Catch cloud misconfigurations at build time β before they become breaches.
Quick Start Β· Why TerraSecure Β· Architecture Β· Features Β· Benchmarks Β· CI/CD
$4.88M β average cost of a cloud data breach in 2024 (IBM Cost of a Data Breach Report)
82% of cloud breaches trace back to misconfigurations in Infrastructure as Code (Gartner)
Traditional IaC scanners like Checkov and Trivy are rule-based engines that generate hundreds of alerts β with 12β15% being false positives. Security teams burn hours triaging noise while real vulnerabilities slip through.
TerraSecure takes a different approach: a pre-trained XGBoost ML model, trained on real-world breach data (Capital One, Uber, Tesla), combined with AWS Bedrock AI analysis β not just flags, but context, business impact, and remediation code.
TerraSecure is an intelligent, shift-left security scanner for Terraform and HCL Infrastructure as Code. It integrates directly into developer workflows β as a GitHub Action, Docker container, or CLI tool β and surfaces security issues with the context a developer actually needs to fix them.
Traditional Scanner:"Security group allows SSH from 0.0.0.0/0"
TerraSecure: "92% confidence Β· CRITICAL Β· Capital One-style
attack vector Β· GDPR exposure Β· 3-step fix"
Three layers of intelligence:
- Rule Engine β 50+ hardened security patterns across AWS resources
- ML Model β XGBoost classifier with 50 engineered features, 92.45% accuracy
- AI Analysis β AWS Bedrock (Claude 3 Haiku) explains impact, attack paths, and fixes
| Checkov | Trivy | TerraSecure | |
|---|---|---|---|
| Detection Method | Rules only | Rules only | ML + Rules + AI |
| Accuracy | ~85% | ~88% | 92.45% |
| False Positive Rate | ~15% | ~12% | 10.71% |
| Business Impact Context | β | β | β AI-generated |
| Real Breach Examples | β | β | β Capital One, Uber, Tesla |
| Attack Scenario | β | β | β Step-by-step |
| ML Risk Score | β | β | β 50-feature scoring |
| Code Fix Examples | Generic | Generic | β Resource-specific |
| SARIF / GitHub Security | β | β | β |
| Offline Mode | β | β | β |
| GitHub Marketplace | β | β | β |
Best practice: Use TerraSecure alongside Checkov/Trivy for complementary coverage. TerraSecure's ML layer catches contextual risk that rule-based tools miss; established scanners provide breadth.
Add to .github/workflows/security.yml:
name: TerraSecure IaC Scan
on: [push, pull_request]
permissions:
security-events: write
jobs:
terrasecure:
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v4
- uses: JashwanthMU/TerraSecure@v2.0.0
with:
path: 'infrastructure'
format: 'sarif'
fail-on: 'high'
upload-sarif: 'true'Results surface automatically in the GitHub Security tab as code scanning alerts.
# Scan current directory
docker run --rm -v $(pwd):/scan \
ghcr.io/jashwanthmu/terrasecure:latest /scan
# Generate SARIF report
docker run --rm \
-v $(pwd):/scan:ro \
-v $(pwd)/reports:/output \
ghcr.io/jashwanthmu/terrasecure:latest \
/scan --format sarif --output /output/results.sarif
# Block pipeline on critical findings
docker run --rm -v $(pwd):/scan \
ghcr.io/jashwanthmu/terrasecure:latest \
/scan --fail-on criticalgit clone https://github.com/JashwanthMU/TerraSecure.git
cd TerraSecure
pip install -r requirements.txt
# Scan a directory
python src/cli.py examples/vulnerable/
# Output formats
python src/cli.py infra/ --format json --output report.json
python src/cli.py infra/ --format sarif --output results.sarif
# Policy enforcement
python src/cli.py infra/ --fail-on criticalTerraSecure uses a three-layer detection pipeline:
βββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββ
β INPUT LAYER β
β Terraform Files (.tf) Β· HCL Configs Β· Terraform Modules β
βββββββββββββββββββββββββββββββββ¬ββββββββββββββββββββββββββββββββββββββ
β
βΌ
βββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββ
β DETECTION ENGINE β
β β
β βββββββββββββββββββ ββββββββββββββββββββ βββββββββββββββββββ β
β β Rule Engine β β Feature Extractorβ β ML Model β β
β β 50+ Patterns ββββΆβ 50 Security ββββΆβ XGBoost β β
β β Network/IAM/ β β Features from β β 92.45% Acc. β β
β β Storage/Secretsβ β HCL Resources β β <100ms Infer. β β
β βββββββββββββββββββ ββββββββββββββββββββ βββββββββββββββββββ β
