Infrastructure-as-code (IaC) tools like Terraform and CloudFormation allow teams to define, manage, and provision their cloud infrastructure using code, as opposed to clicking through consoles or executing commands via a CLI. IaC adoption is now widespread and helps teams increase productivity and efficiency, but it also introduces new surface area for mistakes, defects, and other risks. For example, IaC templates can include misconfigurations such as overprivileged access policies or hardcoded credentials, which could provide threat actors with a potential attack path.
To catch these issues, many organizations use one tool to scan IaC in pull requests and another to scan the deployed cloud environment. This approach can work temporarily for smaller environments—but as infrastructure grows, producing reports and managing detection rules across multiple tools becomes difficult.
Datadog IaC Security addresses these challenges by surfacing IaC misconfigurations so you can monitor and mitigate risks from code to cloud. In this post we will discuss how Datadog IaC Security enables your team to:
- Detect cloud misconfigurations in code before they get to production
- View code and cloud misconfigurations together in one place
- Unify detection rules across code and infrastructure
Detect cloud misconfigurations in code before they get to production
IaC scanning is most commonly done in two places: in pull requests where new changes are suggested and in pipelines where IaC is processed and prepared for deployment. With Terraform, for example, scanning at the pull request stage involves parsing the Terraform HCL for misconfigurations in code. Scanning at the pipeline stage involves looking at the Terraform plan or state to see if there are misconfigurations in planned changes or existing infrastructure.
With Datadog IaC Security, you can install a GitHub app that will scan the Terraform HCL changes within pull requests. When misconfigurations are found, Datadog will leave a comment directly on the pull request with details about the finding and remediation steps where applicable. This keeps developers within the tool where code review normally happens and prevents context-switching, which is inefficient and error-prone. In the first half of 2025, we will introduce IaC scanning within pipelines via CLI.
View code and cloud misconfigurations together in one place
In addition to commenting on pull requests that contain misconfigured code, Datadog IaC Security also enables you to view all IaC issues in the Cloud Security Management (CSM) Misconfiguration Explorer. Simply toggle the Explorer to Static view to see the list of IaC findings with severity and code location.
Clicking into a misconfiguration finding will open the side panel where you can find additional details, including a brief description of the IaC rule associated with the finding, a preview of the offending code, and suggested steps for remediation.
Unify detection rules across code and infrastructure
In Datadog CSM, out-of-the-box and custom cloud misconfiguration rules are written in the Rego policy language and executed using Open Policy Agent. Datadog IaC Security uses the same engine and rule language which makes writing and managing rules easier for your team as your cloud environment grows.
Datadog IaC Security offers will come with several out-of-the-box rules to help you catch common IaC misconfigurations, such as unencrypted EBS volumes and unsafe YAML deserializations. By detecting these issues at the pull request stage, IaC Security helps you prevent these types of misconfigurations from ever reaching your production environment.
Secure your IaC with Datadog
Datadog IaC Security provides end-to-end coverage of your cloud environment, helping you detect issues before they make it to production. Datadog IaC Security integrates seamlessly into your developer workflows to provide a unified view of findings across code and cloud, and because you can use IaC Security alongside CSM and other Datadog products, you can manage all of your detection rules in a single platform.
Datadog IaC Security is now available in preview—sign up here to get started. If you’re not already using Datadog, get started today with a 14-day free trial.
