Uncover hidden risks

Watch how the Wiz platform can expose unseen risks in your cloud environment without drowning your team in alerts.

IaC Scanning: Concepts, Process, and Tools

Infrastructure as code (IaC) scanning is the process of analyzing the scripts that automatically provision and configure infrastructure.

4 aANyg+

What is IaC scanning?

Infrastructure as code (IaC) scanning is the process of analyzing the scripts that automatically provision and configure infrastructure. Unlike traditional code scanning, which focuses on application code, IaC scanning targets the specific syntax and structures used in declaring cloud environments. It has become a crucial tool for maintaining secure and efficient cloud operations.

IaC scanning preemptively identifies misconfigurations and compliance issues before they can be deployed. In the realm of continuous integration and continuous deployment (CI/CD), IaC scans act as a vital checkpoint, both ensuring that infrastructure deployments are secure by design and also facilitating rapid and safe iterations of infrastructure changes.

In this article, we'll navigate the complexities of IaC security scanning, taking a closer look at its significance and the scanning process. We’ll also review fundamental concepts, explore open-source IaC scanning tools, and provide insights on how these tools can bolster your infrastructure's security posture.

Key concepts in IaC scanning

Let's start by looking at two foundational elements that make IaC code scanning an indispensable tool for modern infrastructure management:

  • Policy as code: Policy as code (PaC) allows teams to explicitly state and manage their infrastructure's operational and security policies within codebases. In IaC scanning, PaC is utilized to automatically validate and enforce compliance with these policies, ensuring that the provisioned infrastructure aligns with organizational and regulatory standards.

  • Security and compliance posture: IaC scanning directly impacts an organization's security and compliance posture by systematically detecting and fixing potential security threats and compliance infractions within the IaC scripts. In short, this proactive measure secures the infrastructure and embeds compliance into the foundation of the infrastructure's code.

The following section will explore the IaC scanning process and demonstrate how it fits within the development life cycle.

The IaC scanning process

There are six systematic stages of IaC scanning, each an integral part of securing and optimizing cloud infrastructure:

Step 1: InitializationSelecting the appropriate policies to scan against is critical, as it sets the standard for security and compliance from the start. The goal is to ensure that the systems adhere to the necessary regulations and best practices, providing a foundation for robust security posture.
Step 2: IntegrationIntegrating IaC scanning into version control systems and CI/CD pipelines ensures that scans are an automated part of the build process, providing continuous oversight and timely detection of potential issues.
Step 3: ExecutionDuring execution, scanning tools assess the IaC against predefined rules, identifying potential security misconfigurations or compliance issues that could jeopardize the infrastructure's integrity.
Step 4: ReviewPost-scan, it is imperative to review the results closely to understand the context of each finding and prioritize issues based on their severity in order to address vulnerabilities promptly.
Step 5: RemediationRemediation involves taking actionable steps to address identified vulnerabilities, including modifying IaC scripts or incorporating modular, verified code snippets to fortify your infrastructure's security.
Step 6: Feedback loopEstablishing a feedback loop empowers developers to refine IaC scanning policies and processes. This iterative process allows continuous improvement based on historical scans and emerging threats, fostering a culture of security and vigilance.

Open-source IaC scanning tools and solutions

Choosing an open-source IaC scanning tool depends on your organization’s unique infrastructure. This section focuses on several leading open-source IaC scanning tools, providing the insights you need to make the right choice for your business.


Terrascan is a comprehensive IaC scanning tool that can preemptively identify security issues in Terraform templates. What sets it apart is its extensive policy library, which aligns with the CIS Benchmarks, making it a formidable tool for ensuring compliance.

The installation process is straightforward, and Terrascan is frequently utilized in automated pipelines for detecting instances of policy violations. The scan results are easy to understand, detailing violations like overly permissive S3 bucket access with high severity:

$ terrascan scan
By default Terrascan will output its findings in human friendly format:
Violation Details -

  Description    :	S3 bucket Access is allowed to all AWS Account Users.
  File           :	modules/storage/main.tf
  Line           :	124
  Severity       :	HIGH


Checkov's latest iteration boasts a graph-based scanning engine, representing a significant leap forward in performance and accuracy. With its new engine, Checkov can efficiently resolve complex dependencies within Terraform and analyze Dockerfile configurations, providing a holistic approach to IaC scanning.

