.0.0/0 on SSH
deny[msg] {
resource := input.resource.aws_security_group[name]
ingress := resource.ingress[_]
ingress.from_port <= 22
ingress.to_port >= 22
cidr := ingress.cidr_blocks[_]
cidr == "0.0.0.0/0"
msg := sprintf("Security group '%s' must not allow SSH (22) from 0.0.0.0/0", [name])
}
Terraform Policy Enforcement with Sentinel
IaC Scanning Tools Comparison
- Checkov: most complete, 1000+ policies, multi-framework, custom Python/YAML policies
- tfsec: Terraform-specific, fast, integrated in Trivy
- KICS: universal, 15+ platforms, great for multi-IaC environments
- Conftest: flexible, uses Rego, great for custom policies
- Sentinel: native Terraform Cloud, integrated policy enforcement
IaC Scanning Best Practices
- Scan on every PR: every IaC change must be validated before merge
- Severity-based blocking: block deploys for HIGH and CRITICAL, warnings for MEDIUM
- Custom policies: create organization-specific standard policies
- Baseline and progression: establish a baseline and progressively reduce findings
- Pre-commit hooks: run tfsec/checkov locally before push
- Drift detection: monitor drift between IaC state and actual infrastructure
Conclusions
IaC scanning is essential for preventing misconfigurations that are the leading cause of cloud security incidents. With Checkov, tfsec, and custom policies, organizations can automatically validate every infrastructure change before it reaches production.
In the next article, we'll explore Runtime Security, analyzing real-time monitoring with Falco, eBPF, and anomaly detection systems to protect production applications.