Skip to main content

Scan types

Musha runs three independent scanners. Use scan_type=full to run all three simultaneously.

The IaC scanner supports four formats: Terraform, CloudFormation, Kubernetes, and Dockerfile — 683 rules total.


SCA — Software Composition Analysis

SCA scans your dependency manifests and lockfiles against the OSV advisory database (which aggregates NVD, GitHub Advisories, and ecosystem-specific databases).

Supported ecosystems

LanguageManifest files
Gogo.mod
Node.jspackage-lock.json, yarn.lock, pnpm-lock.yaml
Pythonrequirements.txt, Pipfile, pyproject.toml
RustCargo.lock, Cargo.toml
Javapom.xml, build.gradle, build.gradle.kts, gradle.lockfile
RubyGemfile.lock
PHPcomposer.lock
.NET / C#packages.lock.json, packages.config, *.csproj

What SCA finds

  • Known CVEs in direct and transitive dependencies
  • The exact fix version (upgrade command included)
  • Whether the dependency is direct (you explicitly imported it) or transitive (pulled in by another dep)
  • Whether the fix requires a breaking change (major version bump)

What SCA does NOT find

  • Logic bugs, XSS, SQL injection, or any code-level vulnerability
  • Vulnerabilities with no CVE or advisory yet (zero-days)

IaC — Infrastructure as Code

IaC scans your Terraform and CloudFormation definitions against a library of 628 security rules (320 Terraform · 308 CloudFormation) based on CIS AWS Foundations Benchmark, AWS Foundational Security Best Practices (FSBP), and NIST SP 800-53.

Terraform and CloudFormation rules cover AWS only (35+ services). Azure and GCP coming soon.

Supported formats

FormatDetection
TerraformAll *.tf files
CloudFormationYAML/JSON files detected by content heuristic (requires AWSTemplateFormatVersion or Resources: with AWS resource types)

AWS services covered (35+)

EC2 · Lambda · ECS · EKS · ECR · Batch · Auto Scaling · Elastic Beanstalk · AppStream · WorkSpaces · S3 · EBS · EFS · FSx · Backup · RDS · DynamoDB · DAX · ElastiCache · MemoryDB · DocumentDB · Neptune · QLDB · Timestream · VPC · ELB/ALB · CloudFront · API Gateway · WAFv2 · Network Firewall · IAM · KMS · Secrets Manager · Cognito · GuardDuty · Security Hub · Access Analyzer · CloudTrail · Config · CloudWatch · SNS · SQS · Kinesis · MSK · OpenSearch · CodeBuild

What IaC finds

Examples of what Musha detects:

  • S3 buckets with public access enabled
  • RDS instances without encryption at rest
  • Security groups with 0.0.0.0/0 ingress on sensitive ports
  • EKS clusters without envelope encryption for secrets
  • IAM roles with wildcard * actions
  • CloudTrail trails without log file validation
  • KMS keys without automatic rotation enabled

Suppressing false positives

Add #musha:skip=INFRA-TF-001 (Terraform) or #musha:skip=INFRA-CF-001 (CloudFormation) to the line of the resource to suppress a specific rule for that resource. Both #musha:skip= (hash) and //musha:skip= (slash) are accepted. No space after the # or //.


Kubernetes

The Kubernetes scanner checks manifest definitions against 50 security rules based on NSA/CISA Kubernetes Hardening Guidance and CIS Kubernetes Benchmark v2.0.0 §5 — covering ~90% of the statically-verifiable controls from manifests.

Supported resource types

Deployment · DaemonSet · StatefulSet · Job · CronJob · Pod

Detection: YAML/JSON files with top-level apiVersion and kind fields matching a known Kubernetes resource type.

