# Scan IaC Command

## Overview

The `scan iac` command performs comprehensive security scanning of Infrastructure as Code templates using multiple security tools.
## Usage

```bash
# Basic security scan (Checkov by default)
thothctl scan iac

# Multi-tool scan
thothctl scan iac -t checkov -t trivy -t opa

# Hard enforcement: exit 1 on violations
thothctl scan iac -t checkov -t opa --enforcement hard
```
## Features

- Custom Policy Evaluation: Write Rego policies for organization-specific rules via OPA
- Enforcement Modes: Soft (report only) or hard (fail pipeline) for all tools
- Security Policy Checking: CIS benchmarks and best practices
- Vulnerability Detection: Identify security misconfigurations
- Compliance Reporting: Generate HTML, Markdown, and JSON reports
- CI/CD Integration: `--enforcement hard` + `--post-to-pr` for automated pipelines
## Supported Scanners

| Scanner | Description |
|---|---|
| Checkov | Policy-as-code scanning with built-in rules |
| Trivy | Vulnerability and misconfiguration detection |
| KICS | Static analysis via Docker |
| OPA/Conftest | Custom Rego policy evaluation (static HCL + plan-based) |
## Output

Every scan produces:

- Rich terminal table with per-tool breakdown
- `scan_summary.md` in the reports directory (always generated)
- HTML reports per tool
- PR comment (when `--post-to-pr` is set)
## Examples

### Basic Security Scan

### Comprehensive Scan with Enforcement

### OPA Custom Policies
```bash
# Static HCL analysis with Conftest
thothctl scan iac -t opa -o "policy_dir=my-policies"

# Plan-based evaluation with OPA
thothctl scan iac -t opa -o "mode=opa,decision=terraform/analysis/authz"
```
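The following is an added example of a custom Rego policy for the plan-based mode above; it is not part of the thothctl project or its documentation. It assumes the input is Terraform plan JSON (`terraform show -json`), that thothctl queries the decision path `terraform/analysis/authz` shown in the command, and that the blocked resource types are a hypothetical organization choice.

```rego
package terraform.analysis

import rego.v1

# Hypothetical organization list: resource types that must never be
# created by pipelines (long-lived IAM credentials).
blocklist := {"aws_iam_user", "aws_iam_access_key"}

# Resource changes in the plan that create or update a resource.
# Destroy-only and no-op changes are ignored.
changes contains rc if {
	some rc in input.resource_changes
	actions := {a | some a in rc.change.actions}
	count(actions & {"create", "update"}) > 0
}

# Rule 1: blocked resource types.
deny contains msg if {
	some rc in changes
	rc.type in blocklist
	msg := sprintf("%s: resource type %s is not permitted", [rc.address, rc.type])
}

# Rule 2: S3 buckets must not be created with a public-read ACL.
deny contains msg if {
	some rc in changes
	rc.type == "aws_s3_bucket"
	rc.change.after.acl == "public-read"
	msg := sprintf("%s: public-read ACL is not permitted", [rc.address])
}

# The decision thothctl evaluates (terraform/analysis/authz).
# It is true only when no deny rule fired, so with --enforcement hard
# any violation fails the pipeline.
default authz := false

authz if count(deny) == 0
```

The same decision can be checked locally with `opa eval -d policy.rego -i plan.json "data.terraform.analysis.authz"`, and `data.terraform.analysis.deny` lists the individual violation messages.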
## Related Commands

- `check iac` - Structure validation
- `inventory iac` - Component inventory
- `document iac` - Documentation generation