Managed Infrastructure Analysis
Managed infrastructure analysis is the lowest-friction path for Terraform graph data.
The customer installs the SecureObs GitHub App, selects a repository and Terraform root, then starts a run. SecureObs launches a short-lived runner that clones the selected repository and performs static analysis without Terraform execution or cloud credentials.
Flow

```mermaid
flowchart TD
Wizard["Dashboard wizard"] --> Install["GitHub App installation"]
Install --> Root["Select repository and Terraform root"]
Root --> Queue["Queue analysis run"]
Queue --> Runner["Ephemeral runner"]
Runner --> Clone["Clone repository"]
Clone --> StaticAnalysis["Checkov and static HCL analysis"]
StaticAnalysis --> Sanitize["Sanitize topology"]
Sanitize --> Upload["Upload findings and graph"]
Upload --> View["View infrastructure graph"]
```
Security Properties
- No cloud credentials are provided to the managed runner.
- The runner does not run `terraform init`, `terraform plan`, or `terraform apply`.
- It cannot read remote Terraform state.
- The SecureObs API stores orchestration metadata and sanitized analysis output, not raw repository contents.
- Short-lived API credentials are revoked when the run finishes.
Limitations
Static analysis is intentionally lower fidelity than plan mode:
- unresolved variables may be marked unknown;
- dynamically generated resources may be represented conservatively;
- remote modules are not fetched;
- provider-specific resolved IDs may be missing;
- Azure graph relationships are currently richer than those for other providers.
Use Terraform plan mode when you need the highest fidelity topology.
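The following is an added example, not SecureObs code, that illustrates what "static HCL analysis" and "sanitize topology" mean in practice and why the limitations above arise. It builds a resource graph from Terraform source text alone (no `terraform init`/`plan`/`apply`, no provider plugins, no credentials, no remote state), marks references to variables without defaults as `unknown`, keeps a single conservative node for `count`-driven resources, records remote module references as `unfetched` rather than downloading them, and strips raw attribute bodies before anything would be uploaded. The regex parser, the `SAMPLE_TF` configuration and all function names are constructed for this illustration; the parser assumes top-level blocks without nesting.

```python
"""Toy static Terraform dependency analysis (added example, not SecureObs code).

Builds a resource graph from HCL text alone: no terraform init/plan/apply,
no provider plugins, no cloud credentials and no remote state are involved.
The regex "parser" is a deliberate simplification that assumes top-level
blocks with no nested blocks (no `}` inside a block body).
"""
import json
import re

# Constructed sample configuration for the demonstration (not real infrastructure).
SAMPLE_TF = '''
variable "region" {
  default = "westeurope"
}

variable "admin_password" {}

module "network" {
  source = "git::https://example.invalid/modules/network.git"
}

resource "azurerm_resource_group" "rg" {
  name     = "demo-rg"
  location = var.region
}

resource "azurerm_virtual_network" "vnet" {
  name                = "demo-vnet"
  resource_group_name = azurerm_resource_group.rg.name
  address_space       = module.network.cidrs
}

resource "azurerm_linux_virtual_machine" "vm" {
  count               = var.instance_count
  admin_password      = var.admin_password
  resource_group_name = azurerm_resource_group.rg.name
}
'''

BLOCK_RE = re.compile(
    r'^(variable|module|resource)\s+"([^"]+)"(?:\s+"([^"]+)")?\s*\{(.*?)\}',
    re.M | re.S)
VAR_REF_RE = re.compile(r"\bvar\.(\w+)")              # var.name
MOD_REF_RE = re.compile(r"\bmodule\.(\w+)\.")         # module.name.output
RES_REF_RE = re.compile(r"\b([a-z][a-z0-9]*_[a-z0-9_]+)\.(\w+)\.")  # type.name.attr


def parse_blocks(text):
    """Yield (kind, labels, body) for each top-level variable/module/resource block."""
    for m in BLOCK_RE.finditer(text):
        kind, first, second, body = m.groups()
        yield kind, ((first, second) if second else (first,)), body


def analyse(text):
    """Return {"nodes", "edges", "unknown_vars"}; every edge carries a resolution status."""
    blocks = list(parse_blocks(text))
    # A variable counts as resolvable only if the source itself supplies a default.
    defaults = {labels[0] for kind, labels, body in blocks
                if kind == "variable" and re.search(r"^\s*default\s*=", body, re.M)}
    # Module sources: local paths could be parsed in turn; remote ones are never fetched.
    modules = {}
    for kind, labels, body in blocks:
        if kind == "module":
            src = re.search(r'source\s*=\s*"([^"]+)"', body).group(1)
            modules[labels[0]] = "local" if src.startswith(("./", "../")) else "remote"
    nodes, edges, unknown_vars = {}, [], set()
    for kind, labels, body in blocks:
        if kind == "resource":
            nodes[f"{labels[0]}.{labels[1]}"] = {"kind": "resource", "dynamic": False,
                                                  "raw_attrs": body}
    for kind, labels, body in blocks:
        if kind != "resource":
            continue
        src = f"{labels[0]}.{labels[1]}"
        # count/for_each driven by an unresolved value: keep one conservative node.
        if re.search(r"^\s*(count|for_each)\s*=\s*var\.", body, re.M):
            nodes[src]["dynamic"] = True
        for v in VAR_REF_RE.findall(body):
            status = "resolved" if v in defaults else "unknown"
            if status == "unknown":
                unknown_vars.add(v)
            edges.append((src, f"var.{v}", status))
        for t, n in RES_REF_RE.findall(body):
            dst = f"{t}.{n}"
            edges.append((src, dst, "resolved" if dst in nodes else "unknown"))
        for m in MOD_REF_RE.findall(body):
            status = "resolved" if modules.get(m) == "local" else "unfetched"
            edges.append((src, f"module.{m}", status))
    return {"nodes": nodes, "edges": edges, "unknown_vars": sorted(unknown_vars)}


def sanitize(graph):
    """Drop raw attribute bodies so only addresses, kinds and edges would leave the runner."""
    return {
        "nodes": [{"address": a, "kind": d["kind"], "dynamic": d["dynamic"]}
                  for a, d in sorted(graph["nodes"].items())],
        "edges": sorted(graph["edges"]),
        "unknown_vars": graph["unknown_vars"],
    }


if __name__ == "__main__":
    print(json.dumps(sanitize(analyse(SAMPLE_TF)), indent=2))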