Security defects in Infrastructure-as-Code (IaC) scripts are prevalent, yet existing classification schemes—such as the “Seven Sins”—suffer from incomplete coverage, coarse granularity, and poor alignment with practical IaC tooling, hindering robust detection method development. Method: We propose the first fine-grained, cross-tool IaC security smell taxonomy, comprising 62 distinct defect categories. It is grounded in a diverse, extended dataset spanning seven mainstream IaC tools and synthesized via large language model–assisted pattern mining coupled with systematic human validation—including alignment with established security standards. Contribution/Results: Leveraging this taxonomy, we design high-precision static detection rules (some achieving F1 = 1.00), integrated into an open-source linter. Empirical evaluation on real-world GitHub projects uncovers previously undetected, long-standing security vulnerabilities. Our work establishes a reusable, standardized classification benchmark and delivers practical, deployable detection capabilities—advancing IaC security analysis and DevSecOps integration.

Infrastructure as Code (IaC) has become essential for modern software management, yet security flaws in IaC scripts can have severe consequences, as exemplified by the recurring exploits of Cloud Web Services. Prior work has recognized the need to build a precise taxonomy of security smells in IaC scripts as a first step towards developing approaches to improve IaC security. This first effort led to the unveiling of seven sins, limited by the focus on a single IaC tool as well as by the extensive, and potentially biased, manual effort that was required. We propose, in our work, to revisit this taxonomy: first, we extend the study of IaC security smells to a more diverse dataset with scripts associated with seven popular IaC tools, including Terraform, Ansible, Chef, Puppet, Pulumi, Saltstack, and Vagrant; second, we bring in some automation for the analysis by relying on an LLM. While we leverage LLMs for initial pattern processing, all taxonomic decisions underwent systematic human validation and reconciliation with established security standards. Our study yields a comprehensive taxonomy of 62 security smell categories, significantly expanding beyond the previously known seven. We demonstrate actionability by implementing new security checking rules within linters for seven popular IaC tools, often achieving 1.00 precision score. Our evolution study of security smells in GitHub projects reveals that these issues persist for extended periods, likely due to inadequate detection and mitigation tools. This work provides IaC practitioners with insights for addressing common security smells and systematically adopting DevSecOps practices to build safer infrastructure code.