Infrastructure as Code (IaC) is not as simple as some other security risks, because an IaC setting is not automatically right or wrong. Vulnerabilities are easy: if you have a vulnerability, it is bad and you want to remediate it, no questions asked. IaC may deviate from a best practice, yet that deviation may still be appropriate or even required. This makes auto-remediation a challenge, because a fix applied blindly may break things.
Developers use a standard way of automating their resources: infrastructure (IaC, e.g. Terraform), configuration (CaC, e.g. Chef, Puppet), containerization (e.g. Kube) and pipelines (PaC, e.g. Drone). This is accomplished with structured code that defines the various parameters of each resource. Because the code is independent of the actual underlying resources, it is portable and reusable.
When building IaC there are best practices, expressed as coded parameters derived from principles such as least privilege. The challenge is that some applications or pods in your Kube cluster may legitimately require escalated privilege. This creates a gray area for auto-remediation: a standard remediation tool will recommend lowering the privilege, but doing so could break the app. An auto-remediation tool that assumes a lower privilege is always better would make that change anyway and leave you with a broken app.
For this reason, IaC auto-remediation is challenging. You can use a tool to scan your IaC and identify security risks or deviations from best practices, and that tool might also propose code that brings the misconfigurations into line with best practices. The developer can then step through the list of proposed remediations and decide on each one. With over a thousand possible parameters, this process is tedious and time-consuming. It is still better than committing code with known risks, but there has to be a faster and better way.
You can apply auto-remediation to the obvious misconfigurations, but what about those in the gray area? This is where machine learning can build models from the developer's past accept/reject decisions and correlate them with the surrounding configuration and other variables. With models of this kind, a tool can rank proposed remediations by confidence level and offer group actions, reducing the user input required by more than 80%. Balancing developer efficiency against security demands is, after all, the ultimate goal of any developer-centric security tool.
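As an added illustration (not code from this post or from any tool it describes), the following Python check shows the split the text describes: it flags privileged containers in constructed Kubernetes pod manifests, auto-applies the fix only where confidence is high, and leaves pods that declare a need for privilege in the review queue. The `example.com/requires-privilege` annotation is an assumed convention standing in for whatever signal a real tool or model would use.

```python
import copy
from dataclasses import dataclass

# Hypothetical annotation a team uses to mark pods that genuinely need privilege.
REQUIRES_PRIV = "example.com/requires-privilege"

# Constructed sample manifests: an ordinary web pod that should not be privileged,
# and a node-level agent that declares it needs privilege (the gray area).
WEB_POD = {
    "kind": "Pod",
    "metadata": {"name": "web", "annotations": {}},
    "spec": {"containers": [{"name": "nginx", "securityContext": {"privileged": True}}]},
}
AGENT_POD = {
    "kind": "Pod",
    "metadata": {"name": "node-agent", "annotations": {REQUIRES_PRIV: "true"}},
    "spec": {"containers": [{"name": "agent", "securityContext": {"privileged": True}}]},
}

@dataclass
class Finding:
    pod: str
    container: str
    index: int          # position in spec.containers, so a fix can be applied precisely
    rule: str
    confidence: str     # "high": safe to batch-apply; "low": needs a developer decision
    fix: str            # human-readable proposed remediation

def check_privileged(manifest):
    """Flag every privileged container; demote confidence if the pod claims it needs privilege."""
    annotations = manifest.get("metadata", {}).get("annotations", {})
    declared = annotations.get(REQUIRES_PRIV) == "true"
    findings = []
    for idx, c in enumerate(manifest["spec"]["containers"]):
        if c.get("securityContext", {}).get("privileged"):
            findings.append(Finding(manifest["metadata"]["name"], c["name"], idx,
                                    "privileged-container", "low" if declared else "high",
                                    "set securityContext.privileged to false"))
    return findings

def triage(manifests):
    """Split findings into a batch that can be auto-applied and a queue for manual review."""
    auto, review = [], []
    for m in manifests:
        for f in check_privileged(m):
            (review if f.confidence == "low" else auto).append(f)
    return auto, review

def auto_remediate(manifests):
    """Return copies with only high-confidence fixes applied; gray-area pods are left unchanged."""
    out = []
    for m in manifests:
        fixed = copy.deepcopy(m)  # never mutate the developer's original manifest
        for f in check_privileged(m):
            if f.confidence == "high":
                fixed["spec"]["containers"][f.index]["securityContext"]["privileged"] = False
        out.append(fixed)
    return out
```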