Your RSA-2048 keys break in 2030. Find every one of them before attackers do.
SHIPIaC Scanning

Insecure infrastructure starts as insecure config.

O3 scans Terraform, CloudFormation, Kubernetes manifests, Helm charts, and Pulumi before they're applied. Catches open S3 buckets, over-permissive IAM roles, and unencrypted resources at the config stage — not after a breach.

SHIFT-LEFT INFRA SECURITY

Catch insecure infra before apply. Not after a breach.

O3 scans Terraform, CloudFormation, and Pulumi before they're applied — catching open S3 buckets, over-permissive IAM roles, and unencrypted resources at the config stage.

Open S3 buckets caught before creation
Unencrypted RDS blocked at plan stage
Over-permissive security groups flagged
600+ rules across AWS, GCP, and Azure
O3 IaC Scanner — Terraform Plan
3 findings
infra/s3.tf · line 13
8resource "aws_s3_bucket" "data_lake" {
9 bucket = "acme-prod-data-lake"
10 tags = local.common_tags
11}
12
13resource "aws_s3_bucket_acl" "data_lake_acl" {
14 bucket = aws_s3_bucket.data_lake.id
15 acl = "public-read"
16}
S3 bucket is publicly readable
CRITICAL

acl = "public-read" makes the bucket and all its objects publicly accessible. Anyone on the internet can list and download contents.

Also found in this plan
IAM policy uses wildcard Action: "*"
iam.tf:34
HIGH
RDS instance has no storage encryption
rds.tf:18
HIGH
Remediation

Remove aws_s3_bucket_acl block or set acl = "private". Add aws_s3_bucket_public_access_block with all flags true.

IAM LEAST PRIVILEGE

Wildcard permissions are a breach waiting to happen. We find them first.

O3 identifies IAM roles, policies, and service accounts that grant more permissions than required — wildcards, admin access, and overly broad resource scopes that violate least-privilege.

Wildcard Action and Resource patterns detected
Admin-equivalent policies flagged
Unused permissions identified via access analysis
Service account over-permission in GKE and EKS
O3 IAM Analyzer
Overprivileged
Current policy
Role: "prod-app-role"
Policy: "AllAccess"
Effect: Allow
Action: "*"
Resource: "*"
Effective permissions: admin-equivalent access

S3 Full · RDS Full · Lambda Full · IAM Full — this role can do anything in your account.

Recommended policy
Action: [
"s3:GetObject",
"s3:PutObject"
]
Resource: [
"arn:aws:s3:::app-bucket/*"
]
847 allowed actions2 required
99.8% reduction
KUBERNETES SECURITY

Privileged pods. Root containers. No resource limits.

O3 checks Kubernetes manifests for privileged containers, missing resource limits, hostNetwork access, and missing Pod Security Standards — catching misconfigs before kubectl apply.

Privileged containers blocked before deploy
hostNetwork and hostPID access flagged
Missing resource limits surfaced
Pod Security Standards enforced at PR
O3 K8s Scanner — deployment.yaml
3 issues
apiVersion: apps/v1
kind: Deployment
spec:
template:
spec:
containers:
- name: api
securityContext:
privileged: trueCRITICAL
runAsRoot: trueHIGH
resources:
# not setMEDIUM
Container runs as root
CRITICAL
Privileged mode enabled
CRITICAL
No resource limits set
MEDIUM
Remediation

Set privileged: false, runAsNonRoot: true, add resources.limits block with memory and CPU constraints.

DRIFT DETECTION

Your IaC says one thing. Your cloud says another.

O3 compares your IaC configuration against what is actually deployed — surfacing resources created manually outside Terraform or modified post-deploy that now diverge from your security baseline.

Manual console changes caught immediately
Drift alerts with who made the change and when
Resources created outside IaC highlighted
Re-import suggestions for unmanaged resources
O3 Drift Detector
2 drifted
Drifted resources
aws_security_group.apiDrifted
IaC ✓
port 443 only
Deployed ✗
port 443 + port 22 open to 0.0.0.0/0
Changed: 2024-03-15 via AWS Console by unknown
aws_s3_bucket.logsDrifted
IaC ✓
versioning: enabled
Deployed ✗
versioning: disabled
Changed: 2024-03-12 via CLI

2 resources have drifted from IaC state. Run terraform apply to reconcile, or update IaC to match if intentional.

Fix infra misconfigs before they reach production.

Book a demo and see O3 catch open S3 buckets, wildcard IAM, and privileged pods at the PR stage.

FAQ

Questions,
answered.

Everything teams ask before rolling this out. Still stuck? Reach our team.

  • O3 supports Terraform (HCL, including .tfvars and plan files), AWS CloudFormation (YAML and JSON), Kubernetes manifests (YAML and JSON), Helm charts (with values file expansion so rendered manifests are what is analyzed, not raw templates), Pulumi (TypeScript, Python, Go, and .NET), and AWS CDK output CloudFormation templates. Support for additional formats is added on a rolling basis.
  • O3 checks over 600 rules across AWS, GCP, and Azure resources. Common findings include: S3 buckets with public ACLs or disabled block public access, RDS instances without encryption at rest or automated backups, security groups with 0.0.0.0/0 ingress on sensitive ports, IAM policies with wildcard actions or resources, Lambda functions with overly permissive execution roles, CloudTrail logging disabled, and EKS clusters without private API server endpoints. Rules are mapped to CIS Benchmarks, NIST 800-53, and SOC 2 controls.
  • O3 renders Helm charts using your actual values files, production values, staging values, or all of them, before scanning. This means O3 analyzes the manifests that will actually be applied, not the raw templates. A chart that looks safe in isolation but becomes insecure with production values (for example, a variable that enables host networking in prod) is caught correctly.
  • Drift is the gap between what your IaC configuration says should exist and what is actually deployed in your cloud account. Drift occurs when engineers create resources manually via the AWS console, when automation modifies resources outside Terraform, or when someone runs a one-off CLI command to fix an incident and never updates the Terraform. Drifted resources are invisible to IaC scanning and often less secure. O3 compares your declared state against live cloud APIs and surfaces resources that were never in IaC or that have been modified post-deploy.
  • O3 provides native integrations for GitHub Actions, GitLab CI, Jenkins, CircleCI, and Bitbucket Pipelines. For Terraform, O3 can analyze the plan file produced by terraform plan, catching misconfigs that are only visible after variable substitution and module resolution. Findings are posted as pull request comments with exact line numbers and severity. Builds can be configured to fail on critical findings, warn on high, and pass on medium and below, thresholds are fully configurable.