Infrastructure-as-Code Security Misconfiguration
Severity: high

What is IaC Misconfig?
Infrastructure-as-Code files (Docker Compose, Kubernetes YAML, Terraform) deployed with insecure defaults create attack vectors before code even reaches production. Privileged containers, exposed ports, missing resource limits, and insecure configurations are common.
How it works
Developers write IaC manifests with default settings that favour convenience over security: containers run as root, ports bind to 0.0.0.0 instead of localhost, secrets are hardcoded in environment variables, resource limits are missing (enabling denial of service), and network policies allow unrestricted pod-to-pod traffic.
Impact
Container escape to the host, privilege escalation, denial of service through resource exhaustion, lateral movement between containers, secret exposure, and full cluster compromise.
ShieldReport's IaC Scanner statically analyses Docker Compose, Kubernetes YAML, and Terraform files for security anti-patterns including privileged mode, host networking, missing security contexts, exposed ports, and hardcoded secrets.
How to fix it
Run containers as non-root users. Set readOnlyRootFilesystem (Kubernetes) or read_only: true (Compose). Define CPU and memory limits. Use network policies to restrict traffic. Never hardcode secrets; use an external secret manager or the platform's secrets mechanism instead. Scan IaC files in CI/CD before deployment.
Code example
Vulnerable

# VULNERABLE: privileged container, no limits
services:
  app:
    image: myapp:latest
    privileged: true            # all capabilities and host devices; container escape is trivial
    ports:
      - "0.0.0.0:3306:3306"     # bound on every interface, reachable from the network
    environment:
      - DB_PASSWORD=hunter2     # secret hardcoded in the manifest, visible in `docker inspect`

Secure

# SECURE: non-root, limited, secrets external
services:
  app:
    image: myapp:latest
    user: "1000:1000"           # run as an unprivileged uid:gid
    read_only: true             # read-only root filesystem
    ports:
      - "127.0.0.1:3306:3306"   # bound to loopback only
    secrets:
      - db_password             # mounted at /run/secrets/db_password, never in the environment
    deploy:
      resources:
        limits:
          memory: 512M
          cpus: "0.5"

# Top-level definition of the secret the service references (added so the file is complete;
# the path is a placeholder for a file kept outside version control).
secrets:
  db_password:
    file: ./db_password.txt
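The following is an added example, not ShieldReport's IaC Scanner, showing how the anti-patterns listed above (privileged mode, host networking, ports bound to all interfaces, hardcoded secrets, missing user, writable root filesystem, missing resource limits) can be checked statically in a Docker Compose file. It runs on an already-parsed Compose document; the two sample inputs are constructed inline from the vulnerable and secure manifests above, and the SECRET_MARKERS list is an assumed heuristic. Loading a real docker-compose.yml needs PyYAML's yaml.safe_load, which load_compose imports only when called.

```python
"""Static anti-pattern checks for Docker Compose services (added example, not a vendor tool)."""
from __future__ import annotations

from typing import Any, Optional

# Environment variable names that usually carry credentials (assumed heuristic list).
SECRET_MARKERS = ("PASSWORD", "PASSWD", "SECRET", "TOKEN", "API_KEY", "PRIVATE_KEY")
# Host IPs that publish a port on every interface ("" is Docker's default when no IP is given).
ALL_INTERFACES = ("", "0.0.0.0", "[::]")

Finding = tuple[str, str, str]  # (service name, rule id, detail)


def _env_as_dict(env: Any) -> dict[str, Any]:
    """Compose accepts environment as a mapping or as a list of KEY=VALUE strings."""
    if isinstance(env, dict):
        return {str(k): v for k, v in env.items()}
    out: dict[str, Any] = {}
    for item in env or []:
        key, sep, value = str(item).partition("=")
        out[key] = value if sep else None  # bare KEY is inherited from the shell, not hardcoded
    return out


def _host_ip_of(port: Any) -> Optional[str]:
    """Return the host interface a published port binds to, or None if it is not published."""
    if isinstance(port, dict):  # long syntax: {target: 3306, published: 3306, host_ip: ...}
        if port.get("published") is None:
            return None
        return str(port.get("host_ip", ""))
    parts = str(port).rsplit(":", 2)
    if len(parts) == 1:   # "3306": container port only, nothing published on the host
        return None
    if len(parts) == 2:   # "3306:3306": Docker defaults the host IP to 0.0.0.0
        return ""
    return parts[0]       # "127.0.0.1:3306:3306" or "[::]:3306:3306"


def check_service(name: str, svc: dict[str, Any]) -> list[Finding]:
    """Run every check on one service definition."""
    findings: list[Finding] = []

    if svc.get("privileged") is True:
        findings.append((name, "PRIVILEGED", "privileged: true grants all capabilities and host devices"))
    if svc.get("network_mode") == "host":
        findings.append((name, "HOST_NETWORK", "network_mode: host shares the host network namespace"))
    if svc.get("pid") == "host":
        findings.append((name, "HOST_PID", "pid: host exposes every host process to the container"))

    for port in svc.get("ports") or []:
        host_ip = _host_ip_of(port)
        if host_ip is not None and host_ip in ALL_INTERFACES:
            findings.append((name, "PORT_ALL_INTERFACES", f"{port!r} is reachable on every interface"))

    for key, value in _env_as_dict(svc.get("environment")).items():
        looks_secret = any(marker in key.upper() for marker in SECRET_MARKERS)
        # "" and "${VAR}" are resolved at deploy time; anything else is a literal in the manifest.
        is_literal = value is not None and not (isinstance(value, str) and (value == "" or value.startswith("$")))
        if looks_secret and is_literal:
            findings.append((name, "HARDCODED_SECRET", f"{key} has a literal value in the manifest"))

    user = str(svc.get("user", "")).strip()
    if user == "":
        findings.append((name, "NO_USER", "no user: set; most images default to root"))
    elif user in ("root", "0") or user.startswith(("root:", "0:")):
        findings.append((name, "RUNS_AS_ROOT", f"user: {user} runs the process as root"))

    if svc.get("read_only") is not True:
        findings.append((name, "WRITABLE_ROOTFS", "read_only: true is not set"))

    # Limits may be under deploy.resources.limits or the older mem_limit / cpus service keys.
    limits = ((svc.get("deploy") or {}).get("resources") or {}).get("limits") or {}
    has_mem = "memory" in limits or "mem_limit" in svc
    has_cpu = "cpus" in limits or "cpus" in svc
    if not (has_mem and has_cpu):
        findings.append((name, "NO_RESOURCE_LIMITS", "memory and/or CPU limits missing (resource exhaustion DoS)"))
    return findings


def scan_compose(doc: dict[str, Any]) -> list[Finding]:
    """Check every service in a parsed Compose document."""
    findings: list[Finding] = []
    for name, svc in (doc.get("services") or {}).items():
        findings.extend(check_service(str(name), svc or {}))
    return findings


def load_compose(path: str) -> dict[str, Any]:
    """Load a Compose file with PyYAML (third-party; imported lazily so the checks run without it)."""
    import yaml  # type: ignore

    with open(path, encoding="utf-8") as fh:
        return yaml.safe_load(fh) or {}


# Constructed sample input: the vulnerable and secure manifests from this page, as the
# dicts yaml.safe_load would return for them.
VULNERABLE_COMPOSE: dict[str, Any] = {
    "services": {
        "app": {
            "image": "myapp:latest",
            "privileged": True,
            "ports": ["0.0.0.0:3306:3306"],
            "environment": ["DB_PASSWORD=hunter2"],
        }
    }
}

SECURE_COMPOSE: dict[str, Any] = {
    "services": {
        "app": {
            "image": "myapp:latest",
            "user": "1000:1000",
            "read_only": True,
            "ports": ["127.0.0.1:3306:3306"],
            "secrets": ["db_password"],
            "deploy": {"resources": {"limits": {"memory": "512M", "cpus": "0.5"}}},
        }
    },
    "secrets": {"db_password": {"file": "./db_password.txt"}},
}

if __name__ == "__main__":
    for label, doc in (("vulnerable", VULNERABLE_COMPOSE), ("secure", SECURE_COMPOSE)):
        results = scan_compose(doc)
        print(f"{label}: {len(results)} finding(s)")
        for service, rule, detail in results:
            print(f"  [{rule}] {service}: {detail}")
```

Run against the vulnerable manifest the scanner reports six findings (PRIVILEGED, PORT_ALL_INTERFACES, HARDCODED_SECRET, NO_USER, WRITABLE_ROOTFS, NO_RESOURCE_LIMITS); the secure manifest produces none. Wiring scan_compose into a CI job that fails the build on a non-empty result is the "scan IaC files before deployment" step from the fix list. The NO_USER rule is deliberately conservative: an image may set a non-root USER in its Dockerfile, so treat that finding as "verify", not "confirmed root".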