A Comparative Study of Rule-Based and LLM-Based IaC Security Misconfiguration Detection in DevOps

Open access
This publication is subject to copyright regulations. The work may be read and printed for personal use. Commercial use is prohibited.

Online publication


Abstract

Cloud-native environments increasingly rely on Infrastructure-as-Code (IaC) tools to provision infrastructure through DevOps pipelines. While this improves agility, it introduces risks that come from automation at scale, code reuse and insufficient security validation. Existing rule-based security scanners are limited by context-insensitive rules, which can lead to false positives and reduced adaptability in complex and evolving cloud environments. This thesis evaluates rule-based tools against several Large Language Models (LLMs), including Devstral 2, o4 Mini, GPT 5.1 and Sonnet 4.6, for detecting security misconfigurations in Terraform configurations. The proposed approach collects real-world IaC configurations, extracts security-relevant information and uses LLMs to identify common misconfiguration patterns. The solution is evaluated across these LLMs with zero-shot and few-shot prompting, comparing detection accuracy and false positive rates against existing rule-based tools. The results show that LLMs can match or outperform static rule-based tools in identifying misconfigurations: Sonnet 4.6 achieved a higher true-positive count (82) than Tfsec (79), and other models showed notable improvements in recall when augmented with retrieval-based context. Although few-shot prompting occasionally increased false positives, LLMs consistently showed a stronger ability to detect semantically complex and context-dependent security issues. The study concludes that LLMs are a viable potential replacement for rule-based scanning in dynamic and expanding cloud environments, with the adaptability to be integrated into DevOps pipelines for secure misconfiguration scanning.
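The abstract's central claim is that context-insensitive rules produce false positives that a context-aware detector avoids, and that detectors are compared by true-positive and false-positive counts against labelled configurations. The following Python example is added here to illustrate that evaluation; it is not code from the thesis and does not reproduce Tfsec's actual rules. The Terraform text, the ground-truth labels and the two toy rules (`naive_rule`, which fires on the literal `0.0.0.0/0` anywhere in a security group, and `context_rule`, which fires only on world-reachable ingress to a management port) are all constructed for this example.

```python
"""Constructed example (not from the thesis): a context-insensitive rule and a
context-aware rule are run over the same Terraform text and scored against
hand-written ground truth as TP/FP/FN counts."""
import re
from dataclasses import dataclass

# Constructed Terraform input. Only sg_ssh_open is a real misconfiguration
# (SSH exposed to the whole internet). sg_web is an intentionally public
# HTTPS listener and sg_nat's open egress is normal, so a rule that keys on
# the literal 0.0.0.0/0 flags both of them as false positives.
TERRAFORM = '''
resource "aws_security_group" "sg_ssh_open" {
  ingress {
    from_port   = 22
    to_port     = 22
    protocol    = "tcp"
    cidr_blocks = ["0.0.0.0/0"]
  }
}

resource "aws_security_group" "sg_web" {
  ingress {
    from_port   = 443
    to_port     = 443
    protocol    = "tcp"
    cidr_blocks = ["0.0.0.0/0"]
  }
}

resource "aws_security_group" "sg_db" {
  ingress {
    from_port   = 5432
    to_port     = 5432
    protocol    = "tcp"
    cidr_blocks = ["10.0.0.0/8"]
  }
}

resource "aws_security_group" "sg_nat" {
  egress {
    from_port   = 0
    to_port     = 0
    protocol    = "-1"
    cidr_blocks = ["0.0.0.0/0"]
  }
}
'''

# Hand-written labels for the constructed input (True = misconfiguration).
GROUND_TRUTH = {"sg_ssh_open": True, "sg_web": False, "sg_db": False, "sg_nat": False}

# Ports that should never be reachable from the whole internet (assumption).
MANAGEMENT_PORTS = {22, 3389}


@dataclass
class Rule:
    direction: str  # "ingress" or "egress"
    from_port: int
    to_port: int
    cidr_blocks: list[str]


def _int_attr(attrs: str, key: str) -> int:
    return int(re.search(rf"{key}\s*=\s*(-?\d+)", attrs).group(1))


def parse_security_groups(hcl: str) -> dict[str, list[Rule]]:
    """Minimal HCL reader, sufficient only for the constructed input above:
    collects each aws_security_group's ingress/egress ports and CIDRs."""
    groups: dict[str, list[Rule]] = {}
    res_re = re.compile(r'resource\s+"aws_security_group"\s+"([^"]+)"\s*\{')
    for m in res_re.finditer(hcl):
        # Walk braces to find the end of this resource body.
        depth, i = 1, m.end()
        while depth and i < len(hcl):
            depth += {"{": 1, "}": -1}.get(hcl[i], 0)
            i += 1
        body = hcl[m.end():i - 1]
        rules = []
        for blk in re.finditer(r"(ingress|egress)\s*\{([^}]*)\}", body):
            attrs = blk.group(2)
            cidr_list = re.search(r"cidr_blocks\s*=\s*\[([^\]]*)\]", attrs).group(1)
            rules.append(Rule(blk.group(1), _int_attr(attrs, "from_port"),
                              _int_attr(attrs, "to_port"), re.findall(r'"([^"]+)"', cidr_list)))
        groups[m.group(1)] = rules
    return groups


def naive_rule(rules: list[Rule]) -> bool:
    """Context-insensitive: any 0.0.0.0/0 anywhere in the group is a finding."""
    return any("0.0.0.0/0" in r.cidr_blocks for r in rules)


def context_rule(rules: list[Rule]) -> bool:
    """Context-aware: only world-reachable ingress onto a management port."""
    for r in rules:
        if r.direction != "ingress" or "0.0.0.0/0" not in r.cidr_blocks:
            continue
        all_ports = r.from_port == 0 and r.to_port == 0  # AWS: 0/0 means every port
        if all_ports or any(r.from_port <= p <= r.to_port for p in MANAGEMENT_PORTS):
            return True
    return False


def score(detector, groups: dict[str, list[Rule]], truth: dict[str, bool]) -> dict[str, int]:
    """TP/FP/FN counts per resource, the same kind of tally the thesis reports."""
    tp = fp = fn = 0
    for name, rules in groups.items():
        flagged = detector(rules)
        if flagged and truth[name]:
            tp += 1
        elif flagged and not truth[name]:
            fp += 1
        elif not flagged and truth[name]:
            fn += 1
    return {"tp": tp, "fp": fp, "fn": fn}


def evaluate() -> dict[str, dict[str, int]]:
    groups = parse_security_groups(TERRAFORM)
    return {"naive": score(naive_rule, groups, GROUND_TRUTH),
            "context": score(context_rule, groups, GROUND_TRUTH)}


if __name__ == "__main__":
    for name, s in evaluate().items():
        print(f"{name:8s} TP={s['tp']} FP={s['fp']} FN={s['fn']}")
```

Both detectors find the single true misconfiguration, so a true-positive count alone cannot separate them; the naive rule additionally flags the public HTTPS listener and the NAT egress, which is why the abstract reports false positive rates alongside true positives. A practitioner should note that the context-aware rule is still brittle (it would miss a management port hidden behind an unrestricted `protocol = "-1"` with non-zero port bounds, for instance), which is the kind of semantic gap the thesis attributes to rule-based tools.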