βββββββββββββββββββββββββββββββββ¬ββββββββββββββββββββββββββββββββββββββ
β
βΌ
βββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββ
β AI ENHANCEMENT β
β β
β ββββββββββββββββββββ ββββββββββββββββββββ ββββββββββββββββββ β
β β AWS Bedrock β β Expert Templates β β Response Cache β β
β β Claude 3 Haiku ββββΆβ Real Breach DB ββββΆβ 90% Cost Save β β
β β Business Impact β β (C1/Uber/Tesla) β β Offline Fallbk β β
β ββββββββββββββββββββ ββββββββββββββββββββ ββββββββββββββββββ β
βββββββββββββββββββββββββββββββββ¬ββββββββββββββββββββββββββββββββββββββ
β
βΌ
βββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββ
β OUTPUT LAYER β
β Text (Human) Β· JSON (Automation) Β· SARIF 2.1.0 (GitHub) β
βββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββ
Training Data: Real-World Breach Corpus
| Incident | Year | Vector | Outcome |
|---|---|---|---|
| Capital One | 2019 | S3 misconfiguration via SSRF | 100M records exposed, $190M settlement |
| Uber | 2016 | Hardcoded AWS credentials in GitHub | 57M users and drivers exposed |
| Tesla | 2018 | Public S3 bucket, no MFA | Kubernetes console open to internet |
| MongoDB | 2017 | Exposed database, no auth | 26,000+ DBs held for ransom |
Model Architecture:
265 labeled samples β 50 engineered security features β XGBoost (5-fold CV)
β
βΌ
177 KB model file
<100ms inference
Feature categories: encryption state, network exposure, IAM permissiveness, logging configuration, naming patterns (data sensitivity signals), cross-service dependency risks.
π Network Security (12 patterns)
- Security groups open to
0.0.0.0/0 - SSH (port 22) and RDP (port 3389) exposed to internet
- Unrestricted egress rules
- Default VPC security groups in use
- Missing network segmentation / subnet isolation
- VPC without Flow Logs enabled
- Missing NACLs on sensitive subnets
- Load balancer without access logging
- Direct EC2 internet exposure (no NAT)
- CloudFront without WAF association
- API Gateway without throttling
- Direct database port exposure
ποΈ Storage Security (15 patterns)
- Public S3 ACL or bucket policy
- S3 Block Public Access not enforced
- Unencrypted S3, EBS, RDS, and DynamoDB
- S3 versioning disabled on critical buckets
- No lifecycle policies (data retention risk)
- Public RDS snapshots
- EBS snapshots shared publicly
- Backup retention period insufficient
- Cross-region replication disabled
- S3 access logging disabled
- MFA Delete not enabled on S3
- Database deletion protection disabled
- S3 without Object Lock (ransomware exposure)
- Glacier vault without lock
- Unencrypted SSM parameters
π Identity & Access Management (10 patterns)
- Wildcard (
*) actions in IAM policies - Root account API key usage
- IAM roles with
*resources - Missing MFA enforcement
- Overly permissive trust relationships
- Inline user policies (non-auditable)
- IAM password policy not enforced
- Cross-account access without conditions
- Unused IAM roles with high privilege
- Service accounts with admin rights
π Secrets Management (8 patterns)
- Hardcoded credentials in Terraform variables
- Plaintext database passwords in resource blocks
- API keys exposed in environment variables
- SSH private keys embedded in configs
- Unencrypted Secrets Manager secrets
- Lambda environment variables with secrets
- ECS task definitions with plaintext secrets
- User data scripts with embedded credentials
π Monitoring & Compliance (5 patterns)
- CloudTrail not enabled or not multi-region
- VPC Flow Logs disabled
- CloudWatch alarms missing for critical metrics
- S3 server access logging disabled
- AWS Config rules not enabled
Every detected issue includes four AI-generated sections:
βββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββ
β EXPLANATION What is misconfigured and why it's risky β
β BUSINESS IMPACT Financial, regulatory (GDPR/SOC2), and β
β reputational consequences β
β ATTACK SCENARIO How attackers exploit this β with real β
β breach examples (Capital One, etc.) β
β DETAILED FIX Step-by-step remediation with Terraform β
β code snippets β
βββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββ
Graceful degradation: When AWS Bedrock is unavailable, TerraSecure falls back to expert-crafted breach-informed templates β no silent failures, full offline support.
