Abstract
Infrastructure as Code (IaC) has turned cloud infrastructure into source code — and, therefore, into a valid target for Static Application Security Testing (SAST). This article demonstrates the complete application of Checkov, an open-source IaC static analysis tool listed in the OWASP Source Code Analysis Tools catalog, to a Terraform project describing a small cloud system (S3, RDS and EC2). The initial scan detected 27 failed security checks — including a publicly readable bucket, a database exposed to the internet with a hardcoded password, and an instance vulnerable to SSRF credential theft — in roughly ten seconds, without an AWS account and without executing terraform. The configuration was then hardened to 0 failed checks (61 passed), with the three non-applicable policies suppressed through inline, documented justifications. Finally, the scan was integrated into a GitHub Actions pipeline that blocks any pull request reintroducing a misconfiguration, illustrating the DevSecOps principle of security as an automated gate. The full demo code and CI workflow are available at https://github.com/GianfrancoArocutipa/checkov-iac-demo.
SAST for infrastructure? Yes.
Static Application Security Testing (SAST) is usually explained with application code: find SQL injection in PHP, XSS in JavaScript. But since Infrastructure as Code became the standard — Terraform, Pulumi, OpenTofu, CloudFormation — your infrastructure is also source code. And it fails in its own ways: a public S3 bucket, a database exposed to the internet, an SSH port open to the world. These misconfigurations are behind a huge share of real cloud breaches, and the beautiful part is that they are visible in the code before anything is deployed. That is exactly what IaC SAST tools do: parse your .tf files and compare every resource against hundreds of security policies — no cloud account needed, no terraform apply, no risk.







