iac-security-scanner
Infrastructure as Code security scanning and policy enforcement for Terraform, CloudFormation, Kubernetes, and Pulumi
Best use case
iac-security-scanner is best used when you need a repeatable AI agent workflow instead of a one-off prompt.
Infrastructure as Code security scanning and policy enforcement for Terraform, CloudFormation, Kubernetes, and Pulumi
Teams using iac-security-scanner should expect a more consistent output, faster repeated execution, less prompt rewriting.
When to use this skill
- You want a reusable workflow that can be run more than once with consistent structure.
When not to use this skill
- You only need a quick one-off answer and do not need a reusable workflow.
- You cannot install or maintain the underlying files, dependencies, or repository context.
Installation
Claude Code / Cursor / Codex
Manual Installation
- Download SKILL.md from GitHub
- Place it in
.claude/skills/iac-security-scanner/SKILL.mdinside your project - Restart your AI agent — it will auto-discover the skill
How iac-security-scanner Compares
| Feature / Agent | iac-security-scanner | Standard Approach |
|---|---|---|
| Platform Support | Not specified | Limited / Varies |
| Context Awareness | High | Baseline |
| Installation Complexity | Unknown | N/A |
Frequently Asked Questions
What does this skill do?
Infrastructure as Code security scanning and policy enforcement for Terraform, CloudFormation, Kubernetes, and Pulumi
Where can I find the source code?
You can find the source code on GitHub using the link provided at the top of the page.
SKILL.md Source
# IaC Security Scanner Skill
## Purpose
Infrastructure as Code security scanning and policy enforcement to identify misconfigurations, security vulnerabilities, and compliance violations in cloud infrastructure definitions before deployment.
## Capabilities
### Terraform Security Scanning
- Scan Terraform configurations for security misconfigurations
- Check for exposed resources (public S3 buckets, open security groups)
- Validate encryption settings for data at rest and in transit
- Detect hardcoded secrets in Terraform files
- Analyze Terraform state files for sensitive data exposure
### CloudFormation Analysis
- Scan CloudFormation templates for security issues
- Check IAM policy configurations for least privilege
- Validate network configuration security
- Detect insecure default configurations
### Kubernetes Manifest Scanning
- Analyze Kubernetes YAML manifests for security issues
- Check pod security standards compliance
- Validate resource limits and quotas
- Detect privileged containers and host path mounts
### Pulumi Code Analysis
- Scan Pulumi TypeScript/Python code for security issues
- Check cloud resource configurations
- Validate security best practices
### Policy Enforcement
- Define and enforce custom security policies using OPA/Rego
- Create guardrails for cloud resource configurations
- Block deployments that violate security policies
- Generate policy compliance reports
### Compliance Mapping
- Map findings to compliance frameworks (CIS, NIST, SOC 2, PCI-DSS)
- Generate compliance gap analysis reports
- Track remediation progress against compliance requirements
## Integrations
- **Checkov**: Multi-cloud IaC scanner by Bridgecrew
- **tfsec**: Terraform security scanner
- **KICS**: Keeping Infrastructure as Code Secure
- **Terrascan**: IaC security scanner
- **OPA/Rego**: Policy as code engine
- **Snyk IaC**: Infrastructure as Code security testing
## Target Processes
- IaC Security Scanning Process
- Cloud Security Architecture Review
- DevSecOps Pipeline Integration
- Infrastructure Deployment Pipeline
- Compliance Continuous Monitoring
## Input Schema
```json
{
"type": "object",
"properties": {
"iacPath": {
"type": "string",
"description": "Path to IaC files or directory"
},
"iacType": {
"type": "string",
"enum": ["terraform", "cloudformation", "kubernetes", "pulumi", "arm", "ansible"],
"description": "Type of IaC to scan"
},
"scanners": {
"type": "array",
"items": {
