Terraform, CloudFormation and Kubernetes manifests scanned for privilege escalation, insecure capabilities and CIS misconfigurations — in the same pass as your code and dependencies.
What it does
Terraform · CloudFormation · K8s
HCL, CloudFormation (JSON + YAML) and Kubernetes manifests parsed and checked against a misconfiguration ruleset.
Privilege + capability checks
Detects privilege escalation, path traversal, insecure Linux capabilities, privileged containers and risky host mounts.
CIS-aligned
Misconfigurations mapped to recognised CIS benchmark expectations, each with concrete remediation.
An OCI tarball parser walks every layer, builds a per-layer SBOM and correlates vulnerabilities across nine in-image ecosystems — with base-image upgrade guidance.
Static analysis of your pipeline definitions across six CI platforms — mapped to the OWASP Top 10 CI/CD risks, with concrete remediation on every finding.
A proprietary interprocedural taint engine across 24 languages, tracking user input from source through sanitiser to sink with a per-finding data-flow trace. Confidence-tiered, so the noise doesn't bury the real bugs.