IaC Rules
IaC rules detect insecure infrastructure configuration in code and build artifacts.
Sttor supports the full Checkov ruleset and a broad range of Infrastructure-as-Code formats.
Supported IaC Formats
- Terraform (`.tf`)
- OpenTofu (`.tf`)
- AWS CDK (as applicable in the pipeline)
- Kubernetes manifests (`.yaml`, `.yml`)
- Dockerfile
- Helm templates (when rendered or available in scan inputs)
- Other IaC formats supported through Checkov inputs
IaC Rule Identity
Because Sttor supports the complete Checkov ruleset, IaC findings can be represented in two forms:
- Native Sttor Rule IDs (`IAC-####`): used for standardized reporting, governance, and consistency across scans.
- Mapped Source Rule IDs: the underlying rule identifiers (for example, Checkov rule references) are preserved as metadata or tags for traceability.
IaC Rule Table (Example)
| ID | Title | Description | Remediation | Tags |
|---|---|---|---|---|
| IAC-0001 | Publicly exposed resource configuration | Detects IaC patterns that expose services or resources publicly without explicit justification. | Restrict exposure; use private networking; enforce least-privilege access controls. | iac, terraform, networking |
| IAC-0002 | Weak encryption / missing encryption | Detects storage or resources missing encryption at rest or using weak cryptographic configuration. | Enable encryption at rest; use managed keys or KMS as required. | iac, terraform, encryption |
| IAC-0003 | Kubernetes workload missing security hardening | Detects missing securityContext or risky default settings in Kubernetes manifests. | Add least-privilege pod and container security settings. | iac, kubernetes, workload-security |
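As an added example (not Sttor's or Checkov's code), here is a minimal check in the spirit of IAC-0003 from the table above: it walks a Kubernetes workload manifest and reports each container that lacks least-privilege settings as a finding carrying the native IAC ID and tags, with the mapped source-rule reference kept as metadata. The `Finding` class, `check_workload_hardening`, the sample manifests and the `SOURCE-RULE-ID-PLACEHOLDER` value are all constructed for this illustration.

```python
from dataclasses import dataclass

TAGS = ("iac", "kubernetes", "workload-security")

@dataclass(frozen=True)
class Finding:
    rule_id: str      # native Sttor-style rule ID (IAC-####)
    resource: str     # kind/name:container
    message: str
    source_rule: str  # mapped source rule reference kept as metadata (placeholder)
    tags: tuple = TAGS

def _pod_spec(manifest: dict) -> dict:
    """Pod spec for a bare Pod, or the template spec of a Deployment-style workload."""
    spec = manifest.get("spec", {})
    return spec if manifest.get("kind") == "Pod" else spec.get("template", {}).get("spec", {})

def check_workload_hardening(manifest: dict) -> list[Finding]:
    """Emit one IAC-0003 finding per missing least-privilege container setting."""
    pod = _pod_spec(manifest)
    pod_ctx = pod.get("securityContext") or {}
    base = f"{manifest.get('kind')}/{manifest.get('metadata', {}).get('name')}"
    findings = []
    for container in pod.get("containers", []):
        ctx = container.get("securityContext") or {}
        problems = []
        if ctx.get("privileged") is True:
            problems.append("privileged: true")
        if ctx.get("allowPrivilegeEscalation") is not False:
            problems.append("allowPrivilegeEscalation not explicitly false")
        if ctx.get("runAsNonRoot") is not True and pod_ctx.get("runAsNonRoot") is not True:
            problems.append("runAsNonRoot not true at pod or container level")
        if ctx.get("readOnlyRootFilesystem") is not True:
            problems.append("readOnlyRootFilesystem not true")
        res = f"{base}:{container.get('name')}"
        findings += [Finding("IAC-0003", res, p, "SOURCE-RULE-ID-PLACEHOLDER") for p in problems]
    return findings

# Constructed sample manifests (not from the page): risky defaults vs. hardened.
RISKY = {"kind": "Deployment", "metadata": {"name": "web"}, "spec": {"template": {"spec": {
    "containers": [{"name": "app", "image": "app:1"}]}}}}
HARDENED = {"kind": "Deployment", "metadata": {"name": "web"}, "spec": {"template": {"spec": {
    "securityContext": {"runAsNonRoot": True},
    "containers": [{"name": "app", "image": "app:1", "securityContext": {
        "allowPrivilegeEscalation": False, "readOnlyRootFilesystem": True,
        "capabilities": {"drop": ["ALL"]}}}]}}}}

if __name__ == "__main__":
    for f in check_workload_hardening(RISKY):
        print(f.rule_id, f.resource, f.message)
```

The risky manifest yields three findings (privilege escalation, root user, writable root filesystem); the hardened one yields none.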