Scan types
Musha runs three independent scanners. Use scan_type=full to run all three simultaneously.
The IaC scanner supports four formats: Terraform, CloudFormation, Kubernetes, and Dockerfile — 683 rules total.
SCA — Software Composition Analysis
SCA scans your dependency manifests and lockfiles against the OSV advisory database (which aggregates NVD, GitHub Advisories, and ecosystem-specific databases).
Supported ecosystems
| Language | Manifest files |
|---|---|
| Go | go.mod |
| Node.js | package-lock.json, yarn.lock, pnpm-lock.yaml |
| Python | requirements.txt, Pipfile, pyproject.toml |
| Rust | Cargo.lock, Cargo.toml |
| Java | pom.xml, build.gradle, build.gradle.kts, gradle.lockfile |
| Ruby | Gemfile.lock |
| PHP | composer.lock |
| .NET / C# | packages.lock.json, packages.config, *.csproj |
What SCA finds
- Known CVEs in direct and transitive dependencies
- The exact fix version (upgrade command included)
- Whether the dependency is direct (you explicitly imported it) or transitive (pulled in by another dep)
- Whether the fix requires a breaking change (major version bump)
What SCA does NOT find
- Logic bugs, XSS, SQL injection, or any code-level vulnerability
- Vulnerabilities with no CVE or advisory yet (zero-days)
IaC — Infrastructure as Code
IaC scans your Terraform and CloudFormation definitions against a library of 628 security rules (320 Terraform · 308 CloudFormation) based on CIS AWS Foundations Benchmark, AWS Foundational Security Best Practices (FSBP), and NIST SP 800-53.
Terraform and CloudFormation rules cover AWS only (35+ services). Azure and GCP coming soon.
Supported formats
| Format | Detection |
|---|---|
| Terraform | All *.tf files |
| CloudFormation | YAML/JSON files detected by content heuristic (requires AWSTemplateFormatVersion or Resources: with AWS resource types) |
AWS services covered (35+)
EC2 · Lambda · ECS · EKS · ECR · Batch · Auto Scaling · Elastic Beanstalk · AppStream · WorkSpaces · S3 · EBS · EFS · FSx · Backup · RDS · DynamoDB · DAX · ElastiCache · MemoryDB · DocumentDB · Neptune · QLDB · Timestream · VPC · ELB/ALB · CloudFront · API Gateway · WAFv2 · Network Firewall · IAM · KMS · Secrets Manager · Cognito · GuardDuty · Security Hub · Access Analyzer · CloudTrail · Config · CloudWatch · SNS · SQS · Kinesis · MSK · OpenSearch · CodeBuild
What IaC finds
Examples of what Musha detects:
- S3 buckets with public access enabled
- RDS instances without encryption at rest
- Security groups with
0.0.0.0/0ingress on sensitive ports - EKS clusters without envelope encryption for secrets
- IAM roles with wildcard
*actions - CloudTrail trails without log file validation
- KMS keys without automatic rotation enabled
Suppressing false positives
Add #musha:skip=INFRA-TF-001 (Terraform) or #musha:skip=INFRA-CF-001 (CloudFormation) to the line of the resource to suppress a specific rule for that resource. Both #musha:skip= (hash) and //musha:skip= (slash) are accepted. No space after the # or //.
Kubernetes
The Kubernetes scanner checks manifest definitions against 50 security rules based on NSA/CISA Kubernetes Hardening Guidance and CIS Kubernetes Benchmark v2.0.0 §5 — covering ~90% of the statically-verifiable controls from manifests.
Supported resource types
Deployment · DaemonSet · StatefulSet · Job · CronJob · Pod
Detection: YAML/JSON files with top-level apiVersion and kind fields matching a known Kubernetes resource type.
