# IaC Scanning

> Identify misconfigurations in your infrastructure-as-code before deployment

## How It Works

ZeroPath's Infrastructure-as-Code (IaC) scanner detects security misconfigurations in your infrastructure definitions before they're deployed. It runs alongside SAST, SCA, and secrets scanning as part of both full repository scans and PR scans.

* **Automated detection** analyzes your infrastructure files for misconfigurations that could expose your systems to attack — open security groups, missing encryption, overly permissive IAM policies, and more.
* **AI-enhanced validation** reviews each finding in context, providing human-readable descriptions, severity assessments, and exploitability **preconditions** tied to your specific infrastructure setup.
* **Unified findings** — IaC misconfigurations appear in the same ZeroPath findings stream as your other scan data, keeping remediation in one workflow.

## Supported Formats

ZeroPath scans the following infrastructure-as-code formats:

| Format                           | File Types                                 |
| -------------------------------- | ------------------------------------------ |
| **Terraform**                    | `.tf`, `.tfvars`                           |
| **Kubernetes**                   | YAML manifests, Helm charts                |
| **Docker**                       | `Dockerfile`, `docker-compose.yml`         |
| **CloudFormation**               | JSON and YAML templates                    |
| **Azure Resource Manager (ARM)** | JSON templates                             |
| **Helm**                         | Chart templates and `values.yaml`          |
| **GitHub Actions**               | Workflow YAML files (`.github/workflows/`) |

## Misconfiguration Categories

### Network & Access Control

* Overly permissive security groups (e.g., `0.0.0.0/0` ingress)
* Missing network policies in Kubernetes
* Unrestricted port exposure
* Public-facing resources without access controls

### Encryption & Data Protection

* Unencrypted storage volumes (EBS, S3, Azure Blob)
* Missing TLS/SSL configuration
* Unencrypted database connections
* Missing encryption at rest for managed services

### Identity & Permissions

* Overly broad IAM policies (e.g., `*` resource access)
* Missing least-privilege constraints
* Root/admin access without MFA requirements
* Service accounts with excessive permissions
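The following Python is an added illustration of the kind of rule behind the first three categories above; it is not ZeroPath's implementation, whose rules this page does not describe. It walks a constructed, abbreviated CloudFormation JSON template and flags world-open security-group ingress, an unencrypted EBS volume and an `Allow` statement with a wildcard action on `Resource: "*"`; all resource names and the template itself are made up.

```python
import json

# Constructed, abbreviated CloudFormation template (not from the page): required properties such as
# AssumeRolePolicyDocument are omitted; it carries one finding per category plus one clean volume.
TEMPLATE = json.loads(r'''{
  "Resources": {
    "WebSg": {"Type": "AWS::EC2::SecurityGroup", "Properties": {"SecurityGroupIngress": [
      {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22, "CidrIp": "0.0.0.0/0"},
      {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443, "CidrIp": "10.0.0.0/8"}]}},
    "DataVolume": {"Type": "AWS::EC2::Volume", "Properties": {"Size": 100, "AvailabilityZone": "us-east-1a"}},
    "Backups": {"Type": "AWS::EC2::Volume", "Properties": {"Size": 100, "AvailabilityZone": "us-east-1a", "Encrypted": true}},
    "DeployRole": {"Type": "AWS::IAM::Role", "Properties": {"Policies": [{"PolicyName": "deploy",
      "PolicyDocument": {"Statement": [{"Effect": "Allow", "Action": "s3:*", "Resource": "*"}]}}]}}
  }
}''')

WORLD = {"0.0.0.0/0", "::/0"}
IAM_TYPES = {"AWS::IAM::Role", "AWS::IAM::User", "AWS::IAM::Group", "AWS::IAM::Policy", "AWS::IAM::ManagedPolicy"}

def as_list(value):
    """CloudFormation accepts a string or a list for Statement/Action/Resource; normalise to a list."""
    return value if isinstance(value, list) else [value]

def check_template(template):
    """Return (logical_id, category, message) for each misconfiguration found in the template."""
    findings = []
    for lid, res in template.get("Resources", {}).items():
        rtype, props = res.get("Type"), res.get("Properties", {})
        if rtype == "AWS::EC2::SecurityGroup":
            for rule in props.get("SecurityGroupIngress", []):
                if rule.get("CidrIp") in WORLD or rule.get("CidrIpv6") in WORLD:
                    findings.append((lid, "network", f"ingress from anywhere on ports {rule.get('FromPort')}-{rule.get('ToPort')}"))
        elif rtype == "AWS::EC2::Volume" and str(props.get("Encrypted", "false")).lower() != "true":
            findings.append((lid, "encryption", "EBS volume is not encrypted at rest"))
        elif rtype in IAM_TYPES:
            # Inline policies live under Policies[].PolicyDocument; managed/standalone policies at PolicyDocument.
            docs = [p.get("PolicyDocument", {}) for p in props.get("Policies", [])]
            docs += [props["PolicyDocument"]] if "PolicyDocument" in props else []
            for doc in docs:
                for st in as_list(doc.get("Statement", [])):
                    actions, resources = as_list(st.get("Action")), as_list(st.get("Resource"))
                    wildcard_action = any(a == "*" or str(a).endswith(":*") for a in actions)
                    if st.get("Effect") == "Allow" and wildcard_action and "*" in resources:
                        findings.append((lid, "identity", f"Allow {actions} on every resource breaks least privilege"))
    return findings
```

The 443 rule scoped to `10.0.0.0/8` and the encrypted `Backups` volume pass, which is the distinction a scanner has to draw before it can rate the remaining findings.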

### Container Security

* Containers running as root
* Missing resource limits (CPU, memory)
* Privileged container mode enabled
* Missing security contexts in Kubernetes pods
* Images pulled without digest pinning

### Logging & Monitoring

* Disabled audit logging
* Missing CloudTrail or equivalent
* Containers without health checks
* Missing log aggregation configuration

### CI/CD Pipeline Security

CI/CD pipeline findings now appear under their own dedicated **CI/CD** category in the dashboard, separate from IaC findings. This makes it easier to filter and triage pipeline-specific security issues.

* Insecure GitHub Actions workflow configurations
* Unpinned action versions vulnerable to supply chain attacks
* Excessive workflow permissions
* Script injection via untrusted inputs in workflow expressions
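As an added example (not ZeroPath's code) of how the last three items above can be checked and fixed, this Python runs a line-based scan over two constructed GitHub Actions workflows: one carrying `write-all` permissions, an unpinned action and an issue title expanded inside a `run:` script, and one hardened with scoped permissions, SHA pinning and the title passed through an environment variable. The commit SHA in the hardened workflow is a placeholder, and the list of event fields treated as untrusted is an assumption rather than an exhaustive one.

```python
import re

# Constructed workflows (not from the page): the first carries the issues listed above, the second the fixes.
VULNERABLE = """\
on: issues
permissions: write-all
jobs:
  triage:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - run: |
          echo "New issue: ${{ github.event.issue.title }}"
"""
HARDENED = """\
on: issues
permissions:
  issues: write
jobs:
  triage:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@0000000000000000000000000000000000000000  # placeholder SHA, not a real commit
      - env:
          TITLE: ${{ github.event.issue.title }}  # expanded into an env var, so the shell never parses it
        run: echo "New issue: $TITLE"
"""
USES = re.compile(r"^\s*-?\s*uses:\s*(\S+)")
SHA_PINNED = re.compile(r"^\s*-?\s*uses:\s*\S+@[0-9a-f]{40}\b")
RUN_START = re.compile(r"^(\s*)-?\s*run:\s*(.*)$")
# Event fields an outside contributor controls (issue/PR/comment text, branch names); assumed list, not exhaustive.
UNTRUSTED = re.compile(r"\$\{\{\s*(github\.event\.(issue|pull_request|comment|review)\.[^}]*|github\.head_ref)\s*\}\}")

def check_workflow(text):
    """Return (line_no, kind, message) tuples; an empty list means none of the three checks fired."""
    findings, in_run, run_indent = [], False, 0
    for n, line in enumerate(text.splitlines(), 1):
        indent = len(line) - len(line.lstrip())
        if in_run and (indent > run_indent or not line.strip()):
            body = line  # continuation line of a `run: |` block scalar
        else:
            in_run, body = False, None
            if m := RUN_START.match(line):
                # A bare "|" or ">" after run: means the script continues on more-indented lines.
                run_indent, body, in_run = len(m.group(1)), m.group(2), m.group(2).strip() in ("|", ">", "|-", ">-")
        if body is not None and UNTRUSTED.search(body):
            findings.append((n, "injection", "untrusted event data expanded inside a shell command"))
        if (u := USES.match(line)) and not SHA_PINNED.match(line):
            findings.append((n, "unpinned", f"{u.group(1)} is not pinned to a commit SHA"))
        if re.match(r"^\s*permissions:\s*write-all\b", line):
            findings.append((n, "permissions", "write-all grants every GITHUB_TOKEN scope"))
    return findings
```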

### Compliance

* Resources missing required tags
* Non-compliant storage configurations
* Missing backup and recovery settings

## Scan Modes

### Full Repository Scan

IaC scanning runs on all infrastructure files in your repository, reporting every detected misconfiguration.

### PR Scan

During PR scanning, only changed infrastructure files are analyzed. New misconfigurations appear as inline comments on the PR.

## Remediation

Each IaC finding includes:

* **Description** — what the misconfiguration is and why it matters.
* **Severity** — rated using the same CVSS-based scoring as SAST findings.
* **Affected resource** — the specific file, resource type, and configuration block.
* **Preconditions** — deployment-context factors that affect whether the misconfiguration is actually exploitable. Examples include whether the resource is in a private subnet, whether organizational policies override the setting, or whether the configuration is only used in non-production environments. Each precondition cites evidence from configuration files when available.
* **Remediation guidance** — AI-generated recommendations for fixing the misconfiguration.

## Configuration

IaC scanning is controlled through scanner settings with org/tag/repo-level inheritance:

| Setting                              | Default | What It Controls                              |
| ------------------------------------ | ------- | --------------------------------------------- |
| **IaC scanning enabled (full scan)** | On      | Run IaC scanning during full repository scans |
| **IaC scanning enabled (PR scan)**   | On      | Run IaC scanning during pull request scans    |

IaC findings appear alongside SAST and other findings in your dashboard, API, and integrations. All IaC misconfigurations are consistently categorized under the **IaC** finding type (CI/CD pipeline findings use their own **CI/CD** category, as noted above), ensuring accurate filtering and reporting.
