CoursesCompliance as codeDrift & IaC gates

IaC compliance gates

Checkov/tfsec/Terrascan mapped to frameworks.

Advanced30 min · lesson 11 of 15

The cheapest place to enforce a compliance control is before the infrastructure exists. IaC compliance gates scan Terraform and CloudFormation in CI and fail the build on non-compliant infrastructure, catching violations in the pull request rather than in production or an audit.

Shift compliance all the way left

IaC scanners — Checkov, tfsec, Terrascan, and KICS — evaluate infrastructure code against large libraries of built-in policies already mapped to frameworks like CIS, PCI, and SOC 2, plus any custom policies you add. Run them as a CI gate and a proposed public bucket, an unencrypted database, or an over-permissive security group fails the build in review, where fixing it costs minutes. This is compliance shifted all the way left: instead of discovering a misconfiguration months later in a posture scan or an audit, you catch it before it is ever created, and the developer sees exactly which control they violated.

an IaC compliance gate in CI
# Scan Terraform against framework-mapped policies; fail the build on violations.
$ checkov -d . --compact
FAILED Check: CKV_AWS_18 "Ensure S3 has access logging" [CIS/SOC2]
FAILED Check: CKV_AWS_21 "Ensure S3 has versioning enabled"
FAILED Check: CKV_AWS_16 "Ensure RDS is encrypted" [PCI 3.4]
# Non-zero exit → CI fails → the non-compliant infra never merges.
# Same idea: tfsec, terrascan, kics — plus custom Rego via Conftest.

Layer with runtime for full coverage

IaC gates are powerful but cover only what flows through the pipeline, so pair them with the runtime half: post-deploy posture (Config/CSPM) and drift detection catch out-of-band changes an IaC scan never sees, and admission policy backstops the cluster. Running the same control at both points — pre-deploy in CI and post-deploy at runtime — is defense in depth, and each layer produces evidence. Tune the scanners to your context (suppress genuine false positives with a justification and an expiry, never silently), and treat the gate as an ordinary CI check developers fix like a failing test. Cheap, early, mapped-to-frameworks enforcement is what makes compliance sustainable rather than a periodic firefight.

IaC gates + runtime coverage
pre-deploy (CI)
Checkov / tfsec / KICS
framework-mapped policies
fail the build
block before it exists
post-deploy
Config / CSPM
live posture
drift detection
catch out-of-band change
Gate infra in CI (cheap, early), and evaluate it at runtime (catches drift). Same controls, both sides, each producing evidence.
A silent scanner suppression rots the gate
Ignoring an IaC finding with no justification and no expiry means it is never revisited — and enough silent suppressions turn the gate into a rubber stamp. Require a reason and an expiry on every exception so compliance suppressions are deliberate, reviewed, and temporary, not a quiet way to make the build pass.