Infrastructure as Code (IaC) Security Analysis

The IaC Security Analysis workflow examines infrastructure configuration files for security misconfigurations and compliance violations. This workflow helps identify security issues in your infrastructure definitions before they’re deployed.

Overview

  • Workflow ID: iac
  • Primary Use Case: Security analysis of infrastructure configuration files
  • Output: SARIF and HTML security reports

Quick Start

# Analyze current directory for IaC files
fraim run iac --location .

# Analyze a specific repository
fraim run iac --location https://github.com/username/terraform-repo

# High-confidence findings only
fraim run iac --location . --confidence 9

# Focus on Terraform files
fraim run iac --location . --globs "*.tf" "*.tfvars"

Common Use Cases

1. Pre-Deployment Validation

# Validate infrastructure before deployment
fraim run iac --location ./terraform/ --confidence 8

2. CI/CD Pipeline Integration

# Automated IaC security scanning
fraim --show-logs false \
  run iac --location . \
  --confidence 8 \
  --output ./iac-security-reports/
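Gating a pipeline on the SARIF report this step writes is the usual next move, and the page does not show it. The following is an added example (not part of fraim or its docs): it parses a SARIF 2.1.0 file using only standard SARIF fields, summarises findings per level, and returns a non-zero exit code when anything at or above a chosen level is present. The embedded report and its rule ids are constructed placeholders; fraim's real rule ids and result properties are not shown on this page.

```python
import json
import sys
from collections import Counter

# Constructed sample SARIF 2.1.0 report (placeholder rule ids, not real fraim
# output) shaped like the report written to ./iac-security-reports/.
SAMPLE_SARIF = json.dumps({"version": "2.1.0", "runs": [{
    "tool": {"driver": {"name": "fraim"}},
    "results": [
        {"ruleId": "PLACEHOLDER-RULE-1", "level": "error",
         "message": {"text": "Security group allows ingress from 0.0.0.0/0"},
         "locations": [{"physicalLocation": {
             "artifactLocation": {"uri": "terraform/sg.tf"},
             "region": {"startLine": 12}}}]},
        {"ruleId": "PLACEHOLDER-RULE-2", "level": "warning",
         "message": {"text": "S3 bucket versioning disabled"},
         "locations": [{"physicalLocation": {
             "artifactLocation": {"uri": "terraform/s3.tf"},
             "region": {"startLine": 3}}}]},
        {"ruleId": "PLACEHOLDER-RULE-3", "level": "note",
         "message": {"text": "Consider adding resource tags"},
         "locations": []}]}]})

LEVELS = ["none", "note", "warning", "error"]  # SARIF levels, least to most severe

def parse_findings(sarif_text):
    """Flatten every result in every run into a dict with level/rule/file/line/message."""
    findings = []
    for run in json.loads(sarif_text).get("runs", []):
        for r in run.get("results", []):
            # A result may carry no location; fall back to an empty physicalLocation.
            loc = (r.get("locations") or [{}])[0].get("physicalLocation", {})
            findings.append({
                "level": r.get("level", "warning"),  # SARIF default when absent
                "rule": r.get("ruleId", "?"),
                "file": loc.get("artifactLocation", {}).get("uri", "<unknown>"),
                "line": loc.get("region", {}).get("startLine"),
                "message": r.get("message", {}).get("text", "")})
    return findings

def gate(findings, fail_on="error"):
    """Return (exit_code, per-level counts); exit_code is 1 if any finding >= fail_on."""
    threshold = LEVELS.index(fail_on)
    blocking = [f for f in findings if LEVELS.index(f["level"]) >= threshold]
    return (1 if blocking else 0), dict(Counter(f["level"] for f in findings))

if __name__ == "__main__":
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_SARIF
    fs = parse_findings(text)
    for f in fs:
        print(f"{f['level']:8} {f['file']}:{f['line']} {f['rule']} {f['message']}")
    code, counts = gate(fs, fail_on=sys.argv[2] if len(sys.argv) > 2 else "error")
    print("summary:", counts)
    sys.exit(code)
```

Run it as `python gate.py ./iac-security-reports/<report>.sarif warning` after the fraim step to fail the job on warnings as well as errors.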

3. Terraform Security Review

# Comprehensive Terraform analysis
fraim run iac --location . \
  --globs "*.tf" "*.tfvars" \
  --confidence 6

4. Kubernetes Manifest Analysis

# Kubernetes security analysis
fraim run iac --location ./k8s/ \
  --globs "*.yaml" "*.yml" \
  --confidence 7

5. Docker Security Analysis

# Container configuration analysis
fraim run iac --location . \
  --globs "Dockerfile" "docker-compose.yml" \
  --confidence 7

GitHub Actions

Use the official Fraim GitHub Action:

name: IaC Security
on:
  pull_request:
    paths:
      - '**.tf'
      - '**.yaml'
      - '**.yml'

jobs:
  iac-security:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v3
      
      - name: Run Fraim IaC Security Scan
        uses: fraim-dev/fraim-action@8d763963b80e2551c7ec3f5bdbd77bad6ce7658c
        with:
          anthropic-api-key: ${{ secrets.ANTHROPIC_API_KEY }}
          workflow: iac
          workflow_args: |
            {
              "confidence": 8,
              "chunk-size": 400,
              "max-concurrent-chunks": 5
            }

Available workflow_args

Argument               Type              Default  Description
confidence             integer (1-10)    7        Minimum confidence threshold for filtering findings
chunk-size             integer           500      Number of lines per chunk
limit                  integer           null     Limit the number of files to scan
globs                  array of strings  null     File patterns to include (uses workflow defaults if not provided)
max-concurrent-chunks  integer           5        Maximum number of chunks to process concurrently