Browser-based Infrastructure as Code security scanner. Analyzes Terraform, Kubernetes, Docker, and CloudFormation files directly in your browser. No server, no uploads, everything runs client-side.
- 180+ security rules covering common misconfigurations
- Supports Terraform, Kubernetes, Docker, CloudFormation
- GitHub repository scanning with rate limit handling
- PDF report export
- Single file HTML output for easy deployment
Node.js 18+ and npm
git clone https://github.com/yourusername/iac-security-scanner.git
cd iac-security-scanner
npm install
npm run dev
Opens at http://localhost:5173
npm run build
Builds a single index.html file in the docs/ folder. Open docs/index.html in your browser to use the scanner.
The build bundles all CSS and JavaScript inline into one HTML file using vite-plugin-singlefile.
Upload docs/index.html to any static hosting service. Works with GitHub Pages, Netlify, Vercel, or any web server.
For GitHub Pages, enable Pages in repository settings and point to the docs folder. The included GitHub Actions workflow automatically builds on push to main branch.
- Upload a file or paste code
- Enter a GitHub repository URL to scan entire repos
- Review findings with severity ratings
- Export PDF reports
- Terraform: .tf, .tfvars, .hcl
- Kubernetes: .yaml, .yml
- Docker: Dockerfile, docker-compose.yml
- CloudFormation: .template, .json, .yaml, .yml
Scan public GitHub repositories by entering the repository URL. The scanner spaces its GitHub API requests 200 ms apart so it never bursts, but spacing does not raise the quota: unauthenticated GitHub API access is limited to 60 requests per hour, so a repository with many IaC files can exhaust it in a single scan, after which the API answers 403 until the hourly window resets.
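The file-type mapping above and the repository walk can be put together like this. This is an added example, not the scanner's own code: it lists the repository with GitHub's git-trees endpoint, fetches each candidate with the contents endpoint, reads the X-RateLimit-Remaining and X-RateLimit-Reset headers to stop cleanly on a 403, and settles the .yaml/.yml/.json ambiguity (Kubernetes or CloudFormation) by sniffing the content. The fetchImpl and sleep parameters, the fakeGitHub stand-in and the SAMPLE_REPO contents are assumptions constructed so the code runs offline; against the real API you would omit them.

```javascript
// Added example, not the project's code. Assumptions: the two GitHub REST endpoints used
// (git/trees, contents), the fetchImpl/sleep injection points, and the fake GitHub stand-in below.

// Coarse classification from the file name, using the extension list above.
// YAML and JSON are ambiguous (Kubernetes or CloudFormation) and are settled by content.
function classifyIacFile(path) {
  const name = path.split("/").pop().toLowerCase();
  if (/^dockerfile(\..*)?$|\.dockerfile$|^docker-compose\.ya?ml$/.test(name)) return "docker";
  if (/\.(tf|tfvars|hcl)$/.test(name)) return "terraform";
  if (name.endsWith(".template")) return "cloudformation";
  if (/\.(json|ya?ml)$/.test(name)) return "yaml-or-json";
  return null;
}

// Content sniffing for the ambiguous case: Kubernetes manifests carry apiVersion and kind
// at the top level; CloudFormation templates carry AWSTemplateFormatVersion or Resources.
function detectFormat(path, content) {
  const coarse = classifyIacFile(path);
  if (coarse !== "yaml-or-json") return coarse;
  const hasKey = (k) => new RegExp(`^\\s*\\{?\\s*"?${k}"?\\s*:`, "m").test(content);
  if (hasKey("apiVersion") && hasKey("kind")) return "kubernetes";
  if (hasKey("AWSTemplateFormatVersion") || hasKey("Resources")) return "cloudformation";
  return null;  // plain YAML/JSON, nothing to scan
}

// The contents endpoint returns base64 with embedded newlines; decode it to UTF-8.
function decodeContent(b64) {
  const bytes = Uint8Array.from(atob(b64.replace(/\s/g, "")), (c) => c.charCodeAt(0));
  return new TextDecoder().decode(bytes);
}

// Walk a public repository: one request for the recursive tree, then one per candidate file.
// Spacing requests by delayMs keeps the scanner polite but does not raise the quota; when GitHub
// answers 403/429 with X-RateLimit-Remaining: 0 the walk stops and reports what was left unscanned.
async function scanGitHubRepo(owner, repo, opts = {}) {
  const { fetchImpl = globalThis.fetch, delayMs = 200, ref = "HEAD", token = null,
    sleep = (ms) => new Promise((r) => setTimeout(r, ms)) } = opts;
  const headers = { Accept: "application/vnd.github+json" };
  if (token) headers.Authorization = `Bearer ${token}`;  // a user-supplied token raises the hourly quota
  const base = `https://api.github.com/repos/${owner}/${repo}`;
  const result = { files: [], skipped: [], truncated: false, rateLimited: false, resetAt: null };

  async function getJson(url) {
    const res = await fetchImpl(url, { headers });
    if ((res.status === 403 || res.status === 429) && res.headers.get("x-ratelimit-remaining") === "0") {
      result.rateLimited = true;
      result.resetAt = new Date(Number(res.headers.get("x-ratelimit-reset")) * 1000);
      return null;
    }
    if (!res.ok) throw new Error(`GitHub API ${res.status} for ${url}`);  // 404: private or missing repo
    await sleep(delayMs);
    return res.json();
  }

  const tree = await getJson(`${base}/git/trees/${ref}?recursive=1`);
  if (!tree) return result;
  result.truncated = Boolean(tree.truncated);  // GitHub caps the recursive listing for huge repos
  const candidates = tree.tree.filter((e) => e.type === "blob" && classifyIacFile(e.path) !== null);
  for (let i = 0; i < candidates.length; i++) {
    const path = candidates[i].path;
    const blob = await getJson(`${base}/contents/${path}?ref=${ref}`);
    if (!blob) { result.skipped = candidates.slice(i).map((e) => e.path); break; }
    if (blob.encoding !== "base64") continue;  // files over 1 MB come back without inline content
    const content = decodeContent(blob.content);
    result.files.push({ path, type: detectFormat(path, content), content });
  }
  return result;
}

// Constructed stand-in for api.github.com (not real data): serves a tree and file bodies,
// and answers 403 with the rate-limit headers once `quota` requests have been spent.
function fakeGitHub(files, quota) {
  let remaining = quota;
  const toB64 = (s) => btoa(String.fromCharCode(...new TextEncoder().encode(s)));
  return async (url) => {
    const reply = (status, body) => new Response(JSON.stringify(body), { status,
      headers: { "x-ratelimit-remaining": String(remaining), "x-ratelimit-reset": "1700000000" } });
    if (remaining <= 0) return reply(403, { message: "API rate limit exceeded" });
    remaining -= 1;
    if (url.includes("/git/trees/")) {
      return reply(200, { truncated: false, tree: Object.keys(files).map((path) => ({ path, type: "blob" })) });
    }
    const path = new URL(url).pathname.split("/contents/")[1];
    return reply(200, { path, encoding: "base64", content: toB64(files[path]) });
  };
}

const SAMPLE_REPO = {  // constructed contents, not a real repository
  "infra/main.tf": 'resource "aws_s3_bucket" "logs" {\n  bucket = "example-logs"\n}\n',
  "k8s/deployment.yaml": "apiVersion: apps/v1\nkind: Deployment\nmetadata:\n  name: web\n",
  "cfn/stack.yaml": "AWSTemplateFormatVersion: '2010-09-09'\nResources: {}\n",
  "Dockerfile": "FROM nginx:1.27-alpine\nUSER nginx\n",
  "docs/notes.yml": "title: meeting notes\n",
  "README.md": "# demo\n",
};
scanGitHubRepo("acme", "demo", { fetchImpl: fakeGitHub(SAMPLE_REPO, 3), sleep: async () => {} })
  .then((r) => console.log(r.files.map((f) => [f.path, f.type]), r.skipped, r.rateLimited));
```

Two practical notes. First, a 403 with X-RateLimit-Remaining: 0 is the primary quota; a 403 or 429 with a non-zero remaining count is a different condition (GitHub's secondary limits) and is surfaced here as an error rather than silently retried. Second, if you let users paste a personal token to raise the quota, remember that everything in this tool runs in the browser: the token is sent with every request from the page, so it should be a fine-grained token with read-only access to public repositories and nothing more.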
src/
├── components/ # React components
├── rules/ # 180+ security rules by IaC type
├── parsers/ # File parsers for each format
├── engine/ # Core scanning logic
└── utils/ # GitHub client, PDF export, etc.
- npm run dev - Development server
- npm run build - Production build to docs/ folder
- npm run preview - Preview production build locally
- npm run lint - Run ESLint
- Client-side only, no server required
- Single file HTML output for production
- Security rules based on Checkov and tfsec
- Custom parsers for each IaC format
- PDF generation with jsPDF
No findings detected: Check file format is supported and syntax is valid.
GitHub scanning errors: a 403 means the GitHub API rate limit was hit; the unauthenticated quota is 60 requests per hour and resets after the hour, so a few minutes may not be enough, and a smaller repository may be the quicker option. A 404 means the repository is private or does not exist; only public repositories can be scanned.
Large repositories: May take several minutes. Progress is shown during scanning.
Security rules inspired by:
- Checkov (bridgecrewio/checkov)
- tfsec (aquasecurity/tfsec)
- GitHub scanning functionality from sbomplay (cyfinoid/sbomplay)
GPL-3.0. See LICENSE file for details.
This tool is designed for security auditing and analysis of Infrastructure as Code configurations you own or have explicit permission to analyze. Always ensure you have proper authorization before scanning repositories or configurations you don't own. The authors are not responsible for any misuse of this software.
This website, apps, scanner and results are provided strictly for educational purposes, independently authored and not endorsed by the author's employers or any corporate entity, provided without warranties or guarantees, with no liability accepted for misuse or misapplication.
Hands-On Multi-Cloud & Cloud-Native Security Education
Created by The Shukla Duo (Anjali & Divyanshu), this tool is part of our mission to make cloud security accessible through practical, hands-on learning. We specialize in AWS, GCP, Kubernetes security, and DevSecOps practices.
Explore our educational content and training programs:
YouTube Channel | Website | 1:1 Consultations
Learn cloud security through hands-on labs, real-world scenarios, and practical tutorials covering GCP & AWS, GKE & EKS, Kubernetes, Containers, DevSecOps, and Threat Modeling.
If this tool helps you secure your infrastructure, consider supporting our educational mission:
Your support helps us create more free educational content and security tools for the community.