A collection of tools for performing security scans on infrastructure-as-code.
Infrastructure as code (IaC) streamlines deployment processes by enabling developers to script and manage infrastructure configurations. Tools like tfsec scan that code in real time, letting developers identify security and compliance issues before the infrastructure is deployed.
Many of these tools integrate with IDEs (e.g., VS Code) but can also be set up as a job in CI pipelines (e.g., .gitlab-ci.yml for GitLab). This ensures continuous checks throughout the development lifecycle, minimizing the risk of vulnerabilities and reinforcing the reliability and security of the deployed infrastructure.
Let's take a look at a typical deployment process and where these tools fit into it.