Behaviour-aware Security Smell Detection for Infrastructure as Code

Research output: Unpublished contribution to conferenceUnpublished abstract

14 Downloads (Pure)


Infrastructure as Code (IaC) is a vital part of modern DevOps workflows, and the security of deployed infrastructures is of the upmost importance. In this presentation, we will highlight the importance of taking into account IaC script behaviour when detecting security smells. Specifically, we present gasel, a security smell detector based on program dependence graphs, which takes into account the control and data flow of Ansible IaC scripts. gasel supports 7 distinct security weaknesses, such as hardcoded passwords and missing integrity checks. Using an oracle of 243 real-world weaknesses, we show that gasel outperforms the state-of-the-art detectors. Moreover, we perform an empirical study on more than 15.000 Ansible scripts to show that the inclusion of control and data flow information is vital to detect security smells in real-world code.
Original languageEnglish
Number of pages2
Publication statusUnpublished - 27 Nov 2023
Event22nd Belgium-Netherlands Software Evolution Workshop - Nijmegen, Netherlands
Duration: 27 Nov 202328 Nov 2023
Conference number: 22


Workshop22nd Belgium-Netherlands Software Evolution Workshop
Abbreviated titleBENEVOL 2023
Internet address


Dive into the research topics of 'Behaviour-aware Security Smell Detection for Infrastructure as Code'. Together they form a unique fingerprint.

Cite this