Infrastructure as Code Security Scanning: Checkov, tfsec, KICS, and Web Security Monitoring

Infrastructure as Code Security Scanning: Checkov, tfsec, KICS, and Web Security Monitoring

Infrastructure as code security scanning is the practice of automatically identifying misconfigurations in IaC templates — Terraform, CloudFormation, Kubernetes manifests, Helm charts, Docker Compose files — before they are deployed. A publicly exposed S3 bucket, an unrestricted security group, or an unencrypted RDS instance can all be prevented at the code level if you scan your IaC.

This guide covers the major IaC security tools (Checkov, tfsec, KICS), common misconfiguration categories, CI/CD integration strategies, and how to use ZeriFlow to monitor the web-facing security of your deployed infrastructure.

Monitor your deployed infrastructure: After deploying your IaC, run ZeriFlow to verify that your web application's security configuration — headers, TLS, exposed paths — is correct. 80+ checks, zero setup required.

Why IaC Security Scanning Matters

The 2019 Capital One breach — which exposed 100 million customer records — originated from a misconfigured AWS WAF. The 2017 Accenture exposure — 137GB of sensitive data — came from publicly accessible S3 buckets. The 2021 Twitch breach involved infrastructure misconfiguration.

These breaches share a common pattern: cloud infrastructure misconfigurations that would have been trivially detectable by automated scanning at the code level. IaC security scanning catches these before deployment:

• Public S3 buckets, GCS buckets, Azure blobs
• Unrestricted inbound rules in security groups (0.0.0.0/0 on port 22)
• Databases without encryption at rest
• Missing CloudTrail logging
• IAM roles with wildcard permissions
• Kubernetes workloads running as root
• Secrets hardcoded in environment variables

Core IaC Security Tools

Checkov

Checkov by Bridgecrew is the most comprehensive open-source IaC security scanner:

Supported frameworks: - Terraform (AWS, GCP, Azure, Oracle) - CloudFormation - Kubernetes / Helm - Dockerfiles - GitHub Actions / GitLab CI - Azure Pipelines - Serverless Framework

Installation and basic usage:

pip install checkov

# Scan a Terraform directory
checkov -d ./terraform

# Scan a specific file
checkov -f main.tf

# Scan CloudFormation
checkov -f template.yaml --framework cloudformation

# Scan Kubernetes manifests
checkov -d ./k8s --framework kubernetes

# Output formats
checkov -d ./terraform --output json > checkov-results.json
checkov -d ./terraform --output sarif > checkov-results.sarif

Compact output (show only failures):

checkov -d ./terraform --compact --quiet

Setting a failure threshold:

# Fail if any HIGH or CRITICAL severity checks fail
checkov -d ./terraform --check CKV_HIGH,CKV_CRITICAL

Example findings Checkov catches:

Check: CKV_AWS_20: 'Ensure the S3 bucket has access control list (ACL) applied and is not public'
  FAILED for resource: aws_s3_bucket.data_bucket
  File: /terraform/main.tf:15-25

Check: CKV_AWS_8: 'Ensure that EC2 instances use Instance Metadata Service Version 2 (IMDSv2)'
  FAILED for resource: aws_instance.web_server
  File: /terraform/ec2.tf:5-20

tfsec

tfsec is a Terraform-focused IaC scanner with excellent speed and CI/CD friendliness:

# Install
brew install tfsec
# or
go install github.com/aquasecurity/tfsec/cmd/tfsec@latest

# Basic scan
tfsec .

# Scan with severity filter
tfsec . --minimum-severity HIGH

# Output formats
tfsec . --format json > tfsec-results.json
tfsec . --format sarif > tfsec-results.sarif

# Specific checks
tfsec . --include-passed
tfsec . --exclude-checks aws-s3-enable-bucket-encryption

tfsec vs. Checkov: tfsec is Terraform-only but extremely fast and produces very clean output. Checkov covers more frameworks. Use tfsec for Terraform-heavy environments; use Checkov for multi-framework environments.

KICS (Keeping Infrastructure as Code Secure)

KICS by Checkmarx is a comprehensive multi-framework IaC scanner:

# Install via Docker
docker pull checkmarx/kics:latest

# Scan Terraform
docker run -t -v $(pwd):/path checkmarx/kics:latest scan   -p /path/terraform   -o /path/results   --report-formats json,html

# Scan Kubernetes manifests
docker run -t -v $(pwd):/path checkmarx/kics:latest scan   -p /path/k8s   --type Kubernetes

KICS stands out for its broad support and its ability to scan mixed-framework repositories in a single pass.

