This chapter covers Infrastructure-as-Code (IaC) security scanning, a critical practice for identifying and remediating misconfigurations in declarative cloud and network templates before deployment. For the CS0-003 exam, IaC scanning falls under Domain 2.0 (Vulnerability Management), specifically Objective 2.4: 'Given a scenario, analyze the output from common vulnerability assessment tools.' While this topic may not dominate the exam, understanding how IaC scanners work, what they detect, and how to interpret their output is essential for scenario-based questions. Expect 2-4 questions that test your ability to identify misconfigurations in code snippets and choose the correct remediation.
Jump to a section
Imagine a construction company that builds skyscrapers using a library of blueprint templates. Each template specifies the materials, structural elements, and safety features. Before any foundation is poured, a building inspector reviews the blueprints for violations of the building code. The inspector does not wait until the building is erected; they check the plans while they are still digital, catching issues like insufficient load-bearing capacity or fire escape routes that are too narrow. This is exactly how Infrastructure-as-Code (IaC) security scanning works. Instead of waiting until servers are deployed and networks are configured, scanning tools analyze the declarative configuration files (like Terraform HCL, CloudFormation JSON, or Ansible YAML) at rest, before any resource is provisioned. The scanner parses the code into an abstract syntax tree, then applies a set of security rules—akin to building codes—that check for misconfigurations such as open security groups, unencrypted storage, or hardcoded secrets. Just as a building inspector's review prevents costly rework after concrete is poured, IaC scanning prevents security vulnerabilities from ever reaching production. The scanner outputs a list of violations with severity levels, references to the specific line of code, and remediation guidance. This shift-left approach ensures that security is embedded in the development pipeline, not bolted on after deployment.
What is Infrastructure-as-Code Security Scanning?
Infrastructure-as-Code (IaC) is the practice of managing and provisioning infrastructure through machine-readable definition files, rather than physical hardware configuration or interactive configuration tools. IaC security scanning is the process of analyzing these definition files—such as Terraform configurations, AWS CloudFormation templates, Kubernetes manifests, and Ansible playbooks—for security misconfigurations, compliance violations, and best practice deviations before the infrastructure is deployed.
The core principle is 'shift left'—moving security checks earlier in the software development lifecycle (SDLC). Instead of scanning a live environment and then tearing down or patching misconfigured resources, IaC scanners catch issues at design time, when changes are cheap and fast. This is analogous to static application security testing (SAST) but for infrastructure definitions.
How IaC Scanners Work Internally
IaC scanners operate in three main phases: parsing, rule evaluation, and report generation.
Parsing: The scanner reads the IaC file and converts it into an internal representation, typically an abstract syntax tree (AST) or a structured data model. For example, a Terraform HCL file is parsed into a tree of blocks and attributes; a CloudFormation JSON template is parsed into a JSON object. The scanner must understand the specific syntax and semantics of each IaC language.
Rule Evaluation: The scanner applies a set of security rules against the parsed representation. Rules are typically written in a declarative language such as Rego (used by Open Policy Agent), Python, or custom DSLs. Each rule checks for a specific condition. For instance, a rule might check if an AWS S3 bucket has acl = "public-read" or if a security group allows inbound traffic on port 22 from 0.0.0.0/0. Rules are organized by severity (Critical, High, Medium, Low) and by standard frameworks (CIS Benchmarks, NIST 800-53, PCI DSS).
