What IaC scanning finds
Misconfigurations, before deploy.
IaC scanning is static analysis for infrastructure code: it reads your Terraform, CloudFormation, Kubernetes manifests, Helm charts, and Dockerfiles and flags insecure configuration before any of it is deployed. Where a runtime tool catches a public bucket after it exists, a scanner catches it in the pull request — an unencrypted volume, a security group open to 0.0.0.0/0, an IAM policy with Action:*, a container running as root. It is the shift-left counterpart to the runtime controls in the security courses.
Checkov (by Prisma/Bridgecrew) is the most widely used of these tools: a single Python package with hundreds of built-in policies across many IaC frameworks, designed to run in CI and locally. It is the anchor of this course, but the same ideas — read config, match against a rule catalog, report violations — apply to the whole scanner family (tfsec/Trivy, Terrascan, KICS), which the advanced lessons compare. Learn the discipline once and every scanner fits it.
What it catches, and what it does not
Scanners are strong on the well-known misconfiguration classes — encryption off, public exposure, over-broad IAM, missing logging, weak TLS, absent resource limits — because those map cleanly to rules over config fields. They are weaker on logic that only resolves at runtime, on business-specific policy (which is where OPA/Conftest complements them), and on anything not expressed in the config at all. Scanning is one layer of defense in depth, not the whole story.