Here is where we can do the IaC scanning:

1. When writing code: low context; default values can be evaluated.
2. At Terraform plan: medium context; dynamic values from environment variables and the CLI are resolved.
3. At Terraform apply: high context; the plan is resolved, and API interaction with the production environment is performed.
4. Cloud runtime: very high context, where the end state of the environment is laid out as runtime configuration, even if it has drifted from the Terraform state created at the apply stage.

IaC scanning provides prevention at layers 1 to 2; for layer 4 (cloud runtime), a CSPM tool is mostly used. Coverage is more comprehensive when scanning can be done at every layer.

Ref: https://bridgecrew.io/blog/terraform-plan-security-scanning-checkov/
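To make the difference between the code layer and the plan layer concrete, here is an added example (not from the referenced article and not Checkov's own logic) that scans the JSON produced by `terraform show -json` for security groups exposing admin ports to the internet. The plan content, the resource names and the variable `admin_cidr` are constructed for illustration; a scan of the source alone would only see the variable's assumed default.

```python
import json

# Constructed sample: trimmed `terraform show -json` output for a plan where
# var.admin_cidr (assumed default "10.0.0.0/8" in the .tf source) was
# overridden at plan time, e.g. through TF_VAR_admin_cidr or -var.
PLAN_JSON = """
{"planned_values": {"root_module": {
  "resources": [
    {"address": "aws_security_group.app", "type": "aws_security_group",
     "values": {"ingress": [
       {"from_port": 443, "to_port": 443, "cidr_blocks": ["0.0.0.0/0"]}]}}],
  "child_modules": [{"address": "module.bastion", "resources": [
    {"address": "module.bastion.aws_security_group.ssh", "type": "aws_security_group",
     "values": {"ingress": [
       {"from_port": 22, "to_port": 22, "cidr_blocks": ["0.0.0.0/0"]}]}}]}]
}}}
"""

ADMIN_PORTS = {22, 3389}
OPEN_CIDRS = {"0.0.0.0/0", "::/0"}

def iter_resources(module):
    """Yield resources from a module and all nested child modules."""
    yield from module.get("resources", [])
    for child in module.get("child_modules", []):
        yield from iter_resources(child)

def open_admin_ingress(plan):
    """Return (address, port) for security groups exposing admin ports to the world."""
    findings = []
    root = plan.get("planned_values", {}).get("root_module", {})
    for res in iter_resources(root):
        if res.get("type") != "aws_security_group":
            continue
        for rule in (res.get("values") or {}).get("ingress") or []:
            cidrs = set(rule.get("cidr_blocks") or []) | set(rule.get("ipv6_cidr_blocks") or [])
            lo, hi = rule.get("from_port"), rule.get("to_port")
            if str(rule.get("protocol")) == "-1":  # all protocols: every port is covered
                lo, hi = 0, 65535
            if lo is None or hi is None or not (cidrs & OPEN_CIDRS):
                continue  # unresolved ports or not world-open: nothing to flag
            findings += [(res["address"], p) for p in sorted(ADMIN_PORTS) if lo <= p <= hi]
    return findings

if __name__ == "__main__":
    for address, port in open_admin_ingress(json.loads(PLAN_JSON)):
        print(f"FAIL {address}: port {port} open to the internet")
```
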
SA Bagus is a blog about computer technology, networking, cloud, crypto, and cyber security.