This integration is configured through the Invicti ASPM product.
Infrastructure as Code (IaC) overview
What is IaC scanning?
Infrastructure as Code (IaC) scanning analyzes infrastructure configuration files to identify security misconfigurations, vulnerabilities, and compliance violations before infrastructure is deployed. By shifting security checks into the development phase, IaC scanning helps teams catch issues when they are easiest and cheapest to fix.
Invicti AppSec Core includes a preconfigured Invicti SCA scanner that is automatically activated with your package. The integrations on this page are for teams using Invicti ASPM who want to connect their own SCA tools instead. See AppSec Core scanners overview for details on the built-in scanner.
How it works
IaC scanning parses infrastructure configuration files and evaluates them against security policies and best practices. The scanning process includes:
- Configuration analysis — checks resource definitions for security misconfigurations such as open ports, missing encryption, or overly permissive access.
- Policy evaluation — validates configurations against security benchmarks such as CIS Benchmarks and organizational policies.
- Compliance checks — identifies deviations from compliance frameworks before deployment.
- Dependency analysis — detects insecure module references and outdated provider versions.
Supported IaC frameworks
IaC scanning tools support the following configuration formats. The specific formats supported depend on the tool used:
- Terraform (HCL configuration files)
- AWS CloudFormation (JSON/YAML templates)
- Kubernetes manifests (YAML)
- Helm Charts
- Dockerfile
- Ansible
- Pulumi
What it can discover
IaC scanning detects risks across the following categories:
| Category | Examples |
|---|---|
| Overly permissive access | Security groups allowing ingress from 0.0.0.0/0, IAM policies with wildcard permissions |
| Public storage | S3 buckets or equivalent configured with public access |
| Unencrypted resources | Databases, storage volumes, or EBS volumes defined without encryption |
| Exposed databases | RDS instances or similar resources configured with public accessibility |
| Missing logging | Resources defined without audit logging or monitoring |
| Insecure container definitions | Containers running as root, missing resource limits, hardcoded secrets |
| Compliance violations | Deviations from CIS benchmarks and other security standards |
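As an added illustration of the configuration analysis described above, the following Python script (written for this page; it is not part of Invicti ASPM or of any tool listed below) checks a constructed CloudFormation JSON template for four of the categories in the table: open ingress, unencrypted EBS volumes, publicly accessible RDS instances, and S3 buckets without a full public access block.

```python
import json

# Constructed CloudFormation template containing several of the misconfiguration
# categories from the table above; it is sample input, not a real deployment.
TEMPLATE = json.loads("""{"Resources": {
  "WebSg": {"Type": "AWS::EC2::SecurityGroup", "Properties": {"GroupDescription": "web",
    "SecurityGroupIngress": [
      {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22, "CidrIp": "0.0.0.0/0"},
      {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443, "CidrIp": "10.0.0.0/8"}]}},
  "DataVol": {"Type": "AWS::EC2::Volume", "Properties": {"Size": 100, "AvailabilityZone": "us-east-1a"}},
  "Db": {"Type": "AWS::RDS::DBInstance", "Properties": {"Engine": "postgres",
    "PubliclyAccessible": true, "StorageEncrypted": true}},
  "Logs": {"Type": "AWS::S3::Bucket", "Properties": {"PublicAccessBlockConfiguration": {
    "BlockPublicAcls": true, "BlockPublicPolicy": true, "IgnorePublicAcls": true,
    "RestrictPublicBuckets": true}}}}}""")

def check_template(template):
    """Return a list of (resource_name, category, detail) findings for one template."""
    findings = []
    for name, res in template.get("Resources", {}).items():
        rtype, props = res.get("Type", ""), res.get("Properties", {})
        if rtype == "AWS::EC2::SecurityGroup":
            # Overly permissive access: any ingress rule open to the whole internet.
            for rule in props.get("SecurityGroupIngress", []):
                if rule.get("CidrIp") == "0.0.0.0/0" or rule.get("CidrIpv6") == "::/0":
                    findings.append((name, "overly_permissive_access",
                                     f"ingress from anywhere on port {rule.get('FromPort')}"))
        elif rtype == "AWS::EC2::Volume" and not props.get("Encrypted"):
            # Unencrypted resource: EBS volumes are unencrypted unless Encrypted is true.
            findings.append((name, "unencrypted_resource", "EBS volume without Encrypted: true"))
        elif rtype == "AWS::RDS::DBInstance":
            if props.get("PubliclyAccessible"):
                findings.append((name, "exposed_database", "PubliclyAccessible is true"))
            if not props.get("StorageEncrypted"):
                findings.append((name, "unencrypted_resource", "StorageEncrypted not set"))
        elif rtype == "AWS::S3::Bucket":
            # Public storage: all four public-access-block settings must be enabled.
            pab = props.get("PublicAccessBlockConfiguration", {})
            keys = ("BlockPublicAcls", "BlockPublicPolicy", "IgnorePublicAcls", "RestrictPublicBuckets")
            if not all(pab.get(k) is True for k in keys):
                findings.append((name, "public_storage", "public access block not fully enabled"))
    return findings

if __name__ == "__main__":
    for finding in check_template(TEMPLATE):
        print("%-8s %-26s %s" % finding)
```

Real scanners such as those in the table below apply hundreds of such rules and also handle intrinsic functions and parameters; this script only resolves literal property values.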
IaC scanning vs. infrastructure scanning
IaC scanning and infrastructure scanning complement each other and cover different stages of the security lifecycle:
| | IaC scanning | Infrastructure scanning |
|---|---|---|
| When | Before deployment (shift-left) | After deployment (runtime) |
| Target | Configuration files in source control | Running hosts and services |
| Use case | Prevent misconfigurations from being deployed | Detect vulnerabilities in live systems |
Supported IaC scanning tools
The following IaC integrations are available through Invicti ASPM:
| Tool | Type | Supported frameworks |
|---|---|---|
| Checkmarx One IaC / KICS | Connection | Terraform, CloudFormation, Kubernetes, Dockerfile, Ansible, and more |
| Semgrep CE Config | Docker | Terraform, CloudFormation, Kubernetes |
| Snyk IaC | Connection | Terraform, CloudFormation, Kubernetes, Helm, ARM, Pulumi |
| Trivy IaC | Docker | Terraform, CloudFormation, Kubernetes, Dockerfile, Helm |