Infrastructure-as-Code (IaC) empowers scalable cloud deployments, but misconfigurations in IaC scripts can result in severe security breaches. This paper presents a comparative study between two approaches to IaC security scanning: Checkov, a well-known rule-based scanner, and TASCA (Taint-aware Static Configuration Analyzer), a custom algorithm based on taint flow analysis. Both tools are evaluated across accuracy, transparency, and traceability. TASCA illustrates enhanced contextual explainability with slightly lower coverage while Checkov functions best with predefined policies. This study evaluates six real-world Terraform configurations containing both direct and indirect misconfigurations. This comparison allows more informed decisions within DevSecOps pipelines.

错误:搜索内容不能为空,请输入英文关键词
错误:关键词超出字数限制,请精简
高级检索

Comparative Analysis of Infrastructure-as-Code Misconfiguration Detection Through Policy Driven Evaluation and Taint-Aware Static Reasoning

  • Anshuman B. Gokhale,
  • Vaishnavi Jayaprakash,
  • Nagasundari Singaravelu

摘要

Infrastructure-as-Code (IaC) empowers scalable cloud deployments, but misconfigurations in IaC scripts can result in severe security breaches. This paper presents a comparative study between two approaches to IaC security scanning: Checkov, a well-known rule-based scanner, and TASCA (Taint-aware Static Configuration Analyzer), a custom algorithm based on taint flow analysis. Both tools are evaluated across accuracy, transparency, and traceability. TASCA illustrates enhanced contextual explainability with slightly lower coverage while Checkov functions best with predefined policies. This study evaluates six real-world Terraform configurations containing both direct and indirect misconfigurations. This comparison allows more informed decisions within DevSecOps pipelines.