Free Browser Based Infrastructure as Code security scanner - Scan Terraform, Kubernetes, Docker, CloudFormation files for vulnerabilities in your browser. 180+ security rules, GitHub repo scanning, PDF reports. Privacy-first, no uploads.


peachycloudsecurity/iac-security-scanner


Browser-based Infrastructure as Code security scanner. Analyzes Terraform, Kubernetes, Docker, and CloudFormation files directly in your browser. No server, no uploads, everything runs client-side.

Features

  • 180+ security rules covering common misconfigurations
  • Supports Terraform, Kubernetes, Docker, CloudFormation
  • GitHub repository scanning with rate limit handling
  • PDF report export
  • Single file HTML output for easy deployment

Quick Start

Prerequisites

Node.js 18+ and npm

Installation

git clone https://github.com/yourusername/iac-security-scanner.git
cd iac-security-scanner
npm install

Development

npm run dev

Opens at http://localhost:5173

Build

npm run build

Builds a single index.html file in the docs/ folder. Open docs/index.html in your browser to use the scanner.

The build bundles all CSS and JavaScript inline into one HTML file using vite-plugin-singlefile.

Deployment

Upload docs/index.html to any static hosting service. Works with GitHub Pages, Netlify, Vercel, or any web server.

For GitHub Pages, enable Pages in the repository settings and point it to the docs folder. The included GitHub Actions workflow builds automatically on every push to the main branch.

Usage

  1. Upload a file or paste code
  2. Enter a GitHub repository URL to scan entire repos
  3. Review findings with severity ratings
  4. Export PDF reports

Supported File Types

  • Terraform: .tf, .tfvars, .hcl
  • Kubernetes: .yaml, .yml
  • Docker: Dockerfile, docker-compose.yml
  • CloudFormation: .template, .json, .yaml, .yml

GitHub Repository Scanning

Scan public GitHub repositories by entering the repository URL. The scanner handles rate limiting automatically with 200ms delays between requests. Unauthenticated GitHub API limit is 60 requests per hour.

Project Structure

src/
├── components/     # React components
├── rules/          # 180+ security rules by IaC type
├── parsers/        # File parsers for each format
├── engine/         # Core scanning logic
└── utils/          # GitHub client, PDF export, etc.

Build Scripts

  • npm run dev - Development server
  • npm run build - Production build to the docs/ folder
  • npm run preview - Preview production build locally
  • npm run lint - Run ESLint

Technical Details

  • Client-side only, no server required
  • Single file HTML output for production
  • Security rules based on Checkov and tfsec
  • Custom parsers for each IaC format
  • PDF generation with jsPDF

Troubleshooting

No findings detected: Check file format is supported and syntax is valid.

GitHub scanning errors: Rate limit (403) or private repository (404). Wait a few minutes and retry.

Large repositories: May take several minutes. Progress is shown during scanning.
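The GitHub scanning behaviour described above (200 ms between requests, 403 for rate limiting, 404 for private or missing repositories) as an added example; this is not the project's own client. It assumes the GitHub Git Trees and Contents REST endpoints and injects fetchImpl so the block runs offline against the constructed fakeFetch.

```javascript
// Added example (not the project's own code): a minimal GitHub scanning client with
// the README's 200 ms pause between requests and 403/404 mapped to the failure modes
// listed under Troubleshooting. fetchImpl is injected so it runs offline via fakeFetch.

const REQUEST_DELAY_MS = 200;
const SUPPORTED = /(\.tf|\.tfvars|\.hcl|\.ya?ml|\.json|\.template|(^|\/)Dockerfile)$/;
const sleep = (ms) => new Promise((resolve) => setTimeout(resolve, ms));

// Turn an HTTP status into the message the UI should show the user.
function classifyGitHubError(status, headers) {
  if (status === 404) return "not found (404): repository is private or does not exist";
  if (status !== 403) return `GitHub API error (${status})`;
  // GitHub signals rate limiting with 403 plus X-RateLimit-Remaining: 0.
  return headers.get("x-ratelimit-remaining") === "0"
    ? "rate limited (403): unauthenticated limit is 60 requests/hour, wait a few minutes"
    : "forbidden (403): access denied";
}

// Keep only blobs whose path matches a supported IaC file type.
function selectIacPaths(tree) {
  return tree.filter((e) => e.type === "blob" && SUPPORTED.test(e.path)).map((e) => e.path);
}

// Fetch the recursive tree, then each supported file, pausing between requests.
async function scanRepo(owner, repo, branch, fetchImpl) {
  const base = `https://api.github.com/repos/${owner}/${repo}`;
  const treeRes = await fetchImpl(`${base}/git/trees/${branch}?recursive=1`);
  if (!treeRes.ok) throw new Error(classifyGitHubError(treeRes.status, treeRes.headers));
  const paths = selectIacPaths((await treeRes.json()).tree);
  const files = [];
  for (const path of paths) {
    await sleep(REQUEST_DELAY_MS);
    const res = await fetchImpl(`${base}/contents/${path}?ref=${branch}`);
    if (!res.ok) throw new Error(classifyGitHubError(res.status, res.headers));
    const body = await res.json(); // contents API returns base64-encoded content
    files.push({ path, content: Buffer.from(body.content, "base64").toString("utf8") });
  }
  return files;
}

// Constructed stand-in for fetch: a tree with two IaC files, one README and a directory.
function fakeFetch(url) {
  const ok = (json) => Promise.resolve({ ok: true, status: 200, headers: new Map(), json: async () => json });
  if (url.includes("/git/trees/")) {
    return ok({ tree: [{ path: "main.tf", type: "blob" }, { path: "README.md", type: "blob" },
      { path: "k8s/deploy.yaml", type: "blob" }, { path: "src", type: "tree" }] });
  }
  const text = url.includes("main.tf") ? 'resource "aws_s3_bucket" "b" {}' : "kind: Deployment";
  return ok({ content: Buffer.from(text).toString("base64") });
}
```

With the real browser fetch, pass it as fetchImpl; its Response.headers object exposes the same get() used here.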

Credits

Security rules inspired by:

  • Checkov (bridgecrewio/checkov)
  • tfsec (aquasecurity/tfsec)
  • GitHub scanning functionality from sbomplay (cyfinoid/sbomplay)

License

GPL-3.0. See LICENSE file for details.

Disclaimer

This tool is designed for security auditing and analysis of Infrastructure as Code configurations you own or have explicit permission to analyze. Always ensure you have proper authorization before scanning repositories or configurations you don't own. The authors are not responsible for any misuse of this software.

This website, apps, scanner and results are provided strictly for educational purposes, independently authored and not endorsed by the author's employers or any corporate entity, provided without warranties or guarantees, with no liability accepted for misuse or misapplication.

Peachycloud Security

Hands-On Multi-Cloud & Cloud-Native Security Education

Created by The Shukla Duo (Anjali & Divyanshu), this tool is part of our mission to make cloud security accessible through practical, hands-on learning. We specialize in AWS, GCP, Kubernetes security, and DevSecOps practices.

Learn & Grow

Explore our educational content and training programs:

YouTube Channel | Website | 1:1 Consultations

Learn cloud security through hands-on labs, real-world scenarios, and practical tutorials covering GCP & AWS, GKE & EKS, Kubernetes, Containers, DevSecOps, and Threat Modeling.

Support Our Work

If this tool helps you secure your infrastructure, consider supporting our educational mission:

Sponsor on GitHub

Your support helps us create more free educational content and security tools for the community.
