home / skills / a5c-ai / babysitter / iac-security-scanner

iac-security-scanner skill

safe

/plugins/babysitter/skills/babysit/process/specializations/security-compliance/skills/iac-security-scanner

This skill scans IaC definitions across Terraform, CloudFormation, Kubernetes, and Pulumi to detect misconfigurations and enforce security policies.

npx playbooks add skill a5c-ai/babysitter --skill iac-security-scanner

Review the files below or copy the command above to add this skill to your agents.

Files (2)

SKILL.md

4.9 KB

---
name: iac-security-scanner
description: Infrastructure as Code security scanning and policy enforcement for Terraform, CloudFormation, Kubernetes, and Pulumi
allowed-tools:
  - Bash
  - Read
  - Write
  - Glob
  - Grep
  - WebFetch
---

# IaC Security Scanner Skill

## Purpose

Infrastructure as Code security scanning and policy enforcement to identify misconfigurations, security vulnerabilities, and compliance violations in cloud infrastructure definitions before deployment.

## Capabilities

### Terraform Security Scanning
- Scan Terraform configurations for security misconfigurations
- Check for exposed resources (public S3 buckets, open security groups)
- Validate encryption settings for data at rest and in transit
- Detect hardcoded secrets in Terraform files
- Analyze Terraform state files for sensitive data exposure

### CloudFormation Analysis
- Scan CloudFormation templates for security issues
- Check IAM policy configurations for least privilege
- Validate network configuration security
- Detect insecure default configurations

### Kubernetes Manifest Scanning
- Analyze Kubernetes YAML manifests for security issues
- Check pod security standards compliance
- Validate resource limits and quotas
- Detect privileged containers and host path mounts

### Pulumi Code Analysis
- Scan Pulumi TypeScript/Python code for security issues
- Check cloud resource configurations
- Validate security best practices

### Policy Enforcement
- Define and enforce custom security policies using OPA/Rego
- Create guardrails for cloud resource configurations
- Block deployments that violate security policies
- Generate policy compliance reports

### Compliance Mapping
- Map findings to compliance frameworks (CIS, NIST, SOC 2, PCI-DSS)
- Generate compliance gap analysis reports
- Track remediation progress against compliance requirements

## Integrations

- **Checkov**: Multi-cloud IaC scanner by Bridgecrew
- **tfsec**: Terraform security scanner
- **KICS**: Keeping Infrastructure as Code Secure
- **Terrascan**: IaC security scanner
- **OPA/Rego**: Policy as code engine
- **Snyk IaC**: Infrastructure as Code security testing

## Target Processes

- IaC Security Scanning Process
- Cloud Security Architecture Review
- DevSecOps Pipeline Integration
- Infrastructure Deployment Pipeline
- Compliance Continuous Monitoring

## Input Schema

```json
{
  "type": "object",
  "properties": {
    "iacPath": {
      "type": "string",
      "description": "Path to IaC files or directory"
    },
    "iacType": {
      "type": "string",
      "enum": ["terraform", "cloudformation", "kubernetes", "pulumi", "arm", "ansible"],
      "description": "Type of IaC to scan"
    },
    "scanners": {
      "type": "array",
      "items": {
        "type": "string",
        "enum": ["checkov", "tfsec", "kics", "terrascan", "snyk"]
      },
      "description": "Scanners to use"
    },
    "complianceFrameworks": {
      "type": "array",
      "items": {
        "type": "string",
        "enum": ["CIS", "NIST", "SOC2", "PCI-DSS", "HIPAA", "GDPR"]
      }
    },
    "customPolicies": {
      "type": "string",
      "description": "Path to custom OPA/Rego policies"
    },
    "severityThreshold": {
      "type": "string",
      "enum": ["CRITICAL", "HIGH", "MEDIUM", "LOW"]
    },
    "excludePaths": {
      "type": "array",
      "items": { "type": "string" }
    }
  },
  "required": ["iacPath", "iacType"]
}
```

## Output Schema

```json
{
  "type": "object",
  "properties": {
    "scanId": {
      "type": "string"
    },
    "iacPath": {
      "type": "string"
    },
    "scanTimestamp": {
      "type": "string",
      "format": "date-time"
    },
    "summary": {
      "type": "object",
      "properties": {
        "totalFiles": { "type": "integer" },
        "filesScanned": { "type": "integer" },
        "passedChecks": { "type": "integer" },
        "failedChecks": { "type": "integer" },
        "skippedChecks": { "type": "integer" }
      }
    },
    "findings": {
      "type": "array",
      "items": {
        "type": "object",
        "properties": {
          "checkId": { "type": "string" },
          "severity": { "type": "string" },
          "resourceType": { "type": "string" },
          "resourceName": { "type": "string" },
          "filePath": { "type": "string" },
          "lineNumber": { "type": "integer" },
          "description": { "type": "string" },
          "remediation": { "type": "string" },
          "complianceMapping": { "type": "array" }
        }
      }
    },
    "complianceReport": {
      "type": "object"
    },
    "recommendations": {
      "type": "array",
      "items": { "type": "string" }
    }
  }
}
```

## Usage Example

```javascript
skill: {
  name: 'iac-security-scanner',
  context: {
    iacPath: './infrastructure/terraform',
    iacType: 'terraform',
    scanners: ['checkov', 'tfsec'],
    complianceFrameworks: ['CIS', 'SOC2'],
    severityThreshold: 'MEDIUM'
  }
}
```

Overview

This skill provides Infrastructure as Code security scanning and policy enforcement for Terraform, CloudFormation, Kubernetes, and Pulumi. It finds misconfigurations, exposed resources, hardcoded secrets, and compliance gaps before deployment. The skill integrates multiple scanners and OPA/Rego policies to block or report unsafe deployments.

How this skill works

Point the skill at an IaC directory and select the IaC type and scanners. It runs selected analyzers (Checkov, tfsec, KICS, Terrascan, Snyk) and applies custom OPA/Rego policies to evaluate findings. Results include a structured report with findings, severity, compliance mappings, remediation steps, and optional enforcement to fail deployments that violate thresholds.

When to use it

Before merging or deploying IaC changes to catch security issues early
As a gate in CI/CD pipelines to enforce security and compliance guardrails
During cloud security architecture reviews or audits to map gaps to frameworks
When integrating multiple IaC technologies across teams to standardize checks
To validate custom security policies and ensure least-privilege configurations

Best practices

Run scans early and often in local dev, CI, and pre-deploy stages
Use multiple scanners to increase coverage and reduce false negatives
Define a clear severity threshold and treat CRITICAL/HIGH findings as blocking
Maintain custom OPA/Rego policies for organization-specific guardrails
Exclude generated or third-party modules explicitly to avoid noise

Example use cases

CI job that scans Terraform directories with Checkov and tfsec and fails on HIGH+ findings
Pre-deployment check that inspects Kubernetes manifests for privileged containers and missing resource limits
Automated compliance report generation mapping findings to CIS and SOC 2 controls
Scanning Pulumi TypeScript code for misconfigured cloud resources and hardcoded secrets
Policy enforcement that blocks CloudFormation stacks with overly permissive IAM policies

FAQ

Which IaC types are supported?

Terraform, CloudFormation, Kubernetes manifests, Pulumi (TypeScript/Python), and common formats like ARM/Ansible when configured.

Can I add custom policies?

Yes. Provide OPA/Rego policy files to enforce organization-specific rules and integrate them into the scan workflow.