What Kubernetes finds

  • Containers running as root (runAsUser: 0) or without runAsNonRoot: true
  • Privileged containers (privileged: true)
  • allowPrivilegeEscalation not explicitly disabled
  • readOnlyRootFilesystem not set
  • Missing CPU and memory resource limits
  • hostNetwork, hostPID, or hostIPC set to true
  • Missing seccompProfile or AppArmor annotations
  • automountServiceAccountToken: true on workloads that don't need it
  • Dangerous Linux capabilities not dropped (e.g. NET_RAW, SYS_ADMIN)

What Kubernetes does NOT find

  • Runtime policy violations (enforced by OPA Gatekeeper, Kyverno, etc.)
  • Network policy gaps — these require knowledge of your full cluster topology
  • RBAC misconfigurations — Kubernetes RBAC resources are not yet in scope

Suppressing false positives

Add #musha:skip=INFRA-K8S-001 to the line of the field to suppress a specific rule for that resource. Accepts #musha:skip= or //musha:skip= — no space after the prefix.


Dockerfile

The Dockerfile scanner checks build file configuration against the 5 statically-verifiable rules from CIS Docker Benchmark v1.8.0 §4.

Detection: files named Dockerfile, Dockerfile.*, or *.dockerfile.

What Dockerfile finds

  • Containers with no USER instruction, or USER root / USER 0
  • Base images not pinned to a specific version (FROM ubuntu:latest or no tag)
  • Missing HEALTHCHECK instruction
  • Package manager updates not combined with an install in the same RUN layer
  • ADD used instead of COPY for local files

What Dockerfile does NOT find

  • Secrets hardcoded in ENV/ARG — this is handled by the Secrets scanner, which scans all source files including Dockerfiles.
  • Runtime misconfigurations (--privileged, resource limits, capability grants) — these require docker run flags and are not in the Dockerfile.
  • Package authenticity or image signing — require registry-level verification.

Suppressing false positives

Add #musha:skip=INFRA-DOCKER-001 on the relevant instruction line to suppress a specific rule. Accepts #musha:skip= or //musha:skip= — no space after the prefix.


Secrets Detection

The Secrets scanner looks for hardcoded credentials, API keys, and tokens in your source code.

Detection methods

1. Known provider patterns — High-confidence regex patterns for specific providers:

ProviderExample pattern
AWSAKIA[0-9A-Z]{16} (Access Key ID)
GitHubghp_, gho_, ghs_ (Personal Access Tokens)
Stripesk_live_, rk_live_
Slackxoxb-, xoxp-, xapp-
SendGridSG. + 69 chars
Mushamsk_live_
+ 15 more providersDigitalOcean, HashiCorp Vault, npm, Twilio, Mailgun, Mailchimp, Azure, OpenAI, Anthropic, Cloudflare, Datadog, Supabase, PlanetScale, Google API keys, Private keys

2. Shannon entropy — High-entropy strings (≥ 4.5 bits/char) in assignment context (e.g. password =, api_key =) that don't match a known variable reference.

False positive suppression

  • Secrets in test/spec/example files are downgraded to Info severity automatically.
  • Add #musha:skip=SEC-AWS-001 inline to suppress a specific rule on that line (use the rule ID from the finding). The wildcard #musha:skip=* suppresses any secrets rule on that line. Both #musha:skip= and //musha:skip= are accepted — no space after the prefix.
  • Placeholder variables (YOUR_KEY_HERE, $ENV_VAR, process.env.X) are suppressed.

What Secrets does NOT do

Musha does not verify credentials by calling external APIs. A detected secret is not confirmed as valid — it only means the pattern was found. Rotate any detected secret immediately regardless.


Choosing a scan type

For most teams, scan_type=full is the right default. If you have a specific need:

Use caseRecommended
Full security posturefull
Dependency-heavy monorepo, fast feedbacksca
Terraform/CloudFormation onlyiac
Kubernetes manifests onlyiac
Audit for leaked credentialssecrets
SCA + IaC, no secretssca,iac
info

scan_type=iac covers all four IaC formats: Terraform, CloudFormation, Kubernetes, and Dockerfile.