Practice English vocabulary for IaC security scanning: Checkov, policy checks, CI integration, finding suppression, and tools like tfsec, Terrascan, and KICS.
What does 'Checkov scans the Terraform for security misconfigurations' mean?
Checkov (originally from Bridgecrew, now part of Palo Alto Networks' Prisma Cloud) is one of the most widely used open-source IaC security scanners. It parses Terraform, CloudFormation, Azure ARM and Bicep templates, Kubernetes manifests, Helm charts, Dockerfiles and other IaC formats, and evaluates each resource against a built-in library of well over a thousand policies, each with a stable ID such as CKV_AWS_20. Because it works on the source files themselves (or on Terraform plan JSON), it needs no cloud credentials and reports PASSED or FAILED per resource before anything is deployed.
What does 'the policy check found an S3 bucket with public access' mean?
A policy check is a single rule evaluated against each resource in the code, for example 'an aws_s3_bucket must not use a public ACL'. IaC scanning runs these rules at code-review time, so the public-access misconfiguration is found while the bucket is still a Terraform resource definition in a pull request. The team fixes it in the code, and the vulnerable infrastructure is never created; the same issue found after apply would already be an exposed bucket. Note that 'public access' on S3 can come from a public ACL, a permissive bucket policy, or a missing public access block, and scanners cover each of these with a separate check, so a bucket can pass one and fail another.
What does 'the scan is part of the CI pipeline' mean?
Shifting IaC security scanning left into CI means the scanner runs on every proposed infrastructure change (typically on each pull request) and the job fails when a check fails, so a change carrying a misconfiguration cannot be merged into the main branch or reach production. In practice the scanner exits non-zero on unsuppressed findings and a branch-protection rule requires that job to pass. A caveat practitioners learn quickly: turning on a hard fail for every policy on day one blocks all work, so teams usually begin in a report-only (soft-fail) mode or with a short list of high-severity checks, then tighten as the backlog is cleared.
What does 'the finding is suppressed with justification' mean?
When a security finding is a known false positive or a deliberate design decision, teams suppress it with a justification rather than simply deleting or disabling the check, e.g. a comment placed inside the resource block: '#checkov:skip=CKV_AWS_20:Bucket intentionally public for static website' (CKV_AWS_20 is Checkov's check for a public-read S3 ACL). Because the suppression lives in the same file as the resource, it is reviewed with the code, shows up in 'git blame', and is reported by the scanner as SKIPPED with the reason attached, which maintains auditability. Suppressions applied from the command line or a config file also work, but an inline comment with a stated reason is the most traceable form, and teams should treat a skip with no justification as itself a review finding.
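The following Python script is an added example, not Checkov's own code, and it ties the three preceding entries together: a policy check over constructed Terraform, a '#checkov:skip=' comment that is honoured only when it carries a justification, and a CI-style exit code that fails the build while any unsuppressed finding remains. It is a deliberate simplification: it recognises only flat 'resource' blocks with key = "value" attributes and implements a single policy modelled on CKV_AWS_20 (public S3 ACL). The sample Terraform is constructed for the example, and the rule that an unjustified skip counts as a failure is this script's own policy; Checkov records a justification when one is given but does not require one.

```python
"""
Toy IaC policy check with Checkov-style skip comments.

Added example (not Checkov's code). Simplifications, labelled as such:
  - only top-level  resource "type" "name" { ... }  blocks are parsed
  - only  key = "value"  attributes are read (no nested blocks, no expressions)
  - one policy, modelled on CKV_AWS_20: an aws_s3_bucket must not use a public ACL
  - a skip comment without a justification is treated as a FAILED finding;
    that requirement is this script's, real Checkov accepts a bare skip
"""
import re
import sys

# Constructed sample Terraform: one real finding, one justified suppression,
# one compliant bucket.
SAMPLE_TF = '''
resource "aws_s3_bucket" "logs" {
  bucket = "example-logs"
  acl    = "public-read"
}

resource "aws_s3_bucket" "site" {
  #checkov:skip=CKV_AWS_20:Bucket intentionally public for static website
  bucket = "example-site"
  acl    = "public-read"
}

resource "aws_s3_bucket" "private" {
  bucket = "example-private"
  acl    = "private"
}
'''

RESOURCE_RE = re.compile(r'resource\s+"([^"]+)"\s+"([^"]+)"\s*\{(.*?)^\}', re.S | re.M)
ATTR_RE = re.compile(r'^\s*(\w+)\s*=\s*"([^"]*)"', re.M)
# Checkov comment syntax: #checkov:skip=<CHECK_ID>[:<justification>]
SKIP_RE = re.compile(r'#checkov:skip=(CKV\w*_\d+)(?::(.*))?')

PUBLIC_ACLS = {"public-read", "public-read-write", "authenticated-read"}


def parse_resources(tf_text):
    """Return one dict per resource: type, name, attrs, skips ({check_id: justification})."""
    resources = []
    for m in RESOURCE_RE.finditer(tf_text):
        rtype, rname, body = m.groups()
        attrs = dict(ATTR_RE.findall(body))
        skips = {s.group(1): (s.group(2) or "").strip() for s in SKIP_RE.finditer(body)}
        resources.append({"type": rtype, "name": rname, "attrs": attrs, "skips": skips})
    return resources


def check_s3_public_acl(resource):
    """Policy modelled on CKV_AWS_20. Returns True/False, or None if not applicable."""
    if resource["type"] != "aws_s3_bucket":
        return None
    # Terraform's default ACL is "private" when the attribute is omitted.
    return resource["attrs"].get("acl", "private") not in PUBLIC_ACLS


POLICIES = {"CKV_AWS_20": check_s3_public_acl}


def scan(tf_text):
    """Evaluate every policy on every resource; return (check_id, address, status, note) tuples."""
    results = []
    for res in parse_resources(tf_text):
        address = f'{res["type"]}.{res["name"]}'
        for check_id, policy in POLICIES.items():
            passed = policy(res)
            if passed is None:
                continue
            if passed:
                results.append((check_id, address, "PASSED", ""))
            elif check_id in res["skips"]:
                reason = res["skips"][check_id]
                if reason:
                    # Justified suppression: recorded, not counted as a failure.
                    results.append((check_id, address, "SKIPPED", reason))
                else:
                    # Unjustified suppression stays a finding so auditors can see it.
                    results.append((check_id, address, "FAILED", "skip has no justification"))
            else:
                results.append((check_id, address, "FAILED", ""))
    return results


def ci_exit_code(results):
    """CI gate: non-zero while any check is FAILED, so the pull request cannot be merged."""
    return 1 if any(r[2] == "FAILED" for r in results) else 0


if __name__ == "__main__":
    findings = scan(SAMPLE_TF)
    for check_id, address, status, note in findings:
        print(f"{status:8} {check_id} {address}" + (f"  ({note})" if note else ""))
    sys.exit(ci_exit_code(findings))
```

Run as a script it prints one line per resource and exits 1 because 'aws_s3_bucket.logs' is public without a skip; the 'site' bucket is reported as SKIPPED with its reason rather than silently dropped, which is the auditability the text describes.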
What are tfsec, Terrascan, and KICS in the IaC security ecosystem?
Several IaC security scanners exist alongside Checkov, with overlapping but not identical policy sets: tfsec (Aqua Security) focuses specifically on Terraform and is being folded into Aqua's Trivy scanner; Terrascan (Tenable, formerly Accurics) expresses its policies in OPA's Rego language and covers Terraform, Kubernetes, Helm, Dockerfile and CloudFormation; and KICS (Checkmarx) covers Terraform, CloudFormation, Ansible, Dockerfile, Kubernetes and more. Because each tool names its checks differently and ships its own rules, a finding suppressed for one scanner is not suppressed for another, and teams that run two of them should expect to reconcile duplicate findings.