Common IaC Security Issues and How to Fix Them

AWS: Public S3 Buckets

Vulnerable Terraform:

resource 'aws_s3_bucket' 'data' {
  bucket = 'my-data-bucket'
  acl    = 'public-read'   # DANGEROUS
}

Secure Terraform:

resource 'aws_s3_bucket' 'data' {
  bucket = 'my-data-bucket'
}

resource 'aws_s3_bucket_public_access_block' 'data' {
  bucket                  = aws_s3_bucket.data.id
  block_public_acls       = true
  block_public_policy     = true
  ignore_public_acls      = true
  restrict_public_buckets = true
}

AWS: Unrestricted Security Groups

Vulnerable:

resource 'aws_security_group_rule' 'ssh' {
  type        = 'ingress'
  from_port   = 22
  to_port     = 22
  protocol    = 'tcp'
  cidr_blocks = ['0.0.0.0/0']   # DANGEROUS: SSH open to the world
}

Secure:

resource 'aws_security_group_rule' 'ssh' {
  type        = 'ingress'
  from_port   = 22
  to_port     = 22
  protocol    = 'tcp'
  cidr_blocks = [var.vpn_cidr]   # Only from VPN
}

Kubernetes: Running as Root

Vulnerable:

apiVersion: apps/v1
kind: Deployment
spec:
  template:
    spec:
      containers:
      - name: app
        image: myapp:latest
        # No securityContext = runs as root

Secure:

spec:
  template:
    spec:
      securityContext:
        runAsNonRoot: true
        runAsUser: 1000
      containers:
      - name: app
        image: myapp:latest
        securityContext:
          allowPrivilegeEscalation: false
          readOnlyRootFilesystem: true
          capabilities:
            drop:
              - ALL

CI/CD Integration

GitHub Actions (Checkov)

name: IaC Security Scan
on:
  pull_request:
    paths:
      - 'terraform/**'
      - 'k8s/**'

jobs:
  checkov:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4

      - name: Run Checkov
        uses: bridgecrewio/checkov-action@master
        with:
          directory: terraform/
          framework: terraform
          output_format: sarif
          output_file_path: results.sarif
          soft_fail: false
          check: CKV_AWS_*

      - name: Upload SARIF to GitHub Security
        uses: github/codeql-action/upload-sarif@v3
        with:
          sarif_file: results.sarif

GitLab CI (tfsec)

tfsec_scan:
  image: aquasec/tfsec-ci:latest
  script:
    - tfsec . --format json --out gl-sast-report.json --minimum-severity HIGH
  artifacts:
    reports:
      sast: gl-sast-report.json

IaC Security vs. Runtime Web Security: Two Different Layers

IaC scanning and web application security scanning operate at different layers:

Even with perfect IaC security, your web application layer can still have misconfigured security headers or weak TLS. These are set at the application or web server level (nginx, Apache, CloudFront, load balancer configuration), not in your Terraform code.

This is why pairing IaC scanning with ZeriFlow gives you complete coverage: - IaC scanners ensure your infrastructure is correctly configured. - ZeriFlow ensures your application's HTTP-level security posture is correct.

FAQ

Q: Should I run IaC scanning on every commit or only on plan/apply?

A: Run a fast scan on every PR that touches IaC files (Checkov takes 10-30 seconds). This gives developers immediate feedback. Also run scanning during terraform plan to catch any drift between the code and the actual plan output.

Q: How do I handle false positives in IaC scanning?

A: Most IaC scanners support inline suppression comments:

#checkov:skip=CKV_AWS_18:S3 access logging not required for this bucket
resource 'aws_s3_bucket' 'logs' {
  bucket = 'app-logs'
}

Document your reasoning and review suppressions quarterly.

Q: Can IaC scanners find secrets in Terraform files?

A: IaC scanners have some secret detection, but dedicated secret scanners (Gitleaks, TruffleHog) are better at this. Always run both: IaC scanners for configuration issues, secret scanners for credentials.

Q: Is there a free tier for Checkov?

A: Yes. Checkov (the CLI tool) is completely open-source and free. Bridgecrew/Prisma Cloud (the commercial platform built on top) adds dashboards, drift detection, and runtime monitoring for a fee.

Q: Does ZeriFlow check cloud infrastructure security?

A: ZeriFlow focuses on the web application layer — HTTP security headers, TLS/SSL configuration, exposed paths, cookie attributes, and DNS security. For cloud infrastructure misconfiguration (S3, security groups, IAM), use Checkov, tfsec, or KICS. The two layers are complementary.

Conclusion: Secure Your Infrastructure Before and After Deployment

IaC security scanning is one of the highest-leverage security investments for cloud-native teams. A single Checkov check in your pipeline prevents the class of misconfigurations responsible for some of the largest data breaches in recent years.

Implement Checkov or tfsec in your Terraform pipeline today. Add KICS for multi-framework environments. Block PRs on High and Critical severity findings.

And after deployment, run ZeriFlow to verify that your web-facing security configuration — the HTTP headers, TLS settings, and exposed paths that IaC scanners cannot see — is as secure as the infrastructure underneath it.