IaC misconfiguration
Every av sast scan checks the infrastructure-as-code in your tree for misconfigurations and tiers each one RED, YELLOW or GREEN.
What runs
The infrastructure scanner performs a filesystem scan of the target path with its secret and misconfiguration checks enabled. The misconfiguration checks cover the common IaC formats - Terraform, Dockerfiles, Kubernetes manifests, Helm charts and CloudFormation templates.
Like every scanner in the series, it is downloaded at a pinned version and checksum-verified on first use, and it runs locally as a separate subprocess - your source never leaves the machine. See Code scanning (SAST) for the scan series.
What it deliberately does not do
The scan series does not enable dependency-vulnerability scanning. Dependency CVEs are owned by AlertaVuln’s core CVE pipeline - the tech stack derived from your manifests, matched against CVE announcements on the Vulnerabilities page. Running a second vulnerability scanner here would double-report the same dependency CVE on the Code Scan page, so the infrastructure scanner is scoped to secrets and IaC misconfigurations, which the core pipeline does not cover.
Tiering
The infrastructure scanner declares severity on each rule rather than on each result; a result with no explicit level inherits its rule’s default level, and any security-severity score takes precedence over the level. The full mapping is on Code scanning (SAST).
How findings are bucketed
On the Code Scan page, the infrastructure scanner’s findings land in the Misconfig category (its secret hits land in Secrets), as do findings from other scanners whose rule or message references Terraform, Dockerfile, Kubernetes, CloudFormation, Helm or IaC.
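The two rules above (tiering precedence and bucketing) are easy to get subtly wrong when you reproduce them in your own reporting, so here is an added example that models both over a constructed SARIF-style document. This is not AlertaVuln's or the scanner's code. It assumes the scanner reports in SARIF (rules carry defaultConfiguration.level, results may carry their own level, and a security-severity property may sit on either), that a "secret" rule tag marks secret hits, that non-matching findings go to an "Other" bucket, and it uses placeholder level-to-tier and score-to-tier thresholds in place of the real mapping documented on Code scanning (SAST). The scanner names, rule ids and findings are constructed.

```python
import re

# Added example, not AlertaVuln's code. All thresholds, scanner names, rule ids
# and the "secret" tag convention are assumptions standing in for the real mapping.
LEVEL_TIER = {"error": "RED", "warning": "YELLOW", "note": "GREEN", "none": "GREEN"}
TIER_RANK = {"GREEN": 0, "YELLOW": 1, "RED": 2}
IAC_WORDS = re.compile(r"\b(terraform|dockerfile|kubernetes|cloudformation|helm|iac)\b", re.I)


def score_tier(score: float) -> str:
    """Placeholder thresholds for a CVSS-style security-severity score (assumed)."""
    if score >= 7.0:
        return "RED"
    if score >= 4.0:
        return "YELLOW"
    return "GREEN"


def tier_result(result: dict, rule: dict) -> str:
    """Precedence as the page states it: a security-severity score wins over any
    level; otherwise the result's own level; otherwise the rule's default level."""
    props = {**rule.get("properties", {}), **result.get("properties", {})}
    if "security-severity" in props:
        return score_tier(float(props["security-severity"]))
    level = result.get("level") or rule.get("defaultConfiguration", {}).get("level", "warning")
    return LEVEL_TIER.get(level, "YELLOW")


def bucket_result(result: dict, rule: dict, from_infra_scanner: bool) -> str:
    """Secrets for tagged secret rules; Misconfig for everything else from the
    infrastructure scanner, or from any scanner when the rule/message names an IaC format."""
    if "secret" in rule.get("properties", {}).get("tags", []):  # assumed tag convention
        return "Secrets"
    if from_infra_scanner:
        return "Misconfig"
    text = " ".join([rule.get("id", ""),
                     rule.get("shortDescription", {}).get("text", ""),
                     result.get("message", {}).get("text", "")])
    return "Misconfig" if IAC_WORDS.search(text) else "Other"


def triage(sarif: dict, infra_scanner_name: str) -> list[dict]:
    """Tier and bucket every result in every run of a SARIF document."""
    findings = []
    for run in sarif["runs"]:
        driver = run["tool"]["driver"]
        rules = {r["id"]: r for r in driver.get("rules", [])}
        is_infra = driver["name"] == infra_scanner_name
        for result in run.get("results", []):
            rule = rules.get(result["ruleId"], {})
            findings.append({"rule": result["ruleId"],
                             "tier": tier_result(result, rule),
                             "bucket": bucket_result(result, rule, is_infra)})
    return findings


def fails_gate(findings: list[dict], fail_on: str = "RED") -> bool:
    """True when any finding is at the fail-on tier or worse (RED > YELLOW > GREEN)."""
    threshold = TIER_RANK[fail_on.upper()]
    return any(TIER_RANK[f["tier"]] >= threshold for f in findings)


# Constructed sample: one run from the infrastructure scanner, one from a generic
# code scanner. Scanner names, rule ids and messages are placeholders.
SAMPLE_SARIF = {"runs": [
    {"tool": {"driver": {"name": "infra-scanner", "rules": [
        {"id": "IAC-001", "shortDescription": {"text": "Dockerfile runs as root"},
         "defaultConfiguration": {"level": "error"}},
        {"id": "IAC-002", "shortDescription": {"text": "Terraform S3 bucket unencrypted"},
         "defaultConfiguration": {"level": "warning"}},
        {"id": "IAC-003", "shortDescription": {"text": "Kubernetes container has no resource limits"},
         "defaultConfiguration": {"level": "note"}, "properties": {"security-severity": "7.5"}},
        {"id": "SEC-001", "shortDescription": {"text": "Cloud access key in file"},
         "defaultConfiguration": {"level": "error"}, "properties": {"tags": ["secret"]}},
    ]}},
     "results": [
        {"ruleId": "IAC-001", "message": {"text": "USER not set"}},               # inherits rule level
        {"ruleId": "IAC-002", "level": "note", "message": {"text": "no SSE"}},  # explicit level
        {"ruleId": "IAC-003", "message": {"text": "limits missing"}},             # score beats "note"
        {"ruleId": "SEC-001", "message": {"text": "access key pattern matched"}},
    ]},
    {"tool": {"driver": {"name": "code-scanner", "rules": [
        {"id": "GEN-010", "shortDescription": {"text": "Absolute path in config"},
         "defaultConfiguration": {"level": "warning"}},
        {"id": "GEN-011", "shortDescription": {"text": "String-built SQL query"},
         "defaultConfiguration": {"level": "error"}},
    ]}},
     "results": [
        {"ruleId": "GEN-010", "message": {"text": "Helm values.yaml hardcodes /root"}},  # keyword hit
        {"ruleId": "GEN-011", "message": {"text": "query built by concatenation"}},
    ]},
]}

if __name__ == "__main__":
    findings = triage(SAMPLE_SARIF, "infra-scanner")
    for f in findings:
        print(f"{f['rule']:8} {f['tier']:7} {f['bucket']}")
    print("gate on RED fails:", fails_gate(findings, "red"))
```

The point to check in your own reporting is the third infra result: its rule's default level is only "note", but the rule carries a security-severity score, and the score decides the tier. Likewise the Helm finding from the generic scanner lands in Misconfig purely because its message names an IaC format.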
Gate your CI
Run the full scan series in your pipeline and fail the build on any RED finding. To scope the gate to your infrastructure code, point --path at the directory that holds it; to fail on anything YELLOW or worse, raise the tier with --fail-on yellow. For example, to gate the infra directory on RED findings:
av sast scan --path infra --fail-on red
See also
- Code scanning (SAST) - the scan series, tiering and local-first design
- Secret detection - the other half of the infrastructure scanner’s pass
- av sast scan - run a local scan