What PolicyGuard does
A transparent, measured IaC misconfiguration scanner.
PolicyGuard analyzes Terraform and OpenTofu and evaluates each resource against security policies written in Rego (Open Policy Agent). Every finding traces to a policy you can open and read, carries a concrete remediation, and maps to a standard weakness (CWE). On its committed benchmark corpus the core policy set measures precision 1.00 / recall 0.95 (F1 0.98) — a reproducible number, not a claim.
This page is the GUI. Paste or upload configuration into the scanner and the findings render as an interactive dashboard.
What it scans
Formats
- Terraform — .tf, .tf.json
- OpenTofu — .tofu
- Raw HCL — .hcl or pasted
Clouds
- AWS — deep coverage (S3, EC2/EBS, IAM, RDS, KMS, SQS, SNS, DynamoDB, Lambda, …)
- Azure — storage accounts, network security groups, SQL servers
The HCL parser resolves variables, ${...} interpolation, and module inputs heuristically — so it sees through common indirection without needing a terraform plan, credentials, or network access.
What it detects
Misconfigurations a security reviewer would flag — public exposure, missing encryption, over-broad access, disabled logging, weak transport, and more. A few examples:
- S3 buckets that are public, unencrypted, or have logging disabled (including the modern split-resource pattern)
- Security groups opening SSH/RDP to 0.0.0.0/0
- EC2 without IMDSv2; unencrypted EBS volumes
- IAM policies with wildcard actions/resources
- RDS that is public, unencrypted, or without backups
- Azure storage without HTTPS-only / minimum TLS; NSGs exposing admin ports; SQL with public access
Each finding includes the offending source line as evidence, a CWE mapping, and a diff-style remediation.
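As an added illustration of what a readable Rego policy of this kind looks like (this is not one of PolicyGuard's built-in policies, and the input document shape it reads, input.resources with type/name/file/attributes, is assumed rather than taken from the project), here is the open-SSH/RDP check from the list above, written in modern OPA syntax with two constructed inputs so it runs under opa test:

```rego
package policyguard.examples.sg_admin_ports_open

import rego.v1

# Ports a reviewer would not expect open to the whole internet (SSH, RDP).
admin_ports := {22, 3389}

# "Anywhere" CIDRs for IPv4 and IPv6.
world_open(cidr) if cidr == "0.0.0.0/0"
world_open(cidr) if cidr == "::/0"

# One finding per (security group, ingress rule, admin port) that is world-open.
# ASSUMED input shape for this example: input.resources is a list of parsed
# resources, each with type, name, file and an attributes object mirroring HCL.
deny contains finding if {
	some res in input.resources
	res.type == "aws_security_group"
	some rule in res.attributes.ingress
	some cidr in rule.cidr_blocks
	world_open(cidr)
	some port in admin_ports
	rule.from_port <= port
	port <= rule.to_port
	finding := {
		"policy": "aws_sg_admin_port_open_to_world",
		"severity": "HIGH",
		"resource": sprintf("%s.%s", [res.type, res.name]),
		"evidence": sprintf("%s:%d cidr_blocks = %v", [res.file, rule.line, rule.cidr_blocks]),
		"cwe": "CWE-284",
		"remediation": sprintf("restrict port %d to a bastion or VPN CIDR instead of %s", [port, cidr])
	}
}

# Constructed input: one security group with SSH (22/tcp) open to the given CIDR.
sample(cidr) := {"resources": [{
	"type": "aws_security_group", "name": "web", "file": "main.tf",
	"attributes": {"ingress": [{"line": 12, "from_port": 22, "to_port": 22, "cidr_blocks": [cidr]}]}
}]}

test_ssh_open_to_world if {
	count(deny) == 1 with input as sample("0.0.0.0/0")
}

test_ssh_scoped_is_clean if {
	count(deny) == 0 with input as sample("10.0.0.0/8")
}
```

The CWE mapping shown (CWE-284, Improper Access Control) is an assumed choice for the example, not a statement of which CWE PolicyGuard's own policy assigns.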
Severity & status
Color is earned by severity, never decorative. Failing findings use a diagonal-hatch treatment; passing checks are solid.
Severities are tunable per policy via a JSON config on the CLI (--severity-config), so you can align them with your organization's risk model.
Using the GUI
1. Import
Drag .tf/.tofu/.tf.json files onto the upload zone (or click to choose), or paste HCL into the box. Select several files to scan them together — cross-resource policies can then see related resources.
2. Scan
Press Scan. The configuration is analyzed on the machine running this server; the dashboard renders below.
3. Explore
Filter by severity, search by resource/policy/file, and click any finding to see its evidence and remediation. Press / to jump to search.
Safety model
PolicyGuard parses untrusted IaC, so the server treats its own attack surface as first-class.
Local mode (default)
Binds to 127.0.0.1 — reachable only from your machine. Generous limits. Run with policyguard serve.
Public mode
Upload/paste only — no filesystem path scanning, module sources confined to the upload, tighter size/rate limits. Run with policyguard serve --public. This hosted instance is in public mode.
Uploaded content is written to a temporary directory and deleted after each scan; only PolicyGuard's trusted built-in policies are loaded; all rendered content is escaped. Full threat model: docs/SECURITY.md.
CLI & CI
The GUI is one front-end; the same engine runs in your terminal and pipelines.
Drop-in integrations exist for GitHub Actions, GitLab CI, Jenkins, and pre-commit. See the repository.
Output formats
Beyond this dashboard, the CLI emits:
SARIF loads in GitHub code scanning; the HTML report is a single self-contained file you can attach as a CI artifact.