Author: Fabrizio Salvador Elias Perez Peralta
Abstract
As Infrastructure as Code (IaC) evolves, the boundary between cloud provisioning and container configuration blurs. This article explores the application of Static Application Security Testing (SAST) using Trivy, an open-source vulnerability scanner listed in the OWASP tools catalog. While my colleague Gianfranco demonstrated the power of Checkov for AWS (referenced in GianfrancoArocutipa/checkov-iac-demo), this piece expands the scope by scanning both a Terraform deployment and a Docker container configuration in a single pass. The demonstration uncovers critical misconfigurations—including root-level container execution and unencrypted cloud storage—and details how to remediate them. Finally, it showcases how Trivy's SARIF output can be integrated into GitHub Actions, emphasizing the importance of developer experience and automated security gates in modern DevSecOps workflows.
The Evolution of IaC and the Need for SAST
In the modern DevSecOps landscape, a vulnerable system is rarely just about bad PHP or Python code. Often, the breach happens at the infrastructure level. You can write the most secure application in the world, but if the Docker container runs as root and the Terraform-managed S3 bucket holding the backups is public, you are compromised.