Report Generation: The scanner outputs a list of findings, each containing:
Resource type and name
Rule identifier and description
Severity level
File path and line number
The exact code snippet that violates the rule
Remediation guidance, often including a code fix
Key Components and Defaults
IaC Languages Supported: - Terraform (HCL) - AWS CloudFormation (JSON/YAML) - Kubernetes manifests (YAML) - Ansible (YAML) - Dockerfile - ARM templates (Azure) - Google Deployment Manager (YAML)
Common Scanning Tools: - Checkov (open-source, Python-based) - Terrascan (open-source, Go-based) - tfsec (Terraform-specific, now part of Trivy) - Snyk IaC (commercial, supports multiple languages) - Bridgecrew (commercial, now part of Prisma Cloud) - KICS (Keeping Infrastructure as Code Secure, open-source)
Default Severity Levels: - Critical: Direct exposure of sensitive data or full compromise (e.g., S3 bucket public access) - High: Misconfigurations that could lead to privilege escalation or lateral movement (e.g., overly permissive IAM policies) - Medium: Violations of best practices that increase attack surface (e.g., missing encryption at rest) - Low: Informational findings, such as missing tags or logging recommendations
Common Rules Checked: - Storage bucket public access (S3, Blob Storage) - Security groups allowing 0.0.0.0/0 on sensitive ports (SSH, RDP, MySQL) - Encryption disabled on storage or databases - Hardcoded secrets (passwords, API keys, tokens) - IAM policies with wildcard actions or principals - Kubernetes pods running as root or with privileged containers - Missing network segmentation (e.g., all subnets in a VPC)
Configuration and Verification Commands
Checkov Example:
# Install Checkov
pip install checkov
# Scan a Terraform directory
checkov -d /path/to/terraform
# Scan a specific file
checkov -f /path/to/main.tf
# Scan with a custom skip rule
checkov -d . --skip-check CKV_AWS_23
# Output results in JSON format
checkov -d . -o jsonTerrascan Example:
# Install Terrascan (via brew or binary)
brew install terrascan
# Scan a Terraform directory
terrascan scan -d /path/to/terraform
# Scan a specific file
terrascan scan -f /path/to/main.tf
# Use a specific policy path
terrascan scan -d . --policy-path /path/to/custom/policiestfsec (Trivy) Example:
# Install tfsec
brew install tfsec
# Scan a directory
tfsec /path/to/terraform
# Scan with custom severity threshold
tfsec /path/to/terraform --severity-threshold CRITICAL
# Output in SARIF format for integration with GitHub
tfsec /path/to/terraform --format sarif > results.sarifIntegration with CI/CD Pipelines
IaC scanning is typically integrated into CI/CD pipelines as a gate. For example, in a GitHub Actions workflow:
name: IaC Security Scan
on: [pull_request]
jobs:
checkov:
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v2
- name: Run Checkov
run: |
pip install checkov
checkov -d . --soft-failIf --soft-fail is omitted, the pipeline will fail on any finding with severity above a configurable threshold, blocking the pull request. This ensures that no misconfigured infrastructure reaches production.
How IaC Scanning Interacts with Related Technologies
Configuration Management Database (CMDB): IaC scanning results can be fed into a CMDB to track misconfigurations over time and correlate with incidents.
Vulnerability Scanners: Traditional vulnerability scanners (e.g., Nessus, Qualys) scan live systems for known CVEs. IaC scanners complement them by preventing misconfigurations that could lead to vulnerabilities, but they do not detect runtime vulnerabilities.
Cloud Security Posture Management (CSPM): CSPM tools scan live cloud environments for misconfigurations. IaC scanning is the 'shift-left' counterpart—catching issues before deployment, while CSPM catches what slips through.
Policy as Code: Tools like Open Policy Agent (OPA) can enforce policies not only on IaC files but also on runtime decisions. IaC scanners often integrate OPA for policy evaluation.
Example: Analyzing a Terraform File
Consider the following Terraform snippet:
resource "aws_s3_bucket" "my_bucket" {
bucket = "my-unique-bucket-name"
acl = "public-read"
}
resource "aws_security_group" "allow_ssh" {
name = "allow_ssh"
description = "Allow SSH inbound traffic"
ingress {
from_port = 22
to_port = 22
protocol = "tcp"
cidr_blocks = ["0.0.0.0/0"]
}
}An IaC scanner like Checkov would produce findings: - CKV_AWS_20: S3 Bucket has an ACL defined which allows public access. (Severity: CRITICAL) - CKV_AWS_23: Security group allows ingress from 0.0.0.0:0 to port 22. (Severity: HIGH)
Remediation would involve removing the acl line (or setting it to private) and restricting the cidr_blocks to a specific IP range.
Conclusion
IaC security scanning is a foundational practice for modern DevSecOps. By catching misconfigurations before deployment, organizations reduce their attack surface, achieve compliance more easily, and avoid costly post-deployment fixes. For the CS0-003 exam, focus on understanding the types of misconfigurations scanners detect, how to interpret their output, and how they fit into the broader vulnerability management lifecycle.
Define IaC Template
A developer writes or modifies an IaC template using a declarative language such as Terraform HCL, CloudFormation JSON, or Kubernetes YAML. This template describes the desired state of infrastructure resources, including compute instances, storage buckets, networking components, and IAM policies. The template is stored in a version control system (e.g., Git) as part of the application codebase. At this stage, no actual infrastructure exists; the template is merely a blueprint.
Trigger CI/CD Pipeline
When the developer pushes the IaC template to the repository, a CI/CD pipeline (e.g., GitHub Actions, GitLab CI, Jenkins) is automatically triggered. The pipeline includes a stage dedicated to IaC security scanning. The pipeline checks out the code and prepares the scanning environment, including installing the scanning tool (e.g., Checkov, Terrascan) and any custom policies. The pipeline may also run unit tests or linting on the IaC code.
