Infrastructure-as-code review

Harden your Infrastructure-as-Code on every commit

Misconfigurations in Dockerfiles, Terraform plans, and Ansible playbooks are a leading cause of cloud security incidents. DeepSource analyzes your infrastructure-as-code on every commit, catching security risks, bad practices, and configuration errors before they reach production.

How it works

DeepSource includes dedicated analyzers for infrastructure-as-code that run alongside your application code analysis. On each commit to your default branch, DeepSource scans your infrastructure files for security risks and misconfigurations. Issues include file and line references and remediation guidance.

What it covers

Docker

Analyzes Dockerfiles for best-practice violations and security risks:

  • Running containers as root
  • Using latest or unversioned base images
  • Missing health checks
  • Exposing unnecessary ports
  • Inefficient layer ordering
  • Installing packages without pinned versions

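As an added illustration of what these Docker checks look like in practice (example code written for this page, not DeepSource's analyzer), the small Python linter below applies four of the rules listed above to a constructed Dockerfile: an unpinned base image, missing `USER` and `HEALTHCHECK` instructions, unpinned apt packages, and an exposed port that rarely belongs in an application image (the port list is an assumption).

```python
import re

# Constructed sample Dockerfile (not from the page) that trips several checks.
SAMPLE_DOCKERFILE = """\
FROM python:latest
RUN apt-get update && apt-get install -y curl
COPY . /app
EXPOSE 22 8080
CMD ["python", "/app/main.py"]
"""

SUSPECT_PORTS = {"22"}  # assumption: SSH inside an app image is a smell


def parse_instructions(text):
    """Yield (INSTRUCTION, argument) pairs, joining backslash-continued lines."""
    logical = re.sub(r"\\\n", " ", text)
    for line in logical.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        inst, _, arg = line.partition(" ")
        yield inst.upper(), arg.strip()


def lint_dockerfile(text):
    """Return sorted (rule, detail) findings for a Dockerfile string."""
    findings = []
    instructions = list(parse_instructions(text))
    seen = {inst for inst, _ in instructions}
    for inst, arg in instructions:
        if inst == "FROM":
            image = arg.split()[0]  # drop any "AS stage" suffix
            if image.endswith(":latest") or (":" not in image and "@" not in image):
                findings.append(("unpinned-base-image", image))
        elif inst == "USER" and arg in ("root", "0"):
            findings.append(("runs-as-root", f"USER {arg}"))
        elif inst == "RUN" and "apt-get install" in arg:
            # Pinned packages look like name=1.2.3; flag any without "=".
            tail = arg.split("apt-get install", 1)[1].split("&&")[0]
            unpinned = [p for p in tail.split() if not p.startswith("-") and "=" not in p]
            if unpinned:
                findings.append(("unpinned-packages", " ".join(unpinned)))
        elif inst == "EXPOSE":
            for port in arg.split():
                if port.split("/")[0] in SUSPECT_PORTS:
                    findings.append(("unnecessary-port", port))
    if "USER" not in seen:
        findings.append(("runs-as-root", "no USER instruction, container defaults to root"))
    if "HEALTHCHECK" not in seen:
        findings.append(("missing-healthcheck", "no HEALTHCHECK instruction"))
    return sorted(findings)
```

Each finding carries the rule name and the offending value, which is the shape of output a reviewer needs to act on a commit; a real analyzer would also report the line number.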
Terraform

Analyzes Terraform files (.tf) for security and compliance issues:

  • Unencrypted storage and databases
  • Overly permissive IAM policies
  • Public access to resources that should be private
  • Missing logging and monitoring
  • Insecure network configurations
  • Non-compliant resource tagging

Ansible

Analyzes Ansible playbooks, roles, and collections for bugs, security risks, and syntax issues:

  • Deprecated module usage
  • Missing or incorrect task attributes
  • Insecure use of shell commands
  • Hardcoded credentials in playbooks
  • Syntax errors in YAML

Key features

  • Same workflow as application code: IaC issues show up alongside your code quality and security issues in the same dashboard, with no separate tool to manage.
  • Continuous, not periodic: every commit is scanned, not just scheduled runs, so misconfigurations are caught early rather than after deployment.
  • Actionable output: each issue includes a description of the risk, the affected file and line, and a recommended fix.
  • Part of the full picture: IaC findings contribute to your OWASP Top 10 and CWE/SANS compliance reports, giving you a unified view of your security posture.

Getting started

Enable the Docker, Terraform, or Ansible analyzers from your repository settings. IaC analyzers run alongside your language analyzers with no extra setup. See Configure analyzers for details.
