Pencheff

Infrastructure and assets

IaC and containers

Terraform, Kubernetes, Helm, Dockerfiles, Checkov, Trivy, tfsec, Kubesec, and registry gates.

Scope: Security Surfaces

Run web, API, code, dependency, cloud, AI, and internal-network assessments from one queue with unified findings, evidence, remediation, and audit output.

Output: Unified evidence

Findings, reports, dashboards, exports, integrations, and retests all read from the same normalized record.

Method: Deterministic first

Pencheff favors repeatable checks, then uses AI for triage, enrichment, orchestration, and remediation where it adds signal.

Coverage

What does IaC and containers test?

  • Terraform, Kubernetes YAML, Helm, Dockerfiles, CloudFormation, Trivy config, Checkov, tfsec, Kubesec, and Hadolint-style checks.
  • Container image vulnerability and misconfiguration scanning with registry and admission-control workflows.
  • Attack surface management for subdomains, exposed hosts, cloud edges, certificates, services, and drift.
  • Network VA for host CVEs, service misconfiguration, TLS, headers, and authenticated host checks.
  • Active Directory, internal network, Android/iOS static analysis, exported component checks, and mobile secret sweeps.

Execution

How does Pencheff run this?

  • Register assets directly or discover them through ASM, repository manifests, or infrastructure files.
  • Run IaC and container checks before deployment, then pair results with runtime surface discovery.
  • Use network and internal checks to identify exposed services, certificate issues, AD paths, or host CVEs.
  • Normalize infra findings with source, asset, environment, severity, remediation, and compliance mappings.
  • Gate releases, schedule recurring checks, or produce audit bundles for platform and cloud teams.

Evidence

What evidence does this produce?

  • Affected resource, manifest path, image reference, package, host, service, port, certificate, or mobile artifact.
  • Rule id, scanner provenance, misconfiguration description, exploitability notes, and remediation.
  • Cloud, Kubernetes, container, or network context needed by platform owners.
  • Compliance mapping for configuration management, technical vulnerability, and supplier controls.

Controls

How is this kept safe to run?

  • Registry and admission policies can prevent risky images or manifests from progressing.
  • ASM and network checks are scoped to authorized assets and known workspace boundaries.
  • Infrastructure findings can be tied back to repos and deployment pipelines for ownership.
  • Mobile and internal findings remain in the same evidence and reporting workflow as web findings.

FAQ

Common questions

What does Infrastructure-as-Code (IaC) security scanning find?
IaC scanning detects misconfigurations in Terraform, CloudFormation, Kubernetes manifests, Helm charts, and Dockerfiles — including overly permissive IAM roles, public S3 buckets, missing encryption, insecure network policies, and CIS Benchmark violations before they reach production.
Does Pencheff scan container images for vulnerabilities?
Yes. Pencheff scans Docker and OCI images for OS-level CVEs, package vulnerabilities, and Dockerfile misconfigurations using Trivy. Findings are mapped to CVE IDs, CVSS scores, and EPSS data.
Can Pencheff enforce IaC policies in a CI/CD pipeline?
Yes. Pencheff integrates with GitHub Actions and other CI/CD systems via CLI. You can configure severity thresholds that fail a pull request build when critical IaC misconfigurations are introduced.
What is a Kubernetes admission webhook and how does Pencheff use it?
An admission webhook intercepts pod creation and update requests in Kubernetes before they are committed. Pencheff's admission webhook rejects workloads that violate your configured security policies — blocking insecure deployments at the cluster level.
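The admission-control decision described above, shown as an added example that is not Pencheff's code: a minimal validating check over a Kubernetes AdmissionReview request that applies a registry gate, a no-privileged-containers rule and a no-hostNetwork rule, then builds the response the API server expects. The policy values, the registry name and the sample request are all constructed for the example.

```python
# Added example, not Pencheff's code: the validating step of an admission
# webhook, applied to a Kubernetes AdmissionReview request (v1 schema).
import json

# Hypothetical policy; a real webhook would load this from configuration.
POLICY = {
    "allowed_registries": ("registry.example.internal/",),  # constructed
    "forbid_privileged": True,
    "forbid_host_network": True,
}

def evaluate_pod(pod: dict, policy: dict = POLICY) -> list:
    """Return the list of policy violations for a Pod object (empty if clean)."""
    violations = []
    spec = pod.get("spec", {})
    if policy["forbid_host_network"] and spec.get("hostNetwork"):
        violations.append("hostNetwork is not permitted")
    # Init containers are checked too; they run with the same node access.
    for c in spec.get("containers", []) + spec.get("initContainers", []):
        name, image = c.get("name"), c.get("image", "")
        if not image.startswith(policy["allowed_registries"]):
            violations.append(f"container {name}: image {image!r} is not from an allowed registry")
        if policy["forbid_privileged"] and c.get("securityContext", {}).get("privileged"):
            violations.append(f"container {name}: privileged containers are not permitted")
    return violations

def review(admission_review: dict, policy: dict = POLICY) -> dict:
    """Build the AdmissionReview response: the uid is echoed back, and the
    request is allowed only when no violation was found."""
    req = admission_review["request"]
    violations = evaluate_pod(req["object"], policy)
    response = {"uid": req["uid"], "allowed": not violations}
    if violations:
        response["status"] = {"code": 403, "message": "; ".join(violations)}
    return {"apiVersion": "admission.k8s.io/v1", "kind": "AdmissionReview",
            "response": response}

# Constructed sample: a Pod pulling from a public registry with a privileged container.
SAMPLE_REQUEST = {
    "apiVersion": "admission.k8s.io/v1", "kind": "AdmissionReview",
    "request": {"uid": "constructed-uid-1234", "operation": "CREATE",
                "kind": {"group": "", "version": "v1", "kind": "Pod"},
                "object": {"apiVersion": "v1", "kind": "Pod", "metadata": {"name": "web"},
                           "spec": {"containers": [{"name": "app", "image": "nginx:latest",
                                                    "securityContext": {"privileged": True}}]}}}}

if __name__ == "__main__":
    print(json.dumps(review(SAMPLE_REQUEST), indent=2))
```

In a real deployment the same function sits behind the HTTPS endpoint named in a ValidatingWebhookConfiguration, so the API server receives the rejection before the Pod is persisted.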
