Infrastructure-as-Code (IaC) assets provide a governed inventory of cloud templates, enabling teams to detect misconfigurations and map code-to-cloud lineage.
Cortex Cloud Application Security discovers and inventories every Infrastructure-as-Code (IaC) resource defined within your onboarded repositories. Each discovered resource appears in the unified asset inventory as a governed entity, allowing security teams to manage the security posture of cloud infrastructure before it is deployed to production.
The IaC asset enables security teams to answer three questions about every cloud template: What is the resource? Where is it defined? What is its security health?
Scope: The IaC asset represents individual infrastructure resources defined in Terraform, CloudFormation, or Kubernetes manifests. The IaC asset does not represent the physical cloud resource in the runtime environment; those are managed under the Cloud asset class.
What IaC assets deliver
The IaC asset is a critical component of shift-left security, providing the visibility needed to identify and remediate misconfigurations at the source code level.
Core achievements and use cases
Resource discovery and identity: Every IaC resource defined in supported templates is automatically discovered and registered in the unified asset inventory with a unique asset identifier, resource type, and source file path
Configuration enrichment: The IaC asset is enriched with metadata from the source code including resource attributes, provider types, and the specific line ranges where the resource is defined
Code-to-cloud lineage: The IaC asset serves as the bridge in the Code-to-Cloud graph, establishing a traceable lineage from the source repository through the IaC definition to the deployed cloud resource
Proactive health monitoring: The IaC asset provides a continuous health profile by detecting security misconfigurations against organizational policies before the infrastructure is provisioned
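The discovery, enrichment and health-monitoring steps above, as an added Python example that is not Cortex Cloud's own code: it scans a constructed Terraform file, registers each resource block with an identifier, type, provider, source path, line range and top-level attributes, then evaluates a constructed organizational policy against it. It assumes each resource header ends with `{` on the same line and derives the provider from the resource type prefix.

```python
import re

# Constructed Terraform sample: a bucket with a public ACL and a security group.
SAMPLE_TF = """resource "aws_s3_bucket" "logs" {
  bucket = "example-logs"
  acl    = "public-read"
}
resource "aws_security_group" "web" {
  name = "web"
  ingress {
    from_port = 22
  }
}
"""
RESOURCE_RE = re.compile(r'^\s*resource\s+"([^"]+)"\s+"([^"]+)"\s*\{')
ATTR_RE = re.compile(r'^\s*(\w+)\s*=\s*(.+?)\s*$')

def discover(path, text):
    """Register each resource block as an asset record: id, type, provider, path, lines, attributes."""
    assets, cur, depth = [], None, 0
    for lineno, line in enumerate(text.splitlines(), start=1):
        if cur is None:
            m = RESOURCE_RE.match(line)
            if not m:
                continue
            rtype, name = m.groups()
            cur = {"asset_id": f"{path}:{rtype}.{name}", "resource_type": rtype,
                   "provider": rtype.split("_")[0], "path": path,
                   "start_line": lineno, "end_line": lineno, "attributes": {}}
            depth = 1
            continue
        m = ATTR_RE.match(line)
        if depth == 1 and m and not line.rstrip().endswith("{"):  # top-level attrs only
            cur["attributes"][m.group(1)] = m.group(2).strip('"')
        depth += line.count("{") - line.count("}")
        if depth == 0:  # closing brace of the resource block
            cur["end_line"] = lineno
            assets.append(cur)
            cur = None
    return assets

# Constructed organizational policy: resource type -> (attribute, forbidden values, message)
POLICIES = {"aws_s3_bucket": [("acl", {"public-read", "public-read-write"},
                               "S3 bucket ACL grants public access")]}
def evaluate(asset):
    """Health check: one finding per violated policy, citing the source line range."""
    return [f"{asset['asset_id']} (lines {asset['start_line']}-{asset['end_line']}): {msg}"
            for attr, bad, msg in POLICIES.get(asset["resource_type"], [])
            if asset["attributes"].get(attr) in bad]
```

Running `evaluate` over `discover("infra/main.tf", SAMPLE_TF)` flags only the bucket, with the line range a practitioner needs to fix the template at the source.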
Functional responsibilities
The IaC asset model facilitates a structured delegation between governance and operations:
AppSec managers (Governance): Define the IaC security policies and benchmarks that every resource must meet, and review the inventory to identify high-risk resource types across the organization
AppSec practitioners (Operations): Review IaC misconfigurations detected in the asset inventory and apply the provided remediation guidance directly to the source templates to ensure secure deployments
Relationship model
The Cortex Cloud platform models the following relationships between the IaC asset and other asset categories to provide full supply chain visibility.
| Related asset category | Inherited metadata and description |
|---|---|
Repository (Parent) | The VCS repository that contains the IaC definition, propagating business criticality and application context to the resource |
Cloud resource (Downstream) | The physical cloud infrastructure provisioned from the IaC definition, traced via the Code-to-Cloud graph |
CI/CD pipeline (Downstream) | The pipeline responsible for deploying the IaC template to the cloud environment |