Overview
Infrastructure-as-Code (IaC) scanning statically analyses templates such as Terraform, CloudFormation and Kubernetes manifests to find misconfigurations (a publicly readable S3 bucket, a container running as root, a security group open to 0.0.0.0/0) before any infrastructure is provisioned. This is the "Shift-Left" philosophy applied to infrastructure: the problem is caught in the pull request or CI job, where a one-line fix is cheap, rather than in a running account after it has been deployed.
Common Tools
- Checkov: Scans Terraform, CloudFormation, Kubernetes, and ARM templates (plus Helm, Kustomize, Dockerfiles, Bicep and others); checks are policy-as-code written in Python or YAML, so teams can add their own rules.
- tfsec: Specialized scanner for Terraform; its checks are now maintained as part of Trivy.
Example: Running a Checkov Scan
    checkov -d ./terraform/

Expected Result (Failure Example), abbreviated. The check ID and its wording are illustrative and vary between Checkov versions; read the message, not just the ID:

    Check: CKV_AWS_20: "Ensure S3 bucket has block public access enabled"
        FAILED for resource: aws_s3_bucket.my_bucket
        File: terraform/main.tf:10-15

Each failed check names the rule, the offending resource, and the file and line range to edit. Checkov also prints passed/failed totals and, by default, exits non-zero whenever any check fails, which is what lets a CI job block the merge or the apply. Fix the resource (here, give the bucket a public-access block with all four settings enabled and drop any public ACL), re-run the scan, and provision only once it passes, so insecure infrastructure is never deployed by accident.
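The two states the scan output distinguishes, as an added example that is not from the original page or the Checkov project: the bucket definition a failing scan typically points at, and its hardened form. Resource names, bucket names and the provider version constraint are assumptions for illustration, and the fix assumes AWS provider v4 or later, where public-access, ownership, encryption and versioning settings live on their own resources rather than on `aws_s3_bucket` itself.

```hcl
# Added example, not from the original page. Names (my_bucket, public_site,
# the bucket names) and the provider constraint are assumptions.

terraform {
  required_providers {
    aws = {
      source  = "hashicorp/aws"
      version = ">= 4.0" # assumption: v4+ splits bucket settings into separate resources
    }
  }
}

# --- BEFORE: the shape a failing scan usually points at ---------------------
# A bucket with a world-readable ACL and no public-access block. Kept here as
# a comment for contrast only; do not deploy.
#
# resource "aws_s3_bucket" "my_bucket" {
#   bucket = "example-app-artifacts"
#   acl    = "public-read"   # every object readable by anyone on the internet
# }

# --- AFTER: hardened ---------------------------------------------------------
resource "aws_s3_bucket" "my_bucket" {
  bucket = "example-app-artifacts"
}

# Block Public Access with all four settings on. This is what a
# "block public access" check looks for; each setting has its own rule, so
# enabling only one of them still fails the scan.
resource "aws_s3_bucket_public_access_block" "my_bucket" {
  bucket                  = aws_s3_bucket.my_bucket.id
  block_public_acls       = true
  block_public_policy     = true
  ignore_public_acls      = true
  restrict_public_buckets = true
}

# Disable ACLs entirely so an "acl = public-read" cannot reappear later;
# a bucket policy becomes the only way to grant access.
resource "aws_s3_bucket_ownership_controls" "my_bucket" {
  bucket = aws_s3_bucket.my_bucket.id
  rule {
    object_ownership = "BucketOwnerEnforced"
  }
}

# Encryption at rest and versioning: the other checks Checkov commonly raises
# on a bare bucket, fixed in the same change. Without kms_master_key_id the
# AWS-managed aws/s3 key is used.
resource "aws_s3_bucket_server_side_encryption_configuration" "my_bucket" {
  bucket = aws_s3_bucket.my_bucket.id
  rule {
    apply_server_side_encryption_by_default {
      sse_algorithm = "aws:kms"
    }
  }
}

resource "aws_s3_bucket_versioning" "my_bucket" {
  bucket = aws_s3_bucket.my_bucket.id
  versioning_configuration {
    status = "Enabled"
  }
}

# A bucket that must be public (a static website) is a deliberate exception,
# not a false positive. Record the decision inline with Checkov's skip comment
# so the scan stays green and the reason is auditable in code review. The skip
# covers only the named check; anything else this bucket trips still needs
# its own decision. The check ID is the one from the scan output above and is
# version-dependent.
resource "aws_s3_bucket" "public_site" {
  #checkov:skip=CKV_AWS_20:Static website bucket, public read is intentional and reviewed
  bucket = "example-public-site"
}
```

Run `checkov -d ./terraform/` again after the change; the bucket checks that failed on `aws_s3_bucket.my_bucket` should now pass, and the skipped check on `public_site` is reported under the skipped count rather than silently disappearing.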