Overview
Code Optimizer scans your HCL code using industry-standard tools (for example, TFLint and Checkov). Scans are triggered manually and provide comprehensive coverage of quality, security, and best-practice issues.How Scanning Works
When you trigger a scan:- Code Retrieval - env zero fetches the latest code from your repository using default branch
- Parallel Analysis - Scanners (such as TFLint and Checkov) analyze your files simultaneously
- Issue Detection - Each scanner identifies violations based on its own rules
- Results Aggregation - Issues are combined, deduplicated, and categorized by severity
- Results Display - Issues appear in Code Optimizer with full context
Scans analyze the current state of your repository. They don’t automatically run on every commit. You trigger them manually when needed.
The Scanners
TFLint
TFLint is a Terraform-focused linter that checks for:- Syntax errors and deprecated syntax
- Provider-specific issues (AWS, Azure, GCP)
- Best practice violations (e.g., missing required variables)
- Module usage patterns
- Deprecated Terraform syntax (e.g.,
v0.11style interpolations) - Invalid resource attribute references
- Provider version constraints not specified
- Missing required variables in modules
Checkov
Checkov is a static code analysis tool that scans for:- Security vulnerabilities (e.g., open security groups, unencrypted storage)
- Compliance violations (CIS, HIPAA, PCI-DSS benchmarks)
- Cloud best practices across AWS, Azure, GCP, and more
- Supply chain security (suspicious modules, insecure sources)
- S3 buckets without encryption
- Security groups allowing unrestricted ingress
- EC2 instances without IMDSv2 enforcement
- Missing tags required for compliance
Triggering a Scan
1
Navigate to Code Optimizer
From the main navigation, click Code Optimizer.
2
Trigger Scan
Click “Scan Now” to start the analysis. The scan runs against all authenticated repositories from your VCS integration.
3
Wait for Results
Scan completion time varies based on the number and size of your repositories.
For Self-Hosted Customers:
- Agent Version Requirement: Code Optimizer is supported on self-hosted agents from version v4.0.29 and up. Ensure your agent is running at least this version.
- Batch Size Configuration: You can configure the repository batch size for scanning by setting the
CODE_OPTIMIZER_REPOSITORY_BATCH_SIZEenvironment variable using thepodAdditionalEnvVarsHelm value. Default batch size is 10.
Viewing Scan Results
Issue Details
Click any issue to view:- Description - What the issue is and why it matters
- File - File path
- Severity - Risk level (High, Medium, Low)
- Labels - Best Practice or Security Misconfiguration
- Affected Environments - Relevant environments impacted by this issue
- Generate Code Fix - Create Pull Request with fix
Understanding Severity Levels
| Severity | Description | Typical Examples |
|---|---|---|
| High | Significant security or compliance violations | Unencrypted secrets, public S3 buckets, overly permissive IAM |
| Medium | Best practice violations with moderate impact | Missing encryption, non-optimal configurations, missing tags |
| Low | Minor quality issues or style violations | Deprecated syntax, missing descriptions |
Issue States
Issues progress through three states:Ongoing
- Meaning: Issue detected and not yet addressed
- Available Actions: Generate fix, ignore, view details
- When it appears: After initial scan or when reappearing in subsequent scans
Resolved
- Meaning: Issue no longer detected in latest scan
- How it happens: After merging a fix and triggering a new scan
- Note: Will reappear as “Ongoing” if detected again in future scans
Ignored
- Meaning: Marked as false positive or intentional pattern
- Available Actions: Un-ignore