Why this topic matters
Infrastructure as code promises consistency, but it also turns repositories, plans, state files and runners into upstream control points for real infrastructure. Drift between declared and actual state creates a second layer of offensive opportunity.
Operator checks
- Look for secrets, state files and plan artifacts before you look for RCE in cloud hosts.
- Review who can approve, merge, apply or override pipeline gates.
- Compare declared permissions to runtime permissions; drift often exposes what defenders stopped tracking.
- Consider GitOps controllers and deployment robots as privileged cloud identities.
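The first and third checks above can be scripted. The Python below is an added example written for this note, not tooling from the page or from any project it references. It takes a Terraform state document, lists the addresses that carry secret material (both attributes the provider marked sensitive and keys whose name suggests a credential, since provider marks are not exhaustive), then extracts the IAM actions the state declares for an inline role policy and diffs them against what the live policy grants. The tfstate, the declared policy and the runtime policy are all constructed inline; the runtime policy stands in for what you would fetch with `aws iam get-role-policy`, and the `sensitive_attributes` path encoding is assumed to follow the v4 state layout.

```python
"""Added example: triage a Terraform state for secrets and compare the IAM
permissions it declares with what is observed at runtime.
All sample data below is constructed for the example."""
import json
import re
from typing import Any, Dict, List, Set

# Key names that usually carry credentials even when the provider did not
# mark them sensitive (heuristic; extend to taste).
SECRET_KEY_RE = re.compile(r"(password|secret|token|private_key|api_key)", re.I)

# Declared policy: what the repository says the deploy role may do (constructed).
DECLARED_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": ["s3:GetObject", "s3:PutObject"], "Resource": "*"},
        {"Effect": "Allow", "Action": "ecs:UpdateService", "Resource": "*"},
    ],
}

# Runtime policy: constructed stand-in for the live `aws iam get-role-policy`
# response. Someone added PassRole/AssumeRole by hand and dropped UpdateService.
RUNTIME_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": ["s3:GetObject", "s3:PutObject"], "Resource": "*"},
        {"Effect": "Allow", "Action": ["iam:PassRole", "sts:AssumeRole"], "Resource": "*"},
    ],
}

# Constructed tfstate (v4 layout). sensitive_attributes is assumed to use the
# path encoding Terraform writes: a list of paths, each a list of steps.
SAMPLE_TFSTATE: Dict[str, Any] = {
    "version": 4,
    "outputs": {
        "db_password": {"value": "hunter2", "type": "string", "sensitive": True},
        "vpc_id": {"value": "vpc-0abc", "type": "string"},
    },
    "resources": [
        {"mode": "managed", "type": "aws_db_instance", "name": "main",
         "instances": [{"attributes": {"id": "db-1", "username": "admin",
                                       "password": "hunter2"},
                        "sensitive_attributes": [[{"type": "get_attr", "value": "password"}]]}]},
        {"mode": "managed", "type": "aws_lambda_function", "name": "api",
         "instances": [{"attributes": {"function_name": "api",
                                       "environment": [{"variables": {"API_KEY": "sk-live-xyz"}}]},
                        "sensitive_attributes": []}]},
        {"mode": "managed", "type": "aws_iam_role_policy", "name": "deploy",
         "instances": [{"attributes": {"id": "deploy:policy", "role": "deploy",
                                       "policy": json.dumps(DECLARED_POLICY)},
                        "sensitive_attributes": []}]},
    ],
}


def _walk(value: Any, path: str, out: List[str]) -> None:
    """Recursively flag attribute keys whose name suggests a credential."""
    if isinstance(value, dict):
        for k, v in value.items():
            child = f"{path}.{k}"
            if SECRET_KEY_RE.search(k) and isinstance(v, str) and v:
                out.append(child)
            _walk(v, child, out)
    elif isinstance(value, list):
        for i, v in enumerate(value):
            _walk(v, f"{path}[{i}]", out)


def find_state_secrets(state: Dict[str, Any]) -> List[str]:
    """Return sorted addresses in a tfstate dict that carry secret material."""
    found: List[str] = []
    for name, out in state.get("outputs", {}).items():
        if out.get("sensitive"):
            found.append(f"output.{name}")
    for res in state.get("resources", []):
        prefix = ("data." if res.get("mode") == "data" else "") + f"{res['type']}.{res['name']}"
        for inst in res.get("instances", []):
            for path in inst.get("sensitive_attributes", []):
                attr = ".".join(s["value"] for s in path if s.get("type") == "get_attr")
                found.append(f"{prefix}.{attr}")
            _walk(inst.get("attributes", {}), prefix, found)
    return sorted(set(found))


def policy_actions(policy: Dict[str, Any]) -> Set[str]:
    """Flatten the Allow statements of an IAM policy document into a set of actions."""
    stmts = policy.get("Statement", [])
    stmts = [stmts] if isinstance(stmts, dict) else stmts
    actions: Set[str] = set()
    for s in stmts:
        if s.get("Effect") != "Allow":
            continue
        act = s.get("Action", [])
        actions.update([act] if isinstance(act, str) else act)
    return actions


def declared_actions(state: Dict[str, Any], resource_type: str = "aws_iam_role_policy") -> Set[str]:
    """Actions the state declares through inline role policies."""
    actions: Set[str] = set()
    for res in state.get("resources", []):
        if res.get("type") != resource_type:
            continue
        for inst in res.get("instances", []):
            doc = inst.get("attributes", {}).get("policy")
            if doc:
                actions |= policy_actions(json.loads(doc))
    return actions


def permission_drift(declared: Set[str], runtime: Set[str]) -> Dict[str, Set[str]]:
    """Runtime actions never declared are the offensive finding; declared
    actions missing at runtime hint at out-of-band edits worth asking about."""
    return {"undeclared": runtime - declared, "missing": declared - runtime}


if __name__ == "__main__":
    for addr in find_state_secrets(SAMPLE_TFSTATE):
        print("secret:", addr)
    drift = permission_drift(declared_actions(SAMPLE_TFSTATE), policy_actions(RUNTIME_POLICY))
    for kind, acts in drift.items():
        print(kind, sorted(acts))
```

Point `find_state_secrets` at a state pulled from a backend bucket or a pipeline artifact and the output is the list of addresses to quote in the finding; the drift dictionary gives you the trust boundary crossed (actions nobody declared) without needing to touch the hosts themselves.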
Reporting lens
Write findings in terms of trust crossed, scope enlarged and business or operational effect reached. That keeps the note useful whether you are validating a lab, an internal research target or a live customer environment.
Curated public references
- Terraform State: state handling and sensitive material risk.
- GitHub Actions Security Hardening: workflow permissions and runner trust.
- Sigstore: artifact signing and provenance context.
