![[The AI Show Episode 153]: OpenAI Releases o3-Pro, Disney Sues Midjourney, Altman: “Gentle Singularity” Is Here, AI and Jobs & News Sites Getting Crushed by AI Search](https://www.marketingaiinstitute.com/hubfs/ep%20153%20cover.png)
![GrandChase tier list of the best characters available [June 2025]](https://media.pocketgamer.com/artwork/na-33057-1637756796/grandchase-ios-android-3rd-anniversary.jpg?#)
_Andreas_Prott_Alamy.jpg?width=1280&auto=webp&quality=80&disable=upscale#)
![[Fixed] How to Recover Unsaved Word Document on Windows 10/11](https://www.pcworld.com/wp-content/uploads/2025/06/How-to-recover-unsaved-word-document-main.png?#)
![Some of our favorite Pixel 9 accessories [Video]](https://i0.wp.com/9to5google.com/wp-content/uploads/sites/4/2024/12/Pixel-9-cases-and-accessories-1.jpg?resize=1200%2C628&quality=82&strip=all&ssl=1){kind=tracking}
![Apple's F1 Camera Rig Revealed [Video]](https://www.iclarified.com/images/news/97651/97651/97651-640.jpg)
![Apple Shares New Apple Arcade Ad: 'Hold That Train!' [Video]](https://www.iclarified.com/images/news/97653/97653/97653-640.jpg)
What Is infrastructure As Code (IaC) Scanning?
This article was brought to you by Kumar Harsh, draft.dev. Infrastructure as code (IaC) is a popular practice in modern DevOps security and automation workflows. By treating infrastructure as code, teams can automate resource provisioning and deployments and significantly reduce efforts spent on manual configurations. However, just as with application code, IaC configurations can introduce […]
This article was brought to you by Kumar Harsh, draft.dev.
Infrastructure as code (IaC) is a popular practice in modern DevOps security and automation workflows. By treating infrastructure as code, teams can automate resource provisioning and deployments and significantly reduce efforts spent on manual configurations.
However, just as with application code, IaC configurations can introduce vulnerabilities and security misconfigurations when not adequately secured. They can even expose sensitive data or provide unintended access to cloud resources.
Misconfigured and unsecured IaC files are a leading cause of cloud security breaches. They’re part of the reason why Gartner says that through 2025, 99 percent of cloud security failures will be the customer’s fault.
To address this proactively, IaC scanning has emerged as a critical security practice. IaC scanning tools detect vulnerabilities, identify risky configurations, and verify compliance early in the development lifecycle—long before any infrastructure goes live.
In this article, you’ll discover why IaC scanning is essential and how it works and explore popular scanning tools like Checkov, Trivy, and Terrascan. You’ll also see how TeamCity simplifies integrating IaC scanning into your automated pipelines by providing built-in mechanisms to ensure your infrastructure remains secure and compliant from code to cloud.
TL;DR
- What is IaC scanning?
Infrastructure as Code (IaC) scanning is the process of statically analyzing infrastructure configuration files (like Terraform, CloudFormation, Kubernetes manifests) to detect misconfigurations, security vulnerabilities, and policy violations before they are deployed. - Why does it matter?
IaC scanning helps catch issues early in the development pipeline, ensuring secure cloud infrastructure, preventing breaches, and supporting compliance with standards like SOC 2, ISO 27001, and NIST. - How does TeamCity support it?
TeamCity allows seamless integration of IaC scanning tools into your CI/CD workflows. You can:- Add build steps for tools like Trivy or Checkov
- Configure failure conditions based on scan results
- Manage pipeline logic with Kotlin DSL
- Use the TeamCity Terraform Provider for full infrastructure-as-code CI/CD configuration
- Which tools are covered?
This article explores three leading open-source IaC scanning tools:- Checkov (Bridgecrew / Palo Alto Networks)
- Trivy (Aqua Security)
- Terrascan (Tenable / Accurics)
Why IaC scanning is important
As teams adopt IaC tools to automate provisioning, infrastructure definitions become as critical as application code. However, they often receive far less scrutiny. IaC allows developers to spin up complex cloud environments with a few lines of code, but small mistakes in these configurations can lead to outsized consequences.
Common IaC security issues include hard-coded secrets, overly permissive IAM roles, and unencrypted storage buckets, each capable of exposing your organization to breaches, data loss, or compliance violations. If left unchecked, these misconfigurations can quietly propagate across environments.
IaC scanning tools are foundational to IaC security practices, helping catch these risk points early in the production lifecycle. By analyzing your Terraform, CloudFormation, or Kubernetes manifests before deployment, scanning tools help you catch vulnerabilities and ensure adherence to organizational and regulatory standards like SOC 2, ISO 27001, and NIST.
How IaC works
IaC tools use static analysis, meaning they inspect the code directly without executing it, to identify configuration risks early in the lifecycle. Many scanners operate using a policy-as-code approach, where best practices and compliance requirements are defined as machine-readable rules.
For example, a policy might require that all storage buckets be encrypted or that no security group exposes port 22 to the public internet.
Tools like Checkov, Trivy, and Terrascan each offer extensive built-in policies for security, code compliance, and operational best practices. These rule sets can be extended or customized to match the standards your organization needs to follow (such as SOC 2, ISO 27001, or NIST).
The real value of these tools emerges when they’re embedded into your development workflow, especially your CI/CD pipelines. Instead of relying on ad hoc reviews or post-deployment audits, every commit or pull request can automatically trigger a scan.
Unsafe changes can be flagged or blocked entirely before they reach production. Developers receive fast, actionable feedback, and platform teams can enforce security and compliance at scale without slowing down releases.
