Safeguard
Tag

infrastructure-as-code

Safeguard articles tagged "infrastructure-as-code" — guides, analysis, and best practices for software supply chain and application security.

27 articles

Cloud Security

Detecting and remediating Terraform and CloudFormation drift

Terraform's own drift check can return an ambiguous exit code — here's how declared IaC state quietly diverges from live cloud resources, and how to catch it.

Jul 11, 20267 min read
Cloud Security

The most common infrastructure-as-code security risks, with Terraform examples

AWS S3 buckets are private by default, yet public-bucket findings still top every cloud posture scan — because Terraform's own access-block resource defaults to open.

Jul 8, 20266 min read
Buyer's Guides

Best IaC Security Tools in 2026: An Honest Buyer's Guide

A balanced 2026 comparison of the leading infrastructure-as-code security tools — Checkov, Trivy, KICS, Snyk IaC, Prisma Cloud, and Wiz — with an honest look at where Safeguard fits.

Jul 4, 20266 min read
Concepts

What Is Infrastructure as Code (IaC) Security?

Infrastructure as Code (IaC) security is the practice of scanning and hardening the machine-readable files that define your cloud infrastructure — before they provision anything. Here's how it catches misconfigurations at the source.

Jul 2, 20266 min read
Infrastructure Security

Scanning Terraform code for security misconfigurations

Public S3 buckets, open security groups, and wildcard IAM policies are the recurring Terraform mistakes behind most cloud breaches — here's how to catch them before apply.

Jun 19, 20268 min read
Infrastructure Security

Managing Terraform state file security risks

Terraform state files store database passwords, IAM keys, and private keys in plaintext. Here's how they leak, why encryption alone won't save you, and how to lock them down.

Jun 19, 20267 min read
Infrastructure Security

Scanning AWS CloudFormation templates for misconfigurations

CloudFormation deploys exactly what you write, misconfigurations included. Here's how scanning catches IAM, S3, and security group errors before they ship.

Jun 18, 20267 min read
Infrastructure Security

Policy as code for cloud security guardrails

Policy as code turns cloud security guardrails into version-controlled, testable rules enforced automatically across IaC, Kubernetes, and CI/CD pipelines.

Jun 18, 20266 min read
Infrastructure Security

Pulumi security scanning best practices

Pulumi programs run as real code with live cloud credentials -- here's how to secure state files, dependencies, CrossGuard policy, and CI/CD.

Jun 17, 20267 min read
Infrastructure Security

Securing Infrastructure as Code in GitOps workflows

GitOps auto-applies every merged Terraform and Kubernetes change within minutes. Here's how CVE-2022-24348 and CVE-2025-30066 show why PR-time IaC checks are non-negotiable.

Jun 16, 20267 min read
Infrastructure Security

Comparing Terraform security scanners: Snyk IaC, Checkov, tfsec

Snyk IaC, Checkov, and tfsec take different approaches to Terraform scanning — and one of them stopped getting new checks in 2023. Here's how they actually compare.

Jun 15, 20268 min read
Industry Analysis

Infrastructure as Code (IaC) scanning explained

A breakdown of how IaC scanning tools catch cloud misconfigurations before deployment, how Aikido Security's bundled approach compares, and what to look for in 2026.

May 1, 20267 min read
infrastructure-as-code — Safeguard Blog