Назад към всички

iac-security-scanner

// Infrastructure as Code security scanning and policy enforcement for Terraform, CloudFormation, Kubernetes, and Pulumi

$ git log --oneline --stat
stars:384
forks:73
updated:March 4, 2026
SKILL.mdreadonly
SKILL.md Frontmatter
nameiac-security-scanner
descriptionInfrastructure as Code security scanning and policy enforcement for Terraform, CloudFormation, Kubernetes, and Pulumi
allowed-toolsBash,Read,Write,Glob,Grep,WebFetch

IaC Security Scanner Skill

Purpose

Infrastructure as Code security scanning and policy enforcement to identify misconfigurations, security vulnerabilities, and compliance violations in cloud infrastructure definitions before deployment.

Capabilities

Terraform Security Scanning

  • Scan Terraform configurations for security misconfigurations
  • Check for exposed resources (public S3 buckets, open security groups)
  • Validate encryption settings for data at rest and in transit
  • Detect hardcoded secrets in Terraform files
  • Analyze Terraform state files for sensitive data exposure

CloudFormation Analysis

  • Scan CloudFormation templates for security issues
  • Check IAM policy configurations for least privilege
  • Validate network configuration security
  • Detect insecure default configurations

Kubernetes Manifest Scanning

  • Analyze Kubernetes YAML manifests for security issues
  • Check pod security standards compliance
  • Validate resource limits and quotas
  • Detect privileged containers and host path mounts

Pulumi Code Analysis

  • Scan Pulumi TypeScript/Python code for security issues
  • Check cloud resource configurations
  • Validate security best practices

Policy Enforcement

  • Define and enforce custom security policies using OPA/Rego
  • Create guardrails for cloud resource configurations
  • Block deployments that violate security policies
  • Generate policy compliance reports

Compliance Mapping

  • Map findings to compliance frameworks (CIS, NIST, SOC 2, PCI-DSS)
  • Generate compliance gap analysis reports
  • Track remediation progress against compliance requirements

Integrations

  • Checkov: Multi-cloud IaC scanner by Bridgecrew
  • tfsec: Terraform security scanner
  • KICS: Keeping Infrastructure as Code Secure
  • Terrascan: IaC security scanner
  • OPA/Rego: Policy as code engine
  • Snyk IaC: Infrastructure as Code security testing

Target Processes

  • IaC Security Scanning Process
  • Cloud Security Architecture Review
  • DevSecOps Pipeline Integration
  • Infrastructure Deployment Pipeline
  • Compliance Continuous Monitoring

Input Schema

{
  "type": "object",
  "properties": {
    "iacPath": {
      "type": "string",
      "description": "Path to IaC files or directory"
    },
    "iacType": {
      "type": "string",
      "enum": ["terraform", "cloudformation", "kubernetes", "pulumi", "arm", "ansible"],
      "description": "Type of IaC to scan"
    },
    "scanners": {
      "type": "array",
      "items": {
        "type": "string",
        "enum": ["checkov", "tfsec", "kics", "terrascan", "snyk"]
      },
      "description": "Scanners to use"
    },
    "complianceFrameworks": {
      "type": "array",
      "items": {
        "type": "string",
        "enum": ["CIS", "NIST", "SOC2", "PCI-DSS", "HIPAA", "GDPR"]
      }
    },
    "customPolicies": {
      "type": "string",
      "description": "Path to custom OPA/Rego policies"
    },
    "severityThreshold": {
      "type": "string",
      "enum": ["CRITICAL", "HIGH", "MEDIUM", "LOW"]
    },
    "excludePaths": {
      "type": "array",
      "items": { "type": "string" }
    }
  },
  "required": ["iacPath", "iacType"]
}

Output Schema

{
  "type": "object",
  "properties": {
    "scanId": {
      "type": "string"
    },
    "iacPath": {
      "type": "string"
    },
    "scanTimestamp": {
      "type": "string",
      "format": "date-time"
    },
    "summary": {
      "type": "object",
      "properties": {
        "totalFiles": { "type": "integer" },
        "filesScanned": { "type": "integer" },
        "passedChecks": { "type": "integer" },
        "failedChecks": { "type": "integer" },
        "skippedChecks": { "type": "integer" }
      }
    },
    "findings": {
      "type": "array",
      "items": {
        "type": "object",
        "properties": {
          "checkId": { "type": "string" },
          "severity": { "type": "string" },
          "resourceType": { "type": "string" },
          "resourceName": { "type": "string" },
          "filePath": { "type": "string" },
          "lineNumber": { "type": "integer" },
          "description": { "type": "string" },
          "remediation": { "type": "string" },
          "complianceMapping": { "type": "array" }
        }
      }
    },
    "complianceReport": {
      "type": "object"
    },
    "recommendations": {
      "type": "array",
      "items": { "type": "string" }
    }
  }
}

Usage Example

skill: {
  name: 'iac-security-scanner',
  context: {
    iacPath: './infrastructure/terraform',
    iacType: 'terraform',
    scanners: ['checkov', 'tfsec'],
    complianceFrameworks: ['CIS', 'SOC2'],
    severityThreshold: 'MEDIUM'
  }
}