Misconfiguration and vulnerable dependencies, before deploy
Point the scanner at a Terraform or CloudFormation template or a container image and it runs on demand — 32 IaC misconfiguration rules plus a full SBOM CVE match, so risky infrastructure and vulnerable packages surface before they reach production.
Terraform misconfiguration
Public resources, security groups open to the internet, unencrypted storage and over-broad IAM caught straight from the .tf before an apply ever runs.
CloudFormation misconfiguration
The same rule pack runs against CloudFormation templates and stacks — public buckets, wide-open ingress, disabled logging and missing encryption flagged before the stack is created.
32-rule policy pack
A curated set of 32 high-impact rules covering encryption, public exposure, logging and IAM — the misconfigurations that actually turn into incidents, not a noisy 500-rule dump.
Container SBOM
Every container image is inventoried into a software bill of materials — OS packages and application dependencies — so you know exactly what is inside each image you ship.
CVE matching, KEV/EPSS-ranked
Every SBOM package is matched to published CVEs and ranked by CISA KEV listing and EPSS exploit probability — so a vulnerable image is prioritized by real-world risk, not raw CVSS.
One findings queue
Container and IaC results fold into the same workflow as every other source — assigned, SLA-tracked, paired with AI remediation guidance and mapped to your compliance frameworks.