⚠️ Demo report. This is a sample output generated from the iac-security-pipeline against the included sample-repo/ which contains intentional security issues. All findings are real — produced by Trivy, Checkov, ansible-lint, tflint, and Hadolint.

Infrastructure Security Report — sample-infrastructure

IaC Security Pipeline · Executive Summary

Repository:         your-username/sample-infrastructure
Branch:             origin/main
Commit:             6b25cb1263d0
Build:              #3
Scan date:          2026-05-04 15:50 UTC
IaC types detected: Terraform · Ansible · Dockerfile · Kubernetes · Docker Compose

Pipeline status:    FAILED ❌
Checkov found 23 policy violations. | Hadolint found 4 Dockerfile warnings.

Critical CVEs:      0
High CVEs:          0
Policy violations:  23
Secrets detected:   0

Tool results

Trivy

CRITICAL 0 critical CVEs
HIGH 0 high CVEs
WARNING 7 misconfigurations
SECRET 0 secrets
Scanned: Dockerfile · K8s YAML · Terraform · filesystem

Checkov IaC

FAILED 23 violations
PASSED 154 checks passed
Frameworks: Kubernetes · Dockerfile · Secrets · Ansible

Linters

PASSED ansible-lint: 0 violations
PASSED tflint: 0 issues
WARNING Hadolint: 0 errors · 4 warnings

Trivy — Misconfigurations (7 HIGH/CRITICAL)

ID       | Severity | Target         | Title
---------|----------|----------------|------------------------------------------------------------------
DS-0002  | HIGH     | Dockerfile     | Image user should not be 'root'
DS-0029  | MEDIUM   | Dockerfile     | 'apt-get' missing '--no-install-recommends'
DS-0031  | HIGH     | Dockerfile     | Secrets passed via build-args or ENV or copied secret files
KSV-0014 | HIGH     | deployment.yml | Root file system is not read-only
KSV-0017 | CRITICAL | deployment.yml | Privileged container — runs with all Linux capabilities
KSV-0118 | MEDIUM   | deployment.yml | Default security context configured — explicit settings recommended
KSV-0020 | HIGH     | deployment.yml | Runs as root user — specify runAsNonRoot: true

Checkov — Policy violations (23 failed · 154 passed)

Kubernetes (19 violations)

Check ID   | Resource                         | Check name
-----------|----------------------------------|---------------------------------------------------------------------------
CKV_K8S_16 | Deployment.sample-app.sample-app | Container should not be privileged
CKV_K8S_23 | Deployment.sample-app.sample-app | Minimize the admission of root containers
CKV_K8S_11 | Deployment.sample-app.sample-app | CPU limits should be set
CKV_K8S_13 | Deployment.sample-app.sample-app | Memory limits should be set
CKV_K8S_20 | Deployment.sample-app.sample-app | Containers should not run with allowPrivilegeEscalation
CKV_K8S_22 | Deployment.sample-app.sample-app | Use read-only filesystem for containers where possible
CKV_K8S_28 | Deployment.sample-app.sample-app | Minimize the admission of containers with the NET_RAW capability
CKV_K8S_31 | Deployment.sample-app.sample-app | Ensure that the seccomp profile is set to docker/default or runtime/default
CKV_K8S_35 | Deployment.sample-app.sample-app | Prefer using secrets as files over secrets as environment variables

...and 10 more Kubernetes violations

Dockerfile (2 violations)

Check ID     | Resource    | Check name
-------------|-------------|---------------------------------------------------------------------------
CKV_DOCKER_2 | /Dockerfile | Ensure that HEALTHCHECK instructions have been added to container images
CKV_DOCKER_3 | /Dockerfile | Ensure that a user for the container has been created

Secrets (2 violations)

Check ID     | File                   | Finding
-------------|------------------------|------------------------------------------------------------
CKV_SECRET_6 | /deployment.yml L36-37 | Base64 high entropy string — likely hardcoded credential
CKV_SECRET_6 | /site.yml L19-20       | Base64 high entropy string — likely hardcoded credential

Linter results

Tool         | Status  | Summary
-------------|---------|--------------------------------------------------------------------------------------------------------------------------------------------
ansible-lint | PASSED  | 0 violations — all Ansible playbooks and roles are compliant
tflint       | PASSED  | 0 issues — Terraform configurations are syntactically valid
Hadolint     | WARNING | 4 warnings in Dockerfile — DL3008 (unpinned packages), DL3009 (apt lists not cleaned), DL3025 (shell form CMD), SC2086 (unquoted variable)

Scan metadata

Item                 | Value
---------------------|------------------------------------------------------------
Repository           | sample-infrastructure
Path                 | your-username/sample-infrastructure
Commit SHA           | 6b25cb1263d06c9fea9de931bd55efeeb06b114f
Branch               | origin/main
Scan date            | 2026-05-04 15:50:22 UTC
Build                | #3
Pipeline status      | FAILED
IaC types detected   | Terraform · Ansible · Dockerfile · Kubernetes · Docker Compose
Trivy version        | 0.58.1
Checkov version      | 3.2.526
ansible-lint version | 24.12.2
tflint version       | 0.54.0
Hadolint version     | 2.12.0