Package: Invicti AppSec Core (on-demand), Invicti AppSec Enterprise (on-premise, on-demand)
IaC overview
What is IaC scanning?
IaC (Infrastructure as Code) scanning analyzes infrastructure configuration files to identify security misconfigurations, vulnerabilities, and compliance violations before infrastructure is deployed. By shifting security checks into the development phase, IaC scanning helps teams catch issues when they are easiest and cheapest to fix.
For Invicti AppSec Core, Invicti IaC scanning is pre-activated and ready to use. No manual setup or integration is required.
How it works
IaC scanning parses infrastructure configuration files and evaluates them against security policies and best practices. The scanning process includes:
- Configuration analysis: checks resource definitions for security misconfigurations such as open ports, missing encryption, or overly permissive access.
- Policy evaluation: validates configurations against security benchmarks such as CIS Benchmarks and organizational policies.
- Compliance checks: identifies deviations from compliance frameworks before deployment.
- Dependency analysis: detects insecure module references and outdated provider versions.
Supported IaC frameworks
IaC scanning supports the following configuration formats:
- Terraform (HCL configuration files)
- AWS CloudFormation (JSON/YAML templates)
- Kubernetes manifests (YAML)
- Helm Charts
- Dockerfile
- Ansible
- Pulumi
The specific formats supported depend on the scanning tool used.
What it can discover
IaC scanning detects risks across the following categories:
| Category | Examples |
|---|---|
| Overly permissive access | Security groups allowing ingress from 0.0.0.0/0, IAM policies with wildcard permissions |
| Public storage | S3 buckets or equivalent configured with public access |
| Unencrypted resources | Databases, storage volumes, or EBS volumes defined without encryption |
| Exposed databases | RDS instances or similar resources configured with public accessibility |
| Missing logging | Resources defined without audit logging or monitoring |
| Insecure container definitions | Containers running as root, missing resource limits, hardcoded secrets |
| Compliance violations | Deviations from CIS benchmarks and other security standards |
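The following is an added illustration, not Invicti's code or any of the listed scanners: a minimal policy evaluator in the spirit of the configuration-analysis step above, run over a constructed CloudFormation-style JSON template that contains one resource per category from the table (open security group, unencrypted EBS volume, public RDS instance, public S3 bucket) plus one correctly configured volume that should produce no finding.

```python
import json

# Constructed CloudFormation-style JSON template (not from the page); each
# resource illustrates one category from the table above, plus one clean volume.
TEMPLATE = json.loads("""{"Resources": {
  "WebSg": {"Type": "AWS::EC2::SecurityGroup", "Properties": {"SecurityGroupIngress": [
      {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22, "CidrIp": "0.0.0.0/0"}]}},
  "DataVol": {"Type": "AWS::EC2::Volume", "Properties": {"Size": 100}},
  "AppDb": {"Type": "AWS::RDS::DBInstance", "Properties": {"PubliclyAccessible": true}},
  "Logs": {"Type": "AWS::S3::Bucket", "Properties": {"AccessControl": "PublicRead"}},
  "SafeVol": {"Type": "AWS::EC2::Volume", "Properties": {"Size": 10, "Encrypted": true}}
}}""")

def check_security_group(name, props):
    # Flag any ingress rule open to the whole IPv4 or IPv6 internet.
    for rule in props.get("SecurityGroupIngress", []):
        if rule.get("CidrIp") == "0.0.0.0/0" or rule.get("CidrIpv6") == "::/0":
            yield (name, "Overly permissive access",
                   f"ingress from anywhere on port {rule.get('FromPort')}")

def check_volume(name, props):
    # CloudFormation treats a missing Encrypted key as false, so absence is a finding.
    if not props.get("Encrypted", False):
        yield (name, "Unencrypted resources", "EBS volume without Encrypted: true")

def check_db(name, props):
    if props.get("PubliclyAccessible", False):
        yield (name, "Exposed databases", "RDS instance is publicly accessible")
    if not props.get("StorageEncrypted", False):
        yield (name, "Unencrypted resources", "RDS storage is not encrypted")

def check_bucket(name, props):
    if props.get("AccessControl", "Private").startswith("Public"):
        yield (name, "Public storage", f"bucket ACL is {props['AccessControl']}")

# Map each resource type to the policy check that applies to it.
CHECKS = {"AWS::EC2::SecurityGroup": check_security_group,
          "AWS::EC2::Volume": check_volume,
          "AWS::RDS::DBInstance": check_db,
          "AWS::S3::Bucket": check_bucket}

def scan(template):
    """Return sorted (resource, category, detail) findings for one template."""
    findings = []
    for name, res in template.get("Resources", {}).items():
        check = CHECKS.get(res.get("Type"))
        if check:
            findings.extend(check(name, res.get("Properties", {})))
    return sorted(findings)
```

Running `scan(TEMPLATE)` reports five findings across four resources and nothing for `SafeVol`; a real scanner applies hundreds of such rules per resource type, but the shape (parse, dispatch by resource type, emit a categorized finding) is the same.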
Invicti IaC editions
Invicti AppSec supports two editions of IaC scanning:
| Edition | Package | Activation |
|---|---|---|
| Invicti IaC | AppSec Core | Pre-activated, no setup required |
| Third-party IaC tools | AppSec Enterprise | Requires manual activation under Integrations |
For AppSec Enterprise, supported third-party IaC scanning tools include Checkmarx KICS, Checkov, tfsec, Snyk IaC, Trivy IaC, and Semgrep Config. See Third-party scanners overview for the full list.
Need help?
The Invicti Support team is ready to provide you with technical help. Go to Help Center