What IaC scanning finds

Misconfigurations, before deploy.

Intermediate12 min · lesson 1 of 12

IaC scanning is static analysis for infrastructure code: it reads your Terraform, CloudFormation, Kubernetes manifests, Helm charts, and Dockerfiles and flags insecure configuration before any of it is deployed. Where a runtime tool catches a public bucket after it exists, a scanner catches it in the pull request — an unencrypted volume, a security group open to 0.0.0.0/0, an IAM policy with Action:*, a container running as root. It is the shift-left counterpart to the runtime controls in the security courses.

Checkov (by Prisma/Bridgecrew) is the most widely used of these tools: a single Python package with hundreds of built-in policies across many IaC frameworks, designed to run in CI and locally. It is the anchor of this course, but the same ideas — read config, match against a rule catalog, report violations — apply to the whole scanner family (tfsec/Trivy, Terrascan, KICS), which the advanced lessons compare. Learn the discipline once and every scanner fits it.

Where scanning sits
1write IaC
Terraform, k8s, Docker…
2scan
match against rules
3findings
severity + remediation
4gate
fix before merge
Static analysis reads the code (or the plan) and reports misconfigurations pre-deploy — no cloud account touched.

What it catches, and what it does not

Scanners are strong on the well-known misconfiguration classes — encryption off, public exposure, over-broad IAM, missing logging, weak TLS, absent resource limits — because those map cleanly to rules over config fields. They are weaker on logic that only resolves at runtime, on business-specific policy (which is where OPA/Conftest complements them), and on anything not expressed in the config at all. Scanning is one layer of defense in depth, not the whole story.

A clean scan is not a secure system
Passing a scanner means “no known misconfiguration in the rules it ran,” not “secure.” It cannot see runtime behavior, custom risks it has no rule for, or issues in code it did not parse. Treat a green scan as one necessary gate among many (policy-as-code, runtime detection, review) — never as proof of safety.