Aikido
Infrastructure as code (IaC)

Catch IaC Misconfigurations Early

Scan every Terraform, CloudFormation, and Helm change for critical misconfigurations.

  • Find misconfigs that expose your cloud
  • Catch issues before they merge to main
  • Filter out false positives automatically
Trusted by 25k+ orgs | See results in 30 sec.

"With Aikido, we can fix an issue in just 30 seconds – click a button, merge the PR, and it’s done."

"Aikido's auto-remediation feature is a huge time-saver for our teams. It cuts through the noise, so our developers can focus on what really matters."

“With Aikido, security is just part of the way we work now. It’s fast, integrated, and actually helpful for developers.”

Chosen by 25,000+ orgs worldwide

Importance of Infrastructure as Code Scanning

Why IaC Scanning Matters


Infrastructure as Code (IaC) scanning is crucial because it shifts security to the start of development.

It checks your infrastructure definition scripts (Terraform, CloudFormation, Helm, etc.) for misconfigurations before they provision your cloud resources.


CI/CD Integration

By integrating Aikido into your CI/CD pipeline, IaC misconfigurations are identified before they reach your main branch.


Only Shows Security Issues

Shows only misconfigurations that pose a security risk, so you aren’t overwhelmed by noise.

Features

Aikido's IaC features

Secure Your Pipeline

By integrating Aikido in your CI/CD pipeline, vulnerabilities are identified before they're committed to the default branch.


Removes False Positives

Aikido catches software that was manually installed (e.g. nginx), unlike other tooling such as Docker Hub.

Also Scans Dockerfiles

By scanning Dockerfiles, Aikido can also detect, for example, instances still using IMDSv1, which are susceptible to SSRF in AWS.

AI Autofix for IaC (& SAST)

Save time using Aikido’s LLM-based autofix. Preview the proposed solution, and generate a PR with a single click.

Scans production environment

IaC scans your code pre-deployment. Do you want to secure your production environment? Check our CSPM Scanner.

Only Shows Security Issues

Only shows misconfigurations that pose a security risk, so you don’t get overwhelmed with too many issues.


Full Coverage in One Platform

Replace your scattered toolstack with one platform that does it all—and shows you what matters.

  • Dependencies [Code]: Find vulnerable open-source packages in your dependencies, including transitive ones.
  • Cloud (CSPM) [Cloud]: Detects cloud infrastructure risks (misconfigurations, VMs, container images) across major cloud providers.
  • Secrets [Code]: Checks your code for leaked and exposed API keys, passwords, certificates, encryption keys, etc.
  • Static Code Analysis (SAST) [Code]: Scans your source code for security risks before an issue can be merged.
  • Infrastructure as Code Scanning (IaC) [Code]: Scans Terraform, CloudFormation & Kubernetes infrastructure-as-code for misconfigurations.
  • Dynamic Testing (DAST) [Test]: Dynamically tests your web app’s front-end & APIs to find vulnerabilities through simulated attacks.
  • License Risk & SBOMs [Code]: Monitors your licenses for risks such as dual licensing, restrictive terms, bad reputation, etc., and generates SBOMs.
  • Outdated Software (EOL) [Code]: Checks if any frameworks & runtimes you are using are no longer maintained.
  • Container Images [Cloud]: Scans your container images for packages with security issues.
  • Malware [Code]: Prevents malicious packages from infiltrating your software supply chain. Powered by Aikido Intel.
  • API Scanning [Test]: Automatically maps out and scans your API for vulnerabilities.
  • Virtual Machines [Cloud]: Scans your virtual machines for vulnerable packages, outdated runtimes and risky licenses.
  • Runtime Protection [Defend]: An in-app firewall for peace of mind. Automatically blocks critical injection attacks, introduces API rate limiting & more.
  • IDE Integrations [Code]: Fix issues as you code, not after. Get in-line advice to fix vulnerabilities before commit.
  • On-Prem Scanner [Code]: Run Aikido’s scanners inside your environment.
  • CI/CD Security [Code]: Automate security for every build & deployment.
  • AI Autofix [Cloud]: One-click fixes for SAST, IaC, SCA & containers.
  • Cloud Asset Search [Cloud]: Search your entire cloud environment with simple queries to instantly find risks, misconfigurations, and exposures.

Review

“Aikido is used by different departments (Dev teams, infra, CISO) to view our security posture. This improves security awareness as well as helps us to place the right priorities to solve issues”

Patrick L

CISO at HRlinkIT

What is Infrastructure-as-Code (IaC) scanning, and why should I scan my Terraform or CloudFormation code for security issues?

IaC scanning analyzes your infrastructure code (e.g., Terraform, CloudFormation, Kubernetes YAML) for misconfigurations before deployment. It helps catch issues like open S3 buckets or weak firewall rules early in the dev cycle. Fixing them in code is far easier than after they're live. Scanning ensures your cloud is secure by design - no surprises in production.

What kinds of misconfigurations can Aikido's IaC scanner catch (for example, open S3 buckets or overly permissive security groups)?

Aikido flags public storage buckets, overly open security groups (e.g., 0.0.0.0/0), unencrypted databases, excessive IAM permissions, and public VMs. It checks your code against best practices to catch common and critical misconfigs before deployment.

Which IaC frameworks does Aikido support (Terraform, CloudFormation, Kubernetes manifests, Helm charts, etc.)?

Aikido supports Terraform, CloudFormation, Kubernetes manifests, Helm charts, Azure ARM/Bicep templates, and more. Whether you use HCL, YAML, or JSON, Aikido can scan it for risks. Pulumi support is coming soon.

Can Aikido automatically fix or suggest fixes for issues found in my IaC configuration files?

Yes. Aikido suggests best-practice fixes and can auto-generate code patches or pull requests. For example, it can fix open security groups or missing encryption with one click. The fix will be available as a PR/MR for you to review and merge.

How do I integrate Aikido's IaC scanning into my development workflow or CI/CD pipeline?

You can integrate Aikido into CI/CD tools (GitHub Actions, GitLab, Jenkins, etc.), pre-commit hooks, or IDEs. Scans run automatically on commits or PRs and can block misconfigurations before merge or deploy.

Is Aikido's IaC scan fast enough for CI use? Will it slow down my Terraform apply or build pipeline?

Yes, it's fast and CI-friendly. Scans typically take seconds and don't interfere with Terraform apply. Even large projects complete quickly, making it practical for everyday use.

How does Aikido's IaC scanning compare to tools like Bridgecrew (Checkov) or Snyk IaC?

Aikido offers similar coverage but integrates with your full security stack. It reduces noise, auto-suggests fixes, and correlates IaC issues with running cloud resources. Unlike using multiple tools, it's all in one platform.

Can I define custom policies or rules for IaC checks in Aikido to fit our internal best practices?

Yes. You can create custom rules - e.g., "S3 buckets must have logging" or "disallow region X." Aikido supports flexible policy controls so your scans reflect your internal security standards.
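The two answers above list the kinds of checks an IaC scanner runs (world-open security groups, public buckets, unencrypted databases) and the kind of custom policy an organisation adds on top ("S3 buckets must have logging", "disallow region X"). The script below is an added illustration of how such a scanner works, written for this page; it is not Aikido's code, and its rule IDs, severities, `Finding` class and the Terraform-JSON-syntax sample it scans are all constructed for the example. It also shows the two workflow pieces the later answers describe: suppressing an accepted finding and turning the result into a CI exit code.

```python
"""Minimal IaC misconfiguration scanner over Terraform's JSON syntax (added example)."""
import json
from dataclasses import dataclass

# Constructed sample in Terraform JSON syntax. It deliberately contains one
# world-open SSH rule, one public bucket, one bucket without logging and one
# unencrypted database so that every rule below has something to report.
SAMPLE_TF_JSON = json.dumps({
    "provider": {"aws": {"region": "eu-west-1"}},
    "resource": {
        "aws_security_group": {
            "web": {
                "ingress": [
                    {"from_port": 22, "to_port": 22, "protocol": "tcp",
                     "cidr_blocks": ["0.0.0.0/0"]},
                    {"from_port": 443, "to_port": 443, "protocol": "tcp",
                     "cidr_blocks": ["10.0.0.0/8"]},
                ]
            }
        },
        "aws_s3_bucket": {
            "public_assets": {"acl": "public-read"},
            "audit_logs": {"acl": "private",
                           "logging": {"target_bucket": "central-logs"}},
        },
        "aws_db_instance": {
            "primary": {"engine": "postgres", "storage_encrypted": False},
        },
    },
})


@dataclass(frozen=True)
class Finding:
    rule_id: str    # hypothetical rule identifier, not a vendor rule name
    severity: str
    address: str    # Terraform-style address, e.g. aws_s3_bucket.public_assets
    message: str


def _as_list(value):
    """Nested blocks may be a single object or a list of objects in JSON syntax."""
    return value if isinstance(value, list) else [value]


def iter_resources(tf):
    for rtype, instances in tf.get("resource", {}).items():
        for name, body in instances.items():
            yield rtype, f"{rtype}.{name}", body


def builtin_rules(tf):
    """Checks of the kind every IaC scanner ships: open ingress, public ACL, no encryption."""
    findings = []
    for rtype, addr, body in iter_resources(tf):
        if rtype == "aws_security_group":
            for rule in _as_list(body.get("ingress", [])):
                if ("0.0.0.0/0" in rule.get("cidr_blocks", [])
                        or "::/0" in rule.get("ipv6_cidr_blocks", [])):
                    findings.append(Finding("SG_OPEN_INGRESS", "critical", addr,
                                            f"ingress on port {rule.get('from_port')} is open to the internet"))
        elif rtype == "aws_s3_bucket":
            if body.get("acl", "private").startswith("public"):
                findings.append(Finding("S3_PUBLIC_ACL", "critical", addr,
                                        f"bucket ACL is {body['acl']}"))
        elif rtype == "aws_db_instance":
            if not body.get("storage_encrypted", False):
                findings.append(Finding("RDS_UNENCRYPTED", "high", addr,
                                        "storage_encrypted is not true"))
    return findings


def custom_rules(tf, disallowed_regions=frozenset()):
    """Organisation policies: every bucket logs, and some regions are off limits."""
    findings = []
    for rtype, addr, body in iter_resources(tf):
        if rtype == "aws_s3_bucket" and "logging" not in body:
            findings.append(Finding("ORG_S3_LOGGING", "medium", addr,
                                    "bucket has no logging block"))
    for pname, pbody in tf.get("provider", {}).items():
        for cfg in _as_list(pbody):
            region = cfg.get("region")
            if region in disallowed_regions:
                findings.append(Finding("ORG_REGION_DENY", "high", f"provider.{pname}",
                                        f"region {region} is not allowed"))
    return findings


def scan(tf_json, disallowed_regions=frozenset(), ignore=frozenset()):
    """Run all rules; `ignore` holds (rule_id, address) pairs accepted as risk or false positive."""
    tf = json.loads(tf_json)
    findings = builtin_rules(tf) + custom_rules(tf, disallowed_regions)
    return [f for f in findings if (f.rule_id, f.address) not in ignore]


def ci_exit_code(findings, fail_on=("critical", "high")):
    """Non-zero exit blocks the merge; lower severities are reported but do not fail the build."""
    return 1 if any(f.severity in fail_on for f in findings) else 0


if __name__ == "__main__":
    results = scan(SAMPLE_TF_JSON, disallowed_regions={"eu-west-1"})
    for f in results:
        print(f"[{f.severity}] {f.rule_id} {f.address}: {f.message}")
    raise SystemExit(ci_exit_code(results))
```

On the constructed sample the scan yields five findings (open port 22, the public bucket, the unencrypted database, the bucket without logging, and the denied region); passing the logging finding in `ignore` drops it without touching the rule, which is the "accepted risk" path, while `fail_on` is where a team decides which severities may block a pipeline.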

If the IaC scanner flags something I consider acceptable, can I override it or prevent it from blocking deployments?

You can mark findings as ignored, accepted risk, or false positive. You can also customize rules to avoid blocking your CI/CD pipeline for intentional configs.

What if Aikido's IaC scanner reports a false positive or flags an intended config? How do I handle that?

You can adjust severity, add code annotations, or use config files to suppress specific checks. Aikido is built to adapt to your environment and reduce friction - not to block intended workflows.

Get secure for free

Secure your code, cloud, and runtime in one central system.
Find and fix vulnerabilities fast, automatically.

No credit card required | Scan results in 32 secs.