"type": "string",
"enum": ["checkov", "tfsec", "kics", "terrascan", "snyk"]
},
"description": "Scanners to use"
},
"complianceFrameworks": {
"type": "array",
"items": {
"type": "string",
"enum": ["CIS", "NIST", "SOC2", "PCI-DSS", "HIPAA", "GDPR"]
}
},
"customPolicies": {
"type": "string",
"description": "Path to custom OPA/Rego policies"
},
"severityThreshold": {
"type": "string",
"enum": ["CRITICAL", "HIGH", "MEDIUM", "LOW"]
},
"excludePaths": {
"type": "array",
"items": { "type": "string" }
}
},
"required": ["iacPath", "iacType"]
}
```
## Output Schema
```json
{
"type": "object",
"properties": {
"scanId": {
"type": "string"
},
"iacPath": {
"type": "string"
},
"scanTimestamp": {
"type": "string",
"format": "date-time"
},
"summary": {
"type": "object",
"properties": {
"totalFiles": { "type": "integer" },
"filesScanned": { "type": "integer" },
"passedChecks": { "type": "integer" },
"failedChecks": { "type": "integer" },
"skippedChecks": { "type": "integer" }
}
},
"findings": {
"type": "array",
"items": {
"type": "object",
"properties": {
"checkId": { "type": "string" },
"severity": { "type": "string" },
"resourceType": { "type": "string" },
"resourceName": { "type": "string" },
"filePath": { "type": "string" },
"lineNumber": { "type": "integer" },
"description": { "type": "string" },
"remediation": { "type": "string" },
"complianceMapping": { "type": "array" }
}
}
},
"complianceReport": {
"type": "object"
},
"recommendations": {
"type": "array",
"items": { "type": "string" }
}
}
}
```
## Usage Example
```javascript
skill: {
name: 'iac-security-scanner',
context: {
iacPath: './infrastructure/terraform',
iacType: 'terraform',
scanners: ['checkov', 'tfsec'],
complianceFrameworks: ['CIS', 'SOC2'],
severityThreshold: 'MEDIUM'
}
}
```Related Skills
web-security
OWASP Top 10, security headers, CSP, XSS prevention, and vulnerability prevention.
security-scanner
Run security scans including SAST, dependency scanning, and secret detection
security-sandbox
Isolated analysis environment management for malware and exploit testing. Create and manage isolated VMs, configure Cuckoo Sandbox, set up REMnux/FlareVM environments, manage Docker-based analysis containers, and capture filesystem and process changes.
Offensive Security Skill
Offensive security tools and techniques integration
hardware-security
Hardware and embedded security research capabilities. Interface with JTAG debuggers, analyze SPI/I2C communications, dump and analyze firmware, support fault injection, side-channel analysis, and hardware exploitation research.
cloud-security-testing
Multi-cloud security assessment and penetration testing capabilities. Execute Prowler/ScoutSuite assessments, analyze IAM policies, identify cloud misconfigurations, test permissions, and enumerate cloud resources across AWS/GCP/Azure.
Burp Suite/Web Security Skill
Web application security testing with Burp Suite integration
aiml-security
AI/ML model security testing and adversarial research capabilities. Generate adversarial examples, test model robustness, perform model extraction attacks, test for data poisoning, analyze model fairness, and support ART framework integration.
vendor-security-questionnaire
Automated vendor security assessment through questionnaire generation, response parsing, and risk scoring
secret-detection-scanner
Detect secrets, credentials, and sensitive data in code and configurations. Scan git history for secrets, detect API keys, tokens, passwords, check environment files, monitor CI/CD logs for exposure, generate remediation steps, and track secret rotation status.
owasp-security-scanner
Automated OWASP Top 10 vulnerability detection and assessment. Run OWASP ZAP automated scans, detect injection vulnerabilities, identify broken authentication patterns, check for sensitive data exposure, analyze security misconfigurations, and generate OWASP-compliant reports.
multi-cloud-security-posture
Unified cloud security posture management across AWS, Azure, and GCP with normalized metrics and CIS benchmark comparison