iac-security
Safeguard articles tagged "iac-security" — guides, analysis, and best practices for software supply chain and application security.
48 articles
Insecure defaults in Azure ARM templates: a pre-deployment scanning guide
Azure Resource Manager templates don't enforce TLS 1.2 or block public blob access by default — here's how to catch it before terraform apply's Azure cousin ever runs.
Catching Terraform Misconfigurations Before They Ever Reach Apply
Trivy replaced tfsec in 2023 and Checkov ships thousands of policies — here's how to wire open-source Terraform scanners into CI/CD before terraform apply runs.
Azure Bicep IaC security fundamentals: secrets, module trust, and policy gates
A @secure() Bicep parameter still leaks in plaintext the moment it's written to an output — a well-documented gap most teams discover only after a deployment history review.
Automating cloud compliance checks in Terraform and CloudFormation pipelines
Terrascan went fully archived in November 2025. Here's how to gate CIS and SOC 2 checks in Terraform/CloudFormation pipelines with tools still standing.
Scanning Terraform and CloudFormation before you ever run apply
tfsec merged into Trivy in 2024 and OPA hit CNCF graduated status in 2021 — here's how to scan Terraform and CloudFormation before deploy, with a working Conftest policy.
A guide to scanning Terraform IaC for misconfigurations before deployment
tfsec folded into Trivy in February 2023. Sentinel gates plans in Terraform Enterprise. Here's how to catch misconfigured infrastructure before it's ever provisioned.
Policy as Code: Enforcing Cloud Security Guardrails in CI/CD Instead of Manual Review
OPA reached CNCF Graduated status in January 2021 — yet most teams still catch misconfigured IAM roles by eyeballing a pull request.
Policy-as-code for Terraform: testing before you ever run apply
Checkov, OPA, and tflint each catch different Terraform mistakes — chained into CI before apply, they turn a review comment into a hard gate.
Shifting Infrastructure-as-Code security left across the SDLC
Terrascan went archived in November 2025 and tfsec folded into Trivy in 2024 — IaC scanning is consolidating fast, and where you run it matters as much as which tool you pick.
AWS S3 Bucket Security: The Complete 2026 Guide
S3 is the single most common source of cloud data leaks. This guide covers block public access, encryption, bucket policies, and how to enforce all three in Terraform.
Infrastructure Drift Detection: A Practical Guide for 2026
When running infrastructure diverges from your Terraform, your security scans start auditing a fiction. Here's how to detect, understand, and reconcile configuration drift.
Terraform Security Best Practices: Hardening Your IaC in 2026
Terraform provisions your entire cloud, which makes it your largest attack surface as code. Here are the practices that keep state, modules, and providers from becoming the breach.