IaC security scans infrastructure code (Terraform, CloudFormation, Ansible) for misconfigurations before anything is deployed: publicly readable S3 buckets, security groups that admit 0.0.0.0/0 on administrative ports, and storage or databases with encryption switched off, all caught while they are still text in a repository rather than running resources.
Shift security left to the IaC stage. Tools: Checkov, tfsec (now folded into Trivy), KICS; all ship built-in checks and accept custom policies. Git pre-commit hooks can block misconfigured IaC on the developer's machine, but a client-side hook is skipped with `git commit --no-verify`, so run the same scanner in CI as a required check on the pull request and, for Terraform, scan the plan output as well as the source so module inputs and computed values are covered. Immutable infrastructure means IaC IS your infrastructure: secure the code, secure the deployment.
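As an added example (not code from Checkov, tfsec, KICS or Trivy), here is a small policy scanner for the JSON form of a Terraform plan, the output of `terraform show -json plan.bin`. It walks every planned resource, including child modules, and flags the three classes of misconfiguration named above: public S3 ACLs, security-group ingress open to the world on port 22 or 3389 (or on all ports), and EBS/RDS resources with encryption explicitly set to false. The embedded plan is constructed for illustration; the resource types and attribute names (`aws_s3_bucket`, `aws_security_group`, `ingress`, `cidr_blocks`, `encrypted`, `storage_encrypted`) follow the AWS provider, and the exit status is non-zero on findings so the script can gate a pre-commit hook or a CI job.

```python
"""
plan_checks.py: minimal misconfiguration checks over Terraform plan JSON.

Illustrative scanner, not the code of any real tool. Usage:
    terraform plan -out=plan.bin && terraform show -json plan.bin > plan.json
    python plan_checks.py plan.json        # exit 1 if any finding
With no argument it scans the constructed SAMPLE_PLAN below.
"""
import json
import sys
from typing import Iterator

PUBLIC_ACLS = {"public-read", "public-read-write", "authenticated-read"}
ANYWHERE = {"0.0.0.0/0", "::/0"}
ADMIN_PORTS = {22, 3389}  # SSH and RDP: never open these to the world


def iter_resources(plan: dict) -> Iterator[dict]:
    """Yield every planned resource, descending into child modules."""
    stack = [plan.get("planned_values", {}).get("root_module", {})]
    while stack:
        module = stack.pop()
        yield from module.get("resources", [])
        stack.extend(module.get("child_modules", []))


def _open_to_world(rule: dict) -> bool:
    """True if an ingress rule admits any address on an admin port (or all ports)."""
    cidrs = set(rule.get("cidr_blocks") or []) | set(rule.get("ipv6_cidr_blocks") or [])
    if not cidrs & ANYWHERE:
        return False
    if rule.get("protocol") == "-1":  # "-1" means all protocols and all ports
        return True
    lo, hi = rule["from_port"], rule["to_port"]  # required attributes on SG rules
    return any(lo <= port <= hi for port in ADMIN_PORTS)


def check_resource(res: dict) -> list[str]:
    """Return human-readable findings for one planned resource."""
    rtype, addr, v = res["type"], res["address"], res.get("values") or {}
    findings: list[str] = []
    # Public S3 ACL, on either the legacy inline attribute or the aws_s3_bucket_acl resource.
    if rtype in ("aws_s3_bucket", "aws_s3_bucket_acl") and v.get("acl") in PUBLIC_ACLS:
        findings.append(f"{addr}: S3 ACL '{v['acl']}' grants public access")
    # Security group ingress, both inline blocks and standalone rule resources.
    if rtype == "aws_security_group":
        for rule in v.get("ingress") or []:
            if _open_to_world(rule):
                findings.append(f"{addr}: ingress {rule['from_port']}-{rule['to_port']}/"
                                f"{rule['protocol']} is open to the world")
    if rtype == "aws_security_group_rule" and v.get("type") == "ingress" and _open_to_world(v):
        findings.append(f"{addr}: ingress rule is open to the world")
    # Encryption explicitly disabled. A missing/None value is computed at apply time
    # (e.g. account-level EBS default encryption), so only an explicit false is flagged.
    if rtype == "aws_ebs_volume" and v.get("encrypted") is False:
        findings.append(f"{addr}: EBS volume encryption disabled")
    if rtype == "aws_db_instance" and v.get("storage_encrypted") is False:
        findings.append(f"{addr}: RDS storage encryption disabled")
    return findings


def scan_plan(plan: dict) -> list[str]:
    """All findings for a plan, in resource order."""
    return [f for res in iter_resources(plan) for f in check_resource(res)]


# Constructed sample shaped like `terraform show -json` output (not a real plan).
SAMPLE_PLAN = {
    "format_version": "1.2",
    "planned_values": {"root_module": {
        "resources": [
            {"address": "aws_s3_bucket.logs", "type": "aws_s3_bucket",
             "values": {"bucket": "acme-logs", "acl": "public-read"}},
            {"address": "aws_security_group.bastion", "type": "aws_security_group",
             "values": {"ingress": [
                 {"from_port": 22, "to_port": 22, "protocol": "tcp",
                  "cidr_blocks": ["0.0.0.0/0"], "ipv6_cidr_blocks": []},
                 {"from_port": 443, "to_port": 443, "protocol": "tcp",
                  "cidr_blocks": ["0.0.0.0/0"], "ipv6_cidr_blocks": []},
             ]}},
            {"address": "aws_ebs_volume.data", "type": "aws_ebs_volume",
             "values": {"size": 100, "encrypted": False}},
        ],
        "child_modules": [{"address": "module.db", "resources": [
            {"address": "module.db.aws_db_instance.main", "type": "aws_db_instance",
             "values": {"engine": "postgres", "storage_encrypted": False}},
        ]}],
    }},
}


def main(argv: list[str]) -> int:
    """Scan the plan file named in argv[1] (or SAMPLE_PLAN) and return a gate-friendly exit code."""
    if len(argv) > 1:
        with open(argv[1], encoding="utf-8") as fh:
            plan = json.load(fh)
    else:
        plan = SAMPLE_PLAN
    findings = scan_plan(plan)
    for finding in findings:
        print("FAIL", finding)
    print(f"{len(findings)} finding(s)")
    return 1 if findings else 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

The HTTPS rule on port 443 is deliberately not flagged: the policy targets administrative ports and all-port rules, which is the distinction a sensible baseline makes before you tighten it further. Scanning the plan rather than the `.tf` source is what lets the check see values that arrive through module inputs and variables.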