Multicloud Security Assessment: A Benchmark Study of Infrastructure as Code Scanners
Research Article  ·  Published: 29 May 2026
ICCK Transactions on Information Security and Cryptography
Volume 2, Issue 2, 2026: 109-118


1 School of Computing, Edinburgh Napier University, Edinburgh EH10 5DT, United Kingdom
* Corresponding Author: Kia Dashtipour, [email protected]

Article Information

Abstract

Multicloud environments are becoming more common: businesses often run workloads across more than one of AWS, Azure and GCP, and each provider differs slightly in its security features, defaults and capabilities. At the same time, Infrastructure as Code (IaC) is growing in popularity, so cloud resources are increasingly provisioned from code through automation pipelines rather than through a GUI or portal. This shift makes security scanning of the resource code a crucial first step in securing a cloud environment, and the tool or tools used for it need to perform at a consistent level across all the cloud providers in use. If they do not, security vulnerabilities can be introduced into the environment, including misconfigurations that a scanner catches for one provider but misses for another. This study analyses three widely used IaC scanners applied to resource deployments for the three major cloud providers: AWS, Azure and GCP. The experiment was run in an isolated CI pipeline, to mirror a production workload, against intentionally vulnerable code that gives each tool a known benchmark number of findings to detect. The results show that each tool's performance differs by cloud provider, demonstrating clearly how important it is to understand every default security control in a cloud environment and how those defaults differ between providers, as well as the rule coverage of the tools under consideration. The findings give professionals a more informed basis for choosing one or more of these security scanners.
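The scoring step that the abstract describes (seed a corpus with known misconfigurations, run each scanner in CI, count how many seeded findings it reports per provider) can be made mechanical. The script below is an added example, not code from the paper or its authors; it assumes the scanners were run with SARIF output (checkov, tfsec and trivy can all emit SARIF), that the vulnerable Terraform corpus is laid out as <provider>/<file>.tf so the provider is read from the path, and that the benchmark is a hand-written manifest mapping each seeded misconfiguration to the start line of the resource block that contains it. The tool name "scanner-a", the file names, line numbers, rule IDs and the SARIF document itself are all constructed for the example.

```python
"""Score IaC scanner SARIF output against a per-provider benchmark of seeded
misconfigurations. Added example; assumptions are noted inline."""
import json
from collections import defaultdict

# Constructed benchmark manifest: every misconfiguration deliberately planted in
# the corpus, keyed by provider. Each entry is (file, resource block start line,
# description). Scanners normally attribute a finding to the start line of the
# offending resource block, so seed one misconfiguration per block.
BENCHMARK = {
    "aws":   [("aws/s3.tf", 3, "public bucket ACL"),
              ("aws/s3.tf", 9, "no server-side encryption"),
              ("aws/sg.tf", 5, "ingress 0.0.0.0/0 on 22")],
    "azure": [("azure/storage.tf", 4, "public blob access"),
              ("azure/nsg.tf", 7, "inbound any on 3389")],
    "gcp":   [("gcp/gcs.tf", 3, "allUsers bucket binding"),
              ("gcp/firewall.tf", 6, "0.0.0.0/0 on 22")],
}


def _loc(uri, line):
    # Minimal SARIF 2.1.0 location object.
    return {"physicalLocation": {"artifactLocation": {"uri": uri},
                                 "region": {"startLine": line}}}


# Constructed SARIF document standing in for one scanner's CI run ("scanner-a"
# and rule IDs A-00x are invented). It catches four seeded issues, misses three,
# and reports one finding the benchmark author did not seed.
SARIF_SAMPLE = json.dumps({
    "version": "2.1.0",
    "runs": [{
        "tool": {"driver": {"name": "scanner-a"}},
        "results": [
            {"ruleId": "A-001", "locations": [_loc("aws/s3.tf", 3)]},
            {"ruleId": "A-002", "locations": [_loc("aws/sg.tf", 5)]},
            {"ruleId": "A-003", "locations": [_loc("azure/storage.tf", 4)]},
            {"ruleId": "A-004", "locations": [_loc("gcp/gcs.tf", 3)]},
            {"ruleId": "A-005", "locations": [_loc("aws/iam.tf", 2)]},
        ],
    }],
})


def findings_from_sarif(sarif_text):
    """Flatten a SARIF document into {tool_name: {(file, start_line), ...}}.

    Rule IDs differ per scanner (checkov CKV_*, tfsec/trivy AVD-*), so results
    are keyed on location, which is what the benchmark manifest records.
    """
    doc = json.loads(sarif_text)
    by_tool = defaultdict(set)
    for run in doc["runs"]:
        tool = run["tool"]["driver"]["name"]
        for result in run.get("results", []):
            for loc in result.get("locations", []):
                phys = loc["physicalLocation"]
                path = phys["artifactLocation"]["uri"]
                line = phys.get("region", {}).get("startLine")
                by_tool[tool].add((path, line))
    return dict(by_tool)


def score(benchmark, found):
    """Per-provider recall against the seeded misconfigurations.

    Also returns the findings that were not seeded: candidates for false
    positives, or for provider defaults the benchmark author overlooked.
    """
    seeded_locs = {(f, l) for items in benchmark.values() for (f, l, _) in items}
    report = {}
    for provider, seeded in benchmark.items():
        missed = [desc for (f, l, desc) in seeded if (f, l) not in found]
        hit = len(seeded) - len(missed)
        report[provider] = {"hit": hit, "seeded": len(seeded),
                            "recall": hit / len(seeded), "missed": missed}
    report["unexpected"] = sorted(loc for loc in found if loc not in seeded_locs)
    return report


def provider_spread(report):
    """Largest gap in recall between providers for one tool. 0.0 means the tool
    treats every provider equally; the multicloud comparison hinges on this."""
    rates = [v["recall"] for k, v in report.items() if k != "unexpected"]
    return max(rates) - min(rates)


if __name__ == "__main__":
    for tool, found in findings_from_sarif(SARIF_SAMPLE).items():
        rep = score(BENCHMARK, found)
        print(f"{tool}: provider spread = {provider_spread(rep):.2f}")
        for prov in BENCHMARK:
            r = rep[prov]
            print(f"  {prov}: {r['hit']}/{r['seeded']} missed={r['missed']}")
        print("  unexpected:", rep["unexpected"])
```

Two points the numbers alone do not show. First, a low recall on one provider is not always a scanner gap: if the provider enables a control by default (for example, a storage service that blocks public access unless explicitly opened), the "seeded" misconfiguration may not be exploitable there and the manifest entry should be marked provider-specific rather than counted as a miss. Second, the "unexpected" list is worth reading before it is dismissed as noise, since it is where a scanner reveals a rule the benchmark author did not think to seed.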


Keywords

multicloud; infrastructure; code scanners

Data Availability Statement

Data will be made available on request.

Funding

This work was supported without any funding.

Conflicts of Interest

The authors declare no conflicts of interest.

AI Use Statement

The authors declare that no generative AI was used in the preparation of this manuscript.

Ethical Approval and Consent to Participate

Not applicable.

Cite This Article

APA Style
Roe, H., Gogate, M., & Dashtipour, K. (2026). Multicloud Security Assessment: A Benchmark Study of Infrastructure as Code Scanners. ICCK Transactions on Information Security and Cryptography, 2(2), 109-118. https://doi.org/10.62762/TISC.2026.777114
BibTeX Format
@article{Roe2026Multicloud,
  author = {Harry Roe and Mandar Gogate and Kia Dashtipour},
  title = {Multicloud Security Assessment: A Benchmark Study of Infrastructure as Code Scanners},
  journal = {ICCK Transactions on Information Security and Cryptography},
  year = {2026},
  volume = {2},
  number = {2},
  pages = {109-118},
  doi = {10.62762/TISC.2026.777114},
  url = {https://www.icck.org/article/abs/TISC.2026.777114},
  keywords = {multicloud, infrastructure, code scanners},
  issn = {3070-2429},
  publisher = {Institute of Central Computation and Knowledge}
}

Article Metrics

Citations: Crossref 0, Scopus 0. Views: 66. PDF downloads: 18.

Publisher's Note

ICCK stays neutral with regard to jurisdictional claims in published maps and institutional affiliations.

Rights and Permissions

Institute of Central Computation and Knowledge (ICCK) or its licensor holds exclusive rights to this article under a publishing agreement with the author(s) or other rightsholder(s); author self-archiving of the accepted manuscript version of this article is solely governed by the terms of such publishing agreement and applicable law.
ICCK Transactions on Information Security and Cryptography, ISSN 3070-2429 (Online). Preserved at Portico.