Parse IaC File
The scanning tool reads the IaC file and parses it into an internal data structure. For example, Checkov uses Python's HCL parser to convert Terraform files into a dictionary of resources and attributes. If the file has syntax errors, the scanner reports a parsing error and stops. The scanner also resolves any references to modules or remote state files, downloading them as needed to build a complete picture of the infrastructure.
Evaluate Security Rules
The scanner applies a set of security rules against the parsed data structure. Each rule is a condition that checks for a specific misconfiguration. Rules are typically written in a policy language like Rego or Python. The scanner iterates over all resources and checks each rule. If a rule's condition is met, a finding is generated with a severity level, rule ID, and remediation guidance. The scanner may also evaluate compliance with frameworks like CIS or PCI DSS.
Generate Report and Gate Pipeline
The scanner aggregates all findings into a report, which can be output in formats like JSON, SARIF, or CLI text. The report is then evaluated by the CI/CD pipeline. If the pipeline is configured to fail on findings above a certain severity (e.g., CRITICAL or HIGH), the pipeline stops and the developer is notified. The developer must fix the misconfigurations and push a new commit. If no critical findings exist, the pipeline proceeds to deploy the infrastructure.
In a large enterprise, IaC security scanning is typically integrated into a centralized DevSecOps platform. For example, a financial services company uses Terraform to manage hundreds of AWS accounts. They deploy Checkov in their GitLab CI pipeline, scanning every pull request against a custom policy library that enforces PCI DSS requirements. The pipeline is configured to fail on any CRITICAL or HIGH finding, blocking the merge. Developers receive immediate feedback in the merge request comments via a Checkov integration. Common misconfigurations caught include S3 buckets with public read access, security groups open to 0.0.0.0/0, and unencrypted RDS instances. The team also runs a weekly scan of all IaC repositories using a scheduled pipeline to catch any drift or newly introduced issues. Performance is a consideration: scanning a large Terraform project with hundreds of modules can take several minutes. To mitigate this, the team uses incremental scanning—only scanning changed files in pull requests—and caches module downloads. When misconfigurations slip through, such as when a developer bypasses the pipeline using a hotfix branch, the team relies on a CSPM tool (e.g., AWS Security Hub) to detect the misconfiguration in production and trigger a remediation workflow. Another scenario involves a SaaS provider using Kubernetes and Helm charts. They integrate Terrascan into their Argo CD pipeline to scan Helm values and templates before deployment. A common issue is container images running as root or with privileged capabilities. The scanner catches these and suggests adding securityContext settings. The team also uses custom policies to enforce internal standards, such as requiring all ingress controllers to have TLS termination. When the scanner produces false positives, such as flagging a public ALB as a security risk when it is intentionally public for a customer-facing web app, the team adds skip annotations to the IaC code with a justification. This ensures that the scan remains useful without blocking legitimate deployments. Over time, the team builds a library of exceptions that are reviewed quarterly.
On the CS0-003 exam, IaC security scanning appears under Domain 2.0 (Vulnerability Management), Objective 2.4: 'Given a scenario, analyze the output from common vulnerability assessment tools.' The exam expects you to interpret the output of an IaC scanner, identify the misconfiguration, and select the correct remediation. You do not need to memorize specific rule IDs (like CKV_AWS_20), but you must understand the types of misconfigurations that are detected. Common wrong answers include: (1) Choosing 'Run a vulnerability scanner on the live environment' instead of fixing the IaC file. Candidates mistakenly think that scanning the live environment is sufficient, but the question emphasizes shift-left. (2) Selecting 'Ignore the finding because it is in IaC code, not production.' The exam tests that IaC code is the source of truth, and misconfigurations there will propagate. (3) Choosing 'Patch the server' when the issue is a network misconfiguration (e.g., open security group). The correct remediation is to modify the IaC template and redeploy. (4) Selecting 'Use a WAF' to mitigate an open S3 bucket, rather than setting the bucket to private in the IaC code. Specific numbers and terms: The exam may reference 'CKV_AWS_20' for S3 public access or 'CKV_AWS_23' for security group ingress from 0.0.0.0/0. Know that severity levels are Critical, High, Medium, Low. The exam loves edge cases: What if the scanner reports a false positive? The correct answer is to add a skip annotation with a justification. Another edge case: What if the IaC file uses a module from a third party? The scanner should be configured to scan modules recursively. How to eliminate wrong answers: Always ask yourself, 'Does this fix the root cause in the IaC code?' If the answer involves patching a live server or adding a runtime control without changing the IaC, it is likely wrong.
