Supported IaC Formats
Terraform
File Types: .tf (HCL), .tf.json
Providers Supported:
- AWS: 200+ checks covering EC2, S3, RDS, IAM, VPC, Lambda, and more
- Azure: 150+ checks for Virtual Machines, Storage, Databases, Key Vault, etc.
- Google Cloud: 100+ checks for Compute, Storage, IAM, Networking
- Kubernetes: 80+ checks for pod security, RBAC, network policies
Common Misconfigurations Detected:
- Public S3 buckets / Azure Storage
- Unencrypted storage volumes
- Overly permissive IAM policies / Security Groups
- Missing encryption at rest
- Insecure network configurations
- Publicly exposed databases
- Missing backup configurations
Kubernetes
File Types: .yaml, .yml manifests, Helm charts
Resource Types Scanned:
- Pods, Deployments, StatefulSets, DaemonSets
- Services (LoadBalancer, NodePort exposure risks)
- ConfigMaps, Secrets (insecure usage)
- RBAC (Roles, ClusterRoles, RoleBindings)
- NetworkPolicies
- PodSecurityPolicies
- Ingress configurations
Security Checks:
- Containers running as root
- Privileged containers
- Host network/IPC/PID access
- Missing resource limits (CPU, memory)
- Insecure volume mounts
- Exposed secrets in environment variables
- Missing security contexts
- Overly permissive RBAC
Docker
File Types: Dockerfile, docker-compose.yml
Dockerfile Checks:
- Vulnerable base images
- Running as root user
- Exposed sensitive ports (22, 3306, 5432, etc.)
- Hardcoded secrets
- Missing health checks
- Using the latest tag (unpinned versions)
- Installing unnecessary packages
- Not using multi-stage builds
docker-compose Checks:
- Exposed ports
- Insecure volume mounts
- Missing resource limits
- Privileged mode usage
CloudFormation
File Types: .yaml, .yml, .json (AWS templates)
AWS Resource Checks:
- IAM policies and roles
- Security groups
- S3 bucket policies
- RDS encryption
- Lambda security
- API Gateway configuration
- CloudTrail logging
ARM Templates
File Types: .json (Azure Resource Manager)
Azure Resource Checks:
- Storage account encryption
- VM security
- Network security groups
- Key Vault policies
- SQL Database encryption
Other Formats
Helm Charts: Scans rendered YAML
Kustomize: Scans generated manifests
Ansible: Playbook security checks
Pulumi/CDK: Scans generated templates
Misconfiguration Categories
Public Exposure
❌ S3 buckets publicly accessible
❌ Azure Blob Storage public access
❌ Databases exposed to internet (0.0.0.0/0)
❌ Load balancers with open security groups
❌ Storage accounts without network restrictions
Missing Encryption
❌ S3 without server-side encryption
❌ EBS volumes unencrypted
❌ RDS databases without encryption at rest
❌ Azure Storage without encryption
❌ GCP Disks unencrypted
Overly Permissive IAM
❌ IAM policies with wildcard (*) actions
❌ Service accounts with admin permissions
❌ Security groups allowing 0.0.0.0/0
❌ RBAC cluster-admin to all users
❌ Resource policies too permissive
Container Security
❌ Running as root in containers
❌ Privileged containers without justification
❌ Host network access
❌ Missing resource limits
❌ Insecure capabilities (SYS_ADMIN, NET_ADMIN)
Configuration Issues
❌ Debug mode enabled in production
❌ Default passwords or credentials
❌ Logging disabled for audit trails
❌ Monitoring not configured
❌ Backup policies missing
Cloud Provider Coverage
AWS (200+ Checks)
Compute: EC2, Lambda, ECS, EKS, Batch
Storage: S3, EBS, EFS
Database: RDS, DynamoDB, ElastiCache, DocumentDB
Networking: VPC, Security Groups, NACLs, ELB/ALB
IAM: Policies, Roles, Users, Groups
Security: KMS, Secrets Manager, GuardDuty
Monitoring: CloudTrail, CloudWatch
Azure (150+ Checks)
Compute: Virtual Machines, Container Instances, AKS
Storage: Blob Storage, Managed Disks
Database: SQL Database, CosmosDB, PostgreSQL
Networking: Virtual Networks, NSGs, Application Gateway
Identity: Active Directory, Managed Identities
Security: Key Vault, Security Center
Google Cloud (100+ Checks)
Compute: Compute Engine, GKE, Cloud Run, Cloud Functions
Storage: Cloud Storage, Persistent Disks
Database: Cloud SQL, Firestore, Bigtable
Networking: VPC, Firewalls, Load Balancers
IAM: Service Accounts, IAM Policies
Security: KMS, Secret Manager
Kubernetes-Specific Security
Pod Security:
- RunAsNonRoot enforcement
- ReadOnlyRootFilesystem
- AllowPrivilegeEscalation=false
- Seccomp profiles
- AppArmor profiles
Network Security:
- NetworkPolicy enforcement
- Service mesh configuration
- Ingress TLS
- Internal-only services
RBAC:
- Least privilege principles
- No cluster-admin bindings
- Service account token mounting
- API access restrictions
Secrets Management:
- External secret stores (Vault, etc.)
- Encrypted secrets
- Secret rotation
- No secrets in environment variables
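As an added example (not Trivy's own code or its check format), the pod-level items from the Kubernetes Security Checks list and the Pod Security settings above, implemented as one small Python checker and run over a constructed weak Pod manifest beside its hardened counterpart; the manifests, finding identifiers and resource limits are assumptions made for illustration.

```python
# Added example, not Trivy's own code: a minimal checker for the pod-level
# misconfigurations listed on this page. Manifests are constructed dicts in
# the shape yaml.safe_load() returns for a Kubernetes Pod.
def check_pod(manifest):
    """Return finding identifiers for a Pod manifest; an empty list means clean."""
    findings = []
    spec = manifest.get("spec", {})
    pod_ctx = spec.get("securityContext", {})
    for key in ("hostNetwork", "hostPID", "hostIPC"):  # host namespace sharing
        if spec.get(key):
            findings.append(f"pod:{key}")
    for c in spec.get("containers", []):
        name, ctx = c["name"], c.get("securityContext", {})
        # A container-level runAsNonRoot overrides the pod-level setting.
        if not ctx.get("runAsNonRoot", pod_ctx.get("runAsNonRoot", False)):
            findings.append(f"{name}:runAsNonRoot-not-enforced")
        if not ctx.get("readOnlyRootFilesystem", False):
            findings.append(f"{name}:writable-root-filesystem")
        if ctx.get("allowPrivilegeEscalation", True):  # Kubernetes defaults to true
            findings.append(f"{name}:allowPrivilegeEscalation")
        if ctx.get("privileged", False):
            findings.append(f"{name}:privileged")
        limits = c.get("resources", {}).get("limits", {})
        for res in ("cpu", "memory"):
            if res not in limits:
                findings.append(f"{name}:missing-limit:{res}")
        # Secrets injected as env vars are readable by every process in the container.
        for env in c.get("env", []):
            if "secretKeyRef" in env.get("valueFrom", {}):
                findings.append(f"{name}:secret-in-env:{env['name']}")
    return findings

# Constructed weak manifest: privileged, host network, secret in env, no limits.
WEAK_POD = {"apiVersion": "v1", "kind": "Pod", "spec": {
    "hostNetwork": True,
    "containers": [{"name": "app", "image": "example/app:1.0",
        "securityContext": {"privileged": True},
        "env": [{"name": "DB_PASSWORD", "valueFrom": {"secretKeyRef":
                 {"name": "db", "key": "password"}}}]}]}}

# Constructed hardened manifest: same workload with the Pod Security settings
# listed above; the secret is mounted as a read-only file instead of an env var.
HARDENED_POD = {"apiVersion": "v1", "kind": "Pod", "spec": {
    "securityContext": {"runAsNonRoot": True, "seccompProfile": {"type": "RuntimeDefault"}},
    "containers": [{"name": "app", "image": "example/app:1.0",
        "securityContext": {"readOnlyRootFilesystem": True, "allowPrivilegeEscalation": False,
                            "capabilities": {"drop": ["ALL"]}},
        "resources": {"limits": {"cpu": "500m", "memory": "256Mi"}},
        "volumeMounts": [{"name": "db", "mountPath": "/etc/db", "readOnly": True}]}],
    "volumes": [{"name": "db", "secret": {"secretName": "db"}}]}}
```

Calling `check_pod(WEAK_POD)` reports eight findings, while `check_pod(HARDENED_POD)` returns an empty list.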
Best Practices Detection
Trivy also identifies best practice violations:
✅ Missing labels for resource organization
✅ Untagged resources (cost tracking issues)
✅ No lifecycle policies for storage
✅ Missing monitoring/alerting configuration
✅ Inadequate backup strategies
What Makes IaC Scanning Different
Shift-left approach: Catch misconfigurations in code, not after deployment
Multi-cloud: One scanner for AWS, Azure, GCP, Kubernetes
Comprehensive: Security + compliance + best practices
Integrated: Part of the same workflow as SAST and SCA
Compliance Frameworks
Trivy’s IaC checks align with:
CIS Benchmarks:
- CIS AWS Foundations Benchmark
- CIS Azure Foundations Benchmark
- CIS GCP Foundations Benchmark
- CIS Kubernetes Benchmark
Other Frameworks:
- NIST Cybersecurity Framework
- ISO 27001 controls
- SOC 2 requirements
- PCI-DSS infrastructure requirements
