IaC Scanning

DryRun Security scans Terraform configurations for security misconfigurations and insecure defaults in pull requests.

Overview

DryRun Security provides Infrastructure as Code scanning focused on Terraform configurations. When a pull request modifies .tf files, DryRun Security analyzes the changes for security misconfigurations and flags findings as part of its PR scanning workflow.

What It Detects

IaC scanning identifies common Terraform security issues including:

  • Overly permissive IAM policies - Roles or policies granting broader access than the workload needs (for example wildcard actions or resources), violating least privilege
  • Exposed resources - Security groups, firewall rules, or storage buckets that allow unintended public access (such as ingress from 0.0.0.0/0 or a bucket without public-access blocking)
  • Insecure defaults - Unencrypted data stores, disabled logging, or missing audit trails
  • Subdomain takeover risks - DNS records or CDN configurations that point at a resource which no longer exists, leaving a name an attacker could claim
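The following Terraform snippet is an added illustration, not DryRun Security's own code or an actual finding, showing one insecure and one remediated form for each category above. Resource names, the bucket name, the corporate CIDR, and the hostnames are placeholders chosen for the example.

```hcl
# Added example (not from DryRun Security): insecure vs. remediated Terraform
# for each finding category. All names, CIDRs and hostnames are placeholders.

variable "zone_id" {
  description = "Placeholder Route 53 hosted zone ID"
  type        = string
}

# --- Overly permissive IAM: wildcard action and resource (would be flagged) ---
resource "aws_iam_policy" "app_policy_insecure" {
  name = "app-policy-insecure"
  policy = jsonencode({
    Version   = "2012-10-17"
    Statement = [{ Effect = "Allow", Action = "*", Resource = "*" }]
  })
}

# --- Remediated: least privilege, named actions scoped to one bucket ---
resource "aws_iam_policy" "app_policy" {
  name = "app-policy"
  policy = jsonencode({
    Version = "2012-10-17"
    Statement = [{
      Effect   = "Allow"
      Action   = ["s3:GetObject", "s3:PutObject"]
      Resource = "${aws_s3_bucket.app_data.arn}/*"
    }]
  })
}

# --- Exposed resource: SSH reachable from the whole internet (would be flagged) ---
resource "aws_security_group" "web_sg_insecure" {
  name = "web-sg-insecure"
  ingress {
    from_port   = 22
    to_port     = 22
    protocol    = "tcp"
    cidr_blocks = ["0.0.0.0/0"]
  }
}

# --- Remediated: administrative access limited to a corporate range ---
resource "aws_security_group" "web_sg" {
  name = "web-sg"
  ingress {
    description = "SSH from corporate VPN only (placeholder CIDR)"
    from_port   = 22
    to_port     = 22
    protocol    = "tcp"
    cidr_blocks = ["10.20.0.0/16"]
  }
}

# --- Insecure defaults: bare bucket, no encryption config, no public-access block ---
resource "aws_s3_bucket" "app_data_insecure" {
  bucket = "example-app-data-insecure"
}

# --- Remediated: encryption at rest with KMS and all public access blocked ---
resource "aws_s3_bucket" "app_data" {
  bucket = "example-app-data"
}

resource "aws_s3_bucket_server_side_encryption_configuration" "app_data" {
  bucket = aws_s3_bucket.app_data.id
  rule {
    apply_server_side_encryption_by_default {
      sse_algorithm = "aws:kms"
    }
  }
}

resource "aws_s3_bucket_public_access_block" "app_data" {
  bucket                  = aws_s3_bucket.app_data.id
  block_public_acls       = true
  block_public_policy     = true
  ignore_public_acls      = true
  restrict_public_buckets = true
}

# --- Subdomain takeover risk: CNAME to a bucket website endpoint that this
#     configuration does not manage. If that bucket is deleted or was never
#     created, anyone who registers the bucket name controls old.example.com.
#     Remediation is to remove the record, or to reference the endpoint
#     attribute of a bucket managed in the same configuration so the record
#     and its target share a lifecycle.
resource "aws_route53_record" "old_site_dangling" {
  zone_id = var.zone_id
  name    = "old.example.com"
  type    = "CNAME"
  ttl     = 300
  records = ["old-site.s3-website-us-east-1.amazonaws.com"]
}
```

The insecure resources are kept alongside the remediated ones only so the two forms can be compared; in a real pull request you would replace the first with the second rather than keep both.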

Beyond the built-in IaC checks, teams can use Custom Code Policies to cover additional infrastructure concerns. Custom policies let you enforce specific configuration requirements, flag unapproved resource types, or define any other infrastructure rule that matters to your organization, extending IaC coverage to match your team's own infrastructure security requirements.

How Findings Appear

IaC findings are reported the same way as other DryRun Security results: as comments on pull requests and as entries in the Risk Register dashboard. Each finding includes the affected resource, a description of the risk, and guidance on remediation.