references/static-analysis-tools.md | Choosing or configuring scanners | Trivy, Checkov, KICS, TFLint, Infracost setup; comparison matrix; finding normalization |
references/workflow-and-gates.md | Designing gate strategy or pre-commit setup | Pre-commit hooks, PR gate logic, plan-time flow, secret incident response, exception management |
references/ci-cd-integration.md | Building platform-specific pipelines | GitHub Actions, GitLab CI, Azure DevOps workflows; OIDC/WIF auth; SARIF upload patterns |
references/oidc-hardening.md | Securing CI/CD cloud credentials | GitHub/GitLab/Azure DevOps OIDC subject claim restrictions; AWS/Azure/GCP trust policies; common misconfigurations |
references/policy-as-code.md | Writing or reviewing custom governance rules | OPA/Rego policies, Conftest, Sentinel, plan-time evaluation, unknown-value handling, policy testing |
references/native-validation.md | Using Terraform's built-in security features | Variable validation, preconditions/postconditions, check blocks; no external tools needed |
references/secrets-and-drift.md | Detecting secrets or infrastructure drift | Gitleaks, TruffleHog, Terraform-specific secret patterns, drift detection, OpenTofu compatibility |
references/supply-chain-and-state.md | Hardening modules, providers, state, or cloud posture | Provider pinning, module verification, lock files, state encryption, cloud-specific controls, dependency automation |
references/atlantis-and-terragrunt.md | Using Atlantis or Terragrunt securely | Atlantis PR automation with security gates; Terragrunt security risks (run_cmd, generate); OpenTofu support |
references/sources-and-confidence.md | Verifying claims or uncertain areas | Source links, evidence notes, and explicitly flagged low-confidence items |