Infrastructure misconfigurations are a leading cause of cloud breaches. CodeThreat performs deterministic scanning of IaC files to identify security misconfigurations before deployment.

What We Detect

Misconfigurations

Publicly exposed databases and storage buckets

Compliance Violations

CIS benchmarks and security best practices

Privilege Escalation

Overly permissive IAM roles

Resource Exposure

Unencrypted data and open ports

Supported Infrastructure

Cloud Platforms

  • AWS: CloudFormation, CDK, IAM policies, Security groups, S3 buckets
  • Azure: ARM templates, Bicep, Network security groups, Storage accounts
  • GCP: Deployment Manager, IAM policies, Firewall rules, Cloud Storage

IaC Tools

  • Terraform: HCL files and modules
  • Kubernetes: YAML manifests and Helm charts
  • Docker: Dockerfiles and compose files
  • Ansible: Playbooks and roles
  • CloudFormation: JSON and YAML templates
  • Pulumi: TypeScript, Python, Go
View complete IaC support matrix →

Common Vulnerabilities

Public Storage Buckets

# ❌ Vulnerable - canned ACL grants read access to anyone on the internet
resource "aws_s3_bucket" "data" {
  bucket = "company-data"
  acl    = "public-read"
}

# ✅ Secure - no public ACL, and all four public-access blocks enabled
resource "aws_s3_bucket" "data" {
  bucket = "company-data"
}

resource "aws_s3_bucket_public_access_block" "data" {
  bucket                  = aws_s3_bucket.data.id
  block_public_acls       = true
  block_public_policy     = true
  ignore_public_acls      = true
  restrict_public_buckets = true
}

Unrestricted Security Groups

# ❌ Vulnerable - Open to world on every TCP port
resource "aws_security_group" "web" {
  ingress {
    from_port   = 0
    to_port     = 65535
    protocol    = "tcp"
    cidr_blocks = ["0.0.0.0/0"]
  }
}

# ✅ Secure - Internal only, HTTPS only
resource "aws_security_group" "web" {
  ingress {
    from_port   = 443
    to_port     = 443
    protocol    = "tcp"
    cidr_blocks = ["10.0.0.0/8"]
  }
}
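The two Terraform examples above are the kind of rule a deterministic scanner evaluates. As an added illustration (not CodeThreat's own code), the Python below applies the same two checks to CloudFormation JSON templates, which the support matrix also lists, using only the standard library. The rule ids, severities, the `gate` threshold and the sample template are constructed for this example.

```python
"""Deterministic checks for public S3 buckets and world-open security groups
in CloudFormation JSON templates. Added illustration, not a CodeThreat
component; rule ids, severities and the sample template are constructed."""
import json
import sys
from dataclasses import dataclass

# Canned ACLs that grant access to anonymous or any-authenticated principals.
PUBLIC_ACLS = {"PublicRead", "PublicReadWrite", "AuthenticatedRead"}
# CIDRs meaning "everyone" for IPv4 and IPv6.
ANY_CIDR = {"0.0.0.0/0", "::/0"}
# All four flags must be true for the public access block to be effective.
PUBLIC_ACCESS_FLAGS = ("BlockPublicAcls", "BlockPublicPolicy",
                       "IgnorePublicAcls", "RestrictPublicBuckets")


@dataclass(frozen=True)
class Finding:
    resource: str
    rule: str
    severity: str
    detail: str


def check_s3_bucket(name, props):
    findings = []
    acl = props.get("AccessControl")
    if acl in PUBLIC_ACLS:
        findings.append(Finding(name, "S3_PUBLIC_ACL", "HIGH", f"AccessControl={acl}"))
    cfg = props.get("PublicAccessBlockConfiguration", {})
    missing = [k for k in PUBLIC_ACCESS_FLAGS if cfg.get(k) is not True]
    if missing:
        findings.append(Finding(name, "S3_PUBLIC_ACCESS_BLOCK_INCOMPLETE", "MEDIUM",
                                "not set to true: " + ", ".join(missing)))
    return findings


def check_security_group(name, props):
    findings = []
    for rule in props.get("SecurityGroupIngress", []):
        cidr = rule.get("CidrIp") or rule.get("CidrIpv6")
        if cidr not in ANY_CIDR:
            continue  # peer-group or private-CIDR rules are out of scope here
        proto = str(rule.get("IpProtocol", "-1"))
        frm, to = rule.get("FromPort"), rule.get("ToPort")
        # "-1" means every protocol and port; a missing or multi-port range is as wide.
        if proto == "-1" or frm is None or to is None:
            wide, span = True, "all protocols/ports"
        else:
            wide, span = int(to) > int(frm), f"{proto}/{frm}-{to}"
        severity = "CRITICAL" if wide else "HIGH"
        findings.append(Finding(name, "SG_INGRESS_FROM_ANYWHERE", severity, f"{cidr} -> {span}"))
    return findings


RESOURCE_CHECKS = {
    "AWS::S3::Bucket": check_s3_bucket,
    "AWS::EC2::SecurityGroup": check_security_group,
}


def scan_template(template_json):
    """Return findings for every supported resource, in resource-name order."""
    template = json.loads(template_json)
    findings = []
    for name, res in sorted(template.get("Resources", {}).items()):
        check = RESOURCE_CHECKS.get(res.get("Type"))
        if check is not None:
            findings.extend(check(name, res.get("Properties", {})))
    return findings


def gate(findings, threshold="HIGH"):
    """CI gate: True when no finding is at or above the severity threshold."""
    order = {"LOW": 0, "MEDIUM": 1, "HIGH": 2, "CRITICAL": 3}
    return all(order[f.severity] < order[threshold] for f in findings)


# Constructed sample mirroring the Terraform examples above (not a real template).
SAMPLE_TEMPLATE = json.dumps({
    "Resources": {
        "DataBucket": {"Type": "AWS::S3::Bucket",
                       "Properties": {"BucketName": "company-data", "AccessControl": "PublicRead"}},
        "SafeBucket": {"Type": "AWS::S3::Bucket",
                       "Properties": {"PublicAccessBlockConfiguration":
                                      dict.fromkeys(PUBLIC_ACCESS_FLAGS, True)}},
        "WebSg": {"Type": "AWS::EC2::SecurityGroup",
                  "Properties": {"GroupDescription": "open to world",
                                 "SecurityGroupIngress": [{"IpProtocol": "tcp", "FromPort": 0,
                                                           "ToPort": 65535, "CidrIp": "0.0.0.0/0"}]}},
        "InternalSg": {"Type": "AWS::EC2::SecurityGroup",
                       "Properties": {"GroupDescription": "internal https",
                                      "SecurityGroupIngress": [{"IpProtocol": "tcp", "FromPort": 443,
                                                                "ToPort": 443, "CidrIp": "10.0.0.0/8"}]}},
    }
})

if __name__ == "__main__":
    results = scan_template(SAMPLE_TEMPLATE)
    for f in results:
        print(f"{f.severity:8} {f.rule:34} {f.resource}: {f.detail}")
    sys.exit(0 if gate(results) else 1)
```

Run as a script it exits non-zero when any HIGH or CRITICAL finding is present, which is the shape of the CI/CD pre-deployment gate recommended under Best Practices; the IPv6 `::/0` case and protocol `-1` are handled because scanners that only match `0.0.0.0/0` on TCP miss both.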

Kubernetes Security

# ❌ Vulnerable
securityContext:
  privileged: true
  runAsUser: 0

# ✅ Secure
securityContext:
  runAsNonRoot: true
  runAsUser: 1000
  allowPrivilegeEscalation: false
  capabilities:
    drop: ["ALL"]
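Evaluating the securityContext snippets above in isolation misses two things a scanner has to handle: pod-level `runAsUser`/`runAsNonRoot` values are inherited by containers that do not override them, and `privileged`, `allowPrivilegeEscalation` and `capabilities` exist only at container level. The added example below (not CodeThreat's code) implements those rules over a Kubernetes manifest in JSON form, which kubectl accepts alongside YAML and which keeps the example to the standard library; the rule ids, severities and the sample Deployment are constructed.

```python
"""Checks for the container securityContext misconfigurations shown above,
run over a Kubernetes manifest in JSON form. Added illustration, not a
CodeThreat component; rule ids, severities and the sample manifest are
constructed."""
import json

# Fields settable at pod level and inherited unless the container overrides them.
POD_INHERITED = ("runAsUser", "runAsGroup", "runAsNonRoot")


def effective_context(pod_ctx, container_ctx):
    """Container-level values win; privileged, allowPrivilegeEscalation and
    capabilities exist only at container level, so they never inherit."""
    merged = {k: pod_ctx[k] for k in POD_INHERITED if k in pod_ctx}
    merged.update(container_ctx)
    return merged


def check_container(workload, container, pod_ctx):
    ctx = effective_context(pod_ctx, container.get("securityContext") or {})
    where = f"{workload}/{container['name']}"
    findings = []
    if ctx.get("privileged") is True:
        findings.append((where, "PRIVILEGED_CONTAINER", "CRITICAL"))
    # Root is either explicit (uid 0) or implicit: no uid pinned and runAsNonRoot
    # not enforced, so the image's USER (often root) decides at runtime.
    uid = ctx.get("runAsUser")
    if uid == 0 or (uid is None and ctx.get("runAsNonRoot") is not True):
        findings.append((where, "MAY_RUN_AS_ROOT", "HIGH"))
    if ctx.get("allowPrivilegeEscalation") is not False:
        findings.append((where, "PRIVILEGE_ESCALATION_ALLOWED", "MEDIUM"))
    dropped = {c.upper() for c in (ctx.get("capabilities") or {}).get("drop", [])}
    if "ALL" not in dropped:
        findings.append((where, "CAPABILITIES_NOT_DROPPED", "LOW"))
    return findings


def pod_spec(manifest):
    """Locate the pod spec for bare Pods, template-based workloads and CronJobs."""
    kind, spec = manifest.get("kind"), manifest.get("spec", {})
    if kind == "Pod":
        return spec
    if kind == "CronJob":
        spec = spec.get("jobTemplate", {}).get("spec", {})
    return spec.get("template", {}).get("spec", {})


def scan_manifest(manifest_json):
    """Return (location, rule, severity) tuples for every container in the manifest."""
    manifest = json.loads(manifest_json)
    workload = f"{manifest.get('kind')}/{manifest.get('metadata', {}).get('name')}"
    spec = pod_spec(manifest)
    pod_ctx = spec.get("securityContext") or {}
    findings = []
    # initContainers run under the same rules and are easy to forget.
    for container in spec.get("initContainers", []) + spec.get("containers", []):
        findings.extend(check_container(workload, container, pod_ctx))
    return findings


# Constructed sample: one container hardened as in the secure snippet above, one
# with the vulnerable settings, and an init container relying on pod defaults.
SAMPLE_MANIFEST = json.dumps({
    "apiVersion": "apps/v1", "kind": "Deployment", "metadata": {"name": "web"},
    "spec": {"template": {"spec": {
        "securityContext": {"runAsNonRoot": True, "runAsUser": 1000},
        "initContainers": [{"name": "init", "image": "busybox"}],
        "containers": [
            {"name": "app", "image": "myapp:latest",
             "securityContext": {"runAsNonRoot": True, "runAsUser": 1000,
                                 "allowPrivilegeEscalation": False,
                                 "capabilities": {"drop": ["ALL"]}}},
            {"name": "debug", "image": "toolbox",
             "securityContext": {"privileged": True, "runAsUser": 0}},
        ]}}}
})

if __name__ == "__main__":
    for where, rule, severity in scan_manifest(SAMPLE_MANIFEST):
        print(f"{severity:8} {rule:28} {where}")
```

In the sample, `init` inherits the pod's non-root uid and is flagged only for the container-level fields it never sets, `app` produces no findings, and `debug` overrides the pod default with `runAsUser: 0`, so the inherited `runAsNonRoot: true` does not rescue it.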

Compliance Frameworks

CIS Benchmarks

AWS, Azure, GCP, Kubernetes

PCI DSS

Payment card industry standards

HIPAA

Healthcare data protection

SOC 2

Service organization controls

Container Image Scanning

Scan Docker images for vulnerabilities in base images and dependencies.
codethreat image scan myapp:latest
Scans detect:
  • OS vulnerabilities in base images
  • Application CVEs in dependencies
  • Secrets in image layers
  • Dockerfile best practices

Configuration

Configure IaC scanning in repository settings:
  • Enable/disable IaC scanning
  • Select frameworks to scan
  • Set severity thresholds
  • Configure compliance frameworks
  • Enable drift detection

Best Practices

  • Scan IaC files in CI/CD before deployment
  • Use policy as code for compliance
  • Monitor configuration drift
  • Keep base images updated
  • Automate remediation for common issues

Next Steps