Safeguard
Tag

terraform

Safeguard articles tagged "terraform" — guides, analysis, and best practices for software supply chain and application security.

31 articles

Vendor Comparison

Bridgecrew vs tfsec: choosing a Terraform IaC scanner in 2026

How Bridgecrew (Prisma Cloud Code Security) and tfsec compare on policy coverage, custom rule extensibility, drift detection, and the operational fit for IaC programs.

May 14, 20267 min read
Tools

Checkov 3.2.x Field Review: IaC Scanning in 2026

Bridgecrew's Checkov is still shipping weekly patches in 2026. We ran 3.2.527 against a 38,000-line Terraform monorepo and graded coverage, noise, and CI cost.

May 8, 20266 min read
Tools

tfsec to Trivy IaC: 2026 Migration Playbook

tfsec has been folded into Trivy for over a year and Aqua has stopped feature work on tfsec. We migrated three platforms in 2026 and documented what actually breaks.

Mar 26, 20266 min read
Cloud Security

IaC Scanning Tools for Terraform and Beyond

IaC scanning tools catch misconfigured cloud resources before they're ever applied — the question is which ones actually understand Terraform's module graph instead of just its syntax.

Feb 18, 20265 min read
Infrastructure Security

How to scan Terraform for misconfigurations with Checkov

A hands-on guide to running Checkov against Terraform, triaging findings, writing custom policies, and blocking IaC misconfigurations before they merge.

Feb 13, 20269 min read
Infrastructure Security

How to encrypt a Terraform state file

A step-by-step guide to encrypting a Terraform state file using an S3 backend, KMS keys, and IAM controls to keep infrastructure secrets safe.

Feb 13, 20267 min read
Engineering

Terraform Module Supply Chain Security

The dependency lockfile everyone commits only covers providers — your modules float free. Pinning, provenance, and the code-execution paths hiding inside terraform plan.

Dec 18, 20256 min read
Vulnerability Analysis

Terraform infrastructure-as-code misconfiguration explained

Terraform misconfigurations — not zero-days — cause most cloud breaches. Here's how they happen, real incidents they caused, and how to catch them pre-deploy.

Dec 3, 20257 min read
Cloud Security

Terraform AWS provider misconfiguration trends

Terraform's AWS misconfiguration trends in 2026: how provider v4.0 migration gaps, wildcard IAM policies, and state drift keep exposing production infrastructure.

Nov 4, 20257 min read
Cloud Security

How Snyk IaC's static analysis engine parses Terraform HC...

A technical walkthrough of how Snyk IaC parses Terraform HCL into JSON, evaluates it with OPA/Rego policies, and maps violations back to source lines.

Sep 3, 20257 min read
Cloud Security

How Snyk IaC's 400+ rule library maps to CIS benchmarks a...

How Snyk IaC's 400+ rules trace to numbered CIS AWS, Azure, GCP, and Kubernetes benchmark controls — and where benchmark-mapped scanning stops short.

Sep 3, 20258 min read
Cloud Security

How Snyk IaC scans a Terraform Plan JSON file to catch dr...

How Snyk IaC parses Terraform plan JSON's resource_changes to catch drift and misconfigurations before terraform apply — the mechanics, limits, and what it can't see.

Sep 2, 20257 min read
terraform (Page 2) — Safeguard Blog