This approach is often referred to as “shifting security left,” meaning moving checks earlier in the software delivery process. By catching issues during development rather than after deployment, teams reduce remediation costs, avoid downtime, and build infrastructure that’s secure by default.
Choosing an IaC scanning tool
Now that you understand what IaC scanning is and how it works, it’s time to choose a tool for your use case. Before you start looking at your options, here are five factors to keep in mind when evaluating these tools:
- IaC framework support: Ensure your selected tool aligns with your chosen IaC platform (Terraform, Kubernetes, CloudFormation, etc.).
- Customizability and policy enforcement: Look for tools with robust, extensible policy-as-code capabilities that allow tailored compliance enforcement.
- CI/CD integration: Verify ease of integration with your CI/CD pipeline (such as TeamCity) to ensure smooth automation and clear feedback to developers.
- Speed and performance: Pick a tool optimized for fast scanning to avoid slowing down your development process.
- Community and ecosystem: Consider tools backed by active communities that provide consistent updates, rich documentation, and responsive support.
Let’s now take a closer look at three popular tools that have gained significant traction within the IaC community.
IaC scanning tools comparison
| Feature | Checkov | Trivy | Terrascan |
| Supported platforms | Terraform, CloudFormation, Azure ARM, Kubernetes, Helm, Serverless | Terraform, Kubernetes, CloudFormation, Docker, Helm, YAML, JSON | Terraform, Kubernetes, CloudFormation, Azure ARM, Dockerfile, Helm |
| Policy customization | Python/YAML-based custom rules; 750+ built-in | Custom rules supported; broad coverage inherited from tfsec | Rego (OPA) based policies; 500+ built-in; highly extensible |
| TeamCity integration | Easy via script steps or Docker; CI-friendly output formats | Very easy; single-line install, fast scan, great for pipelines | Moderate; supports JSON/XML output for build parsing |
| Reporting formats | CLI output, JSON, JUnit, SARIF, GitHub PR comments | CLI, JSON, JUnit, GitHub annotations, SBOM | JSON, JUnit XML, SARIF, file output formats |
Notes:
- Checkov is the most mature for multi-framework support and compliance presets.
- Trivy is extremely lightweight and ideal for Terraform-first or speed-focused pipelines.
Terrascan stands out for enterprise policy control via OPA/Rego, but may require more setup.
Here’s a detailed description of each tool.
Checkov (by Bridgecrew)
Checkov is an open source tool from Bridgecrew (part of Palo Alto Networks) that supports an impressive array of IaC frameworks, such as Terraform, CloudFormation, Azure Resource Manager, Kubernetes, Helm, and Serverless Framework.
Checkov provides over 750 built-in policies covering security best practices. Its extensible framework also allows custom policy creation using Python or YAML, making it a flexible choice for teams with specific regulatory requirements.
You can integrate Checkov easily with popular CI/CD platforms like GitHub Actions, GitLab CI, Jenkins, and more to get concise, actionable feedback directly within build results. This can help you remediate issues swiftly and confidently.
Its robust reporting capabilities and compatibility with popular CI tools, including TeamCity, make Checkov a widely used, versatile choice.
Trivy (by Aqua Security)
Trivy (the successor of tfsec) is a fast, developer-friendly IaC scanning tool from Aqua Security that has great support for Terraform projects.
tfsec was designed with speed and usability in mind. It could parse Terraform code directly, quickly identifying common security vulnerabilities like unencrypted resources, overly permissive IAM policies, or potential network exposure.
Trivy retains all that, along with access to more languages and features in the same tool, as well as additional integrations with external tools and services.
Trivy offers support for IaC scanning in a wide range of configurations, including Kubernetes, Docker, Terraform, CloudFormation, Azure ARM templates, Helm, YAML, and JSON. Trivy is straightforward to install and use in continuous integration workflows. This makes it easy to integrate with TeamCity and other CI/CD tools for clear and actionable insights within pipeline outputs.
Just like Checkov, Trivy includes a comprehensive library of prebuilt security checks and also supports custom rule definitions. This flexibility, combined with exceptional ease of use, has earned tfsec and Trivy widespread popularity among Terraform-centric development teams.
Terrascan (by Accurics/Tenable)
Terrascan is another leading open source IaC scanning tool, developed by Accurics (now part of Tenable). It supports multiple IaC frameworks—including Terraform, Kubernetes, AWS CloudFormation, Helm, Dockerfile, and Azure ARM templates—making it ideal for teams managing multicloud or hybrid infrastructure.
Terrascan adopts a policy-as-code approach powered by Rego, Open Policy Agent’s policy language. This allows teams to easily create detailed, custom code compliance rules aligned with security standards like CIS Benchmarks, NIST SP 800-53, PCI DSS, and SOC 2.
This is in addition to the 500 policies it ships with out of the box. Terrascan is well-suited for organizations with complex compliance and policy enforcement requirements.
The use of the flexible Open Policy Agent framework differentiates Terrascan from other tools in the list. Integration into CI/CD pipelines is seamless as well; Terrascan easily exports results in formats such as JUnit XML or JSON, streamlining integrations with tools like TeamCity.
Using TeamCity for IaC scanning
Once you’ve selected an IaC scanning tool, the next step is to operationalize it within your CI/CD pipeline. That’s where TeamCity comes in.
As a powerful on-premise CI/CD solution, TeamCity allows you to automate your software and infrastructure deployments. TeamCity supports embedding IaC scanning seamlessly into its pipelines, enhancing security and compliance without compromising productivity.
This section explores how you can leverage TeamCity On-Premises to integrate popular IaC scanning tools (such as Checkov, Trivy, or Terrascan) into your build pipelines. We’ll demonstrate how you can set up automated scanning steps, define automatic failure conditions, and ensure secure infrastructure deployments by managing everything as code.
