All features Scanning · Container & IaC

Catch misconfig and CVEs before they ship

On-demand scanning for infrastructure-as-code and container images — 32 Terraform and CloudFormation misconfiguration rules plus container SBOM CVE scanning, ranked by KEV and EPSS.

Get started Run a free scan
32IaC rules
SBOMCVE scan
KEVEPSS ranked
container-iac-scan 58
TFTerraform misconfigFAIL
CFNCloudFormation rulesCHECK
SBOMImage bill of materialsPASS
CVEKEV-listed packageHIGH
What we check

Misconfiguration and vulnerable dependencies, before deploy

Point the scanner at a Terraform or CloudFormation template or a container image and it runs on demand — 32 IaC misconfiguration rules plus a full SBOM CVE match, so risky infrastructure and vulnerable packages surface before they reach production.

Terraform misconfiguration

Public resources, security groups open to the internet, unencrypted storage and over-broad IAM caught straight from the .tf before an apply ever runs.

CloudFormation misconfiguration

The same rule pack runs against CloudFormation templates and stacks — public buckets, wide-open ingress, disabled logging and missing encryption flagged before the stack is created.

32-rule policy pack

A curated set of 32 high-impact rules covering encryption, public exposure, logging and IAM — the misconfigurations that actually turn into incidents, not a noisy 500-rule dump.

Container SBOM

Every container image is inventoried into a software bill of materials — OS packages and application dependencies — so you know exactly what is inside each image you ship.

CVE matching, KEV/EPSS-ranked

Every SBOM package is matched to published CVEs and ranked by CISA KEV listing and EPSS exploit probability — so a vulnerable image is prioritized by real-world risk, not raw CVSS.

One findings queue

Container and IaC results fold into the same workflow as every other source — assigned, SLA-tracked, paired with AI remediation guidance and mapped to your compliance frameworks.

How it works

On demand, no build pipeline required

Run a scan whenever you need one — no CI integration to stand up first, and no agent inside the build.

Point it at the source

Submit a Terraform or CloudFormation template, or name a container image or registry reference. No pipeline wiring and no credentials stored in the build.

On-demand scan

The 32-rule IaC pack and the SBOM CVE match run on demand and return in-line — misconfigurations and vulnerable packages listed with the exact rule or CVE that fired.

Unified findings

Results land in the same queue as every other source — ranked by real-world risk, paired with AI remediation guidance, mapped to your compliance frameworks, and folded into cross-surface attack paths.

Part of one platform

Build-time exposure, in the context of everything else

A misconfigured template or a vulnerable image never sits in its own console. Every finding is correlated with your endpoint agents and your AWS, Azure and Google cloud posture on one platform — so a risky resource in code becomes a named step in a real attack path, not an isolated ticket.

  • Correlated with cloud posture & endpoints
  • Findings become steps in named attack paths
  • KEV / EPSS-ranked, real-world severity
  • Paired with AI remediation, mapped to 10 frameworks
See the full platform
82
+27 pts
projected after top fixes

Run your first scan free

See a client’s real posture in minutes — then unlock all 1,692 checks.