Skip to main content

How to scan infrastructure-as-code for misconfigurations in CI

Add automated IaC security scanning to CI to catch insecure Terraform and Kubernetes configuration before it ships, with severity gates and justified suppressions.

Difficulty
Intermediate
Duration
35 minutes
Steps
6

What and why

Infrastructure-as-code can ship insecure defaults: public buckets, open security groups, unencrypted volumes. Scanning IaC in CI catches these as code, before they become real resources. This tutorial adds a scanner that fails builds on high-severity misconfigurations.

Prerequisites

  • Terraform or Kubernetes configuration in a repository.
  • A CI pipeline.
  • Basic security awareness.

Steps

1. Pick an IaC scanner

Tools such as Checkov, tfsec, or Trivy analyze IaC against a policy library. Choose one that covers your stack; Trivy and Checkov handle both Terraform and Kubernetes.

2. Add the scan step

      - uses: aquasecurity/trivy-action@0.24.0
        with:
          scan-type: config
          scan-ref: .
          severity: HIGH,CRITICAL

The scanner walks your IaC files and reports policy violations.

3. Set a severity threshold

Fail only on severities you treat as blocking, such as HIGH and CRITICAL, while reporting lower ones. This keeps the gate meaningful and avoids alert fatigue.

4. Triage findings

Review each finding: confirm it is real, understand the risk, and fix the configuration. Most findings map to a concrete change, such as enabling encryption or restricting a CIDR range.

5. Suppress accepted risks

For a genuine false positive or accepted risk, suppress it inline with a documented reason:

# trivy:ignore:AVD-AWS-0089 bucket is intentionally public for static site

Suppressions must be specific and justified, not blanket disables.

Verification

Introduce an insecure resource, such as a public bucket, and confirm the build fails with the finding. Fix it and confirm the build passes. Add a documented suppression and confirm it is honored.

Next Steps

Upload results in SARIF so findings appear in the code-scanning UI. Run the scan on pull requests for early feedback. Track suppression debt so accepted risks are revisited.

Prerequisites

  • Terraform or Kubernetes config in a repo
  • A CI pipeline
  • Basic security awareness

Steps

  • 1
    Pick an IaC scanner
  • 2
    Add the scan step
  • 3
    Set a severity threshold
  • 4
    Triage findings
  • 5
    Suppress accepted risks
  • 6
    Verify the gate