II.
Workflow overview
Reference · liveworkflow:iac-security-scanning
IaC Security Scanning overview
Scans Infrastructure-as-Code templates (Terraform, CloudFormation, Helm, Pulumi) for misconfigurations, overly permissive IAM policies, unencrypted storage, public network exposure, and CIS benchmark violations before merge -- triaging findings by severity, suppressing accepted risks, and blocking deployments with critical violations. Excludes IaC authoring and drift remediation.
Attributes
displayName
IaC Security Scanning
workflowKind
security
triggerType
event-driven
typicalCadence
per-pull-request
complexity
single-team
description
Scans Infrastructure-as-Code templates (Terraform, CloudFormation, Helm,
Pulumi) for misconfigurations, overly permissive IAM policies, unencrypted
storage, public network exposure, and CIS benchmark violations before
merge -- triaging findings by severity, suppressing accepted risks, and
blocking deployments with critical violations. Excludes IaC authoring and
drift remediation.
Outgoing edges
applies_to_domain2
- domain:security·DomainSecurity
- domain:cloud-infra·DomainCloud Infrastructure
involves_role3
- role:security-reviewer·RoleSecurity Reviewer
- role:platform-engineer·RolePlatform Engineer
- role:cloud-architect·RoleCloud Architect
performed_by_org_unit2
- org-unit:security-team·OrgUnitSecurity Team
- org-unit:platform-team·OrgUnitPlatform Team
requires_skill_area2
- skill-area:terraform-infrastructure·SkillAreaTerraform Infrastructure as Code
- skill-area:container-security·SkillAreaContainer Security
triggers_responsibility2
- responsibility:run-security-scans·ResponsibilityRun security scans
- responsibility:terraform-state-mgmt·ResponsibilityTerraform state management
Incoming edges
follows_workflow2
- stack-profile:security-operations·StackProfileSecurity Operations Stack (Trivy, Falco, OPA, Vault, Snyk)
- stack-profile:terraform-landing-zone·StackProfileTerraform Landing Zone (Terraform, HCL, Vault, Go, OPA)