Infrastructure Security
In-depth guides and analysis on infrastructure security from the Safeguard engineering team.
52 articles
Scanning Terraform code for security misconfigurations
Public S3 buckets, open security groups, and wildcard IAM policies are the recurring Terraform mistakes behind most cloud breaches — here's how to catch them before apply.
Terraform Cloud security integration guide
A practical breakdown of Terraform Cloud security: state file exposure, Sentinel/OPA policy gaps, Run Tasks trust risks, and drift monitoring.
Managing Terraform state file security risks
Terraform state files store database passwords, IAM keys, and private keys in plaintext. Here's how they leak, why encryption alone won't save you, and how to lock them down.
Detecting drift between IaC and live cloud infrastructure
IaC and live cloud state drift apart within days of every deploy. Here's how drift detection actually works, why it matters, and how to close the gap fast.
Scanning AWS CloudFormation templates for misconfigurations
CloudFormation deploys exactly what you write, misconfigurations included. Here's how scanning catches IAM, S3, and security group errors before they ship.
Introduction to Open Policy Agent and Rego
A concrete walkthrough of Open Policy Agent and Rego — how OPA evaluates decisions, a runnable policy example, and where it fits in supply chain security.
Policy as code for cloud security guardrails
Policy as code turns cloud security guardrails into version-controlled, testable rules enforced automatically across IaC, Kubernetes, and CI/CD pipelines.
Pulumi security scanning best practices
Pulumi programs run as real code with live cloud credentials -- here's how to secure state files, dependencies, CrossGuard policy, and CI/CD.
Ansible playbook security scanning
Hardcoded secrets, unrestricted become, and injection-prone shell tasks turn Ansible playbooks into a single point of compromise across every host they touch.
Cloud Security Posture Management (CSPM) explained
CSPM explained: what it checks, why Gartner created the category in 2019, how it differs from CWPP/CNAPP, and why raw findings alone don't stop breaches.
Cloud misconfiguration as the top cause of cloud breaches
Capital One, Toyota, and a single Azure endpoint that leaked 65,000 companies' data all trace back to one root cause: cloud misconfiguration.
Securing Infrastructure as Code in GitOps workflows
GitOps auto-applies every merged Terraform and Kubernetes change within minutes. Here's how CVE-2022-24348 and CVE-2025-30066 show why PR-time IaC checks are non-negotiable.