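@comment{
  Technical report IC-PFG-23-40 (Institute of Computing, University of Campinas):
  SLiTer, a static analysis tool that flags security smells (e.g. hard-coded
  secrets) in Terraform configurations.
  Entry conventions: title braces protect only the proper nouns (SLiTer, Terraform)
  so the style keeps control of casing; month uses the predefined macro; author
  names are written "von Last, First" so the particles (da, de) parse the same way
  under every style; the abstract is stored in the abstract field instead of being
  embedded in note with hard-coded LaTeX formatting, and note keeps only the
  language/page remark.
}
@techreport{TR-IC-PFG-23-40,
  author      = {da Silva Fernandes, Antonio Gabriel and Opps, Charles and de França, Breno Bernard Nicolau},
  title       = {{SLiTer}: A Static Analysis Tool to Detect Security Smells in {Terraform} Configurations},
  number      = {IC-PFG-23-40},
  institution = {Institute of Computing, University of Campinas},
  month       = nov,
  year        = {2023},
  note        = {In English, 22 pages.},
  abstract    = {Infrastructure as Code (IaC) is widely embraced for its ability to facilitate system infrastructure management, ensuring ease of modification and reproducibility. However, the inherent susceptibility of IaC configurations to security vulnerabilities necessitates specialized tools for code analysis. Building upon the work of Rahman \emph{et al.}, who identified 7 security smells present in IaC scripts and introduced SLIC, a static analysis tool for identifying security smells in Puppet scripts, this paper presents SLiTer — a tool designed to detect the same security smells in Terraform files. By doing so, we developed two Rule Engines to serve distinct purposes: the first faithfully translated SLIC rules to establish a baseline, while the second incorporated modifications to enhance accuracy when applied to Terraform configurations. Evaluating SLiTer on 105 Terraform files from 15 directories revealed the most prevalent security smell as "Hard-coded secret," aligning with findings in the original work. SLiTer may prove valuable for practitioners seeking to identify general security smells in Terraform configurations, complementing other tools like Sonar or \emph{tfparse} for provider-specific issues.},
}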