IaC compliance gates
Checkov/tfsec/Terrascan mapped to frameworks.
The cheapest place to enforce a compliance control is before the infrastructure exists. IaC compliance gates scan Terraform and CloudFormation in CI and fail the build on non-compliant infrastructure, catching violations in the pull request rather than in production or an audit.
Shift compliance all the way left
IaC scanners — Checkov, tfsec, Terrascan, and KICS — evaluate infrastructure code against large libraries of built-in policies already mapped to frameworks like CIS, PCI, and SOC 2, plus any custom policies you add. Run them as a CI gate and a proposed public bucket, an unencrypted database, or an over-permissive security group fails the build in review, where fixing it costs minutes. This is compliance shifted all the way left: instead of discovering a misconfiguration months later in a posture scan or an audit, you catch it before it is ever created, and the developer sees exactly which control they violated.
# Scan Terraform against framework-mapped policies; fail the build on violations.$ checkov -d . --compactFAILED Check: CKV_AWS_18 "Ensure S3 has access logging" [CIS/SOC2]FAILED Check: CKV_AWS_21 "Ensure S3 has versioning enabled"FAILED Check: CKV_AWS_16 "Ensure RDS is encrypted" [PCI 3.4]# Non-zero exit → CI fails → the non-compliant infra never merges.# Same idea: tfsec, terrascan, kics — plus custom Rego via Conftest.
Layer with runtime for full coverage
IaC gates are powerful but cover only what flows through the pipeline, so pair them with the runtime half: post-deploy posture (Config/CSPM) and drift detection catch out-of-band changes an IaC scan never sees, and admission policy backstops the cluster. Running the same control at both points — pre-deploy in CI and post-deploy at runtime — is defense in depth, and each layer produces evidence. Tune the scanners to your context (suppress genuine false positives with a justification and an expiry, never silently), and treat the gate as an ordinary CI check developers fix like a failing test. Cheap, early, mapped-to-frameworks enforcement is what makes compliance sustainable rather than a periodic firefight.