v6.0.0 - IaC Misconfiguration Scanner

@OmarRao OmarRao released this 18 Jun 15:30

Detect cloud and container misconfigurations before they reach production. Scans Terraform, Kubernetes, Dockerfiles, GitHub Actions workflows, CloudFormation templates, and Ansible playbooks - integrated into every repo scan and available as a standalone dashboard panel.


What's scanned

| Framework | Key Checks |
|---|---|
| Terraform | Public S3 buckets, open security groups (0.0.0.0/0), publicly accessible RDS, wildcard IAM (`"Action": "*"`), disabled encryption, hardcoded credentials, no deletion protection |
| Kubernetes | Privileged containers, hostNetwork/PID/IPC, allowPrivilegeEscalation, root UID, wildcard RBAC verbs, `:latest` image tags, missing resource limits, auto-mounted service account tokens |
| Dockerfile | No USER (runs as root), ADD instead of COPY, `:latest` base image, hardcoded secrets in ENV/ARG, `curl \| bash` in RUN, `--privileged` flag, missing HEALTHCHECK |
| GitHub Actions | write-all permissions, pull_request_target misuse, unpinned actions (@main/@master), `curl \| bash` in run steps, script injection via `${{ github.event.* }}`, hardcoded credentials |
| CloudFormation | Publicly accessible RDS, public S3 ACLs, wildcard IAM actions, missing DeletionPolicy, disabled storage encryption |
| Ansible | Privilege escalation (`become: yes`), `no_log: false` on secret tasks, hardcoded passwords, `curl \| bash` in shell tasks, disabled TLS validation |

Checkov integration

When checkov is installed, the scanner uses it for deep analysis:

pip install checkov

Without checkov, 50+ built-in pattern checks run across all 6 frameworks - zero additional dependencies required.
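As an added example, not code from this release or the project, the following shows how a few of the Dockerfile pattern checks listed above (unpinned `:latest` base image, `curl | bash` in RUN, hardcoded secrets in ENV/ARG, no non-root USER) can be implemented with no dependency on checkov. The check IDs, severities and the sample Dockerfile are constructed for illustration; backslash-continued RUN lines are joined first so a pipe-to-shell split across lines is still caught.

```python
import re

# ENV/ARG whose name looks like a credential AND carries a value (a bare `ARG TOKEN` is fine).
SECRET_KV = re.compile(r"^(ENV|ARG)\s+\w*(PASSWORD|SECRET|TOKEN|API_KEY)\w*(=|\s+)\S+", re.I)
# Remote script piped straight into a shell, optionally via sudo.
CURL_BASH = re.compile(r"\b(curl|wget)\b.*\|\s*(sudo\s+)?(ba)?sh\b", re.I)

def _logical_lines(text: str) -> list[tuple[int, str]]:
    """Join backslash-continued lines so a multi-line RUN is checked as one instruction."""
    out, buf, start = [], "", 0
    for n, raw in enumerate(text.splitlines(), 1):
        line = raw.rstrip()
        start = start if buf else n  # report the line where the instruction began
        if line.endswith("\\"):
            buf += line[:-1] + " "
            continue
        out.append((start, (buf + line).strip()))
        buf = ""
    return out

def scan_dockerfile(text: str) -> list[tuple[str, str, int, str]]:
    """Return (check_id, severity, line_no, description); line 0 means a whole-file finding."""
    findings, runs_as_root = [], True
    for n, line in _logical_lines(text):
        if not line or line.startswith("#"):
            continue
        instr, _, args = line.partition(" ")
        instr, tokens = instr.upper(), [t for t in args.split() if not t.startswith("--")]
        if instr == "FROM" and tokens:
            image = tokens[0]  # 'scratch' carries no tag by design; everything else should be pinned
            if image != "scratch" and (image.endswith(":latest") or not any(c in image for c in ":@")):
                findings.append(("DF-LATEST", "MEDIUM", n, f"base image '{image}' is not pinned"))
        elif instr == "RUN" and CURL_BASH.search(args):
            findings.append(("DF-CURLBASH", "HIGH", n, "remote script piped into a shell"))
        elif instr in ("ENV", "ARG") and SECRET_KV.match(line):
            findings.append(("DF-SECRET", "HIGH", n, "credential-like value baked into the image"))
        elif instr == "USER":
            runs_as_root = not tokens or tokens[0] in ("root", "0")  # the last USER wins
    if runs_as_root:
        findings.append(("DF-ROOT", "HIGH", 0, "no non-root USER; container runs as root"))
    return findings

# Constructed sample (not a real project file): trips all four checks.
SAMPLE_DOCKERFILE = """\
FROM python:latest
ENV DB_PASSWORD=hunter2
RUN curl -sSL https://example.invalid/install.sh \\
    | bash
"""
```

Calling `scan_dockerfile(SAMPLE_DOCKERFILE)` yields one finding per check, with the pipe-to-shell reported at the RUN line where the continued instruction began.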


Dashboard panel

  • KPI strip: Frameworks detected, Files scanned, Critical / High / Medium counts, Engine used
  • Framework breakdown cards - click any card to filter findings by that framework
  • Severity filter buttons (All / Critical / High / Medium / Low)
  • Findings table: Severity badge, Framework, Check ID, Resource, File, Line, Description, Fix
  • 5-step IaC remediation workflow guide

Full release history

| Version | Highlights |
|---|---|
| v6.0.0 | IaC Misconfiguration Scanner - 6 frameworks, 50+ checks, checkov integration |
| v5.0.0 | Expanded YARA library - 11 rule sets, 50+ rules (Cl0p, Play, Akira, RansomHub, LotL, credential harvesting, supply chain) |
| v4.0.0 | Dependency Vulnerability Scanner - OSV.dev, 7 ecosystems, CVSS scoring |
| v3.0.0 | Secrets Detection Engine - 60+ patterns, git history scan, entropy, blast radius |
| v2.0.0 | Threat Intelligence Dashboard, YARA scanner, enterprise prevention guide |
| v1.0.0 | Initial release - Semgrep, Docker sandbox, multi-LLM advisor, ransomware engine |