
iac-container-security

Audit infrastructure-as-code and container security including Terraform/OpenTofu/Pulumi configurations, Dockerfile hardening, Kubernetes manifests, base image hygiene, container scanning, secrets in IaC, IAM policies, network exposure, and runtime security context. Multi-cloud (AWS, GCP, Azure). Use this skill whenever the user asks about Terraform security, tfsec, Checkov, Trivy, Dockerfile hardening, distroless images, k8s securityContext, network policies, IAM least privilege, IaC secret scanning, or 'audit my infrastructure'. Trigger on phrases like 'scan my Dockerfile', 'review my Terraform', 'audit my k8s manifests', 'harden my containers', 'IaC security', 'base image hygiene', 'container CVEs', 'trivy scan'. Use this even when only one IaC layer is mentioned.
hlsitechio/claude-skills-security · ★ 1 · DevOps & Infrastructure · score 67
Install: claude install-skill hlsitechio/claude-skills-security
# IaC and Container Security Audit

Audit infrastructure-as-code repositories and container images for security issues that compromise deployments. Defensive find-and-fix.

## When this skill applies

- Reviewing Terraform / OpenTofu / Pulumi / CloudFormation / ARM templates
- Hardening a Dockerfile or reviewing built container images
- Reviewing Kubernetes manifests (Deployments, Services, NetworkPolicies, RBAC)
- Auditing IAM policies for least-privilege violations
- Interpreting output from tfsec, Checkov, Trivy, kubesec, kube-bench
- Reviewing cloud configuration drift (actual cloud state vs IaC)

Use other skills for: workflow/CI security (`github-supply-chain`), app-layer concerns (`saas-code-security-review`, `saas-api-security`).

## Workflow

Follow `../_shared/audit-workflow.md`. IaC-specific notes below.

### Phase 1: Scope confirmation

- Which IaC tools (Terraform, Pulumi, CDK, CloudFormation, Bicep, Helm)?
- Which container runtime (Docker, containerd, ECS, k8s, Cloud Run, App Runner)?
- Which cloud(s)?
- Is the IaC the source of truth, or is config drift expected?

### Phase 2: Inventory

```bash
# IaC files
find . -name '*.tf' -o -name '*.tfvars' \
  -o -name 'Pulumi.yaml' -o -name '*.bicep' \
  -o -name 'cloudformation*.yml' -o -name 'cloudformation*.yaml' \
  -o -name 'Dockerfile*' -o -name 'docker-compose*.yml' \
  -o -path '*/k8s/*.yaml' -o -path '*/manifests/*.yaml' \
  | grep -v node_modules

# Run security scanners (read-only)
trivy fs --severity HIGH,CRI
```
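As an added illustration of the Dockerfile-hardening checks the skill description lists (mutable base tags, secrets in ARG/ENV, ADD versus COPY, running as root), here is a small Python checker. It is example code written for this listing, not part of the skill, and the sample Dockerfile it audits is constructed.

```python
import re
# Constructed sample Dockerfile (not from the skill page) showing several common weaknesses.
SAMPLE_DOCKERFILE = """FROM node:latest
ARG NPM_TOKEN=abc123
ENV API_KEY=supersecret
ADD https://example.com/app.tar.gz /app/
RUN npm ci \\
    && npm cache clean --force
CMD ["node", "server.js"]
"""
# ARG and ENV values persist in image history/metadata, so credential-like names are findings.
SECRET_NAME = re.compile(r"TOKEN|SECRET|PASSWORD|API_KEY|PRIVATE_KEY", re.IGNORECASE)

def instructions(text):
    """Yield (line_no, INSTRUCTION, args) with backslash continuations merged."""
    buf, start = [], 0
    for n, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        start = start if buf else n
        if line.endswith("\\"):
            buf.append(line[:-1].rstrip())
            continue
        buf.append(line)
        instr, _, args = " ".join(buf).partition(" ")
        buf = []
        yield start, instr.upper(), args.strip()

def audit_dockerfile(text):
    """Return (rule, line_no, detail) findings for the hardening gaps a reviewer checks first."""
    findings, user_set = [], False
    for n, instr, args in instructions(text):
        if instr == "FROM":
            image = next(t for t in args.split() if not t.startswith("--"))  # skip --platform=...
            ref = image.rsplit("/", 1)[-1]  # drop registry/namespace so a registry port is not read as a tag
            if image != "scratch" and "@sha256:" not in image and (":" not in ref or ref.endswith(":latest")):
                findings.append(("mutable-base-image", n, image))
            user_set = False  # each stage starts as root; only the final stage's USER matters
        elif instr == "USER":
            user_set = args.split(":")[0] not in ("root", "0")
        elif instr in ("ARG", "ENV"):
            name = re.split(r"[=\s]", args, 1)[0]
            if SECRET_NAME.search(name):
                findings.append(("secret-in-build-metadata", n, name))
        elif instr == "ADD":  # ADD fetches URLs and auto-extracts archives; COPY is the safe default
            findings.append(("add-instead-of-copy", n, args.split()[0]))
    if not user_set:
        findings.append(("runs-as-root", 0, "no non-root USER in final stage"))
    return findings
```

Pinning by digest (`image@sha256:...`) is stronger than a version tag; the tag check here only catches the missing-tag and `:latest` cases.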