ReddRadar
Agent skill
iac-security-scanner
Infrastructure as Code security scanning and policy enforcement for Terraform, CloudFormation, Kubernetes, and Pulumi
Install this agent skill to your Project
npx add-skill https://github.com/a5c-ai/babysitter/tree/main/library/specializations/security-compliance/skills/iac-security-scanner
SKILL.md
IaC Security Scanner Skill
Purpose
Infrastructure as Code security scanning and policy enforcement to identify misconfigurations, security vulnerabilities, and compliance violations in cloud infrastructure definitions before deployment.
Capabilities
Terraform Security Scanning
- Scan Terraform configurations for security misconfigurations
- Check for exposed resources (public S3 buckets, open security groups)
- Validate encryption settings for data at rest and in transit
- Detect hardcoded secrets in Terraform files
- Analyze Terraform state files for sensitive data exposure
CloudFormation Analysis
- Scan CloudFormation templates for security issues
- Check IAM policy configurations for least privilege
- Validate network configuration security
- Detect insecure default configurations
Kubernetes Manifest Scanning
- Analyze Kubernetes YAML manifests for security issues
- Check pod security standards compliance
- Validate resource limits and quotas
- Detect privileged containers and host path mounts
Pulumi Code Analysis
- Scan Pulumi TypeScript/Python code for security issues
- Check cloud resource configurations
- Validate security best practices
Policy Enforcement
- Define and enforce custom security policies using OPA/Rego
- Create guardrails for cloud resource configurations
- Block deployments that violate security policies
- Generate policy compliance reports
Compliance Mapping
- Map findings to compliance frameworks (CIS, NIST, SOC 2, PCI-DSS)
- Generate compliance gap analysis reports
- Track remediation progress against compliance requirements
Integrations
- Checkov: Multi-cloud IaC scanner by Bridgecrew
- tfsec: Terraform security scanner
- KICS: Keeping Infrastructure as Code Secure
- Terrascan: IaC security scanner
- OPA/Rego: Policy as code engine
- Snyk IaC: Infrastructure as Code security testing
Target Processes
- IaC Security Scanning Process
- Cloud Security Architecture Review
- DevSecOps Pipeline Integration
- Infrastructure Deployment Pipeline
- Compliance Continuous Monitoring
Input Schema
{
"type": "object",
"properties": {
"iacPath": {
"type": "string",
"description": "Path to IaC files or directory"
},
"iacType": {
"type": "string",
"enum": ["terraform", "cloudformation", "kubernetes", "pulumi", "arm", "ansible"],
"description": "Type of IaC to scan"
},
"scanners": {
"type": "array",
"items": {
"type": "string",
"enum": ["checkov", "tfsec", "kics", "terrascan", "snyk"]
},
"description": "Scanners to use"
},
"complianceFrameworks": {
"type": "array",
"items": {
"type": "string",
"enum": ["CIS", "NIST", "SOC2", "PCI-DSS", "HIPAA", "GDPR"]
}
},
"customPolicies": {
"type": "string",
"description": "Path to custom OPA/Rego policies"
},
"severityThreshold": {
"type": "string",
"enum": ["CRITICAL", "HIGH", "MEDIUM", "LOW"]
},
"excludePaths": {
"type": "array",
"items": { "type": "string" }
}
},
"required": ["iacPath", "iacType"]
}
Output Schema
{
"type": "object",
"properties": {
"scanId": {
"type": "string"
},
"iacPath": {
"type": "string"
},
"scanTimestamp": {
"type": "string",
"format": "date-time"
},
"summary": {
"type": "object",
"properties": {
"totalFiles": { "type": "integer" },
"filesScanned": { "type": "integer" },
"passedChecks": { "type": "integer" },
"failedChecks": { "type": "integer" },
"skippedChecks": { "type": "integer" }
}
},
"findings": {
"type": "array",
"items": {
"type": "object",
"properties": {
"checkId": { "type": "string" },
"severity": { "type": "string" },
"resourceType": { "type": "string" },
"resourceName": { "type": "string" },
"filePath": { "type": "string" },
"lineNumber": { "type": "integer" },
"description": { "type": "string" },
"remediation": { "type": "string" },
"complianceMapping": { "type": "array" }
}
}
},
"complianceReport": {
"type": "object"
},
"recommendations": {
"type": "array",
"items": { "type": "string" }
}
}
}
Usage Example
skill: {
name: 'iac-security-scanner',
context: {
iacPath: './infrastructure/terraform',
iacType: 'terraform',
scanners: ['checkov', 'tfsec'],
complianceFrameworks: ['CIS', 'SOC2'],
severityThreshold: 'MEDIUM'
}
}
Recommended Agent Skills
Expand your agent's capabilities with these related and highly-rated skills.
a5c-ai/babysitter
gsd-tools
Central utility skill for GSD operations. Provides config parsing, slug generation, timestamps, path operations, and orchestrates calls to other specialized skills. Acts as the unified entry point that the original gsd-tools.cjs provided via its lib/ modules (commands, config, core, init).
a5c-ai/babysitter
model-profile-resolution
Resolve model profile (quality/balanced/budget) at orchestration start and map agents to specific models. Enables cost/quality tradeoffs by selecting appropriate AI models for each agent role.
a5c-ai/babysitter
verification-suite
Plan structure validation, phase completeness checks, reference integrity verification, and artifact existence confirmation. Provides the structured verification layer ensuring GSD artifacts are well-formed and complete.
a5c-ai/babysitter
state-management
STATE.md reading, writing, and field-level updates. Provides cross-session state persistence via .planning/STATE.md with structured fields for current task, completed phases, blockers, decisions, and quick tasks.
a5c-ai/babysitter
git-integration
Git commit patterns, formats, and conventions for GSD methodology. Provides atomic commits per task, structured commit messages, planning file commits, branch management, and milestone tag operations.
a5c-ai/babysitter
frontmatter-parsing
YAML frontmatter parsing and manipulation for .planning/ documents. Provides read, write, update, query, and validation operations on frontmatter blocks in GSD markdown artifacts.
Didn't find tool you were looking for?