Infrastructure as Code Security

Secure your infra before you deploy it.

Misconfigurations cause 65% of cloud security incidents. codelake catches them in your IaC templates, not in production.

From Terraform modules to Kubernetes manifests, from Helm charts to Dockerfiles — codelake scans your infrastructure definitions against CIS Benchmarks, cloud provider best practices, and custom organizational policies.

$ codelake scan --iac .

▸ IaC scanning running...
  Found 24 Terraform files, 8 K8s manifests, 3 Dockerfiles
  Checking against CIS AWS Benchmark v1.5...
  Validating Kubernetes security policies...

CRITICAL  S3 bucket with public read access
  ↳ infra/storage.tf:14 · CIS 2.1.1
CRITICAL  Container running as root
  ↳ k8s/deployment.yaml:28 · PSS Restricted
HIGH      RDS instance without encryption
  ↳ infra/database.tf:7 · CIS 2.3.1
HIGH      Dockerfile uses latest tag
  ↳ Dockerfile:1 · Pin to specific version

✓ 35 files · 18 findings · 4 critical · 7 high · 7 medium

Supported Platforms

Every IaC tool. Every cloud provider.

codelake understands the full range of infrastructure-as-code formats, from cloud provisioning tools to container orchestration.


Terraform

Full HCL parsing for all major providers — AWS, GCP, Azure, DigitalOcean, Cloudflare. Understands modules, variables, and resource references.

500+ rules · CIS Benchmarks


CloudFormation

JSON and YAML template support. Resolves Ref, Fn::GetAtt, Fn::If and the Conditions they depend on, so a public setting hidden behind a parameter or condition is still evaluated. Validates against AWS best practices.

300+ rules · AWS Well-Architected
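Why resolving intrinsics matters before checking a property is easiest to see on a template where the public ACL is only reachable through Fn::If and a parameter. The script below is an added example, not codelake's code: it resolves Ref, Fn::GetAtt, Fn::If, Fn::Equals and Fn::Join over a constructed template (the bucket, policy and parameter names are made up) and then asks which buckets end up public, either by canned ACL or by a bucket policy granting to Principal "*".

```python
"""Resolve CloudFormation intrinsics before judging a bucket's exposure.

Added example, not codelake's own code. The template and the parameter
values are constructed; only Ref, Fn::GetAtt, Fn::If, Fn::Equals and
Fn::Join are handled, which is what the constructed template uses.
"""
import json

# Constructed template: the public ACL sits behind Fn::If and a parameter,
# and a second route to exposure (a bucket policy for Principal "*") refers
# to the bucket only through Ref and Fn::GetAtt.
TEMPLATE = json.loads("""
{
  "Parameters": {
    "Env": {"Type": "String", "Default": "prod"},
    "Acl": {"Type": "String", "Default": "PublicRead"}
  },
  "Conditions": {"IsProd": {"Fn::Equals": [{"Ref": "Env"}, "prod"]}},
  "Resources": {
    "Data": {"Type": "AWS::S3::Bucket",
             "Properties": {"AccessControl": {"Fn::If": ["IsProd", {"Ref": "Acl"}, "Private"]}}},
    "Logs": {"Type": "AWS::S3::Bucket",
             "Properties": {"AccessControl": "Private"}},
    "DataPolicy": {"Type": "AWS::S3::BucketPolicy",
      "Properties": {
        "Bucket": {"Ref": "Data"},
        "PolicyDocument": {"Statement": [{
          "Effect": "Allow", "Principal": "*", "Action": "s3:GetObject",
          "Resource": {"Fn::Join": ["", [{"Fn::GetAtt": ["Data", "Arn"]}, "/*"]]}}]}}}
  }
}
""")


def resolve(node, tpl, params):
    """Recursively replace intrinsic-function dicts with their resolved value."""
    if isinstance(node, list):
        return [resolve(n, tpl, params) for n in node]
    if not isinstance(node, dict):
        return node
    if len(node) == 1:
        (key, arg), = node.items()
        if key == "Ref":
            if arg in params:
                return params[arg]
            if arg in tpl.get("Resources", {}):
                return f"<{arg}>"          # logical id stands in for the physical id
            return node                    # pseudo parameter such as AWS::Region: keep as is
        if key == "Fn::GetAtt":
            logical, attr = arg if isinstance(arg, list) else arg.split(".", 1)
            return f"<{logical}.{attr}>"
        if key == "Fn::Equals":
            left, right = resolve(arg, tpl, params)
            return left == right
        if key == "Fn::If":
            cond, if_true, if_false = arg
            holds = resolve(tpl["Conditions"][cond], tpl, params)
            return resolve(if_true if holds else if_false, tpl, params)
        if key == "Fn::Join":
            sep, parts = arg
            return sep.join(str(p) for p in resolve(parts, tpl, params))
    return {k: resolve(v, tpl, params) for k, v in node.items()}


def parameter_values(tpl, overrides=None):
    """Parameter defaults, overridden by the values a deploy would pass."""
    values = {name: spec.get("Default") for name, spec in tpl.get("Parameters", {}).items()}
    values.update(overrides or {})
    return values


def public_buckets(tpl, overrides=None):
    """Logical ids of buckets with a public canned ACL or an Allow-to-everyone bucket policy."""
    resources = resolve(tpl["Resources"], tpl, parameter_values(tpl, overrides))
    public = set()
    for name, res in resources.items():
        props = res.get("Properties", {})
        if res["Type"] == "AWS::S3::Bucket" and props.get("AccessControl") in ("PublicRead", "PublicReadWrite"):
            public.add(name)
        if res["Type"] == "AWS::S3::BucketPolicy":
            for stmt in props["PolicyDocument"].get("Statement", []):
                if stmt.get("Effect") == "Allow" and stmt.get("Principal") in ("*", {"AWS": "*"}):
                    public.add(props["Bucket"].strip("<>"))
    return sorted(public)


if __name__ == "__main__":
    print("prod:", public_buckets(TEMPLATE))                  # Data, via ACL and via policy
    print("dev: ", public_buckets(TEMPLATE, {"Env": "dev"}))  # Data, via the policy alone
```

A grep for "PublicRead" finds nothing actionable in this template, and a deploy with Env=dev makes the ACL private yet leaves the bucket readable by everyone through the policy. Resolving references first is what lets a scanner report both routes against the one logical resource.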


Kubernetes

Validates Deployments, Services, Ingresses, RBAC, NetworkPolicies, and custom resources. Checks pod templates against the Pod Security Standards.

200+ rules · PSS Baseline & Restricted


Helm Charts

Renders Helm templates with values and scans the resulting manifests. Supports chart dependencies and sub-charts.

Full template rendering


Dockerfiles

Checks for running as root, unpinned base images, secrets in build args, unnecessary privileges, and inefficient layer ordering.

50+ rules · CIS Docker Benchmark
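The three Dockerfile checks that recur in this page (unpinned base image, final stage running as root, secrets smuggled through ARG/ENV) are simple enough to show as working detection logic. This is an added example, not codelake's rule set: a small instruction parser that joins continuation lines and tracks build stages, run over a constructed vulnerable Dockerfile and a hardened one. The sha256 digest in the hardened file is a placeholder, not a real image.

```python
"""Dockerfile checks for the three findings named above: unpinned base image,
final stage still running as root, and secret-looking ARG/ENV values.

Added example, not codelake's rules. The two Dockerfiles are constructed and
the sha256 digest in the hardened one is a placeholder, not a real image.
"""
import re

SECRET_NAME = re.compile(r"PASSW(OR)?D|SECRET|TOKEN|API_?KEY|PRIVATE_?KEY", re.I)


def instructions(text):
    """Yield (line, INSTRUCTION, args) with backslash continuations joined and comments dropped."""
    buf, start = "", 0
    for n, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not buf:
            if not line or line.startswith("#"):
                continue
            start = n
        if line.endswith("\\"):
            buf += line[:-1] + " "
            continue
        instr, _, args = (buf + line).partition(" ")
        yield start, instr.upper(), args.strip()
        buf = ""


def check(text):
    """Return findings as (line, severity, message) in the order they are detected."""
    findings, stages, stage_names = [], [], set()
    for line, instr, args in instructions(text):
        if instr == "FROM":
            tokens = [t for t in args.split() if not t.startswith("--")]   # drop --platform=...
            image = tokens[0]
            upper = [t.upper() for t in tokens]
            if "AS" in upper:
                stage_names.add(tokens[upper.index("AS") + 1])
            stages.append({"line": line, "user": "root"})                 # every stage starts as root
            if image not in stage_names and image != "scratch":
                ref = image.rsplit("/", 1)[-1]                            # strip registry/namespace
                # A tag is mutable and only a digest truly pins, but :latest or no tag is the real risk
                if "@sha256:" not in ref and (":" not in ref or ref.endswith(":latest")):
                    findings.append((line, "HIGH", f"base image {image} is not pinned to a tag or digest"))
        elif instr == "USER" and stages:
            stages[-1]["user"] = args.split(":")[0]
        elif instr in ("ARG", "ENV"):
            key = args.split("=")[0].split()[0]
            if SECRET_NAME.search(key):
                findings.append((line, "HIGH", f"{instr} {key} bakes a secret into the image; "
                                               "use RUN --mount=type=secret or inject at runtime"))
    if stages and stages[-1]["user"] in ("root", "0"):
        findings.append((stages[-1]["line"], "CRITICAL", "final stage runs as root; add a numeric USER"))
    return findings


# Constructed: a typical "works on my machine" multi-stage Dockerfile.
VULNERABLE = """\
# build stage
FROM --platform=linux/amd64 python:3.12-slim AS build
ARG PIP_INDEX_TOKEN
RUN pip install --no-cache-dir \\
    -r requirements.txt

FROM python
COPY --from=build /app /app
ENV DB_PASSWORD=hunter2
CMD ["python", "/app/main.py"]
"""

# Constructed fix: digest-pinned images, BuildKit secret mount, numeric non-root user.
HARDENED = """\
FROM python:3.12-slim@sha256:0000000000000000000000000000000000000000000000000000000000000000 AS build
RUN --mount=type=secret,id=pip_token pip install --no-cache-dir -r requirements.txt

FROM python:3.12-slim@sha256:0000000000000000000000000000000000000000000000000000000000000000
COPY --from=build /app /app
USER 10001:10001
CMD ["python", "/app/main.py"]
"""

if __name__ == "__main__":
    for label, text in (("vulnerable", VULNERABLE), ("hardened", HARDENED)):
        print(label, check(text) or "clean")
```

Two details matter for false positives: a FROM that names an earlier stage (or scratch) is not an image pull and must not be reported as unpinned, and the root check applies only to the last stage, since build stages never ship. The USER instruction is tracked as a numeric id because Kubernetes' runAsNonRoot can only verify a numeric user, not a name.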


Docker Compose

Validates compose files for privileged containers, exposed ports, volume mounts, network configurations, and secret handling.

30+ rules · Security best practices

What We Check

Every misconfiguration category that matters.

From overly permissive IAM policies to unencrypted storage, codelake covers every infrastructure security domain.


IAM & Access Control

Overly permissive policies, wildcard permissions, missing MFA requirements, unused roles, and cross-account access misconfigurations.


Network Security

Open security groups, missing network policies, workloads placed directly in public subnets instead of NAT-fronted private ones, unrestricted ingress/egress, and VPC misconfigurations.


Encryption

Unencrypted storage (S3, EBS, RDS), missing TLS configuration, unmanaged KMS keys, and data-at-rest encryption gaps.


Logging & Monitoring

Missing CloudTrail, disabled VPC Flow Logs, no access logging on S3, missing audit trails, and incomplete monitoring coverage.


Container Security

Running as root, privileged mode, missing resource limits, host network access, writable root filesystem, and missing security contexts.


Backup & Recovery

Missing backup configurations, disabled versioning, no deletion protection, missing lifecycle policies, and single-AZ deployments.

CIS Benchmark Compliance

Industry-standard compliance, built in.

codelake maps IaC findings to CIS Benchmark controls for AWS, GCP, Azure, and Kubernetes wherever a control applies (findings with no benchmark counterpart, such as an unpinned base image, carry a remediation note instead), giving you compliance-ready reports without separate tooling.

  • CIS AWS Foundations Benchmark v1.5
    100+ controls covering IAM, storage, logging, monitoring, and networking for AWS infrastructure.

  • CIS GCP Foundations Benchmark v1.3
    Identity, storage, networking, and compute controls for Google Cloud Platform resources.

  • CIS Azure Foundations Benchmark v1.5
    Security controls for Azure identity, storage, database, logging, and networking services.

  • CIS Kubernetes Benchmark v1.7
    Pod security, RBAC configuration, network policies, secrets management, and audit logging controls.

CIS AWS Benchmark Compliance

1. Identity & Access Management 92%
2. Storage 68%
3. Logging 85%
4. Monitoring 45%
5. Networking 78%
Overall Compliance 74%

Example Findings

Real findings from real infrastructure.

Critical

S3 bucket allows public read access

# infra/storage.tf:14
resource "aws_s3_bucket_acl" "data" {
  bucket = aws_s3_bucket.data.id
  acl    = "public-read"
}

CIS Control

2.1.1 — Ensure S3 bucket is not publicly accessible

Risk

Anyone on the internet can read all objects in this bucket

Fix

Set acl = "private" (or remove the aws_s3_bucket_acl resource and set object_ownership = "BucketOwnerEnforced" so ACLs are ignored entirely), add an aws_s3_bucket_public_access_block with all four settings true, and grant the principals that need access through a bucket policy

Critical

Kubernetes pod running as root

# k8s/deployment.yaml:28
spec:
  containers:
    - name: api
      securityContext:
        runAsUser: 0

Standard

Pod Security Standards — Restricted profile

Risk

Processes in the container run as uid 0; a container breakout from such a process lands as root on the node unless user namespaces remap it

Fix

Set runAsNonRoot: true together with runAsUser: 1000 (or higher); the Restricted profile also requires allowPrivilegeEscalation: false, dropping ALL capabilities, and a RuntimeDefault or Localhost seccompProfile
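To show what "PSS Restricted" means for this finding in practice, here is an added example (not codelake's code) that checks a Deployment's pod template against the Restricted-profile fields the fix mentions, plus two items from the container checklist above (writable root filesystem, missing resource limits). The manifests are constructed Python dicts, the shape yaml.safe_load would return, so the script needs no third-party parser; the image names are made up. Ephemeral containers are not covered.

```python
"""Check a workload's pod template against the Pod Security Standards
Restricted profile plus two container-checklist items.

Added example, not codelake's code. Manifests are constructed dicts in the
shape yaml.safe_load returns; image names are placeholders.
"""

VULNERABLE = {  # the k8s/deployment.yaml finding above, as a dict
    "apiVersion": "apps/v1", "kind": "Deployment",
    "spec": {"template": {"spec": {
        "containers": [{"name": "api", "image": "registry.example/api:latest",
                        "securityContext": {"runAsUser": 0}}]}}}}

HARDENED = {
    "apiVersion": "apps/v1", "kind": "Deployment",
    "spec": {"template": {"spec": {
        # Pod-level settings are inherited by every container unless overridden
        "securityContext": {"runAsNonRoot": True, "runAsUser": 10001,
                            "seccompProfile": {"type": "RuntimeDefault"}},
        "containers": [{"name": "api", "image": "registry.example/api:1.4.2",
                        "securityContext": {"allowPrivilegeEscalation": False,
                                            "readOnlyRootFilesystem": True,
                                            "capabilities": {"drop": ["ALL"]}},
                        "resources": {"limits": {"cpu": "500m", "memory": "256Mi"}}}]}}}}


def pod_spec(manifest):
    """Pod spec for a bare Pod, or the pod template spec of a workload controller."""
    return manifest["spec"] if manifest.get("kind") == "Pod" else manifest["spec"]["template"]["spec"]


def effective(pod_sc, container_sc, key):
    """Container securityContext wins over the pod-level value, as the kubelet merges them."""
    return container_sc.get(key, pod_sc.get(key))


def check_restricted(manifest):
    """Return (container, severity, message) findings; an empty list means the template passes."""
    spec = pod_spec(manifest)
    pod_sc = spec.get("securityContext", {})
    findings = []
    if any(spec.get(k) for k in ("hostNetwork", "hostPID", "hostIPC")):
        findings.append(("pod", "CRITICAL", "shares a host namespace"))
    for c in spec.get("initContainers", []) + spec.get("containers", []):
        name, sc = c["name"], c.get("securityContext", {})
        if sc.get("privileged"):
            findings.append((name, "CRITICAL", "privileged container"))
        # Restricted requires runAsNonRoot: true; runAsUser: 0 contradicts it (the finding above)
        if effective(pod_sc, sc, "runAsUser") == 0 or effective(pod_sc, sc, "runAsNonRoot") is not True:
            findings.append((name, "CRITICAL", "may run as root: set runAsNonRoot: true and a non-zero runAsUser"))
        if sc.get("allowPrivilegeEscalation") is not False:
            findings.append((name, "HIGH", "allowPrivilegeEscalation must be explicitly false"))
        caps = sc.get("capabilities", {})
        if "ALL" not in caps.get("drop", []) or set(caps.get("add", [])) - {"NET_BIND_SERVICE"}:
            findings.append((name, "HIGH", "must drop ALL capabilities; only NET_BIND_SERVICE may be added back"))
        seccomp = effective(pod_sc, sc, "seccompProfile") or {}
        if seccomp.get("type") not in ("RuntimeDefault", "Localhost"):
            findings.append((name, "HIGH", "seccompProfile must be RuntimeDefault or Localhost"))
        # Not part of PSS, but on the container checklist above
        if sc.get("readOnlyRootFilesystem") is not True:
            findings.append((name, "MEDIUM", "root filesystem is writable"))
        if not c.get("resources", {}).get("limits"):
            findings.append((name, "MEDIUM", "no resource limits"))
    return findings


if __name__ == "__main__":
    for label, manifest in (("vulnerable", VULNERABLE), ("hardened", HARDENED)):
        print(label, check_restricted(manifest) or "passes")
```

The pod-level versus container-level merge is the part scanners most often get wrong: runAsNonRoot set on the pod is satisfied for every container, but a container that sets runAsUser: 0 overrides it and the kubelet will refuse to start that container, so the checker evaluates the effective value per container rather than grepping for either key.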

Catch misconfigurations before they reach production.

Scan your Terraform, Kubernetes, and Docker files in under 2 minutes. CIS Benchmark compliance reports included. No credit card required.