infrastructure-as-code
Safeguard articles tagged "infrastructure-as-code" — guides, analysis, and best practices for software supply chain and application security.
27 articles
Detecting and remediating Terraform and CloudFormation drift
Terraform's own drift check can return an ambiguous exit code — here's how declared IaC state quietly diverges from live cloud resources, and how to catch it.
The most common infrastructure-as-code security risks, with Terraform examples
AWS S3 buckets are private by default, yet public-bucket findings still top every cloud posture scan — because Terraform's own access-block resource defaults to open.
Best IaC Security Tools in 2026: An Honest Buyer's Guide
A balanced 2026 comparison of the leading infrastructure-as-code security tools — Checkov, Trivy, KICS, Snyk IaC, Prisma Cloud, and Wiz — with an honest look at where Safeguard fits.
What Is Infrastructure as Code (IaC) Security?
Infrastructure as Code (IaC) security is the practice of scanning and hardening the machine-readable files that define your cloud infrastructure — before they provision anything. Here's how it catches misconfigurations at the source.
Scanning Terraform code for security misconfigurations
Public S3 buckets, open security groups, and wildcard IAM policies are the recurring Terraform mistakes behind most cloud breaches — here's how to catch them before apply.
Managing Terraform state file security risks
Terraform state files store database passwords, IAM keys, and private keys in plaintext. Here's how they leak, why encryption alone won't save you, and how to lock them down.
Scanning AWS CloudFormation templates for misconfigurations
CloudFormation deploys exactly what you write, misconfigurations included. Here's how scanning catches IAM, S3, and security group errors before they ship.
Policy as code for cloud security guardrails
Policy as code turns cloud security guardrails into version-controlled, testable rules enforced automatically across IaC, Kubernetes, and CI/CD pipelines.
Pulumi security scanning best practices
Pulumi programs run as real code with live cloud credentials -- here's how to secure state files, dependencies, CrossGuard policy, and CI/CD.
Securing Infrastructure as Code in GitOps workflows
GitOps auto-applies every merged Terraform and Kubernetes change within minutes. Here's how CVE-2022-24348 and CVE-2025-30066 show why PR-time IaC checks are non-negotiable.
Comparing Terraform security scanners: Snyk IaC, Checkov, tfsec
Snyk IaC, Checkov, and tfsec take different approaches to Terraform scanning — and one of them stopped getting new checks in 2023. Here's how they actually compare.
Infrastructure as Code (IaC) scanning explained
A breakdown of how IaC scanning tools catch cloud misconfigurations before deployment, how Aikido Security's bundled approach compares, and what to look for in 2026.