Terraform Security Anti-Patterns: 10 Misconfigurations Found in Real Production Code
Every cloud breach investigation that starts with an exposed credential or an open S3 bucket ends the same way: someone finds a .tf file, or a terraform.tfstate in an S3 bucket, or a CI pipeline that ran terraform apply with admin keys baked into an environment variable. Terraform is not inherently insecure, but the patterns that make it fast to use are precisely the patterns that create the largest attack surface. Hardcoded secrets survive in Git history after deletion. State files store every resource attribute in plaintext, including passwords, private keys, and connection strings, regardless of whether you marked them sensitive. Security groups drift to 0.0.0.0/0 during a 2 AM incident and never get corrected. IAM policies accumulate wildcards because the initial prototype was never tightened. These are not hypothetical risks; they are the literal findings in every major cloud IR engagement of the past five years.