
Applying Any SAST Tools for an Infrastructure as Code Application in Terraform

Abstract

Infrastructure as Code (IaC) with Terraform accelerates cloud provisioning but also increases the risk of security misconfigurations being deployed to production if not detected early. This article explores how Static Application Security Testing (SAST), commonly applied to application code, can also be used to scan Terraform projects for insecure configurations, hardcoded secrets, and unsafe defaults. We analyze the strengths (early detection, scalability, developer feedback), limitations (false positives, lack of runtime context, need for complete project scope), and practical selection criteria (Terraform support, precision, CI/CD integration, SARIF output). A complete GitHub demo project with automated scans using Semgrep and GitHub Actions is included, showing how to integrate SAST into a modern IaC security pipeline.

Introduction

Terraform has transformed the way organizations manage infrastructure by adopting Infrastructure as Code (IaC). However, IaC brings not only speed and automation but also new attack surfaces. A simple misconfiguration—such as a publicly accessible S3 bucket or overly permissive security group—can expose entire environments.
To prevent these issues, SAST tools like Semgrep can be applied directly to Terraform code. Unlike runtime security checks, SAST analyzes the codebase before deployment, making it possible to shift security left in the Software Development Lifecycle (SDLC).

Why Apply SAST to Terraform IaC?

  • Early detection: Issues are identified before provisioning resources.
  • Automation-friendly: Fits directly into CI/CD pipelines.
  • Scalable: Rules can be shared across teams and projects.
  • Customizable: Teams can define their own policies (e.g., enforcing encryption, disallowing public access).

Strengths of SAST for Terraform

  • Scalability – SAST tools can be integrated into nightly builds, CI/CD pipelines, and pull request checks.
  • Early Detection – Security flaws are discovered before deployment, reducing exposure in production environments.
  • Developer-Friendly Feedback – Many SAST tools highlight the exact Terraform file, resource, and line number where a problem occurs.
  • Automation Ready – IaC pipelines can automatically block deployments when high-severity issues are detected.

Weaknesses and Challenges

Despite its value, applying SAST to IaC is not without limitations:

  • High False Positives – Rules may flag patterns that are not real vulnerabilities.
  • Configuration Gaps – SAST cannot always detect contextual issues, such as overly permissive IAM roles combined across multiple files.
  • Dependency on Buildable Context – Some tools require the full Terraform project with providers and modules to analyze correctly.
  • Limited Coverage – Authentication logic, cryptographic misuse, or cloud-native misconfigurations may remain undetected.
Thus, SAST for Terraform should be complemented with dynamic tests, policy-as-code engines (e.g., Open Policy Agent), and runtime monitoring.

Semgrep and Terraform

Semgrep is an open-source static analysis tool that allows writing custom security rules in YAML. It can parse Terraform files and detect risky patterns.

Example rule to detect a public S3 bucket:

rules:
  - id: s3-bucket-public
    patterns:
      - pattern: |
          resource "aws_s3_bucket" "$X" {
            ...
            acl = "public-read"
            ...
          }
    message: "S3 bucket configured with public access."
    severity: ERROR
    languages: [terraform]

When applied to Terraform files, this rule highlights misconfigurations before they reach production.

Vulnerable Code Example (Terraform)

resource "aws_s3_bucket" "demo" {
  bucket = "demo-bucket-public"
  acl    = "public-read"
}

Secure Code Example (Terraform)

resource "aws_s3_bucket" "demo" {
  bucket = "demo-bucket-private"
  acl    = "private"
}
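The same check, written as an added Python example rather than run through Semgrep (this is not the article's, Semgrep's, or the demo repository's code): a small line-oriented matcher for the public-ACL pattern of the rule above, run over constructed copies of the vulnerable and secure bucket examples, reporting the file, resource and line as the article describes and emitting the SARIF output the abstract names as a selection criterion. The tool name tf-acl-check, the file names and the rule id are assumptions; the matcher only understands the inline `acl` argument form used in the examples, not one-line blocks or separate `aws_s3_bucket_acl` resources.

```python
"""Minimal SAST-style checker for the public-ACL pattern, with SARIF output.

Added example standing in for the Semgrep rule in the article: a hand-written
matcher scans Terraform text, reports file/line, and emits a SARIF 2.1.0 log
so the whole flow runs without Semgrep installed.
"""
import json
import re

# Constructed sample inputs mirroring the article's two aws_s3_bucket examples.
SAMPLE_FILES = {
    "vulnerable.tf": '''resource "aws_s3_bucket" "demo" {
  bucket = "demo-bucket-public"
  acl    = "public-read"
}
''',
    "secure.tf": '''resource "aws_s3_bucket" "demo" {
  bucket = "demo-bucket-private"
  acl    = "private"
}
''',
}

RULE_ID = "s3-bucket-public"            # same id as the article's Semgrep rule
RULE_MESSAGE = "S3 bucket configured with public access."
PUBLIC_ACLS = {"public-read", "public-read-write"}   # canned ACLs that grant anonymous access

BLOCK_START = re.compile(r'^\s*resource\s+"aws_s3_bucket"\s+"([^"]+)"\s*\{')
ACL_LINE = re.compile(r'^\s*acl\s*=\s*"([^"]*)"')


def scan_terraform(path, text):
    """Return findings for every public ACL inside an aws_s3_bucket block.

    Brace depth is tracked so an `acl` line is only attributed to the enclosing
    aws_s3_bucket resource, never to some other block in the same file.
    """
    findings = []
    in_bucket = None   # label of the bucket block we are inside, if any
    depth = 0
    for lineno, line in enumerate(text.splitlines(), start=1):
        if in_bucket is None:
            m = BLOCK_START.match(line)
            if m:
                in_bucket, depth = m.group(1), 1
            continue
        depth += line.count("{") - line.count("}")
        m = ACL_LINE.match(line)
        if m and m.group(1) in PUBLIC_ACLS:
            findings.append({
                "rule_id": RULE_ID,
                "file": path,
                "line": lineno,
                "resource": in_bucket,
                "acl": m.group(1),
                "message": RULE_MESSAGE,
            })
        if depth <= 0:          # closing brace of the resource block
            in_bucket = None
    return findings


def scan_all(files):
    """Scan a mapping of path -> Terraform text and collect all findings."""
    findings = []
    for path, text in files.items():
        findings.extend(scan_terraform(path, text))
    return findings


def to_sarif(findings):
    """Build a minimal SARIF 2.1.0 log, the format CI code-scanning features ingest."""
    return {
        "version": "2.1.0",
        "$schema": "https://json.schemastore.org/sarif-2.1.0.json",
        "runs": [{
            "tool": {"driver": {
                "name": "tf-acl-check",   # hypothetical tool name for this example
                "rules": [{"id": RULE_ID, "shortDescription": {"text": RULE_MESSAGE}}],
            }},
            "results": [{
                "ruleId": fd["rule_id"],
                "level": "error",
                "message": {"text": f"{fd['message']} (resource {fd['resource']!r}, acl={fd['acl']!r})"},
                "locations": [{"physicalLocation": {
                    "artifactLocation": {"uri": fd["file"]},
                    "region": {"startLine": fd["line"]},
                }}],
            } for fd in findings],
        }],
    }


def has_blocking_findings(sarif):
    """CI gate: any error-level result should fail the check and block the merge."""
    return any(r["level"] == "error" for run in sarif["runs"] for r in run["results"])


if __name__ == "__main__":
    sarif_log = to_sarif(scan_all(SAMPLE_FILES))
    print(json.dumps(sarif_log, indent=2))
    raise SystemExit(1 if has_blocking_findings(sarif_log) else 0)
```

Run as a script it prints the SARIF log and exits non-zero when the vulnerable bucket is present, which is the behaviour a pull-request check needs; on the two constructed inputs only vulnerable.tf line 3 is reported, and secure.tf produces no result.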

GitHub Actions Automation

The workflow .github/workflows/semgrep.yml ensures that every push and pull request is scanned:

name: Semgrep IaC Scan
on: [push, pull_request]
jobs:
  semgrep:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v3
      - uses: returntocorp/semgrep-action@v1
        with:
          config: ./semgrep-rules/terraform-public-resources.yml

  • Any insecure configuration is flagged automatically.
  • Prevents insecure Terraform from merging into main.
  • Provides instant feedback to developers.

Demo repository

👉 You can access the source code and configurations used in this article at the following link:
🔗 https://github.com/KrCrimson/semgrep-terraform-iac-demo.git

Conclusion

  • Applying SAST to Terraform is an effective way to prevent insecure IaC deployments.
  • Semgrep provides a flexible and open-source approach to scanning.
  • With GitHub Actions automation, security checks become continuous and scalable.
  • The demo repository offers a ready-to-use template for organizations looking to adopt security-as-code in their IaC workflows.