Once you install Checkov from PyPI and scan a directory containing Terraform plan files, the output will clearly display the compliance status for each check, allowing you to identify compliant as well as non-compliant configurations:

Figure 1: A Checkov result in Jenkins (Source: GitHub)


KICS is a versatile scanner capable of handling various IaC formats. Its ease of integration with CI/CD pipelines makes it a developer-friendly tool that doesn't interrupt the development process while still maintaining a high security standard.

KICS offers the convenience of scanning both directories and individual files using Docker:

$ docker run -t -v {path_to_host_folder_to_scan}:/path checkmarx/kics:latest scan -p /path -o "/path/"
$ docker run -t -v {path_to_host_folder}:/path checkmarx/kics:latest scan -p /path/{filename}.{extension} -o "/path/"

It also provides developer-friendly reports by showing the source of the vulnerabilities:

Figure 2: KICS example PDF report (Source: KICS Docs)


With a focus on Terraform, tfsec is a static analysis tool that is community driven. Its unique selling point is the depth of its security checks, which are regularly updated by the community, ensuring that the tool stays on the cutting edge of security best practices.

The tfsec scanner can be run on your system or as a Docker container, scanning a specified directory for issues:

$ tfsec . 
$ docker run --rm -it -v "$(pwd):/src" aquasec/tfsec /src

The exit status will help you determine if there were any problems found during the scan:

Figure 3: tfsec output (Source: GitHub)


As a linter for Terraform, TFLint assists developers in catching errors early in the development cycle. It emphasizes adherence to coding standards and policy compliance, which is critical for maintaining a high-quality codebase.

TFLint can be installed on different platforms using a bash script, Homebrew, or Docker, and it's used to enforce best practices and find errors:

$ docker run --rm -v $(pwd):/data -t ghcr.io/terraform-linters/tflint

TFLint is known for its pluggable architecture, where each feature is provided by plugins, making it highly customizable and adaptable to various needs:

Figure 4: TFLint in GitHub Actions (Source: GitHub)

As we’ve seen, integrating open-source tools into your CI/CD pipeline can secure your infrastructure by catching potential issues early in the development cycle. The ease of use and thorough documentation provided by these tools make them accessible to developers and security professionals, fostering a shift-left approach within your organization.

Wiz's approach to IaC scanning

Wiz provides a comprehensive IaC scanning solution that can help you identify and remediate security vulnerabilities and compliance issues in your infrastructure code. Wiz's IaC scanner can scan a variety of IaC formats, including Terraform, AWS CloudFormation, Azure Resource Manager templates, and Kubernetes manifests. Wiz also provides a variety of features to help you manage your IaC security posture, including:

  • Policy enforcement: Wiz can enforce your security policies by automatically flagging code that violates your policies.

  • Vulnerability scanning: Wiz can scan your code for known vulnerabilities and provide you with remediation guidance.

  • Compliance checking: Wiz can check your code for compliance with industry standards, such as PCI DSS and SOC 2.

Wiz's IaC scanner detects vulnerabilities, secrets, and misconfigurations in IaC templates, container images, and VM images, bolstering security from the earliest stages of development. By providing a single policy across all cloud environments and code, Wiz unites developers and security teams, eliminating silos and ensuring a harmonized approach to cloud security.

With Wiz, you can secure infrastructure from source to production, learn from runtime, and enforce code with unprecedented efficiency and accuracy. See Wiz in action for yourself: Schedule a demo today.

Developer centric security from code to cloud

Learn how Wiz delivers immediate security insights for developers and policy enforcement for security teams.

Get a demo

Continue reading

Cloud Investigation and Response Automation (CIRA)

Cloud investigation and response automation (CIRA) harnesses the power of advanced analytics, artificial intelligence (AI), and automation to provide organizations with real-time insights into potential security incidents within their cloud environments

What is Security by Design?

Wiz Experts Team

Security by design is a software development approach that aims to establish security as a pillar, not an afterthought, i.e., integrating security controls into software products right from the design phase.

Guide to Standard SBOM Formats

Wiz Experts Team

Two major formats dominate the SBOM ecosystem: Software Package Data Exchange (SPDX) and CycloneDX (CDX). Let’s review!