IaC Scanning

Infrastructure as Code (IaC) has transformed how organizations define, provision, and manage cloud infrastructure — replacing manual configuration with version-controlled, repeatable code. However, misconfigurations in IaC files are now one of the leading causes of cloud security breaches. A single misconfigured Terraform file, insecure Kubernetes manifest, or misconfigured Helm chart can expose an entire production environment.

OpsMx integrates with TFSec — an open-source Infrastructure as Code security scanner — to identify misconfigurations, enforce security best practices, and reduce risks in your infrastructure deployments. This ensures your Terraform code is secure, compliant, and production-ready.

OpsMx integrates with Kubescape — an open-source Kubernetes security platform — to secure Kubernetes clusters, ensure compliance, and enable a proactive approach to DevSecOps. Security checks are integrated directly into the CI/CD pipeline to remain resilient against vulnerabilities and misconfigurations.

Why Use IaC Security in OpsMx

Infrastructure misconfigurations are the root cause of many high-profile cloud breaches — and they are entirely preventable with early detection. Scanning IaC before deployment is dramatically cheaper and safer than discovering misconfigurations in production.

OpsMx uses IaC Security in Delivery Shield to:

  • Catch misconfigurations before they are deployed — not after a breach has occurred

  • Enforce consistent security standards across Terraform, Kubernetes, Helm, and Dockerfile assets regardless of team or cloud provider

  • Block insecure deployments automatically via Deployment Firewall integration with Kubescape scan results

  • Continuously monitor live clusters so drift from the secure baseline is detected in real time

  • Unify IaC findings with SAST, SCA, DAST, and container scan results in a single security posture view

  • Maintain audit-ready compliance evidence aligned with CIS, NSA, NIST, and MITRE frameworks

How IaC Security Works in OpsMx Delivery Shield

When a pipeline is triggered or an ad hoc scan is initiated, Delivery Shield:

  1. Detects IaC files across the target — Terraform (HCL/JSON), Kubernetes YAML, Helm charts, Dockerfiles, and CloudFormation

  2. Scans using Trivy (TFSec engine) for Terraform and Kubescape for Kubernetes and Helm assets

  3. Evaluates findings against built-in security framework rules and custom OPA policies

  4. Scores misconfigurations by severity (Critical, High, Medium, Low)

  5. Reports results in the Deploy section of the DBOM page and the View Open Security Issues page

  6. Blocks deployments to insecure clusters based on Kubescape scan results, via the Deployment Firewall

  7. Recommends remediation steps per finding with actionable fix guidance
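As an added illustration of steps 3 to 7, the Python script below (example code written for this page, not Delivery Shield's or Trivy's own implementation) reads a report in the shape of Trivy's JSON output, keeps only failing checks, tallies them by severity, applies a configurable severity threshold to reach an allow/block decision, and renders one remediation line per finding. The report content, check IDs, file paths and resource names are constructed placeholders; the JSON field names (Results, Target, Misconfigurations, Severity, Status, Resolution, CauseMetadata) follow Trivy's JSON report format.

```python
import json
from collections import Counter

# Trivy severity strings, ranked highest first; anything else is treated as UNKNOWN.
SEVERITY_ORDER = ["CRITICAL", "HIGH", "MEDIUM", "LOW", "UNKNOWN"]


def rank(severity):
    """Lower rank means more severe; unrecognised or missing strings rank as UNKNOWN."""
    severity = (severity or "UNKNOWN").upper()
    return SEVERITY_ORDER.index(severity if severity in SEVERITY_ORDER else "UNKNOWN")


# Constructed sample in the shape of a Trivy JSON report (`trivy config --format json`).
# Check IDs, titles, paths and resource names are placeholders, not real Trivy findings.
SAMPLE_TRIVY_REPORT = json.dumps({
    "Results": [
        {
            "Target": "modules/storage/main.tf", "Class": "config", "Type": "terraform",
            "MisconfSummary": {"Successes": 1, "Failures": 3, "Exceptions": 0},
            "Misconfigurations": [
                {"ID": "EXAMPLE-S3-0001", "Title": "Bucket ACL allows public access",
                 "Severity": "CRITICAL", "Status": "FAIL",
                 "Resolution": 'Set acl = "private" and add an aws_s3_bucket_public_access_block',
                 "CauseMetadata": {"Resource": "aws_s3_bucket.logs", "StartLine": 12, "EndLine": 18}},
                {"ID": "EXAMPLE-S3-0002", "Title": "Bucket is not encrypted at rest",
                 "Severity": "HIGH", "Status": "FAIL",
                 "Resolution": "Add server_side_encryption_configuration with a KMS key",
                 "CauseMetadata": {"Resource": "aws_s3_bucket.logs", "StartLine": 12, "EndLine": 18}},
                {"ID": "EXAMPLE-S3-0003", "Title": "Bucket has no access logging",
                 "Severity": "LOW", "Status": "FAIL",
                 "Resolution": "Add a logging block pointing at an audit bucket",
                 "CauseMetadata": {"Resource": "aws_s3_bucket.logs", "StartLine": 12, "EndLine": 18}},
                {"ID": "EXAMPLE-S3-0004", "Title": "Bucket versioning check",
                 "Severity": "MEDIUM", "Status": "PASS", "Resolution": "",
                 "CauseMetadata": {"Resource": "aws_s3_bucket.logs", "StartLine": 12, "EndLine": 18}},
            ],
        },
        {
            "Target": "Dockerfile", "Class": "config", "Type": "dockerfile",
            "MisconfSummary": {"Successes": 0, "Failures": 1, "Exceptions": 0},
            "Misconfigurations": [
                {"ID": "EXAMPLE-DF-0001", "Title": "Image runs as root (no USER instruction)",
                 "Severity": "MEDIUM", "Status": "FAIL",
                 "Resolution": "Add a USER instruction for a non-root user",
                 "CauseMetadata": {"Resource": "Dockerfile", "StartLine": 1, "EndLine": 9}},
            ],
        },
    ]
})


def load_failures(report_text):
    """Flatten a Trivy report into one list of failing findings (PASS entries are dropped)."""
    findings = []
    for result in json.loads(report_text).get("Results", []):
        for m in result.get("Misconfigurations", []):
            if m.get("Status") != "FAIL":
                continue  # PASS rows only appear with --include-non-failures and must not count
            cause = m.get("CauseMetadata", {})
            findings.append({
                "target": result.get("Target", "<unknown>"),
                "type": result.get("Type", "<unknown>"),
                "resource": cause.get("Resource", "<unknown>"),
                "lines": (cause.get("StartLine"), cause.get("EndLine")),
                "id": m.get("ID", "<no-id>"),
                "title": m.get("Title", ""),
                "severity": SEVERITY_ORDER[rank(m.get("Severity"))],
                "resolution": m.get("Resolution", ""),
            })
    return findings


def count_by_severity(findings):
    """Step 4: a per-severity tally of failing checks."""
    return Counter(f["severity"] for f in findings)


def gate(findings, fail_on="HIGH"):
    """Step 6: block when any failing check is at or above the configured severity.

    Returns (allowed, blocking) with the blocking findings sorted most-severe-first."""
    limit = rank(fail_on)
    blocking = sorted((f for f in findings if rank(f["severity"]) <= limit),
                      key=lambda f: (rank(f["severity"]), f["target"], f["id"]))
    return not blocking, blocking


def render(findings):
    """Step 7: one remediation line per finding, most severe first."""
    ordered = sorted(findings, key=lambda f: (rank(f["severity"]), f["target"], f["id"]))
    return [f"[{f['severity']}] {f['id']} {f['target']}:{f['lines'][0]}-{f['lines'][1]} "
            f"{f['resource']}: {f['title']}. Fix: {f['resolution']}" for f in ordered]


if __name__ == "__main__":
    found = load_failures(SAMPLE_TRIVY_REPORT)
    print("Failing checks by severity:", dict(count_by_severity(found)))
    allowed, blocking = gate(found, fail_on="HIGH")
    print("Deployment allowed:", allowed, "| blocking findings:", len(blocking))
    for line in render(found):
        print(line)
```

The threshold is deliberately a single "fail on this severity or worse" value, because that is the simplest policy to reason about and to audit; a pipeline that needs per-severity budgets (for example, tolerate up to five MEDIUM findings) can compare the Counter from count_by_severity against a budget table instead.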

Supported IaC Scanning Tools

Trivy — Terraform & Multi-Format IaC Scanning

Trivy analyzes Terraform configurations — both JSON and HCL files — to detect vulnerabilities, misconfigurations, and deviations from security standards. It analyzes interdependencies between resources for end-to-end vulnerability detection in complex configurations.

Delivery Shield also pulls IaC configuration scan results from Trivy alongside other scan results — such as container image and secret scans — and uses all of this data to calculate the overall risk of the application.

Kubescape — Kubernetes & Helm Security

Kubescape is used to assess the security posture of Kubernetes clusters by identifying potential vulnerabilities and misconfigurations. It scans Kubernetes cluster configuration and resources, looking for security issues, vulnerabilities, and best practice violations.

SSD uses Kubescape to perform security analysis on Kubernetes clusters. It runs security scans on clusters before deployment and blocks deployments to insecure clusters. The scan results feed into the overall image and application risk calculation, and they are available in the Deploy section of the DBOM page as well as on the View Open Security Issues page.

Delivery Shield offers continuous monitoring of Kubernetes clusters by detecting changes in application deployments in real time. For each change, Delivery Shield evaluates specific security policies and can prevent actions that violate these policies. Before any deployment, Kubescape's scan results are reviewed to ensure the Kubernetes cluster is secure and compliant with industry standards like CIS benchmarks.
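To make concrete the kind of control a Kubernetes scanner evaluates against a workload, here is an added example written for this page (it is not Kubescape's or Delivery Shield's code) that applies a handful of NSA-CISA-style pod hardening checks to a workload manifest: host namespace sharing, privileged containers, privilege escalation, running as root, writable root filesystem, undropped capabilities, missing resource limits and mutable image tags. It goes slightly beyond the page's Deployment case by locating the pod spec in Pods, StatefulSets, DaemonSets, Jobs and CronJobs as well. The two manifests are constructed (names, namespace and registry are placeholders), and the control names and severities are this example's own, not Kubescape control IDs.

```python
# Constructed Deployment manifests, shown as the Python dicts a YAML parser would produce.
# Names, namespace and image registry are placeholders.
INSECURE_DEPLOYMENT = {
    "apiVersion": "apps/v1", "kind": "Deployment",
    "metadata": {"name": "payments-api", "namespace": "prod"},
    "spec": {"template": {"spec": {
        "hostNetwork": True,  # shares the node's network namespace
        "containers": [{
            "name": "api",
            "image": "registry.example.internal/payments-api:latest",
            "securityContext": {"privileged": True},
        }],
    }}},
}

HARDENED_DEPLOYMENT = {
    "apiVersion": "apps/v1", "kind": "Deployment",
    "metadata": {"name": "payments-api", "namespace": "prod"},
    "spec": {"template": {"spec": {
        "securityContext": {"runAsNonRoot": True, "seccompProfile": {"type": "RuntimeDefault"}},
        "containers": [{
            "name": "api",
            "image": "registry.example.internal/payments-api:1.4.2",
            "securityContext": {
                "privileged": False,
                "allowPrivilegeEscalation": False,
                "readOnlyRootFilesystem": True,
                "capabilities": {"drop": ["ALL"]},
            },
            "resources": {"requests": {"cpu": "100m", "memory": "128Mi"},
                          "limits": {"cpu": "500m", "memory": "256Mi"}},
        }],
    }}},
}


def pod_spec(manifest):
    """Locate the pod spec for the workload kinds that embed one; None for other kinds."""
    kind = manifest.get("kind")
    spec = manifest.get("spec", {})
    if kind == "Pod":
        return spec
    if kind in ("Deployment", "StatefulSet", "DaemonSet", "ReplicaSet", "Job"):
        return spec.get("template", {}).get("spec")
    if kind == "CronJob":
        return spec.get("jobTemplate", {}).get("spec", {}).get("template", {}).get("spec")
    return None


def check_workload(manifest):
    """Return a list of (severity, control, location) findings for one workload manifest."""
    findings = []
    spec = pod_spec(manifest)
    if spec is None:
        return findings
    where = f"{manifest.get('kind')}/{manifest.get('metadata', {}).get('name', '<unnamed>')}"

    for flag in ("hostNetwork", "hostPID", "hostIPC"):
        if spec.get(flag):
            findings.append(("HIGH", f"{flag} shares a node namespace", where))

    pod_sc = spec.get("securityContext") or {}
    for c in spec.get("containers", []) + spec.get("initContainers", []):
        loc = f"{where} container={c.get('name', '<unnamed>')}"
        sc = c.get("securityContext") or {}
        if sc.get("privileged"):
            findings.append(("CRITICAL", "privileged container", loc))
        # allowPrivilegeEscalation defaults to true when unset, so absence is a finding
        if sc.get("allowPrivilegeEscalation", True):
            findings.append(("HIGH", "allowPrivilegeEscalation not set to false", loc))
        # runAsNonRoot may be set at pod or container level; the container level wins
        if not sc.get("runAsNonRoot", pod_sc.get("runAsNonRoot", False)):
            findings.append(("HIGH", "runAsNonRoot not enforced", loc))
        if not sc.get("readOnlyRootFilesystem"):
            findings.append(("MEDIUM", "root filesystem is writable", loc))
        if "ALL" not in (sc.get("capabilities") or {}).get("drop", []):
            findings.append(("MEDIUM", "capabilities not dropped (drop: [ALL])", loc))
        if not (c.get("resources") or {}).get("limits"):
            findings.append(("MEDIUM", "no resource limits", loc))
        ref = c.get("image", "").rsplit("/", 1)[-1]  # last path segment keeps registry ports out
        if ref.endswith(":latest") or (":" not in ref and "@" not in ref):
            findings.append(("LOW", "mutable image tag", loc))
    return findings


def worst_severity(findings):
    """Highest severity present, or None for a clean manifest."""
    present = {f[0] for f in findings}
    return next((s for s in ("CRITICAL", "HIGH", "MEDIUM", "LOW") if s in present), None)


if __name__ == "__main__":
    for m in (INSECURE_DEPLOYMENT, HARDENED_DEPLOYMENT):
        result = check_workload(m)
        print(f"{m['kind']}/{m['metadata']['name']}: {len(result)} findings, worst={worst_severity(result)}")
        for sev, control, loc in result:
            print(f"  [{sev}] {control} ({loc})")
```

Running it reports eight findings (worst CRITICAL) for the insecure manifest and none for the hardened one, which is the before/after contrast a pre-deployment gate relies on; note that two of the checks fire on an absent field because the Kubernetes defaults (allowPrivilegeEscalation true, root user) are the unsafe ones.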

Security Frameworks & Compliance Standards Covered

Framework | Tool | Coverage
--- | --- | ---
CIS Benchmarks | Kubescape + Trivy | Kubernetes, AWS, Azure, GCP hardening
AWS Well-Architected Framework | Trivy (TFSec) | Terraform AWS resource security
NIST 800-53 | Kubescape + Trivy | Infrastructure security controls
NSA-CISA Kubernetes Hardening | Kubescape | Kubernetes cluster security
MITRE ATT&CK | Kubescape | Threat-based attack surface
PCI DSS | Kubescape + Trivy | Infrastructure compliance for payment systems
SOC 2 | Kubescape | Kubernetes security compliance

Benefits for the User

1. Shift Infrastructure Security Left

Misconfigurations are caught in the pipeline — during code review, PR, or build — before they are applied to any environment. Kubescape empowers developers to fix security issues earlier in the SDLC — reducing both risks and remediation costs.

2. Automated, Continuous Coverage — No Manual Reviews

Delivery Shield offers continuous monitoring of Kubernetes clusters by detecting changes in application deployments in real time. Every IaC change is scanned automatically — no manual security review required.

3. Pre-Deployment Blocking

Delivery Shield runs security scans on clusters before deployment and blocks deployments in insecure clusters — ensuring no misconfigured infrastructure ever reaches production undetected.

4. Multi-Cloud, Multi-Format Coverage in One Tool

A single Delivery Shield integration covers Terraform on AWS, Azure, and GCP; Kubernetes manifests; Helm charts; and Dockerfiles, without needing separate IaC scanners per cloud or format.

5. Framework-Aligned Compliance Evidence

Out-of-the-box compliance checks for frameworks like CIS, NIST, and PCI DSS ensure readiness for audits. Every scan result is traceable to a specific framework control — providing ready-made audit evidence.

6. Custom Policies for Org-Specific Standards

Predefined and custom policies can be tailored to address organization-specific needs. Security and platform teams define the rules once — Delivery Shield enforces them everywhere, consistently.

7. Unified View Alongside Application Security

IaC scan results appear in the same dashboard as SAST, SCA, DAST, Secrets, and SBOM findings — giving security teams a complete picture of risk across both application code and infrastructure, in a single pane of glass.

Setting Up IaC Security in Delivery Shield

For TFSec / Trivy IaC Scanning:

  1. Navigate to Setup → Integrations in Delivery Shield.

  2. In the Source Scan panel, locate Trivy.

  3. Enable the IaC scanning toggle.

  4. Connect your Terraform repository or specify the scan target path.

  5. Configure severity thresholds and any custom rules.

  6. IaC scans trigger automatically on pipeline events or can be run ad hoc.

For Kubescape — Kubernetes & Helm Scanning:

  1. Navigate to Config → Integrations in Delivery Shield.

  2. In the Artifact panel, click Kubescape.

  3. Enable or disable the Helm Scan toggle as required.

  4. Kubescape is integrated as part of Delivery Shield; no separate installation is required.

  5. Results from Kubescape appear automatically in the Deploy section of the DBOM page and the View Open Security Issues page.

Viewing IaC Scan Results in Delivery Shield

IaC scan results are available in the following locations:

  • Deploy section of the DBOM page — Kubescape cluster and Helm scan results tied to each deployment record

  • View Open Security Issues page — all active IaC findings requiring action, prioritized by risk severity

  • Vulnerability Management page — consolidated view of IaC findings alongside SAST, SCA, and DAST results

  • Artifact pages — Trivy IaC results for specific build artifacts

Each finding shows the affected resource, misconfiguration type, severity level, the violated framework rule, and actionable remediation guidance.