| Format | Use Case | Integration |
|---|---|---|
| Text | Human review / developer feedback | Terminal, CI logs |
| JSON | Automation, SIEM ingestion, custom dashboards | Scripts, APIs |
| SARIF 2.1.0 | GitHub Security tab, PR annotations | GitHub Advanced Security |
| Metric | Value | Industry Target | Status |
|---|---|---|---|
| Accuracy | 92.45% | >85% | β Exceeds |
| Precision | 89.29% | >80% | β Exceeds |
| Recall | 96.00% | >90% | β Exceeds |
| F1 Score | 92.54% | >85% | β Exceeds |
| False Positive Rate | 10.71% | <15% | β Excellent |
| False Negative Rate | 4.00% | <5% | β Excellent |
| Inference Speed | <100ms/resource | <200ms | β Fast |
| Model Size | 177 KB | <1MB | β Lightweight |
| Memory Usage | <512 MB RAM | β | β Container-friendly |
Tested at scale: 10,000+ Terraform resources, nested module configurations, multi-file workspaces.
ββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββ
β TerraSecure v2.0.0 β
β AI-Powered Terraform Security Scanner β
ββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββ
Scan Summary ββββββββββββββββββββββββββββββββββββββββββββββ
Resources Scanned : 15
Passed : 7
Issues Found : 8 (CRITICAL: 2 Β· HIGH: 4 Β· MEDIUM: 2)
[CRITICAL] S3 bucket is publicly accessible
Resource : aws_s3_bucket.customer_data
File : infrastructure/storage.tf:12
ML Risk : 95% | Confidence: 92%
ββ AI Analysis ββββββββββββββββββββββββββββββββββββββββββββ
Explanation:
This S3 bucket is configured with ACL "public-read", exposing
all objects to unauthenticated internet access. The bucket name
signals the presence of sensitive customer data.
Business Impact:
Regulatory: GDPR fines up to β¬20M / 4% global revenue
Financial: Data breach avg. cost $4.88M (IBM 2024)
Legal: Breach notification obligations in 50+ jurisdictions
Attack Scenario:
Automated scanners (bucket-stream, S3Scanner) continuously probe
for public buckets. Upon discovery, full object enumeration and
exfiltration can occur within minutes β no authentication required.
β Capital One (2019): 100M records exposed, $190M settlement.
Fix:
Step 1: Set ACL to private
acl = "private"
Step 2: Enforce Block Public Access
block_public_acls = true
block_public_policy = true
ignore_public_acls = true
restrict_public_buckets = true
Step 3: Enable server-side encryption
sse_algorithm = "AES256"
{
"scan_metadata": {
"version": "2.0.0",
"timestamp": "2025-03-22T10:00:00Z",
"total_resources": 15,
"passed": 7
},
"summary": { "CRITICAL": 2, "HIGH": 4, "MEDIUM": 2 },
"issues": [
{
"severity": "CRITICAL",
"resource_type": "aws_s3_bucket",
"resource_name": "customer_data",
"file": "infrastructure/storage.tf",
"line": 12,
"ml_risk_score": 0.95,
"ml_confidence": 0.92,
"triggered_features": ["s3_public_acl", "s3_encryption_disabled"],
"llm_explanation": "...",
"llm_business_impact": "...",
"llm_attack_scenario": "...",
"llm_detailed_fix": "..."
