PolicyGuard GUIDE · PUBLIC

What PolicyGuard does

A transparent, measured IaC misconfiguration scanner.

PolicyGuard analyzes Terraform and OpenTofu and evaluates each resource against security policies written in Rego (Open Policy Agent). Every finding traces to a policy you can open and read, carries a concrete remediation, and maps to a standard weakness (CWE). On its committed benchmark corpus the core policy set measures precision 1.00 / recall 0.95 (F1 0.98) — a reproducible number, not a claim.

This page is the GUI. Paste or upload configuration on the scanner and the findings render as an interactive dashboard.

What it scans

Formats

  • Terraform — .tf, .tf.json
  • OpenTofu — .tofu
  • Raw HCL — .hcl or pasted

Clouds

  • AWS — deep coverage (S3, EC2/EBS, IAM, RDS, KMS, SQS, SNS, DynamoDB, Lambda, …)
  • Azure — storage accounts, network security groups, SQL servers

The HCL parser resolves variables, ${...} interpolation, and module inputs heuristically — so it sees through common indirection without needing a terraform plan, credentials, or network access.

What it detects

Misconfigurations a security reviewer would flag — public exposure, missing encryption, over-broad access, disabled logging, weak transport, and more. A few examples:

  • S3 buckets that are public, unencrypted, or have logging disabled (including the modern split-resource pattern)
  • Security groups opening SSH/RDP to 0.0.0.0/0
  • EC2 without IMDSv2; unencrypted EBS volumes
  • IAM policies with wildcard actions/resources
  • RDS that is public, unencrypted, or without backups
  • Azure storage without HTTPS-only / minimum TLS; NSGs exposing admin ports; SQL with public access

Each finding includes the offending source line as evidence, a CWE mapping, and a diff-style remediation (the insecure line marked with "-", the corrected line with "+").
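As an added illustration (example code written for this guide, not PolicyGuard's parser or policy set), the following Python shows the two mechanisms described above on a constructed Terraform snippet: a parser for a flat subset of HCL that resolves var.x references and ${var.x} interpolation from variable defaults, and a small policy table that turns resources into findings carrying the offending line as evidence, a CWE mapping and a diff-style remediation. The policy ids, severities and CWE choices are illustrative assumptions; PolicyGuard's real policies are Rego, and this example substitutes Python predicates for them.

```python
import re
from dataclasses import dataclass, field

# Constructed sample input (not from the page): a flat Terraform subset whose
# risky values are routed through variables and ${...} interpolation.
SAMPLE_TF = """\
variable "env" {
  default = "prod"
}
variable "bucket_acl" {
  default = "public-read"
}
resource "aws_s3_bucket" "logs" {
  bucket = "acme-${var.env}-logs"
  acl    = var.bucket_acl
}
resource "aws_db_instance" "main" {
  publicly_accessible = true
  storage_encrypted   = false
}
"""

BLOCK_RE = re.compile(r'^(resource|variable)\s+"([^"]+)"(?:\s+"([^"]+)")?\s*\{$')
ATTR_RE = re.compile(r'^\s*([A-Za-z_]\w*)\s*=\s*(.+?)\s*$')
INTERP_RE = re.compile(r'\$\{var\.(\w+)\}')

@dataclass
class Block:
    kind: str            # "resource" or "variable"
    type: str            # resource type, or the variable's name
    name: str            # resource name (None for a variable block)
    line: int            # source line of the block header
    raw: dict = field(default_factory=dict)    # attribute -> raw text
    lines: dict = field(default_factory=dict)  # attribute -> source line

def parse(text):
    """Return (variables, resources); variables map name -> raw default text."""
    variables, resources, current = {}, [], None
    for lineno, line in enumerate(text.splitlines(), start=1):
        m = BLOCK_RE.match(line.strip())
        if m:
            current = Block(*m.groups(), lineno)
        elif line.strip() == "}" and current is not None:
            if current.kind == "variable":
                variables[current.type] = current.raw.get("default")
            else:
                resources.append(current)
            current = None
        elif current is not None and (m := ATTR_RE.match(line)):
            current.raw[m.group(1)] = m.group(2)
            current.lines[m.group(1)] = lineno
    return variables, resources

def resolve(raw, variables):
    """Heuristic evaluation: bool literals, var.x references and ${var.x} inside
    strings. Anything else is returned verbatim rather than guessed."""
    raw = raw.strip()
    if raw in ("true", "false"):
        return raw == "true"
    if raw.startswith("var."):
        default = variables.get(raw[4:])
        return resolve(default, variables) if default is not None else raw
    if len(raw) >= 2 and raw[0] == raw[-1] == '"':
        def sub(m):
            default = variables.get(m.group(1))
            return str(resolve(default, variables)) if default is not None else m.group(0)
        return INTERP_RE.sub(sub, raw[1:-1])
    return raw

# (policy id, severity, CWE, resource type, attribute, is_bad(value), fixed literal).
# Ids, severities and CWE mappings are illustrative choices for this example.
POLICIES = [
    ("s3-public-acl", "CRITICAL", "CWE-284", "aws_s3_bucket", "acl",
     lambda v: v in ("public-read", "public-read-write"), '"private"'),
    ("rds-public", "HIGH", "CWE-284", "aws_db_instance", "publicly_accessible",
     lambda v: v is True, "false"),
    ("rds-unencrypted", "HIGH", "CWE-311", "aws_db_instance", "storage_encrypted",
     lambda v: v is not True, "true"),
]

def scan(text):
    """Evaluate every policy against every resource; each finding carries the
    offending line as evidence, a CWE and a diff-style remediation."""
    variables, resources = parse(text)
    findings = []
    for r in resources:
        for pid, sev, cwe, rtype, attr, is_bad, fixed in POLICIES:
            raw = r.raw.get(attr)
            value = resolve(raw, variables) if raw is not None else None
            if r.type != rtype or not is_bad(value):
                continue
            # Omitted attribute: the insecure default applies, so point at the header.
            evidence = f"{attr} = {raw}" if raw is not None else f"{attr} not set"
            if raw is not None and (raw.startswith("var.") or "${" in raw):
                evidence += f"  # resolves to {value!r}"
            old = f"- {attr} = {raw}\n" if raw is not None else ""
            findings.append(dict(policy=pid, severity=sev, cwe=cwe,
                                 resource=f"{r.type}.{r.name}", line=r.lines.get(attr, r.line),
                                 evidence=evidence, remediation=f"{old}+ {attr} = {fixed}"))
    return findings
```

Running scan(SAMPLE_TF) yields three findings: the S3 ACL at line 9 (evidence records both the var.bucket_acl reference and the "public-read" it resolves to), the public RDS instance at line 12, and the unencrypted RDS storage at line 13. A resource that omits a checked attribute still produces a finding, anchored at its block header with an additive "+" remediation, because the insecure default is what actually gets deployed.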

Severity & status

Color is earned by severity, never decorative. Failing findings use a diagonal-hatch treatment; passing checks are solid.

Badges: CRITICAL · HIGH · MEDIUM · LOW · PASS

Severities are tunable per policy via a JSON config on the CLI (--severity-config), so you can align them with your organization's risk model.

Using the GUI

1. Import

Drag .tf/.tofu/.tf.json files onto the upload zone (or click to choose), or paste HCL into the box. Select several files to scan them together — cross-resource policies can then see related resources.

2. Scan

Press Scan. The configuration is analyzed on the machine running this server; the dashboard renders below.

3. Explore

Filter by severity, search by resource/policy/file, and click any finding to see its evidence and remediation. Press / to jump to search.

Safety model

PolicyGuard parses untrusted IaC, so the server treats its own attack surface as first-class.

Local mode (default)

Binds to 127.0.0.1 — reachable only from your machine. Generous limits. Run with policyguard serve.

Public mode

Upload/paste only — no filesystem path scanning, module sources confined to the upload, tighter size/rate limits. Run with policyguard serve --public. This hosted instance is in public mode.

Uploaded content is written to a temporary directory and deleted after each scan; only PolicyGuard's trusted built-in policies are loaded; all rendered content is escaped. Full threat model: docs/SECURITY.md.
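The controls behind public mode can be made concrete. The following Python is an added example (not PolicyGuard's server code) of three of the defenses the Safety model describes: confining every uploaded file name and local module source to a per-scan temporary directory that is always removed, enforcing an upload size limit, and escaping evidence before it is rendered. MAX_UPLOAD_BYTES and the function names are assumptions made for the example; the page does not state PolicyGuard's actual limits.

```python
import html
import shutil
import tempfile
from pathlib import Path

# Assumed public-mode limit for this example; the real value is not on the page.
MAX_UPLOAD_BYTES = 256 * 1024

def confined_path(root, relative):
    """Resolve a path relative to the upload root and refuse anything that ends up
    outside it: '..' segments, absolute paths, or symlinks pointing elsewhere."""
    root = Path(root).resolve()
    candidate = (root / relative).resolve()
    if candidate != root and root not in candidate.parents:
        raise ValueError(f"path escapes upload: {relative}")
    return candidate

def module_source_allowed(source):
    """Public mode follows only local module sources (./ or ../), never registry,
    git, HTTP or absolute references; confined_path then rejects any local
    source that climbs out of the upload."""
    return source.startswith(("./", "../"))

def stage_upload(files, workspace):
    """Write uploaded files under the workspace, enforcing the total size limit
    and rejecting file names that would land outside the workspace."""
    total, staged = 0, []
    for name, data in files.items():
        total += len(data)
        if total > MAX_UPLOAD_BYTES:
            raise ValueError("upload exceeds public-mode size limit")
        dest = confined_path(workspace, name)   # the file name itself is untrusted
        dest.parent.mkdir(parents=True, exist_ok=True)
        dest.write_bytes(data)
        staged.append(dest)
    return staged

def render_evidence(text):
    """Escape evidence before it reaches the dashboard; IaC content is untrusted
    and may contain markup in strings or comments."""
    return f"<code>{html.escape(text, quote=True)}</code>"

def run_public_scan(files, scan_fn):
    """Stage the upload in a fresh temporary directory, run scan_fn over the
    staged paths, and remove the directory whether or not the scan succeeded."""
    workspace = Path(tempfile.mkdtemp(prefix="policyguard-"))
    try:
        findings = scan_fn(stage_upload(files, workspace))
    finally:
        shutil.rmtree(workspace, ignore_errors=True)
    return {"findings": findings, "workspace_removed": not workspace.exists()}
```

The try/finally is the important shape: a rejected file name or an oversized upload raises before the scanner runs, and the temporary directory is removed on both the success and the failure path, so a malformed upload cannot leave content behind on the server.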

CLI & CI

The GUI is one front-end; the same engine runs in your terminal and pipelines.

  # scan a directory
  policyguard scan ./infra

  # fail a CI build on violations (exit 1 = violations, 2 = scan error)
  policyguard scan ./infra --fail-on-error

  # start this GUI
  policyguard serve

Drop-in integrations exist for GitHub Actions, GitLab CI, Jenkins, and pre-commit. See the repository.

Output formats

Beyond this dashboard, the CLI emits:

  • human
  • json
  • junit
  • sarif (CWE + fingerprints)
  • compliance CSV
  • html (this dashboard, static)

SARIF loads in GitHub code scanning; the HTML report is a single self-contained file you can attach as a CI artifact.
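To show how the CI pieces fit together (the --severity-config JSON from Severity & status, the exit-code contract from CLI & CI, and the SARIF output with CWE tags and fingerprints listed above), here is an added Python example; it is not PolicyGuard's own exporter. It assumes a severity config of the shape {"policy-id": "SEVERITY"}, a partialFingerprints key named policyguard/evidence/v1, and the constructed findings in FINDINGS; none of those are taken from the page. The external/cwe/cwe-NNN tag form is the convention GitHub code scanning reads for CWE classification.

```python
import hashlib
import json

SEVERITIES = ["LOW", "MEDIUM", "HIGH", "CRITICAL"]   # ascending order
SARIF_LEVEL = {"LOW": "note", "MEDIUM": "warning", "HIGH": "error", "CRITICAL": "error"}

# Constructed findings, shaped like the dashboard's (policy, evidence, CWE, location).
FINDINGS = [
    {"policy": "s3-public-acl", "severity": "CRITICAL", "cwe": "CWE-284",
     "file": "infra/s3.tf", "line": 11, "resource": "aws_s3_bucket.logs",
     "evidence": 'acl = "public-read"', "message": "S3 bucket ACL grants public read"},
    {"policy": "ebs-unencrypted", "severity": "MEDIUM", "cwe": "CWE-311",
     "file": "infra/ec2.tf", "line": 40, "resource": "aws_ebs_volume.data",
     "evidence": "encrypted = false", "message": "EBS volume is not encrypted"},
]

def apply_severity_config(findings, config_json):
    """Override per-policy severities from a JSON document of the assumed shape
    {"policy-id": "SEVERITY"}. Unknown severities are rejected up front so a
    typo cannot silently demote a check."""
    overrides = json.loads(config_json)
    bad = {p: s for p, s in overrides.items() if s not in SEVERITIES}
    if bad:
        raise ValueError(f"invalid severities in config: {bad}")
    return [dict(f, severity=overrides.get(f["policy"], f["severity"])) for f in findings]

def fingerprint(f):
    """Stable identity for a finding: policy + resource + evidence, deliberately
    excluding the line number so edits elsewhere in the file do not open a
    'new' alert in code scanning."""
    key = "|".join([f["policy"], f["resource"], f["evidence"]])
    return hashlib.sha256(key.encode()).hexdigest()[:32]

def to_sarif(findings, tool_name="PolicyGuard", tool_version="example"):
    """Build a SARIF 2.1.0 log: one rule per policy (tagged with its CWE), one
    result per finding with its location, evidence snippet and fingerprint."""
    rules = {}
    for f in findings:
        rules.setdefault(f["policy"], {
            "id": f["policy"],
            "shortDescription": {"text": f["message"]},
            "properties": {"tags": ["security", f"external/cwe/{f['cwe'].lower()}"]},
        })
    results = [{
        "ruleId": f["policy"],
        "level": SARIF_LEVEL[f["severity"]],
        "message": {"text": f"{f['message']} ({f['cwe']})"},
        "locations": [{"physicalLocation": {
            "artifactLocation": {"uri": f["file"]},
            "region": {"startLine": f["line"], "snippet": {"text": f["evidence"]}},
        }}],
        "partialFingerprints": {"policyguard/evidence/v1": fingerprint(f)},
    } for f in findings]
    return {
        "$schema": "https://json.schemastore.org/sarif-2.1.0.json",
        "version": "2.1.0",
        "runs": [{"tool": {"driver": {"name": tool_name, "version": tool_version,
                                      "rules": list(rules.values())}},
                  "results": results}],
    }

def exit_code(findings, fail_on="LOW", scan_error=False):
    """CI contract from the guide: 2 = scan error, 1 = violations at or above
    the fail_on threshold, 0 = clean."""
    if scan_error:
        return 2
    threshold = SEVERITIES.index(fail_on)
    return 1 if any(SEVERITIES.index(f["severity"]) >= threshold for f in findings) else 0
```

The severity override runs before both the SARIF level mapping and the exit-code decision, which is what makes the JSON config meaningful in a pipeline: downgrading a policy changes whether the build fails, not just the badge colour. Keeping the fingerprint independent of the line number is what lets code scanning treat a finding as the same alert after unrelated lines move.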