David Spielmann
@spdavid.bsky.social
PhD student in the Programming Group at the University of St. Gallen
making Infrastructure as Code more reliable
https://david-spielmann.ch/
Thanks! Exactly — tuning an LLM is another great use case. For instance, our Checkov case study could serve as labeled data to help the model learn to identify Infrastructure as Code anti-patterns.
April 27, 2025 at 3:36 PM
For example, hundreds of IAM policies grant full administrative access, posing serious risks in real-world deployments. These insights show how TerraDS can serve as a foundation for improving tooling, analysis, and security in the IaC ecosystem.
April 26, 2025 at 3:12 PM
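What "full administrative access" looks like in HCL, as an added example that is not part of the post or of the TerraDS study: the first resource is the anti-pattern the post refers to (an Allow statement with Action "*" on Resource "*", which static analyzers such as Checkov report), the second is a least-privilege rewrite of the same intent. Resource names and the bucket ARN are placeholders chosen for this illustration.

```hcl
# Added example, not from the original post: the full-admin anti-pattern
# beside a least-privilege version. Names and ARNs are placeholders.

# Anti-pattern: Effect Allow on Action "*" and Resource "*" is equivalent to
# the AdministratorAccess managed policy. Scanners flag this statement whether
# it is inlined as JSON in a resource or built from a policy_document data
# source, because the resulting document is the same.
resource "aws_iam_policy" "admin_everything" {
  name = "admin-everything"
  policy = jsonencode({
    Version = "2012-10-17"
    Statement = [{
      Sid      = "AllowEverything"
      Effect   = "Allow"
      Action   = "*"
      Resource = "*"
    }]
  })
}

# Least-privilege rewrite: one service, an explicit action list, and the
# resources narrowed to a single bucket. ListBucket is evaluated against the
# bucket ARN, GetObject against the object ARN pattern, so both are needed.
data "aws_iam_policy_document" "app_bucket_read" {
  statement {
    sid     = "ReadAppBucket"
    effect  = "Allow"
    actions = ["s3:GetObject", "s3:ListBucket"]
    resources = [
      "arn:aws:s3:::example-app-bucket",
      "arn:aws:s3:::example-app-bucket/*",
    ]
  }
}

resource "aws_iam_policy" "app_bucket_read" {
  name   = "app-bucket-read"
  policy = data.aws_iam_policy_document.app_bucket_read.json
}
```

Running a scanner over a directory containing both resources reports only the first one; the second passes because every statement names concrete actions and resources.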
TerraDS fills this gap, collecting data from over 62,000 repositories, enriched with metadata and original HCL source code. As a case study, we used Checkov, a static analysis tool, to explore security issues in the dataset.
April 26, 2025 at 3:11 PM
Terraform is among the most established and widely adopted Infrastructure as Code (IaC) tools in use today. Yet, despite its popularity, there has been no comprehensive dataset to study real-world HCL programs at scale.
April 26, 2025 at 3:10 PM
Approaches to solving this issue vary, but the trend is clear: IaC tools are becoming increasingly complex as they shoulder a growing share of the security burden.
March 7, 2025 at 2:38 PM
Unlike Terraform, OpenTofu supports encrypting entire state files at rest. This means secrets remain unreadable without a decryption key or passphrase. (But where do we securely store the key or passphrase?)
March 7, 2025 at 2:38 PM
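The OpenTofu feature the post describes, as an added example that is not from the original post: a terraform block with an encryption section that derives an AES-256 key from a passphrase and applies it to both state and plan files. The variable name and the decision to enforce encryption are this example's own choices; it assumes OpenTofu 1.7 or later.

```hcl
# Added example, not from the original post: OpenTofu state and plan
# encryption (OpenTofu 1.7+). Variable name is a placeholder.

variable "state_passphrase" {
  description = "Passphrase for deriving the state key; supplied via TF_VAR_state_passphrase, never committed"
  type        = string
  sensitive   = true
}

terraform {
  encryption {
    # Key provider: PBKDF2 turns the passphrase into an AES-256 key. This is
    # the answer to "where does the key live?" in its weakest form: in the
    # operator's or CI runner's environment, so it is only as safe as the
    # secret store that injects TF_VAR_state_passphrase.
    key_provider "pbkdf2" "passphrase" {
      passphrase = var.state_passphrase
    }

    method "aes_gcm" "default" {
      keys = key_provider.pbkdf2.passphrase
    }

    # enforced = true makes tofu refuse to write an unencrypted state or plan,
    # so a misconfigured run cannot silently fall back to plaintext.
    state {
      method   = method.aes_gcm.default
      enforced = true
    }

    plan {
      method   = method.aes_gcm.default
      enforced = true
    }
  }
}
```

The passphrase provider is the simplest one to reason about; OpenTofu also ships key providers backed by cloud KMS services, which move the key into a system with its own access control and audit trail and are the usual answer to the question the post raises.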
Terraform 1.11 (just released) expanded on this with write-only arguments, which can be written to but never read—making them suitable for secret values. Meanwhile, OpenTofu, the open-source Terraform fork, introduced built-in state file encryption (April 2024).
March 7, 2025 at 2:38 PM
For years, Terraform (by HashiCorp) stored secrets in plaintext (!) within its state files. A single misconfigured access control or exposed file could compromise these secrets. Terraform 1.10 (Nov 2024) introduced ephemeral values, preventing secrets from being stored in state and plan files.
March 7, 2025 at 2:38 PM
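The plaintext-in-state pattern beside its Terraform 1.10 and 1.11 replacements, as an added example covering this post and the one above on write-only arguments (not code from the original posts). The provider-side argument names password_wo and password_wo_version are assumed from AWS provider releases that added write-only arguments for aws_db_instance; all other identifiers are placeholders.

```hcl
# Added example, not from the original posts. Assumes Terraform >= 1.11 and an
# AWS provider release with write-only argument support; names are placeholders.

terraform {
  required_version = ">= 1.11"
}

# BEFORE: a normal variable assigned to a normal argument. sensitive = true
# only redacts CLI output; the value is still written to terraform.tfstate
# and to any saved plan file in plaintext.
variable "db_password_legacy" {
  type      = string
  sensitive = true
}

resource "aws_db_instance" "legacy" {
  identifier          = "legacy-db"
  engine              = "postgres"
  instance_class      = "db.t3.micro"
  allocated_storage   = 20
  username            = "app"
  password            = var.db_password_legacy # persisted to state
  skip_final_snapshot = true
}

# AFTER (Terraform 1.10): an ephemeral input. Terraform refuses to assign it to
# any argument that would be persisted, so repeating the mistake above with
# var.db_password fails at plan time instead of leaking at apply time.
variable "db_password" {
  type      = string
  ephemeral = true
}

# AFTER (Terraform 1.11): a write-only argument. password_wo accepts ephemeral
# values and is never read back or stored. Because the old value is not in
# state to diff against, password_wo_version is bumped to signal a rotation.
resource "aws_db_instance" "app" {
  identifier          = "app-db"
  engine              = "postgres"
  instance_class      = "db.t3.micro"
  allocated_storage   = 20
  username            = "app"
  skip_final_snapshot = true

  password_wo         = var.db_password
  password_wo_version = 1
}
```

After applying the second resource, `terraform state show aws_db_instance.app` contains no password attribute at all, whereas the legacy resource's state entry carries the secret verbatim. Terraform 1.10 also added ephemeral resource blocks (for example reading a Secrets Manager version at plan time without recording it), which serve as another source of ephemeral values for write-only arguments.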