terraform
Safeguard articles tagged "terraform" — guides, analysis, and best practices for software supply chain and application security.
31 articles
Catching Terraform Misconfigurations Before They Ever Reach Apply
Trivy replaced tfsec in 2023 and Checkov ships thousands of policies — here's how to wire open-source Terraform scanners into CI/CD before terraform apply runs.
Automating cloud compliance checks in Terraform and CloudFormation pipelines
Terrascan went fully archived in November 2025. Here's how to gate CIS and SOC 2 checks in Terraform/CloudFormation pipelines with tools still standing.
Scanning Terraform and CloudFormation before you ever run apply
tfsec merged into Trivy in 2024 and OPA hit CNCF graduated status in 2021 — here's how to scan Terraform and CloudFormation before deploy, with a working Conftest policy.
The S3 bucket security hardening checklist
AWS blocked public access by default in April 2023, yet misconfigured buckets still leak data — here's a concrete checklist and Terraform to close the gaps.
A guide to scanning Terraform IaC for misconfigurations before deployment
tfsec folded into Trivy in February 2023. Sentinel gates plans in Terraform Enterprise. Here's how to catch misconfigured infrastructure before it's ever provisioned.
Detecting and remediating Terraform and CloudFormation drift
Terraform's own drift check can return an ambiguous exit code — here's how declared IaC state quietly diverges from live cloud resources, and how to catch it.
Policy-as-code for Terraform: testing before you ever run apply
Checkov, OPA, and tflint each catch different Terraform mistakes — chained into CI before apply, they turn a review comment into a hard gate.
Shifting Infrastructure-as-Code security left across the SDLC
Terrascan went archived in November 2025 and tfsec folded into Trivy in 2024 — IaC scanning is consolidating fast, and where you run it matters as much as which tool you pick.
The most common infrastructure-as-code security risks, with Terraform examples
AWS S3 buckets are private by default, yet public-bucket findings still top every cloud posture scan — because Terraform's own access-block resource defaults to open.
Infrastructure Drift Detection: A Practical Guide for 2026
When running infrastructure diverges from your Terraform, your security scans start auditing a fiction. Here's how to detect, understand, and reconcile configuration drift.
Terraform Security Best Practices: Hardening Your IaC in 2026
Terraform provisions your entire cloud, which makes it your largest attack surface as code. Here are the practices that keep state, modules, and providers from becoming the breach.
What Is Infrastructure as Code (IaC) Security?
Infrastructure as Code (IaC) security is the practice of scanning and hardening the machine-readable files that define your cloud infrastructure — before they provision anything. Here's how it catches misconfigurations at the source.