Comparative Analysis of Infrastructure-as-Code Misconfiguration Detection Through Policy Driven Evaluation and Taint-Aware Static Reasoning
摘要
Infrastructure-as-Code (IaC) empowers scalable cloud deployments, but misconfigurations in IaC scripts can result in severe security breaches. This paper presents a comparative study between two approaches to IaC security scanning: Checkov, a well-known rule-based scanner, and TASCA (Taint-aware Static Configuration Analyzer), a custom algorithm based on taint flow analysis. Both tools are evaluated across accuracy, transparency, and traceability. TASCA illustrates enhanced contextual explainability with slightly lower coverage while Checkov functions best with predefined policies. This study evaluates six real-world Terraform configurations containing both direct and indirect misconfigurations. This comparison allows more informed decisions within DevSecOps pipelines.