
iac-scanner

verified

Scans Infrastructure as Code for security misconfigurations. Wraps tfsec for Terraform and Checkov for multi-cloud IaC. Use when the user asks to "scan Terraform", "IaC security", "infrastructure scan", "tfsec", "checkov", "Terraformセキュリティ" (Japanese: "Terraform security"), "インフラスキャン" (Japanese: "infrastructure scan").


Marketplace: web-audit-marketplace (naporin0624/claude-web-audit-plugins)

Plugin: web-audit-tools (web-development)

Repository: naporin0624/claude-web-audit-plugins (2 stars)

Source file: skills/iac-scanner/SKILL.md

Last Verified: January 20, 2026

Install command:

npx add-skill https://github.com/naporin0624/claude-web-audit-plugins/blob/main/skills/iac-scanner/SKILL.md -a claude-code --skill iac-scanner

Installation paths:

Claude: .claude/skills/iac-scanner/

Instructions

# IaC Scanner

Wrapper for tfsec and Checkov that scans Infrastructure as Code (Terraform, CloudFormation, Kubernetes manifests, and other Checkov-supported formats) for security misconfigurations and reports the findings in a single JSON format.

## Prerequisites

```bash
# tfsec (Terraform focused)
brew install tfsec
# or
go install github.com/aquasecurity/tfsec/cmd/tfsec@latest

# Checkov (multi-cloud)
pip install checkov
# or
brew install checkov
```

## Usage

```bash
# Scan with auto-detection
npx iac-scanner .

# Force specific scanner
npx iac-scanner . --scanner tfsec
npx iac-scanner . --scanner checkov

# JSON output
npx iac-scanner . --json

# Check available scanners
npx iac-scanner --check

# Scan specific framework
npx iac-scanner . --framework terraform
npx iac-scanner . --framework kubernetes
npx iac-scanner . --framework cloudformation
```

## Supported Frameworks

| Scanner | Frameworks |
|---------|------------|
| tfsec | Terraform |
| Checkov | Terraform, CloudFormation, Kubernetes, ARM, Serverless, Helm |

## Output Format

```json
{
  "tool": "tfsec",
  "scanPath": ".",
  "scanDate": "2024-01-15T10:30:00Z",
  "findings": [
    {
      "id": "aws-s3-enable-bucket-encryption",
      "severity": "high",
      "message": "Bucket does not have encryption enabled",
      "resource": "aws_s3_bucket.data",
      "file": "main.tf",
      "line": 15,
      "resolution": "Enable bucket encryption"
    }
  ],
  "summary": {
    "total": 5,
    "critical": 1,
    "high": 2,
    "medium": 1,
    "low": 1
  }
}
```

## Common Misconfigurations

| Category | Example |
|----------|---------|
| Encryption | S3 bucket without encryption |
| Access Control | Public S3 bucket, open security groups |
| Logging | Missing CloudTrail, no access logs |
| Network | VPC without flow logs, open CIDR |
| IAM | Overly permissive policies, wildcard actions |
| Secrets | Hardcoded credentials in config |

## Exit Codes

- `0`: No issues found
- `1`: Issues detected
- `2`: Tool not installed or error
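The following is an added example, not code from the iac-scanner skill or its repository. It shows how a CI step can consume the JSON report documented under "Output Format" and reproduce the exit-code contract above: it recounts findings by severity rather than trusting the embedded `summary`, lets a pipeline block only at or above a chosen severity, and returns `2` when the input is not a usable report (the same code the tool uses for "not installed or error"). The sample report embedded in the script is constructed for the example; the finding ids other than `aws-s3-enable-bucket-encryption` are placeholders, not real tfsec or Checkov check ids, and the `--fail-on` and `--sample` flags belong to this script, not to `iac-scanner`.

```python
"""Gate a pipeline on an iac-scanner style JSON report (added example)."""
import json
import sys

# Severity ranks; an unknown severity ranks 0 and never blocks on its own.
SEVERITY_RANK = {"critical": 4, "high": 3, "medium": 2, "low": 1}

# Constructed sample shaped like the skill's "Output Format"; not real scan output.
# Only the first finding's id is a documented check id; the others are placeholders.
SAMPLE_REPORT = """{
  "tool": "tfsec",
  "scanPath": ".",
  "scanDate": "2024-01-15T10:30:00Z",
  "findings": [
    {"id": "aws-s3-enable-bucket-encryption", "severity": "high",
     "message": "Bucket does not have encryption enabled",
     "resource": "aws_s3_bucket.data", "file": "main.tf", "line": 15,
     "resolution": "Enable bucket encryption"},
    {"id": "sample-open-ingress-cidr", "severity": "medium",
     "message": "Security group allows ingress from 0.0.0.0/0",
     "resource": "aws_security_group.web", "file": "network.tf", "line": 8,
     "resolution": "Restrict the ingress CIDR range"},
    {"id": "sample-missing-flow-logs", "severity": "low",
     "message": "VPC does not have flow logs enabled",
     "resource": "aws_vpc.main", "file": "network.tf", "line": 1,
     "resolution": "Enable VPC flow logs"}
  ],
  "summary": {"total": 3, "critical": 0, "high": 1, "medium": 1, "low": 1}
}"""


def load_report(text):
    """Parse scanner JSON; return None when it is not a usable report."""
    try:
        report = json.loads(text)
    except json.JSONDecodeError:
        return None
    if not isinstance(report, dict) or not isinstance(report.get("findings"), list):
        return None
    return report


def summarize(findings):
    """Recount findings per severity instead of trusting the embedded summary."""
    counts = {"total": len(findings), "critical": 0, "high": 0, "medium": 0, "low": 0}
    for finding in findings:
        severity = str(finding.get("severity", "")).lower()
        if severity in counts:
            counts[severity] += 1
    return counts


def blocking_findings(findings, fail_on):
    """Findings whose severity is at or above the fail_on threshold."""
    threshold = SEVERITY_RANK[fail_on]
    return [f for f in findings
            if SEVERITY_RANK.get(str(f.get("severity", "")).lower(), 0) >= threshold]


def exit_code_for(report_text, fail_on="low"):
    """Map a report to the skill's exit codes: 0 clean, 1 issues, 2 error.

    fail_on="low" blocks on any finding, matching the tool's own contract;
    a higher threshold lets a pipeline tolerate lower-severity findings.
    """
    report = load_report(report_text)
    if report is None:
        return 2
    return 1 if blocking_findings(report["findings"], fail_on) else 0


def format_finding(finding):
    """One-line, grep-friendly rendering of a finding for CI logs."""
    return "{sev:<8} {file}:{line} {res} [{id}] {msg} -> {fix}".format(
        sev=str(finding.get("severity", "?")).upper(),
        file=finding.get("file", "?"), line=finding.get("line", "?"),
        res=finding.get("resource", "?"), id=finding.get("id", "?"),
        msg=finding.get("message", ""), fix=finding.get("resolution", ""))


def main(argv):
    """Usage: gate.py [--fail-on SEV] (REPORT.json | --sample); stdin if neither."""
    args, fail_on = list(argv), "low"
    if len(args) >= 2 and args[0] == "--fail-on":
        fail_on, args = args[1].lower(), args[2:]
    if fail_on not in SEVERITY_RANK:
        print("unknown severity threshold: %s" % fail_on)
        return 2
    if args and args[0] == "--sample":
        text = SAMPLE_REPORT
    elif args:
        with open(args[0], encoding="utf-8") as fh:
            text = fh.read()
    else:
        text = sys.stdin.read()
    report = load_report(text)
    if report is None:
        print("no usable report on input (scanner missing or failed?)")
        return 2
    for finding in blocking_findings(report["findings"], fail_on):
        print(format_finding(finding))
    print("summary (recounted): %s" % summarize(report["findings"]))
    return exit_code_for(text, fail_on)


if __name__ == "__main__":
    sys.exit(main(sys.argv[1:]))
```

Pipe the tool's JSON into it, for example `npx iac-scanner . --json | python gate.py --fail-on high`, and the step fails only on high or critical findings while still listing them. Recounting the summary is deliberate: if a post-processing step ever drops or merges findings, the recount and the embedded `summary` diverge, which is the kind of silent gap a gate should surface rather than hide.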

Validation Details

- Front Matter
- Required Fields
- Valid Name Format
- Valid Description
- Has Sections
- Allowed Tools
- Instruction Length: 1750 chars