Day 49 of 60 · Data, ML & infrastructure
IaC scanning (Terraform, Kubernetes)
In 2024–2026, misconfigured infrastructure caused more breaches than vulnerable code. The open S3 bucket, the permissive IAM policy, the exposed Helm value: Checkov finds them before an attacker does.
Problem
Misconfigured infrastructure is the leading cause of production breaches in 2024–2026: open S3 buckets, permissive IAM, exposed secrets in Helm values.
How it works
Static analysis of Terraform, CloudFormation, Kubernetes manifests and Helm charts, using pattern-based rules plus policy engines. Run on every PR so a misconfiguration is caught before it is merged, not after it is deployed.
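To make the "pattern-based rules" idea concrete, here is a small added example (not Checkov's or tfsec's own code) of a policy engine over Terraform plan JSON and a Kubernetes Pod manifest; the rule ids, messages and sample inputs are constructed for this illustration.

```python
# Added illustration, not Checkov's or tfsec's code: a tiny pattern-rule engine over
# Terraform plan JSON (`terraform show -json`) and a Kubernetes Pod manifest.
import json

def s3_public_acl(values):  # canned ACL that grants anonymous access
    return values.get("acl") in {"public-read", "public-read-write"}

def iam_wildcard(values):  # Allow statement with Action "*" on Resource "*"
    stmts = json.loads(values.get("policy", "{}")).get("Statement", [])
    for s in [stmts] if isinstance(stmts, dict) else stmts:
        acts, res = (v if isinstance(v, list) else [v]  # IAM fields: string or list
                     for v in (s.get("Action", []), s.get("Resource", [])))
        if s.get("Effect") == "Allow" and "*" in acts and "*" in res:
            return True
    return False

def privileged_container(doc):  # any container requesting privileged mode
    return any(c.get("securityContext", {}).get("privileged") is True
               for c in doc.get("spec", {}).get("containers", []))

# Rules: (hypothetical id, Terraform resource type or k8s kind, predicate, message)
TF_RULES = [("IAC_S3_PUBLIC", "aws_s3_bucket", s3_public_acl, "public S3 ACL"),
            ("IAC_IAM_STAR", "aws_iam_policy", iam_wildcard, "IAM Action:* on Resource:*")]
K8S_RULES = [("IAC_K8S_PRIV", "Pod", privileged_container, "privileged container")]

def scan_plan(plan):  # -> [(rule_id, address, message)] per failing planned resource
    rs = plan.get("planned_values", {}).get("root_module", {}).get("resources", [])
    return [(rid, r.get("address"), msg) for r in rs for rid, t, pred, msg in TF_RULES
            if r.get("type") == t and pred(r.get("values", {}))]

def scan_manifest(doc):  # -> [(rule_id, object name, message)] for one k8s object
    return [(rid, doc.get("metadata", {}).get("name"), msg)
            for rid, kind, pred, msg in K8S_RULES if doc.get("kind") == kind and pred(doc)]

def ci_gate(plan, docs):  # pipeline step exit status: non-zero blocks the merge
    findings = scan_plan(plan) + [f for d in docs for f in scan_manifest(d)]
    print("\n".join("FAIL %s %s: %s" % f for f in findings))
    return 1 if findings else 0

# Constructed sample inputs, the kind of change a pull request might introduce.
SAMPLE_PLAN = {"planned_values": {"root_module": {"resources": [
    {"address": "aws_s3_bucket.logs", "type": "aws_s3_bucket",
     "values": {"bucket": "example-logs", "acl": "public-read"}},
    {"address": "aws_iam_policy.admin", "type": "aws_iam_policy", "values": {"policy":
     '{"Statement": [{"Effect": "Allow", "Action": "*", "Resource": "*"}]}'}}]}}}
SAMPLE_POD = {"kind": "Pod", "metadata": {"name": "debug"}, "spec": {"containers": [
    {"name": "sh", "image": "busybox", "securityContext": {"privileged": True}}]}}

if __name__ == "__main__":
    raise SystemExit(ci_gate(SAMPLE_PLAN, [SAMPLE_POD]))
```

Real scanners add hundreds of such rules plus a policy language for custom ones, but the gating mechanism is the same: findings produce a non-zero exit status in the PR pipeline.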
What it catches
Open ports, permissive IAM, missing encryption-at-rest, public S3 buckets, privileged pods, exposed secrets, CIS-benchmark violations.
Tools
Checkov (OSS) · tfsec (OSS) · KICS (OSS) · kube-bench (OSS) · Trivy IaC (OSS)
Verdict by project size
| Project size | Verdict |
|---|---|
| Small | Opt |
| Medium | Must |
| Large | Must |
| Extra-large | Must |
Cost
| Project size | Setup | Maint / mo | Tool / mo | CI / run |
|---|---|---|---|---|
| Small <10k LOC | 4h | 0.5h | $0 | +0.5m |
| Medium 10–100k LOC | 1d | 2h | $0 | +1m |
| Large 100k–1M LOC | 5d | 10h | $500 | +2m |
| Extra-large >1M LOC | 15d | 40h | $5k | +5m |
Setup = engineer-days to first useful run · Maint = engineer-hours / month at steady state · Tool = out-of-pocket $ / month · CI = minutes added (or saved) per pipeline run
Lifecycle & ownership
When in lifecycle
Build · Operate
Per pull request · Runs in CI on every PR; gates merge.
Who owns it
Data Engineer (pipelines, schemas, lineage)
Collaborates with: SRE / DevOps / Platform, Security / AppSec
Reference implementations
- Checkov quick start: infrastructure-as-code scanning examples for Terraform and cloud resources.
- tfsec examples: Terraform security scanning examples and rule fixtures.
- KICS queries: infrastructure misconfiguration rules across Terraform, Kubernetes, and cloud templates.
Quick check
In 2024–2026, what has caused more production breaches than vulnerable code?