How to scan infrastructure-as-code for misconfigurations in CI
Add automated IaC security scanning to CI to catch insecure Terraform and Kubernetes configuration before it ships, with severity gates and justified suppressions.
What and why
Infrastructure-as-code can ship insecure defaults: public buckets, open security groups, unencrypted volumes. Scanning IaC in CI catches these as code, before they become real resources. This tutorial adds a scanner that fails builds on high-severity misconfigurations.
Prerequisites
- Terraform or Kubernetes configuration in a repository.
- A CI pipeline.
- Basic security awareness.
Steps
1. Pick an IaC scanner
Tools such as Checkov, tfsec, or Trivy analyze IaC against a policy library. Choose one that covers your stack; Trivy and Checkov handle both Terraform and Kubernetes.
2. Add the scan step
- uses: aquasecurity/trivy-action@0.24.0
with:
scan-type: config
scan-ref: .
severity: HIGH,CRITICAL
The scanner walks your IaC files and reports policy violations.
3. Set a severity threshold
Fail only on severities you treat as blocking, such as HIGH and CRITICAL, while reporting lower ones. This keeps the gate meaningful and avoids alert fatigue.
4. Triage findings
Review each finding: confirm it is real, understand the risk, and fix the configuration. Most findings map to a concrete change, such as enabling encryption or restricting a CIDR range.
5. Suppress accepted risks
For a genuine false positive or accepted risk, suppress it inline with a documented reason:
# trivy:ignore:AVD-AWS-0089 bucket is intentionally public for static site
Suppressions must be specific and justified, not blanket disables.
Verification
Introduce an insecure resource, such as a public bucket, and confirm the build fails with the finding. Fix it and confirm the build passes. Add a documented suppression and confirm it is honored.
Next Steps
Upload results in SARIF so findings appear in the code-scanning UI. Run the scan on pull requests for early feedback. Track suppression debt so accepted risks are revisited.
Prerequisites
- Terraform or Kubernetes config in a repo
- A CI pipeline
- Basic security awareness
Steps
- 1Pick an IaC scanner
- 2Add the scan step
- 3Set a severity threshold
- 4Triage findings
- 5Suppress accepted risks
- 6Verify the gate