docs(iac): add documentation for IaC (#8150)

Co-authored-by: Rubén De la Torre Vico <rubendltv22@gmail.com>
2026-01-25 02:08:11 +00:00 · 2025-07-02 17:20:34 +08:00
parent 965111245a
commit fcea3b6570
4 changed files with 142 additions and 0 deletions
--- a/docs/getting-started/requirements.md
+++ b/docs/getting-started/requirements.md
@@ -461,3 +461,54 @@ The provided credentials must have the appropriate permissions to perform all th

 ???+ note
    GitHub App Credentials support less checks than other authentication methods.
+
+## Infrastructure as Code (IaC)
+
+Prowler's Infrastructure as Code (IaC) provider enables you to scan local infrastructure code for security and compliance issues using [Checkov](https://www.checkov.io/). This provider supports a wide range of IaC frameworks and requires no cloud authentication.
+
+### Authentication
+
+The IaC provider does not require any authentication or credentials since it scans local files directly. This makes it ideal for CI/CD pipelines and local development environments.
+
+### Supported Frameworks
+
+The IaC provider leverages Checkov to support multiple frameworks, including:
+
+- Terraform
+- CloudFormation
+- Kubernetes
+- ARM (Azure Resource Manager)
+- Serverless
+- Dockerfile
+- YAML/JSON (generic IaC)
+- Bicep
+- Helm
+- GitHub Actions, GitLab CI, Bitbucket Pipelines, Azure Pipelines, CircleCI, Argo Workflows
+- Ansible
+- Kustomize
+- OpenAPI
+- SAST, SCA (Software Composition Analysis)
+
+### Usage
+
+To run Prowler with the IaC provider, use the `iac` flag. You can specify the directory to scan, frameworks to include, and paths to exclude.
+
+#### Basic Example
+
+```console
+prowler iac --scan-path ./my-iac-directory
+```
+
+#### Specify Frameworks
+
+Scan only Terraform and Kubernetes files:
+
+```console
+prowler iac --scan-path ./my-iac-directory --frameworks terraform kubernetes
+```
+
+#### Exclude Paths
+
+```console
+prowler iac --scan-path ./my-iac-directory --exclude-path ./my-iac-directory/test,./my-iac-directory/examples
+```
--- a/docs/index.md
+++ b/docs/index.md
@@ -612,5 +612,27 @@ prowler github --github-app-id app_id --github-app-key app_key
      2. `OAUTH_APP_TOKEN`
      3. `GITHUB_APP_ID` and `GITHUB_APP_KEY`

+#### Infrastructure as Code (IaC)
+
+Prowler's Infrastructure as Code (IaC) provider enables you to scan local infrastructure code for security and compliance issues using [Checkov](https://www.checkov.io/). This provider supports a wide range of IaC frameworks, allowing you to assess your code before deployment.
+
+```console
+# Scan a directory for IaC files
+prowler iac --scan-path ./my-iac-directory
+
+# Specify frameworks to scan (default: all)
+prowler iac --scan-path ./my-iac-directory --frameworks terraform kubernetes
+
+# Exclude specific paths
+prowler iac --scan-path ./my-iac-directory --exclude-path ./my-iac-directory/test,./my-iac-directory/examples
+```
+
+???+ note
+    - The IaC provider does not require cloud authentication
+    - It is ideal for CI/CD pipelines and local development environments
+    - For more details on supported frameworks and rules, see the [Checkov documentation](https://www.checkov.io/1.Welcome/Quick%20Start.html)
+
+See more details about IaC scanning in the [IaC Tutorial](tutorials/iac/getting-started-iac.md) section.
+
 ## Prowler v2 Documentation
 For **Prowler v2 Documentation**, please check it out [here](https://github.com/prowler-cloud/prowler/blob/8818f47333a0c1c1a457453c87af0ea5b89a385f/README.md).
--- a/docs/tutorials/iac/getting-started-iac.md
+++ b/docs/tutorials/iac/getting-started-iac.md
@@ -0,0 +1,67 @@
+# Getting Started with the IaC Provider
+
+Prowler's Infrastructure as Code (IaC) provider enables you to scan local infrastructure code for security and compliance issues using [Checkov](https://www.checkov.io/). This provider supports a wide range of IaC frameworks, allowing you to assess your code before deployment.
+
+## Supported Frameworks
+
+The IaC provider leverages Checkov to support multiple frameworks, including:
+
+- Terraform
+- CloudFormation
+- Kubernetes
+- ARM (Azure Resource Manager)
+- Serverless
+- Dockerfile
+- YAML/JSON (generic IaC)
+- Bicep
+- Helm
+- GitHub Actions, GitLab CI, Bitbucket Pipelines, Azure Pipelines, CircleCI, Argo Workflows
+- Ansible
+- Kustomize
+- OpenAPI
+- SAST, SCA (Software Composition Analysis)
+
+## How It Works
+
+- The IaC provider scans your local directory (or a specified path) for supported IaC files.
+- No cloud credentials or authentication are required.
+- Mutelist logic is handled by Checkov, not Prowler.
+- Results are output in the same formats as other Prowler providers (CSV, JSON, HTML, etc.).
+
+## Usage
+
+To run Prowler with the IaC provider, use the `iac` argument. You can specify the directory to scan, frameworks to include, and paths to exclude.
+
+### Basic Example
+
+```sh
+prowler iac --scan-path ./my-iac-directory
+```
+
+### Specify Frameworks
+
+Scan only Terraform and Kubernetes files:
+
+```sh
+prowler iac --scan-path ./my-iac-directory --frameworks terraform kubernetes
+```
+
+### Exclude Paths
+
+```sh
+prowler iac --scan-path ./my-iac-directory --exclude-path ./my-iac-directory/test,./my-iac-directory/examples
+```
+
+## Output
+
+You can use the standard Prowler output options, for example:
+
+```sh
+prowler iac --scan-path ./iac --output-formats csv json html
+```
+
+## Notes
+
+- The IaC provider does not require cloud authentication.
+- It is ideal for CI/CD pipelines and local development environments.
+- For more details on supported frameworks and rules, see the [Checkov documentation](https://www.checkov.io/1.Welcome/Quick%20Start.html).