Infrastructure-as-Code scanning
dpndncy parses Terraform (HCL), CloudFormation (JSON and YAML), and Kubernetes manifests, then flags misconfigurations that lead to privilege escalation, data exposure, and an insecure runtime posture. Checks are aligned to CIS benchmarks and mapped to CWE.
Supported formats
- Terraform — `.tf` HCL (resources, modules, variables).
- CloudFormation — JSON and YAML templates.
- Kubernetes — Deployment / Pod / Service / RBAC manifests (YAML & JSON).
What it detects
| Class | Examples |
|---|---|
| Privilege escalation (CWE-269) | Over-broad IAM policies, `privileged: true` pods, `allowPrivilegeEscalation`, host PID/IPC/network |
| Public exposure | `0.0.0.0/0` security-group ingress, public S3 buckets, unauthenticated load balancers |
| Insecure defaults | Unencrypted volumes / buckets, no TLS, plaintext secrets in env, missing log/audit config |
| Capabilities & host settings | Added Linux capabilities, writable root filesystem, `hostPath` mounts |
| Path traversal (CWE-22) | Unsafe template substitution into file paths |
Run it
CLI
```shell
# scan a repo that contains IaC (auto-detected by file type)
dpndncy scan ./infra --iac
# fail CI on high-severity misconfigurations
dpndncy scan ./infra --iac --fail-on high
```
One findings view
IaC results land in the same unified findings view and policy gates as SCA, SAST, and secrets — so a single CI verdict covers code, dependencies, and infrastructure.
Custom rules
Author organisation-specific checks (required tags, mandated encryption settings, banned regions) in the same YAML rule DSL used by SAST, and apply them per project via policy.
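As an added example (not dpndncy's own code, and not its YAML rule DSL, which this page does not reproduce), the Python below shows the kind of detection logic behind several classes in the table above, how an organisation-specific check such as a required tag sits beside the built-in rules, and the severity gate that a `--fail-on` threshold applies. Everything in it is an assumption for illustration: the function and rule names, the severities, the JSON-only input (the real tool also parses HCL and YAML), and the three constructed sample documents.

```python
import json
from dataclasses import dataclass
from typing import Callable, Iterable, Iterator

# Constructed sample inputs for this example (not real infrastructure): an over-privileged
# Pod, a hardened Pod, and a CloudFormation template with a world-open security group,
# an unencrypted bucket and resources that lack the organisation's required "owner" tag.
POD_JSON = json.dumps({
    "apiVersion": "v1", "kind": "Pod", "metadata": {"name": "debug"},
    "spec": {"hostPID": True, "hostNetwork": True,
             "volumes": [{"name": "root", "hostPath": {"path": "/"}}],
             "containers": [{"name": "shell", "image": "busybox",
                             "securityContext": {"privileged": True, "allowPrivilegeEscalation": True,
                                                 "capabilities": {"add": ["SYS_ADMIN"]}}}]}})
HARDENED_POD_JSON = json.dumps({
    "apiVersion": "v1", "kind": "Pod", "metadata": {"name": "app"},
    "spec": {"containers": [{"name": "app", "image": "app:1",
                             "securityContext": {"allowPrivilegeEscalation": False,
                                                 "readOnlyRootFilesystem": True}}]}})
CFN_JSON = json.dumps({"Resources": {
    "SshOpen": {"Type": "AWS::EC2::SecurityGroup",
                "Properties": {"Tags": [{"Key": "team", "Value": "infra"}],
                               "SecurityGroupIngress": [{"IpProtocol": "tcp", "FromPort": 22,
                                                         "ToPort": 22, "CidrIp": "0.0.0.0/0"}]}},
    "Logs": {"Type": "AWS::S3::Bucket", "Properties": {"BucketName": "logs"}}}})

@dataclass(frozen=True)
class Finding:
    rule: str
    cls: str        # detection class from the table above, or "custom"
    severity: str   # "low" | "medium" | "high"
    location: str
    cwe: str = ""   # CWE id where the class has one

SEVERITY_RANK = {"low": 1, "medium": 2, "high": 3}
Rule = Callable[[dict], Iterator[Finding]]

def k8s_privilege(doc: dict) -> Iterator[Finding]:
    # A bare Pod carries the pod spec directly; Deployments etc. nest it under spec.template.
    spec = doc.get("spec", {})
    pod = spec.get("template", {}).get("spec", spec)
    for key in ("hostPID", "hostIPC", "hostNetwork"):
        if pod.get(key) is True:
            yield Finding("k8s-host-namespace", "privilege-escalation", "high", f"spec.{key}", "CWE-269")
    for vol in pod.get("volumes", []):
        if "hostPath" in vol:
            yield Finding("k8s-hostpath", "capabilities-host", "medium", f"spec.volumes[{vol.get('name')}]")
    for c in pod.get("containers", []) + pod.get("initContainers", []):
        sc = c.get("securityContext", {})
        loc = f"containers[{c.get('name')}].securityContext"
        if sc.get("privileged") is True:
            yield Finding("k8s-privileged", "privilege-escalation", "high", loc, "CWE-269")
        # Kubernetes defaults allowPrivilegeEscalation to true, so only an explicit false passes.
        if sc.get("allowPrivilegeEscalation") is not False:
            yield Finding("k8s-allow-priv-esc", "privilege-escalation", "medium", loc, "CWE-269")
        for cap in sc.get("capabilities", {}).get("add", []):
            sev = "high" if cap in ("SYS_ADMIN", "NET_ADMIN", "ALL") else "medium"
            yield Finding("k8s-added-capability", "capabilities-host", sev, f"{loc}.capabilities.add[{cap}]")
        if sc.get("readOnlyRootFilesystem") is not True:
            yield Finding("k8s-writable-rootfs", "capabilities-host", "low", loc)

def cfn_public_ingress(doc: dict) -> Iterator[Finding]:
    for name, res in doc.get("Resources", {}).items():
        if res.get("Type") != "AWS::EC2::SecurityGroup":
            continue
        for i, r in enumerate(res.get("Properties", {}).get("SecurityGroupIngress", [])):
            if r.get("CidrIp") == "0.0.0.0/0" or r.get("CidrIpv6") == "::/0":
                yield Finding("cfn-sg-world-open", "public-exposure", "high", f"{name}.SecurityGroupIngress[{i}]")

def cfn_unencrypted_bucket(doc: dict) -> Iterator[Finding]:
    for name, res in doc.get("Resources", {}).items():
        if res.get("Type") == "AWS::S3::Bucket" and "BucketEncryption" not in res.get("Properties", {}):
            yield Finding("cfn-s3-unencrypted", "insecure-defaults", "medium", f"{name}.Properties")

def require_tag(key: str) -> Rule:
    """Organisation-specific rule: every CloudFormation resource must carry tag `key`."""
    def rule(doc: dict) -> Iterator[Finding]:
        for name, res in doc.get("Resources", {}).items():
            if not any(t.get("Key") == key for t in res.get("Properties", {}).get("Tags", [])):
                yield Finding(f"custom-tag-{key}", "custom", "low", f"{name}.Properties.Tags")
    return rule

BUILTIN = {"k8s": [k8s_privilege], "cfn": [cfn_public_ingress, cfn_unencrypted_bucket]}

def scan(text: str, extra_rules: Iterable[Rule] = ()) -> list[Finding]:
    """Detect the document type by shape, then run its built-in rules plus any custom rules."""
    doc = json.loads(text)
    if "Resources" in doc:
        kind = "cfn"
    elif "apiVersion" in doc and "kind" in doc:
        kind = "k8s"
    else:
        raise ValueError("not a Kubernetes manifest or CloudFormation template")
    return [f for rule in [*BUILTIN[kind], *extra_rules] for f in rule(doc)]

def gate(findings: Iterable[Finding], fail_on: str = "high") -> int:
    """CI verdict in the style of --fail-on: 1 if any finding meets the threshold, else 0."""
    return int(any(SEVERITY_RANK[f.severity] >= SEVERITY_RANK[fail_on] for f in findings))
```

`scan(POD_JSON)` returns seven findings for the debug Pod (four of them high), `scan(HARDENED_POD_JSON)` returns none, and `scan(CFN_JSON, [require_tag("owner")])` returns the world-open ingress, the unencrypted bucket and two missing-tag findings; `gate(...)` turns any of those lists into the exit status a pipeline would act on. Two points worth carrying over to real rules: `allowPrivilegeEscalation` is treated as a finding unless it is explicitly `false`, because the Kubernetes default is `true`, and the custom rule is built by a factory so the tag key stays a policy parameter rather than being hard-coded into the check.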
See also
- Policy reference
- Secret scanning — for credentials embedded in manifests