IaC Scan

Infrastructure as Code (IaC) scanning detects security misconfigurations in your deployment files before they reach production. Gerion uses KICS (Keeping Infrastructure as Code Secure) by Checkmarx.

Run

gerion iac-scan [PATH]

# Scan the current directory
gerion iac-scan .

# Save results as JSON
gerion iac-scan . --format json --output-file iac.json

# Send results to the Gerion API
gerion iac-scan . --api-url $GERION_API_URL --api-key $GERION_API_KEY

Supported technologies

Platform	File types
Terraform	`.tf`, `.tfvars`, modules
Kubernetes	`.yaml` / `.yml` manifests
Helm	`Chart.yaml`, `values.yaml`, templates
Docker	`Dockerfile`, `docker-compose.yml`
AWS CloudFormation	`.yaml`, `.json`
Azure Resource Manager	ARM templates `.json`
Azure Bicep	`.bicep`
Google Deployment Manager	`.yaml`, `.jinja`
Ansible	playbooks, roles
OpenAPI / Swagger	`.yaml`, `.json`
Crossplane	resources `.yaml`

Detected misconfiguration categories

Category	Examples
Unauthorized access	Ports exposed to the world (0.0.0.0/0), public SSH
Insecure containers	Running as root, `privileged: true`, excessive capabilities
Exposed storage	Public S3/GCS buckets, unencrypted disks
Disabled encryption	Databases without at-rest encryption, HTTP traffic
Logging & auditing	Disabled CloudTrail, missing access logs
Permissive IAM	`:` policies, overly broad roles
Networking	Open security groups, VPCs without private subnets
Secrets in IaC	Environment variables with hardcoded values

Options

Option	Description
`--format`	Output format: `json` \| `markdown` \| `sarif`
`--output-file`	Save results to a file (disables API submission)
`--queries-path`	Path to a custom KICS queries directory
`--api-url`	Gerion API Gateway URL
`--api-key`	M2M API key
`--timeout`	Timeout in seconds (default: 180)
`--log-level`	`debug` \| `info` \| `warning` \| `error`