
Posts by David Spielmann

Thanks! Exactly — tuning an LLM is another great use case. For instance, our Checkov case study could serve as labeled data to help the model learn to identify Infrastructure as Code anti-patterns.

11 months ago 2 0 0 0

📄 Paper: programming-group.com/assets/pdf/p...

📦 Dataset: zenodo.org/records/1421...

11 months ago 0 0 0 0

For example, hundreds of IAM policies grant full administrative access, posing serious risks in real-world deployments. These insights show how TerraDS can serve as a foundation for improving tooling, analysis, and security in the IaC ecosystem.

11 months ago 0 0 1 0

TerraDS fills this gap, collecting data from over 62,000 repositories, enriched with metadata and original HCL source code. As a case study, we used Checkov, a static analysis tool, to explore security issues in the dataset.

11 months ago 0 0 1 0

Terraform is among the most established and widely adopted Infrastructure as Code (IaC) tools in use today. Yet, despite its popularity, there has been no comprehensive dataset to study real-world HCL programs at scale.

11 months ago 0 0 1 0

Excited to introduce TerraDS, the first large-scale dataset of Terraform (by @hashicorp.com) configurations written in HCL, sourced exclusively from open-source repositories with permissive licenses to support reproducible research and tool development.

11 months ago 3 2 2 0

Approaches to solving this issue vary, but the trend is clear: IaC tools are becoming increasingly complex as they shoulder a growing share of the security burden.

1 year ago 1 0 0 0

Unlike Terraform, OpenTofu supports encrypting entire state files at rest. This means secrets remain unreadable without a decryption key or passphrase. (But where do we securely store the key or passphrase?)

1 year ago 1 0 1 0

Terraform 1.11 (just released) expanded on this with write-only arguments, which can be written to but never read—making them suitable for secret values. Meanwhile, OpenTofu, the open-source Terraform fork, introduced built-in state file encryption (April 2024).

1 year ago 0 0 1 0

For years, Terraform (by HashiCorp) stored secrets in plaintext (!) within its state files. A single misconfigured access control or exposed file could compromise these secrets. Terraform 1.10 (Nov 2024) introduced ephemeral values, preventing secrets from being stored in state and plan files.

1 year ago 0 0 1 0

Managing secrets such as private keys, API tokens, and database credentials has always been one of the most challenging aspects of security. Despite improvements, secret leakage remains a major cause of breaches, and Infrastructure as Code (IaC) is no exception.

1 year ago 5 0 1 1

Today was the OpenDay at HSG!

Our group focused on increasing awareness for cybersecurity, privacy, and cloud services, and introducing people to programming using robots. It was great!

Ah, I did also embarrass myself in an interview... Thanks @spdavid.bsky.social for the heavy lifting there!

1 year ago 4 2 0 0

New Horizon project! We will work on Infrastructure as Code, contributing to European Digital Sovereignty for a European, green cloud-computing infrastructure.

1 year ago 8 3 0 0