agent-bom-scan-infra

Scan infrastructure-as-code, cloud configurations, and find secrets. Use when: "check terraform", "scan kubernetes", "IaC", "find secrets", "scan dockerfile", "cloud security", "misconfigurations".

10 stars

Best use case

agent-bom-scan-infra is best used when you need a repeatable AI agent workflow instead of a one-off prompt.

Scan infrastructure-as-code, cloud configurations, and find secrets. Use when: "check terraform", "scan kubernetes", "IaC", "find secrets", "scan dockerfile", "cloud security", "misconfigurations".

Teams using agent-bom-scan-infra should expect a more consistent output, faster repeated execution, less prompt rewriting.

When to use this skill

  • You want a reusable workflow that can be run more than once with consistent structure.

When not to use this skill

  • You only need a quick one-off answer and do not need a reusable workflow.
  • You cannot install or maintain the underlying files, dependencies, or repository context.

Installation

Claude Code / Cursor / Codex

$curl -o ~/.claude/skills/scan-infra/SKILL.md --create-dirs "https://raw.githubusercontent.com/msaad00/agent-bom/main/integrations/openclaw/scan-infra/SKILL.md"

Manual Installation

  1. Download SKILL.md from GitHub
  2. Place it in .claude/skills/scan-infra/SKILL.md inside your project
  3. Restart your AI agent — it will auto-discover the skill

How agent-bom-scan-infra Compares

Feature / Agentagent-bom-scan-infraStandard Approach
Platform SupportNot specifiedLimited / Varies
Context Awareness High Baseline
Installation ComplexityUnknownN/A

Frequently Asked Questions

What does this skill do?

Scan infrastructure-as-code, cloud configurations, and find secrets. Use when: "check terraform", "scan kubernetes", "IaC", "find secrets", "scan dockerfile", "cloud security", "misconfigurations".

Where can I find the source code?

You can find the source code on GitHub using the link provided at the top of the page.

SKILL.md Source

# agent-bom-scan-infra — Infrastructure & Cloud Security Scanner

Scans infrastructure-as-code (Terraform, CloudFormation, Kubernetes), finds
secrets in config files, and runs cloud CIS benchmarks against AWS, Azure,
GCP, and Snowflake.

## Install

```bash
pipx install agent-bom
agent-bom iac infra/         # scan Terraform/CloudFormation/K8s
agent-bom cloud aws          # AWS CIS benchmark
agent-bom cloud azure        # Azure CIS benchmark
agent-bom cloud gcp          # GCP CIS benchmark
agent-bom agents --snowflake --snowflake-cis-benchmark
agent-bom secrets .          # find secrets in current directory
```

## When to Use

- "check terraform" / "scan terraform"
- "scan kubernetes" / "K8s security"
- "IaC" / "infrastructure as code"
- "find secrets" / "secret scanning"
- "scan dockerfile"
- "cloud security" / "CIS benchmark"
- "misconfigurations"

## Commands

```bash
# Scan IaC directory
agent-bom iac infra/

# Run cloud CIS benchmark
agent-bom cloud aws
agent-bom cloud azure
agent-bom cloud gcp
agent-bom agents --snowflake --snowflake-cis-benchmark

# Find secrets in files
agent-bom secrets .
```

## Tools

| Tool | Description |
|------|-------------|
| `iac` | Scan Terraform, CloudFormation, Kubernetes YAML for misconfigurations |
| `cloud` | CIS benchmark checks (AWS, Azure v3.0, GCP v3.0, Snowflake) |
| `secrets` | Find secrets and credentials in files and directories |

## Examples

```
# Scan IaC directory for misconfigurations
iac(path="infra/")

# Run AWS CIS benchmark
cloud(provider="aws")

# Find secrets in project
secrets(path=".")
```

## Guardrails

- Confirm with the user before running cloud CIS benchmarks — these make live read-only API calls to AWS/Azure/GCP using the user's locally configured credentials.
- IaC and secrets scanning is purely local — no network calls.
- Do not modify any infrastructure files.
- Ask the user before scanning paths outside their home or project directory.
- Cloud credentials are used only to call the cloud provider's own APIs and are never transmitted elsewhere.

