dpndncY

Infrastructure-as-Code scanning

dpndncY parses Terraform (HCL), CloudFormation (JSON + YAML), and Kubernetes manifests, then flags misconfigurations that lead to privilege escalation, data exposure, and insecure runtime posture — aligned to CIS benchmarks and mapped to CWE.

Supported formats

  • Terraform — .tf HCL (resources, modules, variables).
  • CloudFormation — JSON and YAML templates.
  • Kubernetes — Deployment / Pod / Service / RBAC manifests (YAML & JSON).

What it detects

Class                           Examples
Privilege escalation (CWE-269)  Over-broad IAM policies, privileged: true pods, allowPrivilegeEscalation, host PID/IPC/network
Public exposure                 0.0.0.0/0 security-group ingress, public S3 buckets, unauthenticated load balancers
Insecure defaults               Unencrypted volumes / buckets, no TLS, plaintext secrets in env, missing log/audit config
Capabilities & host settings    Added Linux capabilities, writable root filesystem, host-path mounts
Path traversal (CWE-22)         Unsafe template substitution into file paths
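As an added example (not dpndncY's own code or rule set), the check below shows the kind of logic behind the Kubernetes rows of this table: a small Python scanner over a Pod or Deployment manifest in JSON form that flags shared host namespaces, host-path mounts, privileged containers, privilege escalation left enabled, writable root filesystems, added capabilities, and plaintext secrets in env. The manifest is constructed for this example, and the rule names and class labels are illustrative.

```python
import json, re

# Constructed sample input (not from the page): a Deployment whose pod template
# combines several of the misconfigurations listed in the table above.
SAMPLE_DEPLOYMENT = json.dumps({
    "apiVersion": "apps/v1", "kind": "Deployment", "metadata": {"name": "web"},
    "spec": {"template": {"spec": {
        "hostPID": True,
        "volumes": [{"name": "root", "hostPath": {"path": "/"}}],
        "containers": [{
            "name": "app", "image": "app:1.0",
            "securityContext": {"privileged": True, "capabilities": {"add": ["NET_ADMIN"]}},
            "env": [{"name": "DB_PASSWORD", "value": "hunter2"},
                    {"name": "API_TOKEN", "valueFrom": {"secretKeyRef": {"name": "api", "key": "token"}}}],
        }],
    }}},
})

SECRET_NAME = re.compile(r"PASSWORD|PASSWD|SECRET|TOKEN|API_?KEY|PRIVATE_?KEY", re.I)

def pod_spec(manifest):
    """PodSpec of a bare Pod, or of the pod template inside a workload object."""
    if manifest.get("kind") == "Pod":
        return manifest.get("spec", {})
    return manifest.get("spec", {}).get("template", {}).get("spec", {})

def check_manifest(text):
    """Scan one Kubernetes manifest (JSON) and return (class, rule, detail) findings."""
    spec = pod_spec(json.loads(text))
    out = []
    for key in ("hostPID", "hostIPC", "hostNetwork"):  # shared host namespaces
        if spec.get(key) is True:
            out.append(("privilege-escalation/CWE-269", "host-namespace", key))
    for vol in spec.get("volumes", []):
        if "hostPath" in vol:
            out.append(("capabilities-host-settings", "host-path-mount", vol["hostPath"].get("path", "")))
    for c in spec.get("containers", []) + spec.get("initContainers", []):
        sc, name = c.get("securityContext", {}), c.get("name", "?")
        if sc.get("privileged") is True:
            out.append(("privilege-escalation/CWE-269", "privileged-container", name))
        if sc.get("allowPrivilegeEscalation") is not False:  # unset defaults to true in Kubernetes
            out.append(("privilege-escalation/CWE-269", "allow-privilege-escalation", name))
        if sc.get("readOnlyRootFilesystem") is not True:
            out.append(("capabilities-host-settings", "writable-root-fs", name))
        for cap in sc.get("capabilities", {}).get("add", []):
            out.append(("capabilities-host-settings", "added-capability", f"{name}:{cap}"))
        for env in c.get("env", []):  # a literal value on a secret-looking name is a plaintext secret
            if "value" in env and SECRET_NAME.search(env.get("name", "")):
                out.append(("insecure-defaults", "plaintext-secret-in-env", f"{name}:{env['name']}"))
    return out
```

A `valueFrom` reference to a Secret (as on `API_TOKEN`) is not flagged, since only a literal `value` puts the secret into the manifest itself.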

Run it

CLI

  # scan a repo that contains IaC (auto-detected by file type)
  dpndncy scan ./infra --iac

  # fail CI on high-severity misconfigurations
  dpndncy scan ./infra --iac --fail-on high

One findings view

IaC results land in the same unified findings view and policy gates as SCA, SAST, and secrets — so a single CI verdict covers code, dependencies, and infrastructure.

Custom rules

Author organisation-specific checks (required tags, mandated encryption settings, banned regions) in the same YAML rule DSL used by SAST, and apply them per project via policy.

See also