iac-security
Safeguard articles tagged "iac-security" — guides, analysis, and best practices for software supply chain and application security.
49 articles
Best Terraform security and compliance tools
A practical, no-hype comparison of Terraform security tools — Checkov, tfsec/Trivy, Terrascan, Sentinel, Snyk IaC, and more — plus how Safeguard fits in.
Terraform Registry module vulnerability trends
Registry-wide analysis shows a rising share of Terraform modules carry stale provider pins and insecure defaults — here's what's driving it and how to respond.
Terraform AWS provider misconfiguration trends
Terraform's AWS misconfiguration trends in 2026: how provider v4.0 migration gaps, wildcard IAM policies, and state drift keep exposing production infrastructure.
Best infrastructure drift detection tools
A practical buyer's guide to infrastructure drift detection tools, comparing Terraform Cloud, Spacelift, env0, driftctl-style OSS, and Safeguard.
OpenTofu and Terraform provider supply chain risk
Terraform and OpenTofu providers run unsandboxed with full pipeline credentials. Here's where the provider supply chain actually breaks down.
How Snyk IaC's static analysis engine parses Terraform HC...
A technical walkthrough of how Snyk IaC parses Terraform HCL into JSON, evaluates it with OPA/Rego policies, and maps violations back to source lines.
How Snyk IaC's 400+ rule library maps to CIS benchmarks a...
How Snyk IaC's 400+ rules trace to numbered CIS AWS, Azure, GCP, and Kubernetes benchmark controls — and where benchmark-mapped scanning stops short.
How to write a custom Snyk IaC rule in Rego using the Rul...
A technical walkthrough of Snyk's IaC Rules SDK: scaffolding, writing Rego deny rules, local testing, bundling, and org-wide enforcement via OCI registries.
How Snyk IaC scans a Terraform Plan JSON file to catch dr...
How Snyk IaC parses Terraform plan JSON's resource_changes to catch drift and misconfigurations before terraform apply — the mechanics, limits, and what it can't see.
How Snyk IaC correlates code-level misconfigurations with...
How Snyk's Cloud Context feature joins Terraform and CloudFormation misconfigurations to live AWS, Azure, and GCP resources — and where that correlation model breaks down.
Pulumi and Crossplane Security: IaC Beyond Terraform
Security considerations for Pulumi and Crossplane as infrastructure-as-code alternatives, including unique risks and hardening strategies.
Infrastructure as Code Security: Scanning Terraform, CloudFormation, and Kubernetes Manifests
IaC scanning catches misconfigurations before they reach production. This guide covers tools, techniques, and integration patterns for Terraform, CloudFormation, and Kubernetes.