IntelliSA：一种基于符号规则与神经推理的IaC安全异味智能静态分析器 (IntelliSA: An Intelligent Static Analyzer for IaC Security Smell Detection Using Symbolic Rules and Neural Inference)

Infrastructure as Code (IaC) enables automated provisioning of large-scale cloud and on-premise environments, reducing the need for repetitive manual setup. However, this automation is a double-edged sword: a single misconfiguration in IaC scripts can propagate widely, leading to severe system downtime and security risks. Prior studies have shown that IaC scripts often contain security smells--bad coding patterns that may introduce vulnerabilities--and have proposed static analyzers based on symbolic rules to detect them. Yet, our preliminary analysis reveals that rule-based detection alone tends to over-approximate, producing excessive false positives and increasing the burden of manual inspection. In this paper, we present IntelliSA, an intelligent static analyzer for IaC security smell detection that integrates symbolic rules with neural inference. IntelliSA applies symbolic rules to over-approximate potential smells for broad coverage, then employs neural inference to filter false positives. While an LLM can effectively perform this filtering, reliance on LLM APIs introduces high cost and latency, raises data governance concerns, and limits reproducibility and offline deployment. To address the challenges, we adopt a knowledge distillation approach: an LLM teacher generates pseudo-labels to train a compact student model--over 500x smaller--that learns from the teacher's knowledge and efficiently classifies false positives. We evaluate IntelliSA against two static analyzers and three LLM baselines (Claude-4, Grok-4, and GPT-5) using a human-labeled dataset including 241 security smells across 11,814 lines of real-world IaC code. Experimental results show that IntelliSA achieves the highest F1 score (83%), outperforming baselines by 7-42%. Moreover, IntelliSA demonstrates the best cost-effectiveness, detecting 60% of security smells while inspecting less than 2% of the codebase.

翻译：基础设施即代码（IaC）能够实现大规模云环境和本地环境的自动化配置，减少重复性手动设置的需求。然而，这种自动化是一把双刃剑：IaC脚本中的单个错误配置可能广泛传播，导致严重的系统停机和安全风险。先前研究表明，IaC脚本常包含安全异味——可能引入漏洞的不良编码模式——并已提出基于符号规则的静态分析器进行检测。然而，我们的初步分析表明，仅依赖基于规则的检测往往会产生过度近似，导致大量误报并增加人工审查负担。本文提出IntelliSA，一种集成符号规则与神经推理的IaC安全异味智能静态分析器。IntelliSA首先应用符号规则对潜在异味进行过度近似以实现广泛覆盖，随后采用神经推理过滤误报。虽然大语言模型（LLM）能有效执行此类过滤，但依赖LLM API会带来高昂成本与延迟、引发数据治理问题，并限制可复现性与离线部署。为应对这些挑战，我们采用知识蒸馏方法：通过LLM教师模型生成伪标签来训练紧凑的学生模型（体积缩小超过500倍），使学生模型能够学习教师知识并高效完成误报分类。我们使用包含11,814行真实IaC代码中241个安全异味的人工标注数据集，将IntelliSA与两种静态分析器及三种LLM基线模型（Claude-4、Grok-4和GPT-5）进行对比评估。实验结果表明，IntelliSA取得了最高的F1分数（83%），较基线模型提升7-42%。此外，IntelliSA展现出最佳成本效益，在仅审查不足2%代码库的情况下，成功检测出60%的安全异味。