iac
Safeguard articles tagged "iac" — guides, analysis, and best practices for software supply chain and application security.
8 articles
Helm Chart Security Best Practices
Helm charts template every RBAC binding, image reference, and secret your cluster runs. Here is how to harden charts, verify provenance, and stop a templating tool from quietly shipping cluster-admin.
Checkov 3.2.x Field Review: IaC Scanning in 2026
Bridgecrew's Checkov is still shipping weekly patches in 2026. We ran 3.2.527 against a 38,000-line Terraform monorepo and graded coverage, noise, and CI cost.
tfsec to Trivy IaC: 2026 Migration Playbook
tfsec has been folded into Trivy for over a year and Aqua has stopped feature work on tfsec. We migrated three platforms in 2026 and documented what actually breaks.
GCP Terraform Provider Security Review
A security-focused review of the Google Terraform providers: provenance, authentication paths, state handling, and the misconfigurations that consistently produce incidents across the Google and Google-Beta provider ecosystem.
AWS CDK Construct Library Security
CDK constructs are code that provisions infrastructure. Most teams audit the infrastructure but not the constructs. Here is how to think about construct library security and what to check.
Azure Bicep vs ARM: Security Comparison
Bicep and ARM templates produce the same deployments, but their security properties diverge — in module provenance, what-if analysis, registry trust, and review experience.
AWS SAM Template Security Considerations
SAM templates look simple and that is exactly the problem. The defaults are generous, the transforms are opaque, and the resulting stacks are often more privileged than anyone intended.
Securing Terraform Infrastructure as Code: A Practitioner's Guide
Your Terraform code defines your production infrastructure. If an attacker compromises your HCL files, state files, or provider plugins, they do not just get access — they get the keys to rebuild your entire environment on their terms.