terraform
Safeguard articles tagged "terraform" — guides, analysis, and best practices for software supply chain and application security.
31 articles
Bridgecrew vs tfsec: choosing a Terraform IaC scanner in 2026
How Bridgecrew (Prisma Cloud Code Security) and tfsec compare on policy coverage, custom rule extensibility, drift detection, and the operational fit for IaC programs.
Checkov 3.2.x Field Review: IaC Scanning in 2026
Bridgecrew's Checkov is still shipping weekly patches in 2026. We ran 3.2.527 against a 38,000-line Terraform monorepo and graded coverage, noise, and CI cost.
tfsec to Trivy IaC: 2026 Migration Playbook
tfsec has been folded into Trivy for over a year and Aqua has stopped feature work on tfsec. We migrated three platforms in 2026 and documented what actually breaks.
IaC Scanning Tools for Terraform and Beyond
IaC scanning tools catch misconfigured cloud resources before they're ever applied — the question is which ones actually understand Terraform's module graph instead of just its syntax.
How to scan Terraform for misconfigurations with Checkov
A hands-on guide to running Checkov against Terraform, triaging findings, writing custom policies, and blocking IaC misconfigurations before they merge.
How to encrypt a Terraform state file
A step-by-step guide to encrypting a Terraform state file using an S3 backend, KMS keys, and IAM controls to keep infrastructure secrets safe.
Terraform Module Supply Chain Security
The dependency lockfile everyone commits only covers providers — your modules float free. Pinning, provenance, and the code-execution paths hiding inside terraform plan.
Terraform infrastructure-as-code misconfiguration explained
Terraform misconfigurations — not zero-days — cause most cloud breaches. Here's how they happen, real incidents they caused, and how to catch them pre-deploy.
Terraform AWS provider misconfiguration trends
Terraform's AWS misconfiguration trends in 2026: how provider v4.0 migration gaps, wildcard IAM policies, and state drift keep exposing production infrastructure.
How Snyk IaC's static analysis engine parses Terraform HC...
A technical walkthrough of how Snyk IaC parses Terraform HCL into JSON, evaluates it with OPA/Rego policies, and maps violations back to source lines.
How Snyk IaC's 400+ rule library maps to CIS benchmarks a...
How Snyk IaC's 400+ rules trace to numbered CIS AWS, Azure, GCP, and Kubernetes benchmark controls — and where benchmark-mapped scanning stops short.
How Snyk IaC scans a Terraform Plan JSON file to catch dr...
How Snyk IaC parses Terraform plan JSON's resource_changes to catch drift and misconfigurations before terraform apply — the mechanics, limits, and what it can't see.