
Infrastructure as Code (IaC) Scanning

What is Infrastructure as Code (IaC) Scanning?

Infrastructure as Code (IaC) scanning is the practice of running static code analysis over infrastructure code to identify security and configuration issues. IaC scanning tools examine the code used to provision and manage infrastructure (for example Terraform, Kubernetes manifests, or Dockerfiles) and detect potential vulnerabilities, misconfigurations, and best-practice violations before the code is deployed. Catching these issues before deployment helps keep your infrastructure secure, compliant, and performant.

Why IaC Scanning Matters

  • Prevents Security Vulnerabilities: Identifies security vulnerabilities early in the development process, helping to avoid potential breaches or data leaks.
  • Ensures Compliance: Helps organizations adhere to industry regulations and internal security policies by catching misconfigurations or violations of best practices.
  • Reduces Downtime: By detecting and addressing issues in the code before deployment, IaC scanning reduces the likelihood of infrastructure failures or outages.
  • Improves Code Quality: Encourages best practices in writing infrastructure code, leading to more efficient, reliable, and maintainable infrastructure setups.
  • Automates Security Checks: Automates the process of checking infrastructure code for security issues, making it easier to maintain secure environments at scale.

Example Findings

IaC scanning can detect a wide range of security issues and misconfigurations. Here are some common examples:

Category           | Example Finding                                  | Risk
-------------------|--------------------------------------------------|---------------------
Cloud Storage      | S3 bucket with public read access                | Data exposure
Encryption         | Database storage without encryption at rest      | Data breach risk
IAM/Access Control | Overly permissive IAM policy with * permissions  | Privilege escalation
Network Security   | Security group allowing SSH from 0.0.0.0/0       | Unauthorized access
Kubernetes         | Container running as root                        | Container escape
Docker             | Dockerfile using latest tag                      | Unpredictable builds
Secrets            | Hardcoded credentials in Terraform variables     | Credential exposure
Logging            | CloudTrail logging disabled                      | Audit trail gaps

How to do IaC Scanning with DevGuard

DevGuard provides multiple ways to integrate IaC scanning into your workflow. The scan results are uploaded to DevGuard in SARIF format, where they are analyzed, tracked, and presented in your asset’s security dashboard.
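To make concrete what an IaC scanner actually does with the findings listed above and the SARIF output mentioned here, this added example (written for this page; it is not DevGuard's scanner or its code) runs three rules from the findings table over a constructed `terraform show -json` style plan and wraps the hits in a minimal SARIF 2.1.0 log. The plan structure, rule ids and tool name are assumptions chosen for illustration.

```python
import json

# Constructed sample in the shape of `terraform show -json` output (assumption: only the
# fields the checks below read are included).
PLAN = {"resource_changes": [
    {"address": "aws_s3_bucket_acl.logs", "type": "aws_s3_bucket_acl",
     "change": {"after": {"acl": "public-read"}}},
    {"address": "aws_security_group.bastion", "type": "aws_security_group",
     "change": {"after": {"ingress": [{"protocol": "tcp", "from_port": 22, "to_port": 22,
                                       "cidr_blocks": ["0.0.0.0/0"]}]}}},
    {"address": "aws_db_instance.main", "type": "aws_db_instance",
     "change": {"after": {"storage_encrypted": False}}},
]}

# Each rule: (rule id, resource type, predicate over the planned attributes, message).
RULES = [
    ("IAC-S3-PUBLIC", "aws_s3_bucket_acl",
     lambda a: a.get("acl") in ("public-read", "public-read-write"),
     "S3 bucket ACL grants public access (data exposure)"),
    ("IAC-SG-SSH-OPEN", "aws_security_group",
     lambda a: any("0.0.0.0/0" in r.get("cidr_blocks", [])
                   and (r.get("protocol") == "-1"  # "-1" = all traffic, ports ignored
                        or r.get("from_port", 0) <= 22 <= r.get("to_port", 65535))
                   for r in a.get("ingress", [])),
     "Security group allows SSH from 0.0.0.0/0 (unauthorized access)"),
    ("IAC-DB-UNENCRYPTED", "aws_db_instance",
     lambda a: not a.get("storage_encrypted", False),
     "Database storage is not encrypted at rest (data breach risk)"),
]

def scan(plan):
    """Return (rule_id, address, message) for every planned resource that trips a rule."""
    findings = []
    for rc in plan.get("resource_changes", []):
        after = (rc.get("change") or {}).get("after")
        if after is None:  # resource is being destroyed: nothing to check
            continue
        for rule_id, rtype, pred, msg in RULES:
            if rc.get("type") == rtype and pred(after):
                findings.append((rule_id, rc["address"], msg))
    return findings

def to_sarif(findings):
    """Wrap findings in a minimal SARIF 2.1.0 log, the format the scan results are uploaded in."""
    return {"version": "2.1.0",
            "runs": [{"tool": {"driver": {"name": "example-iac-scanner"}},
                      "results": [{"ruleId": r, "level": "error",
                                   "message": {"text": f"{addr}: {m}"}}
                                  for r, addr, m in findings]}]}

if __name__ == "__main__":
    print(json.dumps(to_sarif(scan(PLAN)), indent=2))
```

A real scanner adds location information (file and line) to each SARIF result so the dashboard can point at the offending block; the rule shape above is what matters for understanding how findings like those in the table are produced.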

CLI

Use the DevGuard Scanner CLI to run IaC scans locally or in custom CI/CD pipelines:

devguard-scanner iac ./terraform --assetName "myOrg/projects/myProject/assets/myAsset" --token $DEVGUARD_TOKEN

See the full DevGuard Scanner IAC CLI Reference for all available options and examples.

CI/CD Integration

DevGuard offers pre-built components for popular CI/CD platforms:

For a comprehensive scan covering all DevGuard security checks including IaC, see:

What Happens After Scanning

Once an IaC scan completes, the results flow through DevGuard’s security workflow:

  1. Findings appear in your dashboard - All detected misconfigurations and vulnerabilities are displayed in your asset’s security dashboard, categorized by severity.
  2. Prioritize based on risk - DevGuard helps you focus on the most critical issues first, considering factors like exploitability and potential impact.
  3. Remediate issues - Use the provided guidance and links to fix misconfigurations in your infrastructure code.
  4. Rescan to verify - Run the scan again after applying fixes to confirm the issues are resolved.

IaC scanning is one part of a comprehensive DevSecOps strategy. DevGuard also supports:

For a complete overview, see Understanding the OWASP DevSecOps Pipeline.