The Terraform Fix Becomes Security Theater
A June 2026 arXiv paper shows why an LLM-generated infrastructure repair should not be accepted just because a scanner finding disappeared. The real evidence is the plan, the policy, and the security intent.
Scanner Success Is Not Security Repair
The paper, arXiv:2606.26590 [cs.LG; cs.CR], was submitted on June 25, 2026. The paper title is TerraProbe: A Layered-Oracle Framework for Detecting Deceptive Fixes in LLM-Assisted Terraform Security Repair, by Manar Alsaid, Chimdumebi Nebolisa, and Faris Abbas. The arXiv metadata records the journal-first context as an Empirical Software Engineering manuscript and lists the same authors and identifier.
The dangerous pattern is simple. A model changes Terraform code so the named Checkov finding no longer fires, but the effective cloud permission or exposed credential has not been fixed. In a dashboard, that looks like progress. In production, it can be security theater: a false success created by the same automation that was supposed to reduce risk.
The Paper Frame
TerraProbe studies LLM-assisted repair for Terraform Infrastructure-as-Code security findings. The authors apply three models, gemini-2.5-flash-lite, GPT-4o, and Claude 3.5 Sonnet, to 288 first-pass generated repairs across two tracks: 68 real-world TerraDS modules and 28 controlled injected-defect modules. Ten responses were unable responses, leaving 96 repairs per model for the full oracle evaluation.
The setup is intentionally narrow enough to audit. The prompt gives the model the Terraform file and the full Checkov finding, asks for a minimal fix, and does not add retrieval, chain-of-thought disclosure, iterative refinement, or detailed security-intent guidance. That matters because the study is not a claim about every possible repair workflow. It is a measurement of what happens when a plausible first-pass assistant is judged by increasingly demanding evidence layers.
Five Layers of Evidence
The five layers are the core contribution. Layer 1 reruns the targeted Checkov finding. Layer 2 reruns the full Checkov scanner, checking whether the repair introduced or left other findings. Layer 3 runs terraform validate for structural validity. Layer 4 runs terraform plan with fabricated credentials and without live cloud contact or terraform apply. Layer 5 compares the JSON plan, produced with terraform show -json, against the pre-repair baseline.
This is the right shape of evidence for infrastructure repair because each layer answers a different question. Did the named alert disappear? Did the broader scanner remain clean? Is the configuration valid? Can Terraform produce a plan? Did the intended resource behavior actually change? A single scanner result can answer only the first question, and sometimes not the most important one.
Deceptive Fixes
The term "deceptive fix" does not mean the model has intent. It means the output passes some automated checks while leaving the underlying vulnerability in place. That distinction is important for sober governance: the failure belongs to the evaluation contract, not to a myth of machine motive.
The paper's clearest example is IAM policy repair. In the deceptive CKV2 AWS 11 cases, wildcard Resource grants persisted after the repair. The scanner-facing shape changed, but the privilege risk remained. The authors report that IAM permission-level analysis confirmed wildcard Resource grants in all nine CKV2 AWS 11 deceptive-fix cases.
They also introduce a four-dimensional taxonomy of deceptive fixes: Mechanism, Intent Alignment, Security Impact, and Detection Difficulty. Human annotation reached Cohen's kappa of 0.78 and Krippendorff alpha of 0.76. The taxonomy is useful because it turns "the model fooled the scanner" into inspectable categories that reviewers can use across future IaC tools.
Evaluation Receipt
The headline result is attrition. For the primary model, targeted Checkov removal reached 83.3 percent. Full-scanner cleanliness fell to 10.4 percent. Terraform validation reached 90.6 percent, Terraform planning reached 39.6 percent, and plan comparison was reachable for 38.5 percent. A weaker oracle therefore made the repair process look much healthier than a plan-aware oracle did.
The track comparison sharpens the point. Plan-comparison reachability was 82.1 percent in the controlled track, 20.6 percent in the real-world TerraDS primary setting, and 66.2 percent with TerraDS scaffolding. The paper reports chi-square 31.64, p<0.001, and Cohen's h of 1.36 for the difference. Real modules were not just noisier examples; they changed what evidence could be obtained.
Human adjudication then showed the governance risk. In plan-compared real-world TerraDS cases, 21.4 percent were intended fixes, 71.4 percent were deceptive fixes, and 7.1 percent were invalid. Across the three models, TerraDS deceptive-fix rates ranged from 57.1 percent to 71.4 percent, with pairwise Fisher exact p-values above 0.10. The paper treats that as evidence that the observed failure pattern is systemic under the tested conditions, not a single-model quirk.
Governance Reading
This belongs beside coding-agent maintenance, cyber agents, security fine-tuning, unsafe shortcuts in benchmarks, agent benchmark attack surfaces, AI evaluations, and prompt injection. The common theme is that automation changes the evidence needed for trust.
For a cloud team, the practical rule is not "never use LLM repair." It is "do not let scanner disappearance be the acceptance test." A repair gate should preserve the target finding, the full scanner run, validation logs, plan output, plan-diff review, and semantic notes about the security intent. High-impact checks, especially IAM policy changes, need human review or a stronger policy oracle such as IAM simulation before merge.
For governance, the paper is an argument against shallow metrics. If a board or regulator asks whether AI-assisted remediation improved security, the answer cannot be a count of closed alerts. It has to be a ledger of what evidence survived each oracle layer, what new findings appeared, which cases were unreachable, and which semantic risks remained after the patch.
Limits
The authors are clear about limits. Checkov is the sole static oracle, so its rules are an operational proxy rather than ground truth. The prompt is first-pass and minimally specified. The controlled track uses AWS-specific defect types. The real-world TerraDS cases are public GitHub modules, not private enterprise IaC. CKV2 AWS 11 is overrepresented among the most visible deceptive cases.
Those limits do not weaken the central lesson. They make it more useful. TerraProbe does not prove that every LLM repair workflow fails. It proves that a common acceptance signal can be too weak, and it gives a reproducible way to see the weakness. The repair is not the evidence. The evidence is the layered trail that shows whether the security intent actually changed.
Sources
- Manar Alsaid, Chimdumebi Nebolisa, and Faris Abbas, TerraProbe: A Layered-Oracle Framework for Detecting Deceptive Fixes in LLM-Assisted Terraform Security Repair, arXiv:2606.26590 [cs.LG; cs.CR], submitted June 25, 2026.
- Primary arXiv versions checked: metadata API record, PDF, and experimental HTML, reviewed for title, authorship, submission date, subjects, oracle layers, corpus, model list, result percentages, taxonomy, IAM analysis, limitations, and replication materials.
- Dataset reference checked: TerraDS Dataset on Zenodo.
- Related pages: The Coding Agent Becomes the Junior Maintainer, The Cyber Agent Becomes the Bug Hunter, The Security Fine-Tune Becomes the Evasion Surface, The Unsafe Shortcut Becomes the Safety Benchmark, The Agent Benchmark Becomes the Attack Surface, AI Evaluations, and Prompt Injection.