# IaC Scanning

Infrastructure as Code (IaC) has transformed how organizations define, provision, and manage cloud infrastructure — replacing manual configuration with version-controlled, repeatable code. However, misconfigurations in IaC files are now one of the leading causes of cloud security breaches. A single misconfigured Terraform file, insecure Kubernetes manifest, or misconfigured Helm chart can expose an entire production environment.

OpsMx integrates with TFSec — an open-source Infrastructure as Code security scanner — to identify misconfigurations, enforce security best practices, and reduce risks in your infrastructure deployments. This ensures your Terraform code is secure, compliant, and production-ready.

OpsMx integrates with Kubescape — an open-source Kubernetes security platform — to secure Kubernetes clusters, ensure compliance, and enable a proactive approach to DevSecOps. Security checks are integrated directly into the CI/CD pipeline to remain resilient against vulnerabilities and misconfigurations.

## Why Use IaC Security in OpsMx

Infrastructure misconfigurations are the root cause of many high-profile cloud breaches — and they are entirely preventable with early detection. Scanning IaC before deployment is dramatically cheaper and safer than discovering misconfigurations in production.

OpsMx uses IaC Security in Delivery Shield to:

* **Catch misconfigurations before they are deployed** — not after a breach has occurred
* **Enforce consistent security standards** across Terraform, Kubernetes, Helm, and Dockerfile assets regardless of team or cloud provider
* **Block insecure deployments automatically** via Deployment Firewall integration with Kubescape scan results
* **Continuously monitor live clusters** so drift from the secure baseline is detected in real time
* **Unify IaC findings** with SAST, SCA, DAST, and container scan results in a single security posture view
* **Maintain audit-ready compliance evidence** aligned with CIS, NSA, NIST, and MITRE frameworks

## How IaC Security Works in OpsMx Delivery Shield

When a pipeline is triggered or an ad hoc scan is initiated, Delivery Shield:

1. **Detects** IaC files across the target — Terraform (HCL/JSON), Kubernetes YAML, Helm charts, Dockerfiles, and CloudFormation
2. **Scans** using Trivy (TFSec engine) for Terraform and Kubescape for Kubernetes and Helm assets
3. **Evaluates** findings against built-in security framework rules and custom OPA policies
4. **Scores** misconfigurations by severity (Critical, High, Medium, Low)
5. **Reports** results in the **Deploy section of the DBOM page** and the **View Open Security Issues page**
6. **Blocks** deployments to insecure clusters based on Kubescape scan results, via the Deployment Firewall
7. **Recommends** remediation steps per finding with actionable fix guidance
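As an added example (not OpsMx or Delivery Shield code), steps 3 to 6 above reduced to a small severity gate: it flattens findings from a report in the shape of Trivy's `trivy config --format json` output, counts them by severity, and blocks when any unsuppressed finding meets the configured threshold. The report contents, check IDs and titles are constructed placeholders, and the threshold and ignore list stand in for the severity thresholds and custom rules configured in the integration.

```python
import json
from collections import Counter

SEVERITY_RANK = {"LOW": 1, "MEDIUM": 2, "HIGH": 3, "CRITICAL": 4}

# Constructed sample shaped like `trivy config --format json` output
# (Results[].Misconfigurations[]); IDs and titles are placeholders, not real rule IDs.
SAMPLE_REPORT = json.dumps({"Results": [
    {"Target": "main.tf", "Type": "terraform", "Misconfigurations": [
        {"ID": "EXAMPLE-S3-001", "Severity": "HIGH", "Status": "FAIL",
         "Title": "S3 bucket has no server-side encryption",
         "Resolution": "Add a server_side_encryption_configuration block"},
        {"ID": "EXAMPLE-S3-002", "Severity": "CRITICAL", "Status": "FAIL",
         "Title": "S3 bucket ACL allows public read",
         "Resolution": "Use acl = \"private\" and an aws_s3_bucket_public_access_block"},
        {"ID": "EXAMPLE-S3-004", "Severity": "HIGH", "Status": "PASS",
         "Title": "S3 bucket versioning is enabled", "Resolution": ""}]},
    {"Target": "deploy.yaml", "Type": "kubernetes", "Misconfigurations": [
        {"ID": "EXAMPLE-K8S-001", "Severity": "MEDIUM", "Status": "FAIL",
         "Title": "Container may run as root",
         "Resolution": "Set securityContext.runAsNonRoot: true"}]}]})

def parse_findings(report_json):
    """Flatten FAIL misconfigurations from every scanned file; PASS rows are skipped."""
    findings = []
    for result in json.loads(report_json).get("Results", []):
        for m in result.get("Misconfigurations", []):
            if m.get("Status", "FAIL") != "FAIL":
                continue
            findings.append({"target": result.get("Target", "?"), "id": m.get("ID", "?"),
                             "severity": m.get("Severity", "UNKNOWN").upper(),
                             "title": m.get("Title", ""), "resolution": m.get("Resolution", "")})
    return findings

def evaluate_gate(findings, block_at="HIGH", ignore_ids=()):
    """Severity-threshold gate: returns (allowed, counts per severity, blocking findings)."""
    threshold = SEVERITY_RANK[block_at.upper()]
    counts = Counter(f["severity"] for f in findings)
    # An unrecognised severity ranks as CRITICAL so the gate fails closed.
    blocking = [f for f in findings if f["id"] not in ignore_ids
                and SEVERITY_RANK.get(f["severity"], SEVERITY_RANK["CRITICAL"]) >= threshold]
    return not blocking, counts, blocking

if __name__ == "__main__":
    allowed, counts, blocking = evaluate_gate(parse_findings(SAMPLE_REPORT), block_at="HIGH")
    print("deployment allowed:", allowed, dict(counts))
    for f in blocking:  # each blocking finding carries its remediation hint
        print(f"  [{f['severity']}] {f['target']} {f['id']}: {f['title']} -> {f['resolution']}")
```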

## Supported IaC Scanning Tools

**Trivy — Terraform & Multi-Format IaC Scanning**

Trivy analyzes Terraform configurations — both JSON and HCL files — to detect vulnerabilities, misconfigurations, and deviations from security standards. It analyzes interdependencies between resources for end-to-end vulnerability detection in complex configurations.

Delivery Shield also pulls IaC configuration scan results from Trivy alongside other scan results — such as container image and secret scans — and uses all of this data to calculate the overall risk of the application.

**Kubescape — Kubernetes & Helm Security**

Kubescape is used to assess the security posture of Kubernetes clusters by identifying potential vulnerabilities and misconfigurations. It scans Kubernetes cluster configuration and resources, looking for security issues, vulnerabilities, and best practice violations.

SSD uses Kubescape to perform security analysis on Kubernetes clusters. It runs security scans on clusters before deployment and blocks deployments in insecure clusters. The scanned results help in calculating the overall image and application risk. These results are available in the Deploy section of the DBOM page as well as in the View Open Security Issues page.

Delivery Shield offers continuous monitoring of Kubernetes clusters by detecting changes in application deployments in real time. For each change, Delivery Shield evaluates specific security policies and can prevent actions that violate these policies. Before any deployment, Kubescape's scan results are reviewed to ensure the Kubernetes cluster is secure and compliant with industry standards like CIS benchmarks.

## Security Frameworks & Compliance Standards Covered

| Framework                          | Tool              | Coverage                                      |
| ---------------------------------- | ----------------- | --------------------------------------------- |
| **CIS Benchmarks**                 | Kubescape + Trivy | Kubernetes, AWS, Azure, GCP hardening         |
| **AWS Well-Architected Framework** | Trivy (TFSec)     | Terraform AWS resource security               |
| **NIST 800-53**                    | Kubescape + Trivy | Infrastructure security controls              |
| **NSA-CISA Kubernetes Hardening**  | Kubescape         | Kubernetes cluster security                   |
| **MITRE ATT\&CK**                  | Kubescape         | Threat-based attack surface                   |
| **PCI DSS**                        | Kubescape + Trivy | Infrastructure compliance for payment systems |
| **SOC 2**                          | Kubescape         | Kubernetes security compliance                |

## Benefits for the User

**1. Shift Infrastructure Security Left**

Misconfigurations are caught in the pipeline — during code review, PR, or build — before they are applied to any environment. Kubescape empowers developers to fix security issues earlier in the SDLC — reducing both risks and remediation costs.

**2. Automated, Continuous Coverage — No Manual Reviews**

Delivery Shield offers continuous monitoring of Kubernetes clusters by detecting changes in application deployments in real time. Every IaC change is scanned automatically — no manual security review required.

**3. Pre-Deployment Blocking**

Delivery Shield runs security scans on clusters before deployment and blocks deployments in insecure clusters — ensuring no misconfigured infrastructure ever reaches production undetected.

**4. Multi-Cloud, Multi-Format Coverage in One Tool**

A single Delivery Shield integration covers Terraform on AWS, Azure, and GCP; Kubernetes manifests; Helm charts; and Docker files — without needing separate IaC scanners per cloud or format.

**5. Framework-Aligned Compliance Evidence**

Out-of-the-box compliance checks for frameworks like CIS, NIST, and PCI DSS ensure readiness for audits. Every scan result is traceable to a specific framework control — providing ready-made audit evidence.

**6. Custom Policies for Org-Specific Standards**

Predefined and custom policies can be tailored to address organization-specific needs. Security and platform teams define the rules once — Delivery Shield enforces them everywhere, consistently.

**7. Unified View Alongside Application Security**

IaC scan results appear in the same dashboard as SAST, SCA, DAST, Secrets, and SBOM findings — giving security teams a complete picture of risk across both application code and infrastructure, in a single pane of glass.

## Setting Up IaC Security in Delivery Shield

**For TFSec / Trivy IaC Scanning:**

1. Navigate to **Setup → Integrations** in Delivery Shield.
2. In the **Source Scan** panel, locate **Trivy**.
3. Enable the IaC scanning toggle.
4. Connect your Terraform repository or specify the scan target path.
5. Configure severity thresholds and any custom rules.
6. IaC scans trigger automatically on pipeline events or can be run ad hoc.

**For Kubescape — Kubernetes & Helm Scanning:**

1. Navigate to **Config → Integrations** in Delivery Shield.
2. In the **Artifact** panel, click **Kubescape**.
3. Enable or disable the Helm Scan toggle as required.
4. Kubescape is integrated as part of Delivery Shield — no separate installation is required.
5. Results from Kubescape appear automatically in the **Deploy section of the DBOM page** and the **View Open Security Issues page**.

## Viewing IaC Scan Results in Delivery Shield

IaC scan results are available in the following locations:

* **Deploy section of the DBOM page** — Kubescape cluster and Helm scan results tied to each deployment record
* **View Open Security Issues page** — all active IaC findings requiring action, prioritized by risk severity
* **Vulnerability Management page** — consolidated view of IaC findings alongside SAST, SCA, and DAST results
* **Artifact pages** — Trivy IaC results for specific build artifacts

Each finding shows the affected resource, misconfiguration type, severity level, the violated framework rule, and actionable remediation guidance.
