v6.0.0 - IaC Misconfiguration Scanner
Detect cloud and container misconfigurations before they reach production. Scans Terraform, Kubernetes, Dockerfiles, GitHub Actions workflows, CloudFormation templates, and Ansible playbooks - integrated into every repo scan and available as a standalone dashboard panel.
What's scanned
| Framework | Key Checks |
|---|---|
| Terraform | Public S3 buckets, open security groups (0.0.0.0/0), publicly accessible RDS, wildcard IAM ("Action": "*"), disabled encryption, hardcoded credentials, no deletion protection |
| Kubernetes | Privileged containers, hostNetwork/PID/IPC, allowPrivilegeEscalation, root UID, wildcard RBAC verbs, :latest image tags, missing resource limits, auto-mounted service account tokens |
| Dockerfile | No USER (runs as root), ADD instead of COPY, :latest base image, hardcoded secrets in ENV/ARG, curl \| bash in RUN, --privileged flag, missing HEALTHCHECK |
| GitHub Actions | write-all permissions, pull_request_target misuse, unpinned actions (@main/@master), curl \| bash in run steps, script injection via ${{ github.event.* }}, hardcoded credentials |
| CloudFormation | Publicly accessible RDS, public S3 ACLs, wildcard IAM actions, missing DeletionPolicy, disabled storage encryption |
| Ansible | Privilege escalation (become: yes), no_log: false on secret tasks, hardcoded passwords, curl \| bash in shell tasks, disabled TLS validation |
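A line-oriented sketch of the kind of built-in pattern checks the table describes, written as an added example for this page and not the scanner's own code: the check IDs, regexes, severities and the four sample files are constructed and illustrative, and it covers only Kubernetes, Dockerfile and GitHub Actions. It detects the framework from path and content, runs presence checks per line and absence checks per file (a Dockerfile with no non-root USER or no HEALTHCHECK, a Deployment with no resource limits), and places a weak Dockerfile beside a hardened one that yields no findings:

```python
"""Line-oriented IaC checks in the style of the scanner's built-in (no-checkov) engine.
Added example, not the project's code: IDs, regexes, severities and samples are illustrative."""
import re
from collections import namedtuple
# One finding = one row of the dashboard's findings table (line 0 = file-level finding).
Finding = namedtuple("Finding", "severity framework check_id file line description fix")
# Per-framework checks: (id, severity, mode, regex, description, fix). mode "line" reports every
# matching line; mode "absent" reports once, at line 0, if the regex never matches in the file.
CHECKS = {
    "kubernetes": [
        ("K8S-PRIVILEGED", "CRITICAL", "line", r"privileged:\s*true", "Privileged container", "Set privileged: false"),
        ("K8S-HOST-NS", "HIGH", "line", r"host(Network|PID|IPC):\s*true", "Shares a host namespace", "Remove host* settings"),
        ("K8S-LATEST", "MEDIUM", "line", r"image:\s*\S+:latest\b", "Mutable :latest image tag", "Pin a version or digest"),
        ("K8S-NO-LIMITS", "MEDIUM", "absent", r"^\s*limits:", "Missing resource limits", "Set resources.limits"),
    ],
    "dockerfile": [
        ("DKR-CURL-BASH", "HIGH", "line", r"^\s*RUN\b.*\bcurl\b.*\|\s*(ba)?sh\b", "curl | bash in RUN", "Download, verify, then run"),
        ("DKR-ADD", "MEDIUM", "line", r"^\s*ADD\s", "ADD instead of COPY", "Use COPY unless unpacking a tar"),
        ("DKR-LATEST", "MEDIUM", "line", r"^\s*FROM\s+\S+:latest\b", ":latest base image", "Pin the base image"),
        # Only an inline value is flagged; a bare 'ARG TOKEN' with no default is not a hardcoded secret.
        ("DKR-SECRET", "CRITICAL", "line", r"(?i)^\s*(ENV|ARG)\s+\w*(password|secret|token)\w*\s*=?\s*\S", "Secret in ENV/ARG", "Use --mount=type=secret"),
        ("DKR-NO-USER", "HIGH", "absent", r"^\s*USER\s+(?!root\b|0\b)\S+", "No non-root USER (runs as root)", "Add USER before CMD"),
        ("DKR-NO-HEALTHCHECK", "LOW", "absent", r"^\s*HEALTHCHECK\b", "Missing HEALTHCHECK", "Add a HEALTHCHECK"),
    ],
    "github_actions": [
        ("GHA-WRITE-ALL", "HIGH", "line", r"permissions:\s*write-all", "write-all token permissions", "Grant per-job least privilege"),
        ("GHA-UNPINNED", "HIGH", "line", r"uses:\s*\S+@(main|master)\b", "Action pinned to a branch", "Pin to a full commit SHA"),
        ("GHA-INJECTION", "CRITICAL", "line", r"\$\{\{\s*github\.event\.[^}]*\.(title|body|message)\s*\}\}", "Untrusted event data in expression", "Pass via env var and quote"),
    ],
}

def detect_framework(path, text):
    """Classify by path first, then by a cheap content sniff; None = not IaC we know."""
    name = path.rsplit("/", 1)[-1]
    if name == "Dockerfile":
        return "dockerfile"
    if name.endswith((".yml", ".yaml")):
        if ".github/workflows/" in path:
            return "github_actions"
        if re.search(r"^apiVersion:", text, re.M) and re.search(r"^kind:", text, re.M):
            return "kubernetes"
    return None

def scan_file(path, text):
    """Run the framework's checks over one file; findings come back sorted by line."""
    fw = detect_framework(path, text)
    out = []
    for cid, sev, mode, rx, desc, fix in CHECKS.get(fw, []):
        if mode == "absent":
            if not re.search(rx, text, re.M):
                out.append(Finding(sev, fw, cid, path, 0, desc, fix))
        else:
            for n, line in enumerate(text.splitlines(), 1):
                if re.search(rx, line):
                    out.append(Finding(sev, fw, cid, path, n, desc, fix))
    return sorted(out, key=lambda f: f.line)

# Constructed samples: a weak Dockerfile next to its hardened form, plus a Deployment
# and a workflow that each trip several checks.
VULN_DOCKERFILE = """FROM python:latest
ADD app.tar.gz /app
ENV DB_PASSWORD=hunter2
RUN curl -sSL https://example.invalid/install.sh | bash
CMD ["python", "/app/main.py"]
"""
SAFE_DOCKERFILE = """FROM python:3.12-slim
COPY app/ /app
RUN useradd --create-home app
USER app
HEALTHCHECK CMD wget -qO- http://localhost:8000/health || exit 1
CMD ["python", "/app/main.py"]
"""
VULN_DEPLOYMENT = """apiVersion: apps/v1
kind: Deployment
spec:
  template:
    spec:
      hostNetwork: true
      containers:
      - image: nginx:latest
        securityContext:
          privileged: true
"""
VULN_WORKFLOW = """on: pull_request_target
permissions: write-all
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@main
      - run: echo "PR title ${{ github.event.pull_request.title }}"
"""

if __name__ == "__main__":
    repo = {"Dockerfile": VULN_DOCKERFILE, "hardened/Dockerfile": SAFE_DOCKERFILE,
            "k8s/deploy.yaml": VULN_DEPLOYMENT, ".github/workflows/ci.yml": VULN_WORKFLOW}
    for path, text in repo.items():
        for f in scan_file(path, text):
            print(f"{f.severity:8} {f.check_id:18} {f.file}:{f.line}  {f.description} -> {f.fix}")
```

The weak Dockerfile produces six findings (two file-level, four line-level) and the hardened one none; the Deployment is flagged for the host namespace, the mutable tag, the privileged flag and the missing limits. Regex checks of this kind are cheap and dependency-free but also easy to evade (a value set through YAML anchors, a Terraform variable, or a multi-line RUN), which is exactly the gap a parser-based engine such as checkov closes.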
Checkov integration
When checkov is installed, the scanner uses it for deep analysis:

```bash
pip install checkov
```

Without checkov, 50+ built-in pattern checks run across all 6 frameworks - zero additional dependencies required.
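How the engine switch can be implemented, as an added example that is not the project's code: checkov is used when it is on PATH, its JSON report is flattened into the same rows a built-in engine returns, and those rows feed the "Engine used" and "Frameworks detected" KPIs. The CLI flags (-d, -o json, --quiet) are real checkov flags; the report field names (check_type, results.failed_checks, check_id, check_name, file_path, file_line_range, resource, severity) are those of checkov's JSON reporter in recent releases and the sample report is constructed, so confirm both against your installed version.

```python
"""Engine selection for the IaC scan: run checkov when it is on PATH, otherwise fall back to
built-in checks. Added example, not the project's code. The checkov flags used (-d, -o json,
--quiet) are real; the JSON field names are those of checkov's JSON reporter in recent releases."""
import json
import shutil
import subprocess


def run_checkov(directory):
    """Run checkov on a directory and return its parsed JSON report.
    checkov exits non-zero whenever a check fails, so the exit code is not an error signal here."""
    proc = subprocess.run(["checkov", "-d", directory, "-o", "json", "--quiet"],
                          capture_output=True, text=True)
    return json.loads(proc.stdout)


def normalize_checkov(report):
    """Flatten a checkov report (a list with one object per detected framework, or a single
    object when only one framework was found) into the rows the findings table shows."""
    blocks = report if isinstance(report, list) else [report]
    rows = []
    for block in blocks:
        for c in block.get("results", {}).get("failed_checks", []):
            line_range = c.get("file_line_range") or [0]
            sev = c.get("severity")  # null in the report unless the platform integration supplies it
            rows.append({
                "severity": str(sev).upper() if sev else "UNKNOWN",
                "framework": block.get("check_type", "unknown"),
                "check_id": c["check_id"],
                "resource": c.get("resource"),
                "file": c.get("file_path"),
                "line": line_range[0],
                "description": c.get("check_name"),
            })
    return rows


def scan(directory, builtin, use_checkov=None):
    """Return (engine, rows). use_checkov=None auto-detects; builtin is a callable taking the
    directory and returning rows of the same shape as normalize_checkov()."""
    if use_checkov is None:
        use_checkov = shutil.which("checkov") is not None
    if use_checkov:
        return "checkov", normalize_checkov(run_checkov(directory))
    return "builtin", builtin(directory)


def kpi(engine, rows):
    """The dashboard's KPI strip: engine used, frameworks detected, severity counts."""
    counts = {s: sum(r["severity"] == s for r in rows) for s in ("CRITICAL", "HIGH", "MEDIUM", "LOW")}
    return {"engine": engine, "frameworks": sorted({r["framework"] for r in rows}), **counts}


# Constructed sample report in the shape checkov emits for a single-framework scan.
SAMPLE_REPORT = {
    "check_type": "terraform",
    "results": {
        "passed_checks": [],
        "failed_checks": [{
            "check_id": "CKV_AWS_20",
            "check_name": "S3 Bucket has an ACL defined which allows public READ access.",
            "file_path": "/main.tf",
            "file_line_range": [1, 5],
            "resource": "aws_s3_bucket.data",
            "severity": None,
        }],
        "skipped_checks": [],
        "parsing_errors": [],
    },
}

if __name__ == "__main__":
    engine, rows = scan(".", builtin=lambda d: [])
    print(kpi(engine, rows))
```

Two details matter in practice: checkov's exit status is 1 when any check fails, so treat only an empty or unparseable stdout as an engine error, and the community CLI leaves severity null, so a pipeline that gates on Critical/High needs its own severity mapping per check ID when running without the platform.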
Dashboard panel
- KPI strip: Frameworks detected, Files scanned, Critical / High / Medium counts, Engine used
- Framework breakdown cards - click any card to filter findings by that framework
- Severity filter buttons (All / Critical / High / Medium / Low)
- Findings table: Severity badge, Framework, Check ID, Resource, File, Line, Description, Fix
- 5-step IaC remediation workflow guide
Full release history
| Version | Highlights |
|---|---|
| v6.0.0 | IaC Misconfiguration Scanner - 6 frameworks, 50+ checks, checkov integration |
| v5.0.0 | Expanded YARA library - 11 rule sets, 50+ rules (Cl0p, Play, Akira, RansomHub, LotL, credential harvesting, supply chain) |
| v4.0.0 | Dependency Vulnerability Scanner - OSV.dev, 7 ecosystems, CVSS scoring |
| v3.0.0 | Secrets Detection Engine - 60+ patterns, git history scan, entropy, blast radius |
| v2.0.0 | Threat Intelligence Dashboard, YARA scanner, enterprise prevention guide |
| v1.0.0 | Initial release - Semgrep, Docker sandbox, multi-LLM advisor, ransomware engine |