Related Skills

agent-bom-scan

10
from msaad00/agent-bom

Open security scanner for agentic infrastructure — agents, MCP, packages, blast radius, runtime, and trust for package CVEs (OSV, NVD, EPSS, KEV), container images, provenance, filesystems, and SBOMs. Use when: "check package", "scan image", "verify", "is this safe", "scan dependencies", "CVE lookup", "blast radius".

missing-guardrail-fixture

10
from msaad00/agent-bom

Fixture that intentionally omits the capability guardrail contract.

agent-bom-vulnerability-intel

10
from msaad00/agent-bom

Use agent-bom to check package, SBOM, inventory, and agent dependency exposure against OSV, GitHub Security Advisories, NVD, EPSS, and CISA KEV with explicit data-boundary choices. Use when a user asks for CVE lookup, advisory intelligence, exploitability context, fix versions, GHSA/OSV/NVD enrichment, or package vulnerability triage.

agent-bom-troubleshoot

10
from msaad00/agent-bom

Diagnose issues, check prerequisites, and validate configurations. Use when: "doctor", "debug", "why failing", "validate config", "check prerequisites", "something is broken", "db status", "fix my setup".

agent-bom-runtime

10
from msaad00/agent-bom

AI runtime security monitoring — context graph analysis, runtime audit log correlation with CVE findings, and vulnerability analytics queries. Use when the user mentions runtime monitoring, context graphs, lateral movement analysis, audit log correlation, or vulnerability analytics.

agent-bom-registry

10
from msaad00/agent-bom

MCP server security registry and trust assessment — look up servers in the 427+ server security metadata registry, run pre-install marketplace checks, batch fleet risk scoring, assess skill file trust, and run SAST code scans. Use when the user mentions MCP server trust, registry lookup, marketplace check, or skill trust assessment.

agent-bom-monitor

10
from msaad00/agent-bom

Monitor agent fleet, track trust scores, and manage lifecycle states. Use when: "fleet", "watch agents", "runtime status", "trust scores", "fleet sync", "agent lifecycle", "serve dashboard".

agent-bom-ingest

10
from msaad00/agent-bom

Validate and ingest operator-pushed agent-bom inventory JSON from AWS, Azure, GCP, Snowflake, CMDB, or endpoint collectors. Use when a user has canonical inventory JSON and wants local findings, graph, policy, provenance, or auditor-ready exports without giving agent-bom direct cloud credentials.

agent-bom-enforce

10
from msaad00/agent-bom

Enforce security policies on MCP tool calls and block dangerous operations at runtime. Use when: "block risky calls", "apply policy", "proxy", "runtime protection", "policy enforcement", "intercept MCP calls".

agent-bom-discover

10
from msaad00/agent-bom

Discover AI agents, MCP servers, and configurations on this machine or environment. Use when: "find agents", "what's configured", "doctor", "what MCP servers", "show me what's installed", "mcp inventory".

agent-bom-discover-snowflake

10
from msaad00/agent-bom

Discover Snowflake Cortex, Snowpark, notebook, Streamlit, MCP, and AI-observability assets from the operator's environment, emit canonical agent-bom inventory JSON, and scan it without giving agent-bom long-lived Snowflake credentials. Use when a user asks to inventory Snowflake AI or Cortex infrastructure as canonical inventory.

agent-bom-discover-gcp

10
from msaad00/agent-bom

Discover GCP-hosted AI agent and MCP-relevant assets from the operator's environment, emit canonical agent-bom inventory JSON, and scan it without giving agent-bom long-lived GCP credentials. Use when a user asks to inventory Vertex AI, Cloud Run, Cloud Functions, GKE, or agentic GCP infrastructure as canonical inventory.