No Infrastructure Drift Detection
Without running terraform plan in CI or a drift detection tool, manual changes to cloud resources go undetected, creating security gaps between your declared infrastructure and what actually runs in production.
How It Works
Infrastructure as Code (IaC) tools like Terraform maintain a state file that represents the intended infrastructure. But engineers often make manual changes via the cloud console or CLI in emergencies -- opening a security group, changing an IAM policy, or modifying a database configuration. Without drift detection, these manual changes are never reconciled with the IaC state. The next terraform apply may overwrite a critical fix, or worse, a security misconfiguration may persist indefinitely because no one knows it exists. Drift detection runs terraform plan periodically or in CI to compare the actual cloud state against the declared state and flags any differences.
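As an added example (not code from the original page or from Data Hogo), the following Python script shows the comparison step in practice: it maps the `terraform plan -detailed-exitcode` status to an outcome, then reads the JSON form of the saved plan (what `terraform show -json plan.tfplan` emits) to list which resources drifted and flag the security-sensitive ones, so an alert can say more than "exit code 2". The plan document is constructed inline with simplified attribute shapes, and the `SENSITIVE_TYPES` list is an assumption for the example.

```python
import json

# Resource types whose out-of-band change is most likely a security exposure.
# Assumption for this example; extend it per environment.
SENSITIVE_TYPES = {
    "aws_security_group", "aws_security_group_rule", "aws_iam_policy",
    "aws_iam_role", "aws_iam_role_policy", "aws_db_instance",
    "aws_s3_bucket_public_access_block",
}


def classify_exit_code(rc):
    """Map the `terraform plan -detailed-exitcode` status to an outcome.

    0 = state matches reality, 2 = differences found (drift or pending
    changes), anything else = the plan itself failed, which must never be
    reported as "no drift".
    """
    return {0: "in-sync", 2: "drift"}.get(rc, "error")


def summarize_drift(plan):
    """One record per entry in `resource_drift` whose action is not no-op.

    `resource_drift` holds objects whose refreshed real-world state differs
    from the last state file, i.e. what changed outside Terraform. A resource
    deleted out-of-band appears with actions ["delete"] and `after` = null,
    so both sides are treated as possibly missing.
    """
    records = []
    for entry in plan.get("resource_drift", []):
        change = entry["change"]
        if change["actions"] == ["no-op"]:
            continue
        before = change.get("before") or {}
        after = change.get("after") or {}
        changed = sorted(k for k in set(before) | set(after)
                         if before.get(k) != after.get(k))
        records.append({
            "address": entry["address"],
            "type": entry["type"],
            "actions": change["actions"],
            "changed": changed,
            "sensitive": entry["type"] in SENSITIVE_TYPES,
        })
    return records


def drift_report(plan_json):
    """Build the payload a CI job would post to chat or attach to a ticket."""
    records = summarize_drift(json.loads(plan_json))
    return {
        "drifted": len(records),
        "sensitive": [r["address"] for r in records if r["sensitive"]],
        "records": records,
    }


# Constructed sample in the shape of `terraform show -json plan.tfplan`
# (attribute values simplified): a security group opened to the world from
# the console, a bucket that gained a tag, a log group deleted by hand, and
# an untouched bucket.
SAMPLE_PLAN = json.dumps({
    "format_version": "1.2",
    "resource_drift": [
        {"address": "aws_security_group.web", "type": "aws_security_group",
         "change": {"actions": ["update"],
                    "before": {"name": "web", "ingress": [{"from_port": 22, "cidr_blocks": ["10.0.0.0/8"]}]},
                    "after": {"name": "web", "ingress": [{"from_port": 22, "cidr_blocks": ["0.0.0.0/0"]}]}}},
        {"address": "aws_s3_bucket.logs", "type": "aws_s3_bucket",
         "change": {"actions": ["update"],
                    "before": {"bucket": "logs", "tags": {"owner": "platform"}},
                    "after": {"bucket": "logs", "tags": {"owner": "platform", "temp": "1"}}}},
        {"address": "aws_cloudwatch_log_group.app", "type": "aws_cloudwatch_log_group",
         "change": {"actions": ["delete"],
                    "before": {"name": "/app", "retention_in_days": 90},
                    "after": None}},
        {"address": "aws_s3_bucket.static", "type": "aws_s3_bucket",
         "change": {"actions": ["no-op"],
                    "before": {"bucket": "static"}, "after": {"bucket": "static"}}},
    ],
    "resource_changes": [],
})

if __name__ == "__main__":
    print(json.dumps(drift_report(SAMPLE_PLAN), indent=2))
```

In a pipeline the script would run after a plan that exited 2, with the JSON piped in from `terraform show -json plan.tfplan`; the point of separating `classify_exit_code` from the report is that exit code 1 (a failed plan, for example expired credentials) is an operational error that must be surfaced as such, not silently read as "nothing drifted".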
```yaml
# BAD: CI pipeline only applies changes, never checks for drift
# .github/workflows/deploy.yml
name: Deploy Infrastructure
on:
  push:
    branches: [main]
jobs:
  deploy:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: hashicorp/setup-terraform@v3
      - run: terraform init
      - run: terraform apply -auto-approve
      # No scheduled plan to detect manual changes
      # No drift detection step
```

```yaml
# GOOD: scheduled drift detection + plan in CI
# .github/workflows/drift-detection.yml
name: Drift Detection
on:
  schedule:
    - cron: '0 8 * * *' # daily at 8am UTC
jobs:
  detect-drift:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: hashicorp/setup-terraform@v3 # its wrapper exposes steps.<id>.outputs.exitcode
      - run: terraform init -input=false
      - name: Plan
        id: plan
        run: terraform plan -detailed-exitcode -input=false -out=plan.tfplan
        # exit code 0 = in sync, 1 = plan failed, 2 = changes detected (drift);
        # keep the job alive so the exit code can be inspected instead of
        # treating every non-zero status (including errors) as drift
        continue-on-error: true
      - name: Alert on drift
        if: steps.plan.outputs.exitcode == '2'
        env:
          SLACK_WEBHOOK_URL: ${{ secrets.SLACK_WEBHOOK_URL }}
        run: |
          curl -X POST "$SLACK_WEBHOOK_URL" \
            -H 'Content-Type: application/json' \
            -d '{"text":"Infrastructure drift detected! Review terraform plan."}'
      - name: Fail the job if the plan itself errored
        if: steps.plan.outputs.exitcode == '1'
        run: exit 1
```
Real-World Example
In the 2021 Codecov supply chain attack, the attacker modified a bash uploader script on Codecov's infrastructure. Had Codecov had drift detection comparing their actual deployed scripts against their IaC declarations, the unauthorized modification could have been detected within hours instead of persisting for two months. Drift between declared and actual infrastructure is a root cause in many prolonged security incidents.
How to Prevent It
- Run terraform plan on a daily schedule in CI and alert when drift is detected (exit code 2)
- Use tools like driftctl, Spacelift, or env0 that provide continuous drift detection and reconciliation dashboards
- Restrict cloud console access with IAM policies that make manual changes difficult or require approval workflows
- Implement tagging standards and use cloud provider APIs to identify resources not managed by IaC
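As an added example covering the last point (not code from the page or from Data Hogo), this Python script cross-checks a cloud inventory listing against the Terraform state: it collects every resource ID from a `terraform show -json` state document (root module and child modules), then reports resources that are absent from state, resources that are in state but violate the tagging standard, and resources that carry the "managed" tag without being in state. The inventory and state are constructed inline with made-up IDs, and `managed-by: terraform` is an assumed tag convention.

```python
# Tag that the (assumed) tagging standard requires on every IaC-managed resource.
MANAGED_TAG = ("managed-by", "terraform")


def state_resource_ids(state):
    """Collect the provider IDs of every resource in a `terraform show -json`
    state document, walking root_module and any nested child_modules."""
    ids = set()

    def walk(module):
        for res in module.get("resources", []):
            rid = (res.get("values") or {}).get("id")
            if rid:
                ids.add(rid)
        for child in module.get("child_modules", []):
            walk(child)

    walk(state.get("values", {}).get("root_module", {}))
    return ids


def audit_inventory(inventory, state, tag=MANAGED_TAG):
    """Cross-check a cloud inventory against the Terraform state.

    Findings:
      unmanaged    - not in state and not tagged: created by hand
      missing-tag  - in state but untagged: tagging standard not applied
      orphaned-tag - tagged as managed but absent from state: possibly left
                     behind by a removed module or a stale state file
    Resources that are both in state and tagged are healthy and omitted.
    """
    managed = state_resource_ids(state)
    key, value = tag
    findings = []
    for res in inventory:
        in_state = res["id"] in managed
        tagged = res.get("tags", {}).get(key) == value
        if in_state and tagged:
            continue
        if not in_state and not tagged:
            finding = "unmanaged"
        elif in_state:
            finding = "missing-tag"
        else:
            finding = "orphaned-tag"
        findings.append({"id": res["id"], "type": res["type"], "finding": finding})
    return findings


# Constructed sample inventory, as a script would assemble it from provider
# list/describe API calls (IDs are made up).
SAMPLE_INVENTORY = [
    {"id": "sg-0aaa", "type": "aws_security_group", "tags": {"managed-by": "terraform"}},
    {"id": "sg-0bbb", "type": "aws_security_group", "tags": {}},
    {"id": "i-0ccc", "type": "aws_instance", "tags": {"Name": "bastion"}},
    {"id": "db-0ddd", "type": "aws_db_instance", "tags": {"managed-by": "terraform"}},
]

# Constructed sample in the shape of `terraform show -json`, with one resource
# in the root module and one inside a child module.
SAMPLE_STATE = {
    "format_version": "1.0",
    "values": {"root_module": {
        "resources": [{"address": "aws_security_group.web", "type": "aws_security_group",
                       "values": {"id": "sg-0aaa"}}],
        "child_modules": [{"address": "module.bastion",
                           "resources": [{"address": "module.bastion.aws_instance.host",
                                          "type": "aws_instance", "values": {"id": "i-0ccc"}}]}],
    }},
}

if __name__ == "__main__":
    for f in audit_inventory(SAMPLE_INVENTORY, SAMPLE_STATE):
        print(f"{f['finding']:13} {f['type']} {f['id']}")
```

The state is the source of truth here and the tag is only a hint: an "orphaned-tag" finding is worth a look because it usually means a resource outlived the code that created it, which is exactly the kind of object that keeps a stale security group or IAM policy alive unnoticed.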
Related Vulnerabilities
- Terraform State Exposed (critical): Your terraform.tfstate file is committed to your repository or stored in an unencrypted, publicly accessible location; it contains every secret and resource ID in your infrastructure.
- Terraform Provider Credentials Hardcoded (critical): AWS, GCP, or Azure credentials are hardcoded in your .tf files instead of using environment variables or instance roles, committing cloud access keys to version control.
- Kubernetes Privileged Container (high): Your Kubernetes pod runs with securityContext.privileged: true, giving the container full access to the host kernel and effectively bypassing container isolation.
- Kubernetes Default Service Account (medium): Pods running with the default service account inherit cluster-level RBAC permissions that are often far more powerful than the workload needs, enabling lateral movement if the pod is compromised.