# Infrastructure as Code (IaC)

## About

Infrastructure as Code (IaC) is the practice of managing and provisioning infrastructure with machine-readable definition files, rather than physical hardware configuration or interactive configuration tools. It's a key practice in DevOps and is used in conjunction with cloud computing.

When it comes to security, IaC both helps and brings its own challenges.

IaC is a powerful tool for managing infrastructure, and it can significantly improve security when used properly: definitions can be reviewed, versioned and scanned before anything is provisioned. However, the same automation provisions a misconfiguration just as faithfully as a correct setting, so it requires careful management to avoid introducing new security risks.

## Tools

* Aqua [tfsec](https://github.com/aquasecurity/tfsec) ([web](https://aquasecurity.github.io/tfsec/)): a static analysis security scanner for your Terraform code.
* Tenable [terrascan](https://github.com/tenable/terrascan) ([web](https://runterrascan.io/)): detects compliance and security violations across Infrastructure as Code to mitigate risk before provisioning cloud native infrastructure.
* Bridgecrew [Checkov](https://github.com/bridgecrewio/checkov) ([web](https://www.checkov.io/)): prevent cloud misconfigurations and find vulnerabilities during build-time in infrastructure as code, container images and open source packages.
* [Regula](https://github.com/fugue/regula) ([web](https://regula.dev/)): checks infrastructure as code templates (Terraform, CloudFormation, k8s manifests) for AWS, Azure, Google Cloud, and Kubernetes security and compliance using Open Policy Agent/Rego.
* [Terraform Compliance](https://github.com/terraform-compliance/cli) ([web](https://terraform-compliance.com/)): a lightweight, security and compliance focused test framework for Terraform that enables negative testing of your infrastructure-as-code.
* Checkmarx [kics](https://github.com/Checkmarx/kics) ([web](https://kics.io/)): KICS (Keeping Infrastructure as Code Secure) is an open source solution for static code analysis of Infrastructure as Code.
* Stelligent [Cfn Nag](https://github.com/stelligent/cfn_nag): looks for patterns in CloudFormation templates that may indicate insecure infrastructure.
* [ggshield](https://github.com/GitGuardian/ggshield) ([GitGuardian](https://www.gitguardian.com/)): find and fix hardcoded secrets and infrastructure-as-code misconfigurations.
* [Ansible lint](https://github.com/ansible/ansible-lint) ([web](https://ansible-lint.readthedocs.io/)): ansible-lint checks playbooks for practices and behavior that could potentially be improved.
