IaC Scan
Infrastructure as Code (IaC) scanning detects security misconfigurations in your deployment files before they reach production. Gerion uses KICS (Keeping Infrastructure as Code Secure), the open-source scanner by Checkmarx. The scan is static: it inspects the declared configuration in the files you point it at, so it catches what is written there, not drift introduced after deployment.
Run
```bash
gerion iac-scan [PATH]

# Scan the current directory
gerion iac-scan .

# Save results as JSON
gerion iac-scan . --format json --output-file iac.json

# Send results to the Gerion API
gerion iac-scan . --api-url $GERION_API_URL --api-key $GERION_API_KEY
```
Supported technologies
| Platform | File types |
|---|---|
| Terraform | .tf, .tfvars, modules |
| Kubernetes | .yaml / .yml manifests |
| Helm | Chart.yaml, values.yaml, templates |
| Docker | Dockerfile, docker-compose.yml |
| AWS CloudFormation | .yaml, .json |
| Azure Resource Manager | ARM templates .json |
| Azure Bicep | .bicep |
| Google Deployment Manager | .yaml, .jinja |
| Ansible | playbooks, roles |
| OpenAPI / Swagger | .yaml, .json |
| Crossplane | resources .yaml |
Detected misconfiguration categories
| Category | Examples |
|---|---|
| Unauthorized access | Ports exposed to the world (0.0.0.0/0), public SSH |
| Insecure containers | Running as root, privileged: true, excessive capabilities |
| Exposed storage | Public S3/GCS buckets, unencrypted disks |
| Disabled encryption | Databases without at-rest encryption, plaintext HTTP instead of TLS |
| Logging & auditing | Disabled CloudTrail, missing access logs |
| Permissive IAM | *:* policies, overly broad roles |
| Networking | Open security groups, VPCs without private subnets |
| Secrets in IaC | Credentials or tokens hardcoded in environment variables |
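To make the categories above concrete, the following Terraform file is an added example written for this page (it is not from the Gerion or KICS documentation). Each resource that trips a category is paired with its hardened form; the variable, bucket and KMS key names and the 203.0.113.0/24 CIDR are placeholders.

```hcl
# Added example, not Gerion or KICS code. var.vpc_id, aws_kms_key.artifacts
# and aws_s3_bucket.access_logs are assumed to exist elsewhere in the module.

# --- Unauthorized access / Networking ---------------------------------------
# BAD: SSH open to the whole internet (0.0.0.0/0).
resource "aws_security_group" "bastion_open" {
  name   = "bastion-open"
  vpc_id = var.vpc_id

  ingress {
    from_port   = 22
    to_port     = 22
    protocol    = "tcp"
    cidr_blocks = ["0.0.0.0/0"]
  }
}

# GOOD: SSH restricted to a known admin range (placeholder CIDR).
resource "aws_security_group" "bastion_restricted" {
  name        = "bastion-restricted"
  description = "SSH from the corporate VPN range only"
  vpc_id      = var.vpc_id

  ingress {
    description = "SSH from VPN"
    from_port   = 22
    to_port     = 22
    protocol    = "tcp"
    cidr_blocks = ["203.0.113.0/24"] # TEST-NET-3, replace with your own range
  }
}

# --- Exposed storage / Disabled encryption / Logging -------------------------
# BAD: world-readable bucket, no server-side encryption, no access logging.
resource "aws_s3_bucket" "artifacts_open" {
  bucket = "example-artifacts-open"
}

resource "aws_s3_bucket_acl" "artifacts_open" {
  bucket = aws_s3_bucket.artifacts_open.id
  acl    = "public-read"
}

# GOOD: public access blocked, KMS encryption enforced, access logs shipped.
resource "aws_s3_bucket" "artifacts" {
  bucket = "example-artifacts"
}

resource "aws_s3_bucket_public_access_block" "artifacts" {
  bucket                  = aws_s3_bucket.artifacts.id
  block_public_acls       = true
  block_public_policy     = true
  ignore_public_acls      = true
  restrict_public_buckets = true
}

resource "aws_s3_bucket_server_side_encryption_configuration" "artifacts" {
  bucket = aws_s3_bucket.artifacts.id
  rule {
    apply_server_side_encryption_by_default {
      sse_algorithm     = "aws:kms"
      kms_master_key_id = aws_kms_key.artifacts.arn
    }
  }
}

resource "aws_s3_bucket_logging" "artifacts" {
  bucket        = aws_s3_bucket.artifacts.id
  target_bucket = aws_s3_bucket.access_logs.id
  target_prefix = "s3/artifacts/"
}

# --- Permissive IAM ----------------------------------------------------------
# BAD: wildcard action on wildcard resource (*:*).
data "aws_iam_policy_document" "admin_everything" {
  statement {
    actions   = ["*"]
    resources = ["*"]
  }
}

# GOOD: least privilege, one action scoped to one prefix of one bucket.
data "aws_iam_policy_document" "artifacts_reader" {
  statement {
    actions   = ["s3:GetObject"]
    resources = ["${aws_s3_bucket.artifacts.arn}/builds/*"]
  }
}
```

Running `gerion iac-scan .` against a directory containing only the BAD resources should report findings in the unauthorized access, exposed storage, disabled encryption, logging and permissive IAM categories; with only the GOOD resources present those findings should disappear, which makes a file like this a convenient smoke test for a new query set passed via --queries-path.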
Options
| Option | Description |
|---|---|
| --format | Output format: json, markdown or sarif |
| --output-file | Write results to a file instead of submitting them to the API |
| --queries-path | Path to a directory of custom KICS queries |
| --api-url | Gerion API Gateway URL |
| --api-key | M2M (machine-to-machine) API key |
| --timeout | Scan timeout in seconds (default: 180) |
| --log-level | Log verbosity: debug, info, warning or error |