Skip to main content

Quality Assurance

Utilizing Static Analysis Testing for Infrastructure as Code

Istock 843015650

For those in the quality assurance (QA) field, one of today’s most complex challenges is testing infrastructure as code  (IaC- iac test). As a result, IaC deployments are not always tested correctly, or sometimes not at all, leading to multiple issues for many organizations.

While software testing has always existed, automation testing related to infrastructure has only been around for a couple of years, so companies need to ensure the security and robustness of their IaC without the need to deploy.

What is infrastructure as code – iac test?

Infrastructure as code (IaC), also known as programmable or software-defined infrastructure, is the practice of codifying and managing IT infrastructure as software rather than hardware. It enables developers and operations teams to manage and monitor resources through automation, eliminating the need to configure hardware devices and operating systems manually.

IaC is similar to script programming in that organizations can use it to automate IT processes. However, its more advanced language allows for greater versatility and flexibility in provisioning and deployment processes. Built on platforms like Terraform, Kubernetes, and Helm, IaC enables software engineers to work with reproducible environments that ease collaboration and allow idempotence and convergence.

With this code-based infrastructure, development teams can easily automate processes, test iterations, apply version control practices, and approve production code, much like software design practices. Along with its close alignment with DevOps practices, these advantages make IaC a fast, efficient, consistent way to control infrastructure.

The Importance of Testing IaC – iac test

The success of an IaC model depends on developers and QA testers that understand the various configuration management and automation tools that it requires. Depending on the number of components, environments, and rollouts that affect infrastructure, testing IaC is a serious consideration for many companies. When errors occur, they can quickly impact an application’s performance, so it is essential to perform comprehensive testing before and after release into production environments.

There are several testing methods for maintaining code quality in IaC.

  • Static analysis tests ensure that the code adheres to industry standards and detects weaknesses in source code that might lead to vulnerabilities. These tests occur before deployment.
  • Dynamic tests are focused on discovering whether deployed infrastructure resources and components work together as expected in production environments.
  • Chaos engineering allows developers to identify failures before they become outages—by proactively testing how a platform responds under stress, we can recognize and fix bugs before it is too late.

For the purposes of this article, we will focus exclusively on static analysis testing.

Static Analysis Testing Methods for IaC – iac test

Static testing allows for IaC testing without deployment, making it cost-effective, time-efficient, and secure while enabling the use of best practices.

Let’s explore the best approaches and tools available to perform these types of tests.

Built-In Commands

Before fully adopting any libraries or external IaC testing tools, it’s best to take advantage of their built-in commands as a means to verify syntax. In Terraform, for example, the commands “fmt” and “validate” help to identify format and syntax issues. And for Helm, we have the “lint” command, which allows us to check if Helm templates are well-formed.

After verifying the syntax, there are several testing paths to choose from.


Several open-source tools are available to improve IaC by analyzing the source code and looking for problems, but each comes with its pros and cons.

  • TFLint allows QA testers to find possible errors—such as illegal instance types—with major cloud providers like AWS, Azure, and GCP. It also enforces best practices and naming conventions while warning developers about deprecated syntax and unused declarations.
  • Yamllint checks for syntax validity and weirdnesses like key repetition, and cosmetic problems such as lines length, trailing spaces, indentation, and more. It also enables testers to ensure syntax best practices for technologies like Kubernetes.
  • KubeLinter takes a path to a chart and runs a series of tests to verify that the chart is well-formed. These linters analyze Kubernetes manifests or helm charts to ensure the code follows best practices, with a special focus on production readiness and security.


QA testers leverage static application security testing (SAST) to secure IaC by reviewing the source code and identifying sources of vulnerabilities. As far as open-source SAST tools go, three contenders immediately spring to mind.

Checkov is an excellent option for SAST, as it includes 131 rules for Azure CIS benchmarks, 172 for AWS, and 7 for Google Cloud Platform. In addition, it allows testers to analyze terraform, terraform plan, cloud formation, K8S, Docker files, and ARM templates. Trivy, on the other hand, uses the tfsec security scanner to analyze Terraform, Kubernetes, and Docker files and supports Azure, AWS, Cloudstack, and Google. Finally, Anchore focuses on finding vulnerabilities in docker files and container registries, although it is mostly a paid tool and not fully open-source.

Policy as Code

Much like Infrastructure as Code, Policy as Code is the concept of writing code to manage and automate policies. By representing policies in this way, developers can adopt proven software development best practices like version control, automated testing, and automated deployment.

Founded on Open Policy Agent (OPA), the Cloud Native Foundation’s standard for Policy As Code, Conftest is a utility that gives QA testers the power to write tests against structured configuration data while analyzing several technologies like Terraform, Kubernetes, Docker, and more. With it, we can create policies not included in SAST scans or develop policies for internal encryption standards, as it supports almost any IaC technology.

So, with Linters, SAST, and Policy as Code at our disposal, we’re able to solve the challenge of testing IaC before deployment, ensuring things go far more smoothly in production.

Stay tuned for our follow-up blogs covering dynamic testing and chaos engineering.

Check our open positions here and #GrowWithUs

Leave a Reply

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.

Holmes Salazar

Holmes Giovanny Salazar Osorio is a Software Development Engineer in Test. He has over 7 years of experience in designing and developing testing strategies for international projects, using agile methodologies and best practices. Currently, Holmes works as part of the Quality Engineering team to create a highly-scalable SaaS platform focused on sales performance management and wealth management functions.

More from this Author

Follow Us