The Doctoral School in Science and Engineering is pleased to invite you to the defence of Aicha WAR, entitled
Towards Mitigating Infrastructure-as-Code Security Smells
Supervisor: Prof Tegawendé BISSYANDE
Infrastructure as Code (IaC) allows software teams to provision and manage cloud and on-premise environments through machine-readable scripts rather than manual configuration. While this paradigm brings scalability, reproducibility, and operational efficiency, it also creates a new attack surface: security flaws embedded in IaC artifacts propagate automatically across every environment they configure, turning a single misconfiguration into a large-scale vulnerability. Existing research has addressed fragments of this problem, but studies remain narrowly scoped to individual tools, rely on coarse-grained taxonomies, or depend on shallow rule-based detection that misses deeper code patterns.
This thesis investigates three interrelated questions about IaC security. What vulnerabilities affect IaC ecosystems and how prevalent are they? How should security smells in IaC scripts be characterized? How can detection and remediation move beyond static rules to capture the semantic intent of configuration code?
We first carry out a large-scale empirical study spanning more than 1,600 repositories and covering IaC scripts, their associated tools, and plugins. Using widely adopted static security testing tools, we uncover severe and recurrent vulnerabilities that span all ten categories of the OWASP Top 10 (2021). The analysis reveals that security tools are rarely integrated into DevOps automation workflows, underscoring the gap between current practice and the DevSecOps ideal.
We then revisit the taxonomy of IaC security smells. Where prior work identified a handful of smell categories for one or two scripting languages, we analyze scripts from seven major IaC tools (Terraform, Ansible, Chef, Puppet, Pulumi, SaltStack, and Vagrant) and derive 62 fine-grained security smell categories through an LLM-assisted categorization process validated by human experts and aligned with established security standards. To demonstrate the practical value of this taxonomy, we implement new detection rules in linters for multiple IaC tools, frequently achieving perfect precision. An evolutionary analysis on GitHub projects further shows that many of these smells persist over long periods, pointing to shortcomings in existing remediation practices.
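To make the linter-rule side of this concrete, the following is an added illustration and not code from the thesis or its linters. It implements a handful of line-local rules for smell categories that earlier IaC work and this abstract both refer to (hard-coded secret, empty password, admin-by-default credentials, binding to 0.0.0.0, HTTP without TLS) and runs them over a constructed Terraform-style snippet (the resource names, the placeholder token and the `var.` indirection are all invented for the example). The second pass shows the kind of cross-block pattern that a purely line-local rule misses: a secret that is hard-coded in a variable default and only referenced by name where it is used. Assumptions: a simplified HCL subset (`key = "literal"` and `key = var.NAME` assignments inside `resource`/`variable` blocks), no external dependencies.

```python
import re
from dataclasses import dataclass

# Constructed Terraform-style sample (not from the thesis). Planted smells:
# line 2 admin username, line 3 literal password, line 8 secret in a variable
# default, line 12 plain-HTTP download, line 13 bind to all interfaces,
# line 14 secret reaching a sensitive key only via var.api_token.
SAMPLE_TF = """\
resource "aws_db_instance" "main" {
  username = "admin"
  password = "hunter2"
  publicly_accessible = true
}

variable "api_token" {
  default = "ghp_example_token_value"
}

resource "aws_instance" "web" {
  user_data    = "curl http://packages.internal/setup.sh | sh"
  bind_address = "0.0.0.0"
  api_token    = var.api_token
}
"""

SECRET_KEY = re.compile(r"(password|passwd|secret|token|api_key|access_key)", re.I)
ASSIGN = re.compile(r"^\s*(?P<key>[A-Za-z_]\w*)\s*=\s*(?P<val>.+?)\s*$")
STRING_LIT = re.compile(r'^"(?P<s>[^"]*)"$')
VAR_REF = re.compile(r"^var\.(?P<name>\w+)$")
BLOCK_OPEN = re.compile(r'^\s*(?P<kind>variable|resource)\s+"(?P<name>[^"]+)"')


@dataclass(frozen=True)
class Finding:
    line: int
    rule: str
    key: str
    detail: str


def scan_line_local(text: str) -> list[Finding]:
    """Rule-based pass: each rule looks at one assignment line in isolation."""
    findings = []
    for n, raw in enumerate(text.splitlines(), 1):
        m = ASSIGN.match(raw)
        if not m:
            continue
        key, val = m["key"], m["val"]
        lit = STRING_LIT.match(val)
        s = lit["s"] if lit else None  # None when the value is not a string literal
        if SECRET_KEY.search(key) and s is not None:
            rule = "empty_password" if s == "" else "hardcoded_secret"
            findings.append(Finding(n, rule, key, s))
        if key.lower() in ("user", "username") and s is not None and s.lower() in ("admin", "root"):
            findings.append(Finding(n, "admin_by_default", key, s))
        if s == "0.0.0.0":
            findings.append(Finding(n, "invalid_ip_binding", key, s))
        if s is not None and "http://" in s:
            findings.append(Finding(n, "http_without_tls", key, s))
    return findings


def scan_with_variable_defaults(text: str) -> list[Finding]:
    """Cross-block pass: flag `key = var.NAME` on a sensitive key when variable
    NAME carries a non-empty literal default. A line-local rule never sees this,
    because the literal sits under the neutral key `default`."""
    lines = text.splitlines()
    defaults: dict[str, tuple[int, str]] = {}
    current = None  # (block kind, block name) we are currently inside
    for n, raw in enumerate(lines, 1):
        b = BLOCK_OPEN.match(raw)
        if b:
            current = (b["kind"], b["name"])
            continue
        if raw.strip() == "}":
            current = None
            continue
        m = ASSIGN.match(raw)
        if m and current and current[0] == "variable" and m["key"] == "default":
            lit = STRING_LIT.match(m["val"])
            if lit and lit["s"] != "":
                defaults[current[1]] = (n, lit["s"])
    findings = []
    for n, raw in enumerate(lines, 1):
        m = ASSIGN.match(raw)
        if not m or not SECRET_KEY.search(m["key"]):
            continue
        ref = VAR_REF.match(m["val"])
        if ref and ref["name"] in defaults:
            dn, s = defaults[ref["name"]]
            findings.append(Finding(n, "hardcoded_secret_via_variable", m["key"],
                                    f"var.{ref['name']} defaults to {s!r} (line {dn})"))
    return findings


if __name__ == "__main__":
    for f in scan_line_local(SAMPLE_TF) + scan_with_variable_defaults(SAMPLE_TF):
        print(f"line {f.line:>2}  {f.rule:<32} {f.key} = {f.detail}")
```

The line-local pass reports lines 2, 3, 12 and 13 but says nothing about line 8, where the real token lives, nor about line 14, where it is consumed; only the second pass, which carries state across blocks, connects the two. That gap between what a per-line rule can see and what the configuration actually does is the motivation for the semantic detection approach described next.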
Finally, we address the limitations of traditional static analysis by proposing a hybrid detection approach that combines code and text processing. The approach leverages transformer-based models, specifically CodeBERT and Longformer, to build richer contextual representations of IaC scripts and their documentation. Evaluation against prior work, four state-of-the-art LLMs, and a rule-based static analyzer shows substantial gains in both precision and recall on Ansible and Puppet datasets. We complement detection with an LLM-assisted pipeline for describing and localizing security misconfigurations, confirming that enriched semantic modeling improves the identification of security issues in IaC.
Taken together, these contributions advance IaC security on three fronts: (1) a broad empirical characterization of the vulnerability landscape across IaC ecosystems, (2) an expanded and actionable taxonomy of security smells, and (3) a learning-based detection framework that outperforms existing rule-based and standalone LLM approaches. The thesis establishes practical pathways for integrating security into DevOps workflows and supports the transition toward mature DevSecOps practices.