What Kubernetes finds
- Containers running as root (
runAsUser: 0) or withoutrunAsNonRoot: true - Privileged containers (
privileged: true) allowPrivilegeEscalationnot explicitly disabledreadOnlyRootFilesystemnot set- Missing CPU and memory resource limits
hostNetwork,hostPID, orhostIPCset totrue- Missing
seccompProfileorAppArmorannotations automountServiceAccountToken: trueon workloads that don't need it- Dangerous Linux capabilities not dropped (e.g.
NET_RAW,SYS_ADMIN)
What Kubernetes does NOT find
- Runtime policy violations (enforced by OPA Gatekeeper, Kyverno, etc.)
- Network policy gaps — these require knowledge of your full cluster topology
- RBAC misconfigurations — Kubernetes RBAC resources are not yet in scope
Suppressing false positives
Add #musha:skip=INFRA-K8S-001 to the line of the field to suppress a specific rule for that resource. Accepts #musha:skip= or //musha:skip= — no space after the prefix.
Dockerfile
The Dockerfile scanner checks build file configuration against the 5 statically-verifiable rules from CIS Docker Benchmark v1.8.0 §4.
Detection: files named Dockerfile, Dockerfile.*, or *.dockerfile.
What Dockerfile finds
- Containers with no
USERinstruction, orUSER root/USER 0 - Base images not pinned to a specific version (
FROM ubuntu:latestor no tag) - Missing
HEALTHCHECKinstruction - Package manager updates not combined with an install in the same
RUNlayer ADDused instead ofCOPYfor local files
What Dockerfile does NOT find
- Secrets hardcoded in
ENV/ARG— this is handled by the Secrets scanner, which scans all source files including Dockerfiles. - Runtime misconfigurations (
--privileged, resource limits, capability grants) — these requiredocker runflags and are not in the Dockerfile. - Package authenticity or image signing — require registry-level verification.
Suppressing false positives
Add #musha:skip=INFRA-DOCKER-001 on the relevant instruction line to suppress a specific rule. Accepts #musha:skip= or //musha:skip= — no space after the prefix.
Secrets Detection
The Secrets scanner looks for hardcoded credentials, API keys, and tokens in your source code.
Detection methods
1. Known provider patterns — High-confidence regex patterns for specific providers:
| Provider | Example pattern |
|---|---|
| AWS | AKIA[0-9A-Z]{16} (Access Key ID) |
| GitHub | ghp_, gho_, ghs_ (Personal Access Tokens) |
| Stripe | sk_live_, rk_live_ |
| Slack | xoxb-, xoxp-, xapp- |
| SendGrid | SG. + 69 chars |
| Musha | msk_live_ |
| + 15 more providers | DigitalOcean, HashiCorp Vault, npm, Twilio, Mailgun, Mailchimp, Azure, OpenAI, Anthropic, Cloudflare, Datadog, Supabase, PlanetScale, Google API keys, Private keys |
2. Shannon entropy — High-entropy strings (≥ 4.5 bits/char) in assignment context (e.g. password =, api_key =) that don't match a known variable reference.
False positive suppression
- Secrets in test/spec/example files are downgraded to
Infoseverity automatically. - Add
#musha:skip=SEC-AWS-001inline to suppress a specific rule on that line (use the rule ID from the finding). The wildcard#musha:skip=*suppresses any secrets rule on that line. Both#musha:skip=and//musha:skip=are accepted — no space after the prefix. - Placeholder variables (
YOUR_KEY_HERE,$ENV_VAR,process.env.X) are suppressed.
What Secrets does NOT do
Musha does not verify credentials by calling external APIs. A detected secret is not confirmed as valid — it only means the pattern was found. Rotate any detected secret immediately regardless.
Choosing a scan type
For most teams, scan_type=full is the right default. If you have a specific need:
| Use case | Recommended |
|---|---|
| Full security posture | full |
| Dependency-heavy monorepo, fast feedback | sca |
| Terraform/CloudFormation only | iac |
| Kubernetes manifests only | iac |
| Audit for leaked credentials | secrets |
| SCA + IaC, no secrets | sca,iac |
scan_type=iac covers all four IaC formats: Terraform, CloudFormation, Kubernetes, and Dockerfile.