Safeguard
Topic

Cloud Security

In-depth guides and analysis on cloud security from the Safeguard engineering team.

237 articles

Cloud Security

CNAPPs in 2025: What Cloud-Native Application Protection Platforms Actually Protect

CNAPP has become the dominant category in cloud security. But the label covers wildly different capabilities. A clear-eyed look at what CNAPPs do, where they fall short, and how supply chain security fits in.

Sep 5, 20257 min read
Cloud Security

How Snyk IaC's static analysis engine parses Terraform HC...

A technical walkthrough of how Snyk IaC parses Terraform HCL into JSON, evaluates it with OPA/Rego policies, and maps violations back to source lines.

Sep 3, 20257 min read
Cloud Security

How Snyk IaC's 400+ rule library maps to CIS benchmarks a...

How Snyk IaC's 400+ rules trace to numbered CIS AWS, Azure, GCP, and Kubernetes benchmark controls — and where benchmark-mapped scanning stops short.

Sep 3, 20258 min read
Cloud Security

How to write a custom Snyk IaC rule in Rego using the Rul...

A technical walkthrough of Snyk's IaC Rules SDK: scaffolding, writing Rego deny rules, local testing, bundling, and org-wide enforcement via OCI registries.

Sep 2, 20258 min read
Cloud Security

How Snyk IaC's Terraform Cloud run tasks gate infrastruct...

How Snyk IaC uses Terraform Cloud's run tasks to scan plan output and block infrastructure changes before apply — the mechanics, enforcement levels, and limits.

Sep 2, 20257 min read
Cloud Security

How Snyk IaC scans a Terraform Plan JSON file to catch dr...

How Snyk IaC parses Terraform plan JSON's resource_changes to catch drift and misconfigurations before terraform apply — the mechanics, limits, and what it can't see.

Sep 2, 20257 min read
Cloud Security

How Snyk IaC correlates code-level misconfigurations with...

How Snyk's Cloud Context feature joins Terraform and CloudFormation misconfigurations to live AWS, Azure, and GCP resources — and where that correlation model breaks down.

Sep 1, 20257 min read
Cloud Security

How Snyk IaC's severity scoring weighs the exploitability...

A mechanical look at how Snyk IaC assigns Critical-to-Low severity to misconfigurations, and how exploitability factors like exposure and privilege requirements shape the rating.

Sep 1, 20257 min read
Cloud Security

How Snyk IaC's custom rule SDK structures resource-attrib...

A technical look at how Snyk IaC's Rego-based SDK normalizes Terraform, CloudFormation, Kubernetes, and ARM into one resource-attribute query model.

Sep 1, 20256 min read
Cloud Security

How Snyk IaC handles Terraform modules and remote module ...

How Snyk IaC statically parses Terraform, resolves local modules inline, and why remote Registry or Git modules stay unexpanded until a Terraform plan is scanned.

Aug 31, 20257 min read
Cloud Security

How an organization's custom policy set overrides Snyk Ia...

How Snyk IaC's Rego-based custom rules layer onto, disable, or supplement default policies — and what that means for enforcing org-specific IaC standards.

Aug 31, 20257 min read
Cloud Security

How Snyk IaC detects overly permissive IAM policies in Te...

A mechanical walkthrough of how Snyk IaC parses Terraform and CloudFormation, normalizes IAM policies into one model, and flags wildcard actions, resources, and principals before deploy.

Aug 31, 20256 min read
Cloud Security (Page 17) — Supply Chain Security Blog | Safeguard