}
]
}SARIF output enables native GitHub code scanning integration:
- Findings appear as alerts in the Security β Code Scanning tab
- Annotations on specific lines in pull requests
- Severity-based dashboard and triage workflow
- Exportable compliance evidence
name: Security Scan
on: [push, pull_request]
permissions:
security-events: write
jobs:
terrasecure:
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v4
- uses: JashwanthMU/TerraSecure@v2.0.0
with:
path: 'infrastructure'
format: 'sarif'
fail-on: 'high'
upload-sarif: 'true'terrasecure:
image: ghcr.io/jashwanthmu/terrasecure:latest
script:
- terrasecure . --format json --output report.json
artifacts:
reports:
codequality: report.jsonpipeline {
agent any
stages {
stage('IaC Security Scan') {
steps {
script {
docker.image('ghcr.io/jashwanthmu/terrasecure:latest').inside {
sh 'terrasecure . --format json --fail-on high'
}
}
}
}
}
}- task: Docker@2
displayName: 'TerraSecure IaC Scan'
inputs:
command: run
arguments: >
-v $(Build.SourcesDirectory):/scan
ghcr.io/jashwanthmu/terrasecure:latest
/scan --format sarif --fail-on highversion: 2.1
jobs:
security-scan:
docker:
- image: ghcr.io/jashwanthmu/terrasecure:latest
steps:
- checkout
- run:
name: Run TerraSecure
command: terrasecure . --fail-on high --format sarifTerraSecure/
βββ src/ # Core scanner engine
β βββ cli.py # CLI entry point
βββ models/ # Pre-trained XGBoost model (177 KB)
βββ data/ # Training data (265 samples, breach corpus)
βββ scripts/ # Model training and evaluation scripts
β βββ build_production_model.py
βββ tests/ # 27 pytest test cases
βββ examples/ # Sample vulnerable Terraform configs
βββ docs/ # Architecture, ML model, AI enhancement docs
βββ assets/ # Banner and visual assets
βββ .github/workflows/ # CI/CD pipeline definitions
βββ action.yml # GitHub Marketplace action definition
βββ Dockerfile # Multi-stage container build
βββ docker-compose.yml # Local development setup
βββ requirements.txt # Python dependencies
| Layer | Technology | Purpose |
|---|---|---|
| Language | Python 3.11 | Core scanner and CLI |
| ML Framework | XGBoost + scikit-learn | Risk classification |
| AI Layer | AWS Bedrock (Claude 3 Haiku) | Finding enrichment |
| IaC Parsing | python-hcl2 | Terraform file parsing |
| Output | SARIF 2.1.0, JSON, Text | Multi-format reporting |
| Containerization | Docker + GHCR | Portable deployment |
| CI/CD | GitHub Actions | Automation & marketplace |
| Testing | pytest (27 tests) | Quality assurance |
- Python 3.11+
- pip
- 512 MB RAM minimum
- uses: JashwanthMU/TerraSecure@v2.0.0docker pull ghcr.io/jashwanthmu/terrasecure:latestgit clone https://github.com/JashwanthMU/TerraSecure.git
cd TerraSecure
pip install -r requirements.txt
python src/cli.py --help# Run all tests
pytest
# With coverage report
pytest --cov=src --cov-report=html
# Rebuild ML model
python scripts/build_production_model.py| Guide | Description |
|---|---|
| Quick Start | Get scanning in under 5 minutes |
| Architecture | System design and data flow |
| ML Model | XGBoost training pipeline and feature engineering |
| AI Enhancement | AWS Bedrock integration and fallback design |
| SARIF Output | GitHub Security tab integration |
| Custom Rules | Extending detection patterns |
| Docker Guide | Container usage and deployment |
| GitHub Action | Full action configuration reference |
Contributions are welcome β bug reports, new security patterns, documentation improvements, or ML enhancements.
# Fork and clone
git clone https://github.com/YOUR_USERNAME/TerraSecure.git
cd TerraSecure
# Install dependencies
pip install -r requirements.txt
# Run tests
pytest
# Submit a pull requestAreas where contributions make the most impact:
- Additional cloud provider support (Azure, GCP Terraform resources)
- New breach-informed training samples
- Performance optimizations for large codebases
- Integration guides for additional CI/CD platforms
Security Standards
- OASIS SARIF 2.1.0 β Reporting format
- CIS AWS Benchmarks β Security baselines
- NIST SP 800-190 β Container security
- AWS Well-Architected Security Pillar β Architecture guidance
Breach Data Sources
- CVE Database (MITRE)
- NIST National Vulnerability Database
- Capital One, Uber, Tesla, MongoDB public post-mortems
Inspired By
- Checkov β IaC scanning pioneer
- Trivy β Comprehensive security scanner
- tfsec β Terraform static analysis
MIT License Β© 2026 Jashwanth M U
TerraSecure Β· Shift security left. Scan at build time. Stop breaches before they start.