Codacy Terraform Analysis Sample

This repository is a deliberately vulnerable Terraform project for demonstrating Codacy analysis with Trivy, Checkov, and Opengrep.

Do not apply this infrastructure. The resources are intentionally configured with security issues so static analyzers have useful findings to report.

What This Project Demonstrates

• Publicly exposed cloud resources
• Missing encryption and logging controls
• Overly permissive IAM policies
• Hardcoded credentials and secrets
• Risky Terraform provisioner usage
• Insecure Kubernetes workload settings

Expected Analyzer Coverage

The exact rule identifiers can vary by analyzer version and policy bundle, but these files should produce representative findings:

• storage.tf: public S3 access, disabled bucket controls, unencrypted data
• network.tf: security groups open to the internet
• compute.tf: public EC2 instance, weak metadata settings, shell provisioner
• database.tf: public database, weak backup/encryption protections
• iam.tf: wildcard IAM permissions
• kubernetes.tf: privileged container and hardcoded secret material
• variables.tf: hardcoded sensitive defaults

Verified Locally

The local environment did not have Terraform or Checkov installed, so those commands were not run here.

Trivy was available and reported 25 Terraform misconfiguration findings:

• compute.tf: 3 findings
• database.tf: 6 findings
• iam.tf: 1 finding
• network.tf: 4 findings
• storage.tf: 11 findings

Opengrep was available and reported 10 code findings using --config auto, including public EC2/subnet exposure, local provisioner usage, public RDS, wildcard IAM permissions, public S3 access, and unencrypted EBS storage.

Local Syntax Check

terraform fmt -check -recursive
terraform validate

terraform validate may require terraform init first so Terraform can install the AWS and Kubernetes providers.