CodeThreat uses Trivy for Infrastructure as Code security scanning, detecting misconfigurations before deployment.

Supported IaC Formats

Terraform

File Types: .tf (HCL), .tf.json
Providers Supported:
  • AWS: 200+ checks covering EC2, S3, RDS, IAM, VPC, Lambda, and more
  • Azure: 150+ checks for Virtual Machines, Storage, Databases, Key Vault, etc.
  • Google Cloud: 100+ checks for Compute, Storage, IAM, Networking
  • Kubernetes: 80+ checks for pod security, RBAC, network policies
Common Checks:
  • Public S3 buckets / Azure Storage
  • Unencrypted storage volumes
  • Overly permissive IAM policies / Security Groups
  • Missing encryption at rest
  • Insecure network configurations
  • Publicly exposed databases
  • Missing backup configurations

Kubernetes

File Types: .yaml, .yml manifests, Helm charts
Resource Types Scanned:
  • Pods, Deployments, StatefulSets, DaemonSets
  • Services (LoadBalancer, NodePort exposure risks)
  • ConfigMaps, Secrets (insecure usage)
  • RBAC (Roles, ClusterRoles, RoleBindings)
  • NetworkPolicies
  • PodSecurityPolicies
  • Ingress configurations
Common Checks:
  • Containers running as root
  • Privileged containers
  • Host network/IPC/PID access
  • Missing resource limits (CPU, memory)
  • Insecure volume mounts
  • Exposed secrets in environment variables
  • Missing security contexts
  • Overly permissive RBAC

Docker

File Types: Dockerfile, docker-compose.yml
Dockerfile Checks:
  • Vulnerable base images
  • Running as root user
  • Exposed sensitive ports (22, 3306, 5432, etc.)
  • Hardcoded secrets
  • Missing health checks
  • Using latest tag (unpinned versions)
  • Installing unnecessary packages
  • Not using multi-stage builds
docker-compose Checks:
  • Exposed ports
  • Insecure volume mounts
  • Missing resource limits
  • Privileged mode usage

CloudFormation

File Types: .yaml, .yml, .json (AWS templates)
AWS Resource Checks:
  • IAM policies and roles
  • Security groups
  • S3 bucket policies
  • RDS encryption
  • Lambda security
  • API Gateway configuration
  • CloudTrail logging

ARM Templates

File Types: .json (Azure Resource Manager)
Azure Resource Checks:
  • Storage account encryption
  • VM security
  • Network security groups
  • Key Vault policies
  • SQL Database encryption

Other Formats

  • Helm Charts: Scans rendered YAML
  • Kustomize: Scans generated manifests
  • Ansible: Playbook security checks
  • Pulumi/CDK: Scans generated templates

Misconfiguration Categories

Public Exposure

  • S3 buckets publicly accessible
  • Azure Blob Storage public access
  • Databases exposed to the internet (0.0.0.0/0)
  • Load balancers with open security groups
  • Storage accounts without network restrictions

Missing Encryption

  • S3 without server-side encryption
  • EBS volumes unencrypted
  • RDS databases without encryption at rest
  • Azure Storage without encryption
  • GCP Disks unencrypted

Overly Permissive IAM

  • IAM policies with wildcard (*) actions
  • Service accounts with admin permissions
  • Security groups allowing 0.0.0.0/0
  • RBAC cluster-admin bound to all users
  • Resource policies too permissive

Container Security

  • Running as root in containers
  • Privileged containers without justification
  • Host network access
  • Missing resource limits
  • Insecure capabilities (SYS_ADMIN, NET_ADMIN)

Configuration Issues

  • Debug mode enabled in production
  • Default passwords or credentials
  • Logging disabled for audit trails
  • Monitoring not configured
  • Backup policies missing

Cloud Provider Coverage

AWS (200+ Checks)

  • Compute: EC2, Lambda, ECS, EKS, Batch
  • Storage: S3, EBS, EFS
  • Database: RDS, DynamoDB, ElastiCache, DocumentDB
  • Networking: VPC, Security Groups, NACLs, ELB/ALB
  • IAM: Policies, Roles, Users, Groups
  • Security: KMS, Secrets Manager, GuardDuty
  • Monitoring: CloudTrail, CloudWatch

Azure (150+ Checks)

  • Compute: Virtual Machines, Container Instances, AKS
  • Storage: Blob Storage, Managed Disks
  • Database: SQL Database, CosmosDB, PostgreSQL
  • Networking: Virtual Networks, NSGs, Application Gateway
  • Identity: Active Directory, Managed Identities
  • Security: Key Vault, Security Center

Google Cloud (100+ Checks)

  • Compute: Compute Engine, GKE, Cloud Run, Cloud Functions
  • Storage: Cloud Storage, Persistent Disks
  • Database: Cloud SQL, Firestore, Bigtable
  • Networking: VPC, Firewalls, Load Balancers
  • IAM: Service Accounts, IAM Policies
  • Security: KMS, Secret Manager

Kubernetes-Specific Security

Pod Security:
  • RunAsNonRoot enforcement
  • ReadOnlyRootFilesystem
  • AllowPrivilegeEscalation=false
  • Seccomp profiles
  • AppArmor profiles
Network Security:
  • NetworkPolicy enforcement
  • Service mesh configuration
  • Ingress TLS
  • Internal-only services
RBAC Security:
  • Least privilege principles
  • No cluster-admin bindings
  • Service account token mounting
  • API access restrictions
Secret Management:
  • External secret stores (Vault, etc.)
  • Encrypted secrets
  • Secret rotation
  • No secrets in environment variables
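As an added example (not CodeThreat's or Trivy's code) of what the pod-level checks listed above actually inspect, here is a minimal Python checker that applies them to a parsed Pod manifest. The finding IDs, the `SECRET_HINTS` heuristic and both sample Pods are constructed for this illustration; the manifest is given as a dict, as if already loaded from YAML.

```python
SECRET_HINTS = ("secret", "password", "token")  # env names that should not carry literal values

def pod_findings(manifest: dict) -> list:
    """Return constructed finding IDs (not Trivy's) for the checks a parsed Pod manifest fails."""
    spec = manifest.get("spec", {})
    pod_sc = spec.get("securityContext", {})
    findings = []
    # Host namespace sharing is a pod-level setting.
    for flag in ("hostNetwork", "hostIPC", "hostPID"):
        if spec.get(flag):
            findings.append(f"host-access:{flag}")
    for c in spec.get("containers", []):
        name = c.get("name", "?")
        # Container securityContext overrides the pod-level one field by field.
        sc = {**pod_sc, **c.get("securityContext", {})}
        if sc.get("privileged"):
            findings.append(f"privileged:{name}")
        if not sc.get("runAsNonRoot"):
            findings.append(f"run-as-root:{name}")
        if sc.get("allowPrivilegeEscalation", True):  # Kubernetes defaults this to true when unset
            findings.append(f"privilege-escalation:{name}")
        if not sc.get("readOnlyRootFilesystem"):
            findings.append(f"writable-root-fs:{name}")
        for cap in sc.get("capabilities", {}).get("add", []):
            if cap in ("SYS_ADMIN", "NET_ADMIN"):
                findings.append(f"insecure-capability:{name}:{cap}")
        limits = c.get("resources", {}).get("limits", {})
        if "cpu" not in limits or "memory" not in limits:
            findings.append(f"missing-limits:{name}")
        for env in c.get("env", []):
            # A literal value under a secret-looking name; valueFrom.secretKeyRef is the safe form.
            if "value" in env and any(h in env["name"].lower() for h in SECRET_HINTS):
                findings.append(f"secret-in-env:{name}:{env['name']}")
    return findings

# Constructed sample manifests: the weak spec fails every check, the hardened one passes them all.
WEAK_POD = {"apiVersion": "v1", "kind": "Pod", "metadata": {"name": "web"},
            "spec": {"hostNetwork": True, "containers": [{
                "name": "app", "image": "nginx:latest",
                "securityContext": {"privileged": True, "capabilities": {"add": ["SYS_ADMIN"]}},
                "env": [{"name": "DB_PASSWORD", "value": "hunter2"}]}]}}

HARDENED_POD = {"apiVersion": "v1", "kind": "Pod", "metadata": {"name": "web"},
                "spec": {"securityContext": {"runAsNonRoot": True}, "containers": [{
                    "name": "app", "image": "nginx:1.27.0",
                    "securityContext": {"allowPrivilegeEscalation": False, "readOnlyRootFilesystem": True,
                                        "capabilities": {"drop": ["ALL"]}},
                    "resources": {"limits": {"cpu": "500m", "memory": "256Mi"}},
                    "env": [{"name": "DB_PASSWORD",
                             "valueFrom": {"secretKeyRef": {"name": "db", "key": "password"}}}]}]}}
```

`pod_findings(WEAK_POD)` returns eight findings and `pod_findings(HARDENED_POD)` returns an empty list; a real scanner applies the same field-level logic across Deployments, StatefulSets and the other workload kinds listed above.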

Best Practices Detection

Trivy also identifies best practice violations:
  • Missing labels for resource organization
  • Untagged resources (cost tracking issues)
  • No lifecycle policies for storage
  • Missing monitoring/alerting configuration
  • Inadequate backup strategies

What Makes IaC Scanning Different

  • Shift-left approach: Catch misconfigurations in code, not after deployment
  • Multi-cloud: One scanner for AWS, Azure, GCP, Kubernetes
  • Comprehensive: Security + compliance + best practices
  • Integrated: Part of the same workflow as SAST and SCA

Compliance Frameworks

Trivy’s IaC checks align with:
CIS Benchmarks:
  • CIS AWS Foundations Benchmark
  • CIS Azure Foundations Benchmark
  • CIS GCP Foundations Benchmark
  • CIS Kubernetes Benchmark
Security Standards:
  • NIST Cybersecurity Framework
  • ISO 27001 controls
  • SOC 2 requirements
  • PCI-DSS infrastructure requirements

IaC scanning is only available on the PRO plan. The FREE plan includes SAST and SCA only.
