
IaC misconfiguration

Every av sast scan checks the infrastructure-as-code in your tree for misconfigurations and tiers each one RED, YELLOW or GREEN.

The infrastructure scanner performs a filesystem scan of the target path with its secret and misconfiguration checks enabled. The misconfiguration checks cover the common IaC formats - Terraform, Dockerfiles, Kubernetes manifests, Helm charts and CloudFormation templates.

Like every scanner in the series, it is downloaded pinned and checksum-verified on first use and runs locally as a separate subprocess - your source never leaves the machine. See Code scanning (SAST) for the scan series.

The scan series does not enable dependency-vulnerability scanning. Dependency CVEs are owned by AlertaVuln’s core CVE pipeline - the tech stack derived from your manifests, matched against CVE announcements on the Vulnerabilities page. Running a second vulnerability scanner here would double-report the same dependency CVE on the Code Scan page, so the infrastructure scanner is scoped to secrets and IaC misconfigurations, which the core pipeline does not cover.

The infrastructure scanner declares severity on each rule rather than on each result; a result with no explicit level inherits its rule’s default level, and any security-severity score takes precedence over the level. The full mapping is on Code scanning (SAST).

On the Code Scan page, the infrastructure scanner’s findings land in the Misconfig category (its secret hits land in Secrets), as do findings from other scanners whose rule or message references Terraform, Dockerfile, Kubernetes, CloudFormation, Helm or IaC.
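The severity precedence and the Misconfig categorisation described above, as an added illustration that is not AlertaVuln's own code: it assumes the scanner emits SARIF (rule `defaultConfiguration.level`, per-result `level`, and a `security-severity` rule property), and the score-to-tier thresholds are an assumption, since the real mapping is on the Code scanning (SAST) page.

```python
import json
import re

# Constructed SARIF fragment (not real av scan output): one result that inherits
# its rule's default level, one whose rule carries a security-severity score
# (which must win over the result-level "warning"), and one non-IaC finding.
SAMPLE_SARIF = json.loads("""
{ "runs": [ { "tool": { "driver": { "rules": [
  { "id": "DS002", "shortDescription": {"text": "Dockerfile: image runs as root"},
    "defaultConfiguration": {"level": "warning"} },
  { "id": "AVD-AWS-0086", "shortDescription": {"text": "Terraform: S3 bucket is public"},
    "defaultConfiguration": {"level": "note"},
    "properties": {"security-severity": "8.1"} },
  { "id": "generic-secret", "shortDescription": {"text": "Hard-coded credential"},
    "defaultConfiguration": {"level": "error"} }
] } },
"results": [
  { "ruleId": "DS002", "message": {"text": "USER not set"} },
  { "ruleId": "AVD-AWS-0086", "level": "warning", "message": {"text": "acl = public-read"} },
  { "ruleId": "generic-secret", "message": {"text": "token in config.yaml"} }
] } ] }
""")

# Keywords the page lists for routing a finding into the Misconfig category.
IAC_PATTERN = re.compile(r"terraform|dockerfile|kubernetes|cloudformation|helm|\biac\b", re.I)

# ASSUMED tier boundaries; the authoritative mapping lives on Code scanning (SAST).
def tier_from_score(score: float) -> str:
    return "RED" if score >= 7.0 else "YELLOW" if score >= 4.0 else "GREEN"

LEVEL_TIER = {"error": "RED", "warning": "YELLOW", "note": "GREEN", "none": "GREEN"}

def resolve(sarif: dict) -> list[dict]:
    """Return one {rule, tier, category} per result using the page's precedence."""
    out = []
    for run in sarif["runs"]:
        rules = {r["id"]: r for r in run["tool"]["driver"]["rules"]}
        for res in run["results"]:
            rule = rules[res["ruleId"]]
            score = rule.get("properties", {}).get("security-severity")
            if score is not None:                      # a score beats any level
                tier = tier_from_score(float(score))
            else:                                      # result level, else rule default
                level = res.get("level") or rule["defaultConfiguration"]["level"]
                tier = LEVEL_TIER[level]
            text = f'{rule["id"]} {rule["shortDescription"]["text"]} {res["message"]["text"]}'
            category = "Misconfig" if IAC_PATTERN.search(text) else "Other"
            out.append({"rule": rule["id"], "tier": tier, "category": category})
    return out
```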

Run the full scan series in your pipeline and fail the build on any RED finding. To scope the gate to your infrastructure code, point --path at the directory that holds it; to fail on anything YELLOW or worse, raise the tier with --fail-on yellow:

```bash
av sast scan --path infra --fail-on red
```