Policy Checks
Automated security scanning with Trivy for your infrastructure code
What Are Policy Checks?
Every piece of infrastructure code generated by infra.new is automatically scanned by Trivy, the open-source security scanner from Aqua Security. The scan runs on the generated files themselves, so common misconfigurations are caught before the code is ever applied to an account.
Automatic scanning - No setup required, runs on every generation
What Trivy Checks
Trivy scans for security issues across your infrastructure code:
Security Misconfigurations
- Unencrypted storage buckets
- Overly permissive IAM policies
- Public database instances
- Missing security groups
Compliance Violations
- CIS Benchmark violations
- PCI-DSS requirements
- HIPAA compliance issues
- SOC 2 controls
Best Practice Violations
- Deprecated API versions
- Missing backup configurations
- Inadequate logging
- Resource tagging issues
Understanding Severity Levels
Trivy assigns each finding one of its standard severities so you can prioritize fixes. From most to least urgent:
- CRITICAL - Must fix immediately: exposes sensitive data or allows unauthorized access
- HIGH - Fix before production: significant security risk
- MEDIUM - Address soon: potential security issue
- LOW - Best practice improvement: low risk
Example Findings
Here's what a typical Trivy scan looks like:
```text
CRITICAL: S3 bucket encryption disabled
  File: main.tf:15
  Resource: aws_s3_bucket.data
  Fix: Add a server_side_encryption_configuration block (with AWS provider v4+, an aws_s3_bucket_server_side_encryption_configuration resource)

HIGH: RDS instance publicly accessible
  File: database.tf:8
  Resource: aws_db_instance.main
  Fix: Set publicly_accessible = false

MEDIUM: Missing CloudWatch logging
  File: lambda.tf:22
  Resource: aws_lambda_function.api
  Fix: Give the function's execution role permission to write to CloudWatch Logs (logs:CreateLogGroup, logs:CreateLogStream, logs:PutLogEvents)
```
Fixing Issues
When Trivy finds issues, you have two options:
1. Ask the AI to fix it
Simply tell the agent about the issue:
"Fix the S3 bucket encryption issue Trivy found"
2. Fix it manually
Edit the generated code directly. Trivy's output shows you exactly where and what to change.
Continuous Scanning
Policy checks aren't just a one-time thing:
- Every code generation - Trivy scans all new code automatically
- Drift detection integration - Scans infrastructure changes detected by drift monitoring
- CI/CD integration - Run Trivy in your GitHub Actions or GitLab CI pipelines
Pro tip: Integrate Trivy into your CI/CD pipeline to catch issues before they reach production. See our GitHub integration guide.
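The severity ladder above is what a pipeline gate keys on. The script below is an added example for this page (it is not part of infra.new or of Trivy): it reads the JSON that `trivy config --format json --output trivy.json <dir>` writes, prints the findings in the same File / Resource / Fix layout shown earlier, and exits non-zero when anything at or above a chosen severity is present. It assumes the JSON shape `Results[].Misconfigurations[]` with `Severity`, `Title`, `Resolution` and `CauseMetadata.Resource` / `CauseMetadata.StartLine` fields; confirm those names against the Trivy version you run. The embedded sample report is constructed to mirror the page's three example findings and is not real Trivy output.

```python
"""Severity gate for Trivy IaC scan results (added example, not infra.new or Trivy code).

Assumed input: the JSON written by `trivy config --format json --output trivy.json <dir>`,
i.e. a top-level "Results" list whose entries have "Target" and a "Misconfigurations"
list; each finding carries "ID", "Title", "Severity", "Resolution" and a "CauseMetadata"
object with "Resource" and "StartLine". Verify these field names against your Trivy version.
"""
import json
import sys

# Trivy's severity ladder. UNKNOWN ranks lowest so an unclassified finding never
# blocks a pipeline by itself; it still appears in the printed report.
SEVERITY_RANK = {"UNKNOWN": 0, "LOW": 1, "MEDIUM": 2, "HIGH": 3, "CRITICAL": 4}


def parse_findings(report):
    """Flatten Results[].Misconfigurations[] into plain dicts, highest severity first."""
    findings = []
    for result in report.get("Results", []):
        target = result.get("Target", "?")
        for m in result.get("Misconfigurations", []):
            cause = m.get("CauseMetadata", {})
            findings.append({
                "id": m.get("ID", "?"),
                "title": m.get("Title", ""),
                "severity": str(m.get("Severity", "UNKNOWN")).upper(),
                "resolution": m.get("Resolution", ""),
                "file": target,
                "line": cause.get("StartLine"),
                "resource": cause.get("Resource", ""),
            })
    return sorted(findings, key=lambda f: -SEVERITY_RANK.get(f["severity"], 0))


def blocking_findings(findings, threshold="HIGH"):
    """Findings at or above the threshold, i.e. the ones that should fail the build."""
    min_rank = SEVERITY_RANK[threshold.upper()]
    return [f for f in findings if SEVERITY_RANK.get(f["severity"], 0) >= min_rank]


def format_finding(f):
    """Render one finding in the File / Resource / Fix layout used on this page."""
    location = f"{f['file']}:{f['line']}" if f["line"] else f["file"]
    return (f"{f['severity']}: {f['title']} ({f['id']})\n"
            f"  File: {location}\n  Resource: {f['resource']}\n  Fix: {f['resolution']}")


def gate(report, threshold="HIGH"):
    """Return (exit_code, report_text): 1 if any finding is at or above threshold, else 0."""
    findings = parse_findings(report)
    blocking = blocking_findings(findings, threshold)
    lines = [format_finding(f) for f in findings]
    lines.append(f"{len(findings)} finding(s); {len(blocking)} at or above {threshold.upper()}")
    return (1 if blocking else 0), "\n".join(lines)


# Constructed sample mirroring the page's three example findings. The IDs and
# text are illustrative placeholders, not real Trivy output.
SAMPLE_REPORT = {"Results": [
    {"Target": "main.tf", "Misconfigurations": [{
        "ID": "EXAMPLE-S3-ENCRYPTION", "Title": "S3 bucket encryption disabled",
        "Severity": "CRITICAL", "Resolution": "Add server_side_encryption_configuration",
        "CauseMetadata": {"Resource": "aws_s3_bucket.data", "StartLine": 15}}]},
    {"Target": "database.tf", "Misconfigurations": [{
        "ID": "EXAMPLE-RDS-PUBLIC", "Title": "RDS instance publicly accessible",
        "Severity": "HIGH", "Resolution": "Set publicly_accessible = false",
        "CauseMetadata": {"Resource": "aws_db_instance.main", "StartLine": 8}}]},
    {"Target": "lambda.tf", "Misconfigurations": [{
        "ID": "EXAMPLE-LAMBDA-LOGGING", "Title": "Missing CloudWatch logging",
        "Severity": "MEDIUM", "Resolution": "Let the execution role write to CloudWatch Logs",
        "CauseMetadata": {"Resource": "aws_lambda_function.api", "StartLine": 22}}]},
]}

if __name__ == "__main__":
    # Usage: python trivy_gate.py trivy.json [THRESHOLD]; with no file, the sample is used.
    report = json.load(open(sys.argv[1])) if len(sys.argv) > 1 else SAMPLE_REPORT
    threshold = sys.argv[2] if len(sys.argv) > 2 else "HIGH"
    code, text = gate(report, threshold)
    print(text)
    sys.exit(code)
```

Trivy can fail a job on its own with `trivy config --exit-code 1 --severity HIGH,CRITICAL .`; a script like this is worth the extra step when you want the threshold, the report layout, or the decision to live in one place alongside other pipeline checks.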
Custom Policies
Need organization-specific checks? You can add custom checks written in Rego, the policy language Trivy evaluates. The example below denies any S3 bucket that lacks an Environment tag:
```rego
# custom-policy.rego
# Custom Trivy check: flag S3 buckets that have no Environment tag.
# The input shape (input.aws_s3_bucket) is whatever the scanning pipeline feeds
# the policy; confirm it against your Trivy version's schema before relying on it.
package custom

deny[msg] {
    # Visit every S3 bucket in the scanned input
    resource := input.aws_s3_bucket[_]
    # Fire when the bucket's tags carry no Environment key
    not resource.tags.Environment
    msg := "All S3 buckets must have Environment tag"
}
```
Contact support to enable custom policies for your team.