Infrastructure-as-code security scanning validates that infrastructure definitions follow security best practices before deployment. Checkov, tfsec, and KICS scan Terraform, Kubernetes manifests, CloudFormation templates, and other IaC definitions for security misconfigurations: open security groups, unencrypted storage, overly permissive IAM policies, missing logging configurations, and non-compliant data residency settings.
IaC scanning runs in the CI pipeline on every infrastructure change, catching misconfigurations before they reach production. Reference OPA/Rego policies enforce compliance-specific constraints such as mandatory tags on AI infrastructure resources and EU data residency.
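As an added example (not code from this page or from the programme it describes), the following Python check evaluates the two constraints just named, mandatory tags and EU residency, against a `terraform show -json` plan, mirroring what a reference Rego policy would test; the tag names, the EU region allowlist and the sample plan are assumptions constructed for the demonstration.

```python
import json

# Assumed policy parameters (not from the page): tags every AI resource must carry,
# and the AWS regions treated as satisfying EU data residency.
MANDATORY_TAGS = {"ai-system", "data-classification", "owner"}
EU_REGIONS = {"eu-west-1", "eu-west-2", "eu-west-3", "eu-central-1", "eu-north-1", "eu-south-1"}


def iter_resources(module):
    """Walk a terraform plan JSON module tree (root_module plus nested child_modules)."""
    for res in module.get("resources", []):
        yield res
    for child in module.get("child_modules", []):
        yield from iter_resources(child)


def evaluate(plan):
    """Return a list of violation strings for a `terraform show -json` plan dict."""
    violations = []
    # Data residency: any provider pinned to a region outside the allowlist fails.
    providers = plan.get("configuration", {}).get("provider_config", {})
    for name, cfg in providers.items():
        region = cfg.get("expressions", {}).get("region", {}).get("constant_value")
        if region is not None and region not in EU_REGIONS:
            violations.append(f"provider {name}: region {region} is outside the EU")
    # Mandatory tags: every managed, taggable resource must carry the full set.
    root = plan.get("planned_values", {}).get("root_module", {})
    for res in iter_resources(root):
        values = res.get("values", {})
        if res.get("mode", "managed") != "managed" or "tags" not in values:
            continue  # data sources and untaggable resource types are out of scope
        missing = sorted(MANDATORY_TAGS - set(values.get("tags") or {}))
        if missing:
            violations.append(f"{res['address']}: missing tags {', '.join(missing)}")
    return violations


# Constructed sample plan (not real infrastructure): one compliant bucket,
# one notebook instance missing tags, and a provider pinned to a non-EU region.
SAMPLE_PLAN = json.loads("""{
  "planned_values": {"root_module": {"resources": [
    {"address": "aws_s3_bucket.training_data", "type": "aws_s3_bucket", "mode": "managed",
     "values": {"tags": {"ai-system": "fraud-model", "data-classification": "personal", "owner": "ml-platform"}}},
    {"address": "aws_sagemaker_notebook_instance.dev", "type": "aws_sagemaker_notebook_instance", "mode": "managed",
     "values": {"tags": {"owner": "ml-platform"}}}
  ]}},
  "configuration": {"provider_config": {"aws": {"expressions": {"region": {"constant_value": "us-east-1"}}}}}
}""")

if __name__ == "__main__":
    findings = evaluate(SAMPLE_PLAN)
    for finding in findings:
        print("FAIL", finding)
    raise SystemExit(1 if findings else 0)  # non-zero exit blocks the CI stage
```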
IaC scanning complements the cloud security posture management (CSPM) described above. CSPM detects configuration drift in deployed infrastructure; IaC scanning prevents misconfigurations from being deployed in the first place. Both layers are necessary for defence in depth. Scan results are retained as Module 9 evidence.
Key outputs
- IaC scanning in the CI pipeline (Checkov, tfsec, KICS)
- Compliance-specific policy enforcement (OPA/Rego)
- Complementary to CSPM for deployed infrastructure
- Module 9 AISDP evidence