Misconfiguration Scanning

Misconfiguration scanning identifies insecure configurations across container images, Dockerfiles, Kubernetes manifests, Terraform, cloud services, and application environments. Misconfigurations often lead to privilege escalation, data exposure, insecure networking, weak authentication, and unauthorized access. Scanners detect these issues early and enforce secure defaults across DevSecOps pipelines.

Why Misconfigurations Are Dangerous

Misconfigurations are among the most exploited weaknesses. Even when software has no vulnerabilities, insecure settings can expose entire systems. Common misconfigurations include:

• Containers running as root
• Wide-open network ports
• Disabled security controls
• Unencrypted data storage
• Overly permissive IAM roles
• Public-facing buckets
• Missing resource limits
• Insecure secrets storage

Tools such as Trivy, Kubeaudit, Checkov, Kubesec, and Dockle automatically detect these issues across multiple layers of the stack.

Types of Misconfigurations Scanned

Container Image Misconfigurations

Detect insecure Dockerfile instructions, permissions, and runtime settings. These include:

• Running as root
• Using latest tags
• Missing health checks
• Exposing unnecessary ports
• Storing secrets in env vars
• Using large, bloated base images
• Missing non-root user directives

Kubernetes Misconfigurations

Kubernetes misconfigs are common and dangerous. Scanners detect:

• Privileged pods
• Containers running as root
• HostPath mounts
• HostPID and HostNetwork enabled
• Missing resource limits
• Unrestricted ingress or egress
• Insecure RBAC bindings
• Services exposing NodePort unnecessarily

Terraform / IaC Misconfigurations

IaC scanners detect cloud infrastructure issues:

• Public S3 buckets
• Open security groups
• Missing encryption on storage
• Weak KMS configurations
• Excessive IAM privileges
• Disabled logging or monitoring
• Unrestricted public IP access

Cloud Misconfigurations

Cloud-native scanners detect dangerous cloud configurations:

• Publicly exposed VMs
• Weak firewall rules
• Insecure load balancers
• Missing encryption on databases
• Unprotected API endpoints
• Disabled audit logging

Core Misconfiguration Scanners

Dockle

Detects insecure Dockerfile and container settings.

Trivy Config

Scans Kubernetes, Terraform, Dockerfiles, Helm charts.

Kubeaudit

Scans Kubernetes clusters and manifests for unsafe security posture.

Kubesec

Provides security scores for Kubernetes manifests.

Checkov

Scans Terraform, CloudFormation, Kubernetes, Dockerfile, ARM, Helm charts.

Terrascan

Comprehensive IaC misconfiguration scanner.

Conftest

Policy-as-code (Open Policy Agent) for configuration validation.

Using multiple scanners improves coverage and accuracy.


Misconfiguration Scanning With Trivy

Trivy scans for:

• Dockerfile misconfig
• Kubernetes misconfig
• Terraform misconfig
• Helm misconfig
• Secrets
• Vulnerabilities

Scan Dockerfile:

trivy config Dockerfile

Scan Kubernetes directory:

trivy config k8s/

Scan Terraform:

trivy config terraform/

Output lists each misconfiguration found, with its severity and a recommended fix.


Misconfiguration Scanning With Dockle

Scan image:

dockle myapp:latest

Detects issues such as:

• No HEALTHCHECK
• Root user
• Insecure file permissions
• Sensitive files left in layers


Misconfiguration Scanning With Checkov

Scan entire IaC directory:

checkov -d .

Detects:

• Public cloud resources
• Missing encryption
• Open ports
• Weak IAM roles


Misconfiguration Scanning With Kubeaudit

Scan manifests:

kubeaudit all -f k8s/

Detects:

• Privileged containers
• RunAsRoot
• Missing security context
• Dangerous capabilities


Misconfiguration Scanning With Kubesec

kubesec scan deployment.yaml

Report includes scoring and recommendations.


How Misconfiguration Scanning Fits Into DevSecOps

Misconfig scanning must run:

• During development (local scanning)
• During pre-commit hooks
• During CI builds
• On PRs before merging
• On deployment pipelines
• Against live clusters regularly

This ensures issues are caught early and never reach production.


Full-Length Practical Section

Extensive practicals for mastering misconfiguration scanning across containers, Kubernetes, and IaC.


Practical 1: Scan a Dockerfile With Trivy

Create Dockerfile with insecure settings:

FROM ubuntu:latest
USER root
ENV PASSWORD=1234

Scan:

trivy config Dockerfile

Fix issues by:

• Setting non-root user
• Removing secrets
• Using pinned versions
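To make concrete what the Dockerfile checks in the "Container Image Misconfigurations" section and in this practical actually look at, here is an added, stand-alone Python checker. It is an educational example, not Trivy's or Dockle's code: it parses Dockerfile instructions with the standard library and flags an unpinned or :latest base image, an effective root user (no USER, or the last USER being root), credential-like ENV names, an exposed SSH port and a missing HEALTHCHECK. The finding IDs (DF001 to DF005), the sample Dockerfiles and the name-based secret pattern are constructed for the example.

```python
import re

# Constructed samples: the insecure Dockerfile from Practical 1 (plus an
# EXPOSE line) and a hardened rewrite that applies the three listed fixes.
INSECURE_DOCKERFILE = """\
FROM ubuntu:latest
USER root
ENV PASSWORD=1234
EXPOSE 22 8080
"""

HARDENED_DOCKERFILE = """\
FROM ubuntu:22.04
RUN useradd --system --no-create-home app
EXPOSE 8080
HEALTHCHECK --interval=30s CMD curl -f http://localhost:8080/health || exit 1
USER app
"""

# Variable names that usually carry credentials. Real secret scanners also
# match value patterns; this example is name-based only (assumption).
SECRET_NAME = re.compile(r"(PASSWORD|PASSWD|SECRET|TOKEN|_KEY$|^KEY$)", re.IGNORECASE)


def parse_instructions(text):
    """Yield (INSTRUCTION, argument) pairs; joins backslash-continued lines, skips comments."""
    pending = ""
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.endswith("\\"):
            pending += line[:-1] + " "
            continue
        line, pending = pending + line, ""
        instruction, _, argument = line.partition(" ")
        yield instruction.upper(), argument.strip()


def env_names(argument):
    """Variable names from `ENV K=V K2=V2` or the legacy `ENV K V` form."""
    tokens = argument.split()
    if not tokens:
        return []
    if "=" in tokens[0]:
        return [t.split("=", 1)[0] for t in tokens if "=" in t]
    return [tokens[0]]


def check_dockerfile(text):
    """Return (finding_id, message) pairs. IDs are hypothetical, not Trivy/Dockle IDs."""
    findings = []
    last_user = None
    has_healthcheck = False
    for instruction, argument in parse_instructions(text):
        if instruction == "FROM":
            image = argument.split()[0]        # drop "AS <stage>"
            ref = image.rsplit("/", 1)[-1]     # strip registry/path prefix
            # unpinned = no tag and no digest; :latest is unpinned in practice
            if image != "scratch" and ((":" not in ref and "@" not in ref) or ref.endswith(":latest")):
                findings.append(("DF001", f"base image not pinned: {image}"))
        elif instruction == "USER":
            last_user = argument.split(":")[0]  # "user:group" -> user
        elif instruction == "HEALTHCHECK":
            has_healthcheck = True
        elif instruction == "ENV":
            for name in env_names(argument):
                if SECRET_NAME.search(name):
                    findings.append(("DF003", f"credential-like ENV baked into the image: {name}"))
        elif instruction == "EXPOSE":
            for port in argument.split():
                if port.split("/")[0] == "22":
                    findings.append(("DF004", "SSH port 22 exposed"))
    # The last USER instruction wins at runtime; no USER at all means root.
    if last_user is None or last_user in ("root", "0"):
        findings.append(("DF002", "container runs as root"))
    if not has_healthcheck:
        findings.append(("DF005", "no HEALTHCHECK instruction"))
    return findings


def finding_ids(text):
    """Sorted finding IDs, convenient for comparing two Dockerfiles."""
    return sorted(fid for fid, _ in check_dockerfile(text))


if __name__ == "__main__":
    for label, dockerfile in (("insecure", INSECURE_DOCKERFILE), ("hardened", HARDENED_DOCKERFILE)):
        print(label, check_dockerfile(dockerfile) or "clean")
```

The insecure sample yields all five findings and the hardened one yields none, which is the before/after a scanner run should show. Note that a stage alias used as a base (`FROM builder`) is reported as unpinned by this simplified check; a production scanner resolves stage names first.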


Practical 2: Check Dockerfile With Dockle

dockle myapp:latest

Fix:

• Add HEALTHCHECK
• Remove root user
• Reduce number of layers


Practical 3: Scan Kubernetes YAML With Trivy

Create a vulnerable manifest (for example k8s/pod.yaml):

apiVersion: v1
kind: Pod
metadata:
  name: insecure-pod
spec:
  containers:
    - name: app
      image: nginx
      securityContext:
        privileged: true

Scan:

trivy config k8s/

Fix by setting privileged: false (or removing the field, which defaults to false).


Practical 4: Scan Kubernetes YAML With Kubeaudit

kubeaudit all -f k8s/

Fix flagged issues such as:

• Missing readOnlyRootFilesystem
• Extra capabilities
• Unrestricted network


Practical 5: Scan Terraform Code With Checkov

checkov -d terraform/

Fix common issues:

• AWS S3 bucket must not be public
• Security group should not allow 0.0.0.0/0
• RDS should have storage encryption


Practical 6: Scan Helm Chart With Trivy

trivy config charts/mychart

Apply the recommended security-context fixes to the chart templates.


Practical 7: Apply Policy-as-Code Using Conftest

Create an OPA policy requiring a non-root user (save it under policy/, Conftest's default policy directory; Conftest evaluates the main package by default):

package main

import rego.v1

# walk() finds USER instructions whether Conftest presents the Dockerfile
# as a flat list of commands or as a list of build stages
nonroot_user if {
  walk(input, [_, node])
  node.Cmd == "user"
  node.Value[0] != "root"
}

deny contains msg if {
  not nonroot_user
  msg := "User must not be root"
}

Run:

conftest test Dockerfile

Practical 8: Scan Kubernetes Cluster With Trivy

If you have cluster access:

trivy k8s all

Find insecure runtime settings.


Practical 9: Scan Docker Images for Misconfigs

Use Trivy:

trivy image --scanners config myapp:latest

Fix insecure layer patterns.


Practical 10: Add Misconfig Scanning to GitHub Actions

Create:

.github/workflows/config-scan.yml

Add:

- name: Trivy Config Scan
  uses: aquasecurity/trivy-action@master
  with:
    scan-type: config
    scan-ref: .
    exit-code: '1'   # the default '0' reports findings but never fails the job

PRs now block on misconfig issues.


Practical 11: Add Misconfig Scanning to GitLab CI

config_scan:
  script:
    - trivy config --exit-code 1 --severity HIGH,CRITICAL .

Pipeline fails on high-severity misconfigs.


Practical 12: Detect Insecure Dockerfile Secrets

Add secret:

ENV AWS_KEY=abcd

Detect:

trivy config Dockerfile

Fix by removing secrets from Dockerfile.


Practical 13: Scan Cloud Infrastructure With Checkov

checkov -d aws_infra/

Fix:

• S3 bucket public
• Security group open
• Encryption disabled


Practical 14: Detect Kubernetes Privilege Escalation

Create pod with:

allowPrivilegeEscalation: true

Scan with Kubeaudit, then fix by setting allowPrivilegeEscalation: false.


Practical 15: Audit Role-Based Access Control

Scan RBAC manifests:

checkov -d rbac/

Fix over-permissive roles:

• Replace wildcard (*) verbs and resources with explicit lists
• Limit namespace access
• Restrict cluster-admin coverage


Practical 16: Enforce Security Context Baseline

Use Conftest with OPA policy:

• require readOnlyRootFilesystem
• require runAsNonRoot
• disallow privileged mode

Run:

conftest test k8s/
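The baseline above (readOnlyRootFilesystem, runAsNonRoot, no privileged mode), together with the allowPrivilegeEscalation check from Practical 14 and the host-namespace, hostPath, capability and resource-limit items from the "Kubernetes Misconfigurations" list, can be expressed as a few explicit rules over the PodSpec. The following is an added Python checker written for this page; it is not Kubeaudit, Trivy or an OPA policy, but it implements the same decisions so you can see what each rule evaluates. Manifests are embedded as JSON (YAML parsing needs a third-party module); the finding IDs (K8S001 to K8S008) and the two sample manifests are constructed for the example.

```python
import json

# Capabilities whose addition generally breaks container isolation (assumed list)
DANGEROUS_CAPS = {"ALL", "SYS_ADMIN", "NET_ADMIN", "NET_RAW", "SYS_PTRACE", "SYS_MODULE"}

# Constructed manifests in JSON form. The first extends the privileged pod
# from Practical 3; the second applies the Practical 16 baseline to a Deployment.
INSECURE_POD = json.loads("""{
  "apiVersion": "v1", "kind": "Pod",
  "metadata": {"name": "insecure-pod"},
  "spec": {
    "hostPID": true,
    "volumes": [{"name": "host-root", "hostPath": {"path": "/"}}],
    "containers": [{
      "name": "app", "image": "nginx",
      "securityContext": {
        "privileged": true,
        "allowPrivilegeEscalation": true,
        "capabilities": {"add": ["SYS_ADMIN"]}
      }
    }]
  }
}""")

HARDENED_DEPLOYMENT = json.loads("""{
  "apiVersion": "apps/v1", "kind": "Deployment",
  "metadata": {"name": "hardened-app"},
  "spec": {"template": {"spec": {
    "securityContext": {"runAsNonRoot": true, "runAsUser": 10001},
    "containers": [{
      "name": "app", "image": "nginx:1.25.3",
      "resources": {"limits": {"cpu": "500m", "memory": "256Mi"}},
      "securityContext": {
        "allowPrivilegeEscalation": false,
        "readOnlyRootFilesystem": true,
        "capabilities": {"drop": ["ALL"]}
      }
    }]
  }}}
}""")


def pod_spec(obj):
    """Return the PodSpec of a bare Pod or of a workload carrying a pod template."""
    if obj.get("kind") == "Pod":
        return obj["spec"]
    return obj["spec"]["template"]["spec"]  # Deployment, StatefulSet, DaemonSet, Job


def check_workload(obj):
    """Return (finding_id, message) pairs; IDs are hypothetical, not Kubeaudit's."""
    spec = pod_spec(obj)
    pod_sc = spec.get("securityContext", {})
    findings = []
    for flag in ("hostPID", "hostNetwork", "hostIPC"):
        if spec.get(flag):
            findings.append(("K8S001", f"{flag} enabled: container shares a node namespace"))
    for vol in spec.get("volumes", []):
        if "hostPath" in vol:
            findings.append(("K8S002", f"volume {vol['name']} mounts hostPath {vol['hostPath'].get('path')}"))
    for c in spec.get("containers", []) + spec.get("initContainers", []):
        name, sc = c["name"], c.get("securityContext", {})
        if sc.get("privileged"):
            findings.append(("K8S003", f"{name}: privileged mode"))
        # Unset means allowed, so only an explicit false passes
        if sc.get("allowPrivilegeEscalation") is not False:
            findings.append(("K8S004", f"{name}: allowPrivilegeEscalation must be false"))
        # A container-level runAsNonRoot overrides the pod-level value
        run_as_non_root = sc["runAsNonRoot"] if "runAsNonRoot" in sc else pod_sc.get("runAsNonRoot")
        if run_as_non_root is not True:
            findings.append(("K8S005", f"{name}: runAsNonRoot must be true"))
        if sc.get("readOnlyRootFilesystem") is not True:
            findings.append(("K8S006", f"{name}: readOnlyRootFilesystem must be true"))
        for cap in sorted(set(sc.get("capabilities", {}).get("add", [])) & DANGEROUS_CAPS):
            findings.append(("K8S007", f"{name}: adds capability {cap}"))
        if not c.get("resources", {}).get("limits"):
            findings.append(("K8S008", f"{name}: no resource limits"))
    return findings


def workload_finding_ids(obj):
    """Sorted finding IDs for one manifest object."""
    return sorted(fid for fid, _ in check_workload(obj))


if __name__ == "__main__":
    for obj in (INSECURE_POD, HARDENED_DEPLOYMENT):
        print(obj["metadata"]["name"], check_workload(obj) or "clean")
```

Two details matter when writing such rules as Rego for Conftest as well: allowPrivilegeEscalation and readOnlyRootFilesystem default to the insecure value when absent, so a rule must require the explicit safe value rather than merely reject the unsafe one, and runAsNonRoot has to be resolved through the pod-to-container override before it is judged.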

Practical 17: Scan All IaC Before Deployment

Add to CI:

checkov -d .
trivy config .

Block deployments (for example terraform apply) when misconfigurations are found.


Practical 18: Auto-Fix Terraform Misconfigurations

Checkov sometimes suggests safe defaults.
Apply fixes manually and re-scan.


Practical 19: Scan Helm Chart Releases

helm template mychart | trivy config -

Detect insecure templates.


Practical 20: Build Full Misconfig Scanning Architecture

Include:

• Trivy (Docker, K8s, Terraform)
• Dockle (Dockerfiles)
• Checkov (IaC governance)
• Kubeaudit (K8s Hardening)
• Conftest + OPA (policy enforcement)
• GitHub/GitLab CI pipelines
• Scheduled cluster scans
• Baseline tracking
• Alerts and dashboards

This architecture enforces secure configurations across every environment.


Intel Dump

• Misconfiguration scanning prevents privilege escalation, data leaks, and container compromise
• Tools include Trivy, Checkov, Dockle, Kubeaudit, Kubesec, Terrascan, and Conftest
• Scans cover Dockerfiles, images, Kubernetes manifests, Terraform, Helm charts, and cloud services
• Must run scans locally, in CI, on PRs, and against live clusters
• Practicals include Dockerfile scanning, Kubernetes scans, Terraform checks, OPA policies, CI integration, cloud audits, and complete misconfiguration security architecture