IaC scanning shifts security left by analyzing configuration files before deployment.
Common misconfigurations detected include open security groups, public storage buckets, and hardcoded secrets.
Tools like Checkov and Terrascan parse IaC files and apply rule sets based on CIS benchmarks and other standards.
Severity levels are Critical, High, Medium, Low; pipelines often gate on Critical and High findings.
Remediation involves modifying the IaC file and redeploying, not patching live systems.
False positives should be annotated with skip comments and reviewed periodically.
IaC scanning complements but does not replace live vulnerability scanning or CSPM.
These come up on the exam all the time. Here's how to tell them apart.
Checkov
Open-source, Python-based, supports Terraform, CloudFormation, Kubernetes, Ansible, Dockerfile
Uses a policy engine based on Python and YAML; supports custom policies
Integrates with Bridgecrew for policy management and compliance dashboards
Can output results in JSON, JUnit XML, SARIF, and CLI table
Has a large built-in rule set (over 500 rules) covering CIS benchmarks
Terrascan
Open-source, Go-based, originally focused on Terraform but now supports CloudFormation, Kubernetes, and Helm
Uses Rego policies (OPA), allowing advanced policy-as-code workflows
Supports scanning of remote modules and registries
Outputs results in JSON, YAML, and SARIF; has a 'webhook' mode for serverless scanning
Rule set is smaller but extensible; integrates with OPA for custom policies
Mistake
IaC scanning is the same as vulnerability scanning of live systems.
Correct
IaC scanning analyzes code at rest, before deployment, for misconfigurations. Live vulnerability scanning detects known CVEs in running systems. They are complementary, not interchangeable.
Mistake
If the scanner passes, the infrastructure is secure.
Correct
IaC scanners only check for predefined rules. They cannot catch all misconfigurations, logic errors, or zero-day vulnerabilities. They are a layer of defense, not a silver bullet.
Mistake
All IaC scanners support all cloud providers equally.
Correct
Most scanners have best support for AWS, followed by Azure and GCP. Support for niche providers or custom modules may be limited. Always verify coverage for your specific stack.
Mistake
IaC scanning should be done only at the final stage of CI/CD.
Correct
Shift-left means scanning as early as possible—ideally on every commit or pull request. Waiting until the final stage reduces the benefit of early detection and increases rework.
Mistake
False positives are harmless and can be ignored.
Correct
Ignoring false positives can lead to alert fatigue, where real issues are missed. Proper practice is to annotate false positives with a justification and review periodically.
Reveal each answer, then mark whether you got it right. Score 60%+ to unlock the next chapter.
IaC scanning analyzes configuration files before deployment (shift-left), while Cloud Security Posture Management (CSPM) scans live cloud environments for misconfigurations. IaC scanning prevents issues from reaching production; CSPM detects issues that slip through or arise from drift. Both are important for a comprehensive security posture.
Yes, many IaC scanners include rules to detect hardcoded secrets like passwords, API keys, and tokens in configuration files. However, dedicated secret scanners (e.g., GitLeaks, TruffleHog) are more thorough. IaC scanners typically flag patterns like 'password = "plaintext"' or 'access_key = "AKIA..."'.
Most scanners allow you to skip specific rules on a per-resource basis using inline comments or a skip list. For example, in Checkov, you can add `# checkov:skip=CKV_AWS_20:This bucket is intentionally public for static website hosting`. Always include a justification for auditing purposes.
There is no single 'best' tool; it depends on your needs. Checkov has a large built-in rule set and is widely used. Terrascan integrates with OPA for custom policies. tfsec (now part of Trivy) is lightweight and fast. For the exam, know that Checkov and Terrascan are the most commonly referenced open-source tools.
No, IaC scanning is designed for pre-deployment. Running it against live environments would require accessing the IaC files that generated those environments, which may not be available. For live environments, use CSPM tools.
Add a stage in your pipeline that runs the scanner on the IaC files. For example, in GitHub Actions, you can use a step that installs Checkov and runs `checkov -d . --soft-fail`. Configure the pipeline to fail if findings exceed a severity threshold. Use the scanner's output to annotate the pull request with findings.
Custom policies allow organizations to enforce company-specific security standards beyond built-in rules. For example, you might require all S3 buckets to have versioning enabled or all EC2 instances to use specific AMIs. Tools like Checkov and Terrascan support custom policies via Python or Rego.
You've just covered Infrastructure-as-Code Security Scanning — now see how well it sticks with free CS0-003 practice questions. Full explanations included, no account needed.
Done with this chapter?