SoK: Static Configuration Analysis in Infrastructure as Code Scripts
Peer-Reviewed Research Paper

Abstract
In this paper, we examine the tools available for analysing Infrastructure as Code (IaC) scripts. We define the term "static configuration analysis" to differentiate it from traditional static analysis approaches. To identify IaC analysis tools, we reviewed literature from 2015 to 2022 and utilised search engines to find tools that were not included in existing literature. We present a comprehensive summary of all the tools, their features, and detection capabilities. We also provide insights into the common techniques and methodologies used for analysing IaC scripts. Our review concludes that regular expressions are widely used for matching patterns in IaC scripts, which may not be an optimal long-term solution for automated analysis.
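As an added illustration of the abstract's closing point (this code is not from the paper or from any tool it surveys), the same hard-coded-secret smell is checked two ways on a constructed Terraform-JSON-style snippet: a line-oriented regular expression, which flags a harmless description string and misses the secret kept in a variable default, and a walk over the parsed document, which follows the `${var.…}` reference and reports only the real finding. The key names, patterns and sample values are assumptions made for the example.

```python
import json
import re
# Constructed sample in Terraform's JSON configuration syntax (not from the
# paper): the secret sits in a variable default, the resource only references
# it, and a description string merely talks about a password.
IAC_DOC = """{
  "variable": {"db_password": {"default": "hunter2"}},
  "resource": {"aws_db_instance": {"main": {
    "username": "admin",
    "password": "${var.db_password}",
    "description": "password = changeme (rotated)"
  }}}
}"""

# Typical line-oriented pattern: a secret-ish key followed by a bare literal.
LINE_PATTERN = re.compile(r'password"?\s*[=:]\s*"?([A-Za-z0-9_]+)', re.I)
SECRET_KEY = re.compile(r"password|secret|token", re.I)
VAR_REF = re.compile(r"^\$\{var\.(\w+)\}$")

def regex_scan(text: str) -> list:
    """Regex over raw lines: no notion of keys, values or references."""
    return [m.group(1) for line in text.splitlines() for m in LINE_PATTERN.finditer(line)]

def _leaves(node, path=()):
    """Yield (path, value) for every scalar in the parsed document."""
    if isinstance(node, dict):
        for key, value in node.items():
            yield from _leaves(value, path + (key,))
    elif isinstance(node, list):
        for i, value in enumerate(node):
            yield from _leaves(value, path + (str(i),))
    else:
        yield path, node

def structural_scan(text: str) -> list:
    """Walk the parsed tree: flag secret-named keys holding a literal, resolving ${var.X} defaults."""
    doc = json.loads(text)
    variables = doc.get("variable", {})
    findings = []
    for path, value in _leaves(doc.get("resource", {})):
        if not isinstance(value, str) or not SECRET_KEY.search(path[-1]):
            continue
        ref = VAR_REF.match(value)
        if ref is None:
            findings.append(("/".join(path), "literal", value))
        else:
            default = variables.get(ref.group(1), {}).get("default")
            if isinstance(default, str):  # literal default reachable through the reference
                findings.append(("/".join(path), "var." + ref.group(1), default))
    return findings
```

On the sample, `regex_scan` returns the false positive `changeme` and nothing else, while `structural_scan` returns the single true finding at `aws_db_instance/main/password` with the resolved default `hunter2`.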
Keywords
DevOps, DevSecOps, Infrastructure as Code, Static analysis, Security smells, Defect detection