implementing-infrastructure-as-code-security-scanning

Featured

This skill covers implementing automated security scanning for Infrastructure as Code (IaC) templates using tools like Checkov, tfsec, and KICS. It addresses detecting misconfigurations in Terraform, CloudFormation, Kubernetes manifests, and Helm charts before deployment, establishing policy-based governance, and integrating IaC scanning into CI/CD pipelines to prevent insecure cloud resource provisioning.

DevOps & Infrastructure 13,115 stars 1533 forks Updated today Apache-2.0


Quality Score: 99/100

| Criterion     | Weight | Score |
|---------------|--------|-------|
| Stars         | 20%    | 100   |
| Recency       | 20%    | 100   |
| Frontmatter   | 20%    | 70    |
| Documentation | 15%    | 100   |
| Issue Health  | 10%    | 50    |
| License       | 10%    | 100   |
| Description   | 5%     | 100   |

Skill Content

# Implementing Infrastructure as Code Security Scanning

## When to Use

- When provisioning cloud infrastructure with Terraform, CloudFormation, or Pulumi and needing automated security validation
- When compliance frameworks require evidence of infrastructure configuration review before deployment
- When preventing common cloud misconfigurations like public S3 buckets, open security groups, or unencrypted storage
- When establishing guardrails that block insecure infrastructure changes in pull requests
- When managing multi-cloud environments requiring consistent security policies across AWS, Azure, and GCP

**Do not use** for scanning application source code (use SAST), for monitoring already-deployed infrastructure drift (use cloud security posture management tools), or for container image vulnerability scanning (use Trivy).

## Prerequisites

- Checkov v3.x installed (`pip install checkov`) or tfsec installed
- Terraform, CloudFormation, or Kubernetes IaC files in the repository
- CI/CD pipeline with access to IaC directories
- Bridgecrew API key (optional, for Checkov platform integration)

## Workflow

### Step 1: Run Checkov Against Terraform Files

```bash
# Scan all Terraform files in a directory
checkov -d ./terraform/ --framework terraform --output cli --output json --output-file-path ./results

# Scan a specific file
checkov -f main.tf --output json

# Scan a Terraform plan (more accurate for dynamic values)
terraform init && terraform plan -out=tfplan
terraform show...
```

Details

- Author: mukul975
- Repository: mukul975/Anthropic-Cybersecurity-Skills
- Created: 3 months ago
- Last Updated: today
- Language: Python
- License: Apache-2.0

Similar Skills

Semantically similar based on skill content — not just same category

iac-checkov (DevOps & Infrastructure, Solid)

Infrastructure as Code (IaC) security scanning using Checkov with 750+ built-in policies for Terraform, CloudFormation, Kubernetes, Dockerfile, and ARM templates. Use when: (1) Scanning IaC files for security misconfigurations and compliance violations, (2) Validating cloud infrastructure against CIS, PCI-DSS, HIPAA, and SOC2 benchmarks, (3) Detecting secrets and hardcoded credentials in IaC, (4) Implementing policy-as-code in CI/CD pipelines, (5) