How It Works
ZeroPath’s Infrastructure-as-Code (IaC) scanner detects security misconfigurations in your infrastructure definitions before they’re deployed. It runs alongside SAST, SCA, and secrets scanning as part of both full repository scans and PR scans.
- Automated detection analyzes your infrastructure files for misconfigurations that could expose your systems to attack — open security groups, missing encryption, overly permissive IAM policies, and more.
- AI-enhanced validation reviews each finding in context, providing human-readable descriptions and severity assessments tied to your specific infrastructure setup.
- Unified findings — IaC misconfigurations appear in the same ZeroPath findings stream as your other scan data, keeping remediation in one workflow.
Supported Formats
ZeroPath scans the following infrastructure-as-code formats:

| Format | File Types |
|---|---|
| Terraform | .tf, .tfvars |
| Kubernetes | YAML manifests, Helm charts |
| Docker | Dockerfile, docker-compose.yml |
| CloudFormation | JSON and YAML templates |
| Azure Resource Manager (ARM) | JSON templates |
| Helm | Chart templates and values.yaml |
Misconfiguration Categories
Network & Access Control
- Overly permissive security groups (e.g., `0.0.0.0/0` ingress)
- Missing network policies in Kubernetes
- Unrestricted port exposure
- Public-facing resources without access controls
Encryption & Data Protection
- Unencrypted storage volumes (EBS, S3, Azure Blob)
- Missing TLS/SSL configuration
- Unencrypted database connections
- Missing encryption at rest for managed services
Identity & Permissions
- Overly broad IAM policies (e.g., `*` resource access)
- Missing least-privilege constraints
- Root/admin access without MFA requirements
- Service accounts with excessive permissions
Container Security
- Containers running as root
- Missing resource limits (CPU, memory)
- Privileged container mode enabled
- Missing security contexts in Kubernetes pods
- Images pulled without digest pinning
Logging & Monitoring
- Disabled audit logging
- Missing CloudTrail or equivalent
- Containers without health checks
- Missing log aggregation configuration
Compliance
- Resources missing required tags
- Non-compliant storage configurations
- Missing backup and recovery settings
Scan Modes
Full Repository Scan
IaC scanning runs on all infrastructure files in your repository, reporting every detected misconfiguration.
PR Scan
During PR scanning, only changed infrastructure files are analyzed. New misconfigurations appear as inline comments on the PR.
Remediation
Each IaC finding includes:
- Description — what the misconfiguration is and why it matters.
- Severity — rated using the same CVSS-based scoring as SAST findings.
- Affected resource — the specific file, resource type, and configuration block.
- Remediation guidance — AI-generated recommendations for fixing the misconfiguration.
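As an added example (not ZeroPath’s code or its rule set), the following Python checker implements a handful of rules from the misconfiguration categories above over a constructed CloudFormation JSON template and shows the two scan modes: `scan_template` reports every finding, as a full repository scan does, and `new_findings` reports only misconfigurations that are absent from the base revision, which is what a PR scan surfaces. The rule ids, severities, required-tag set and template contents are all constructed for this example; each finding carries the description, severity, affected resource and remediation fields listed under Remediation.

```python
"""Minimal CloudFormation (JSON) misconfiguration checker.

Added example, not ZeroPath's scanner. Rule ids, severities and the
templates below are constructed for illustration.
"""
import json
from typing import Iterator, List, NamedTuple


class Finding(NamedTuple):
    # Field set mirrors what the docs list under Remediation.
    rule: str          # short rule id (constructed for this example)
    resource: str      # logical ID of the template resource
    severity: str
    description: str
    remediation: str


def _props(res: dict) -> dict:
    return res.get("Properties") or {}


def _as_list(value) -> list:
    # IAM policy documents allow a string or a list for Action/Resource/Statement.
    return value if isinstance(value, list) else [value]


def check_open_ingress(name: str, res: dict) -> Iterator[Finding]:
    """Network & Access Control: security group ingress open to the world."""
    if res.get("Type") != "AWS::EC2::SecurityGroup":
        return
    for rule in _props(res).get("SecurityGroupIngress", []):
        cidr = rule.get("CidrIp") or rule.get("CidrIpv6")
        if cidr in ("0.0.0.0/0", "::/0"):
            yield Finding("sg-open-ingress", name, "HIGH",
                          f"ingress from {cidr} on ports {rule.get('FromPort')}-{rule.get('ToPort')}",
                          "restrict CidrIp to known source ranges or a security group reference")


def check_unencrypted_bucket(name: str, res: dict) -> Iterator[Finding]:
    """Encryption & Data Protection: S3 bucket without server-side encryption."""
    if res.get("Type") != "AWS::S3::Bucket":
        return
    if "BucketEncryption" not in _props(res):
        yield Finding("s3-no-encryption", name, "MEDIUM",
                      "bucket has no BucketEncryption block",
                      "add BucketEncryption with a ServerSideEncryptionByDefault rule (SSE-S3 or SSE-KMS)")


def check_wildcard_iam(name: str, res: dict) -> Iterator[Finding]:
    """Identity & Permissions: IAM policy statement allowing Action * on Resource *."""
    if res.get("Type") not in ("AWS::IAM::Policy", "AWS::IAM::ManagedPolicy"):
        return
    statements = _as_list(_props(res).get("PolicyDocument", {}).get("Statement", []))
    for i, stmt in enumerate(statements):
        if stmt.get("Effect") != "Allow":
            continue
        if "*" in _as_list(stmt.get("Action", [])) and "*" in _as_list(stmt.get("Resource", [])):
            yield Finding("iam-wildcard", name, "CRITICAL",
                          f"Statement[{i}] allows Action * on Resource *",
                          "scope Action to the required API calls and Resource to specific ARNs")


def check_missing_tags(name: str, res: dict, required=("Owner",)) -> Iterator[Finding]:
    """Compliance: taggable resource missing required tags (required set is constructed)."""
    if res.get("Type") not in ("AWS::S3::Bucket", "AWS::EC2::SecurityGroup"):
        return
    present = {tag.get("Key") for tag in _props(res).get("Tags", [])}
    missing = [key for key in required if key not in present]
    if missing:
        yield Finding("missing-tags", name, "LOW",
                      f"missing required tags: {', '.join(missing)}",
                      "add the required tags to the resource's Tags list")


CHECKS = [check_open_ingress, check_unencrypted_bucket, check_wildcard_iam, check_missing_tags]


def scan_template(template_json: str) -> List[Finding]:
    """Full-scan behaviour: every finding in the template, in resource order."""
    template = json.loads(template_json)
    findings: List[Finding] = []
    for name, res in template.get("Resources", {}).items():
        for check in CHECKS:
            findings.extend(check(name, res))
    return findings


def new_findings(base_json: str, head_json: str) -> List[Finding]:
    """PR-scan behaviour: only findings that are not already present in the base revision."""
    base = set(scan_template(base_json))
    return [f for f in scan_template(head_json) if f not in base]


# Constructed sample: the base revision already has one unencrypted bucket.
BASE_TEMPLATE = json.dumps({"Resources": {
    "LogBucket": {"Type": "AWS::S3::Bucket",
                  "Properties": {"Tags": [{"Key": "Owner", "Value": "platform"}]}},
    "WebSg": {"Type": "AWS::EC2::SecurityGroup",
              "Properties": {"GroupDescription": "web tier",
                             "Tags": [{"Key": "Owner", "Value": "platform"}],
                             "SecurityGroupIngress": [{"IpProtocol": "tcp", "FromPort": 443,
                                                       "ToPort": 443, "CidrIp": "10.0.0.0/8"}]}}}})

# Constructed PR revision: opens SSH to the world and adds a wildcard IAM policy.
_head = json.loads(BASE_TEMPLATE)
_head["Resources"]["WebSg"]["Properties"]["SecurityGroupIngress"].append(
    {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22, "CidrIp": "0.0.0.0/0"})
_head["Resources"]["DeployPolicy"] = {
    "Type": "AWS::IAM::Policy",
    "Properties": {"PolicyName": "deploy", "Roles": ["DeployRole"],
                   "PolicyDocument": {"Version": "2012-10-17",
                                      "Statement": [{"Effect": "Allow", "Action": "*", "Resource": "*"}]}}}
HEAD_TEMPLATE = json.dumps(_head)

if __name__ == "__main__":
    print("full scan:", [(f.rule, f.resource, f.severity) for f in scan_template(HEAD_TEMPLATE)])
    print("PR scan  :", [(f.rule, f.resource, f.severity) for f in new_findings(BASE_TEMPLATE, HEAD_TEMPLATE)])
```

The full scan of the PR revision reports three findings (the pre-existing unencrypted bucket plus the two new ones), while `new_findings` reports only the open ingress rule and the wildcard policy, which is the behaviour a PR scan needs so that reviewers are not shown misconfigurations the change did not introduce.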
Configuration
IaC scanning is controlled through scanner settings with org/tag/repo-level inheritance:

| Setting | Default | What It Controls |
|---|---|---|
| IaC scanning enabled (full scan) | On | Run IaC scanning during full repository scans |
| IaC scanning enabled (PR scan) | On | Run IaC scanning during pull request scans |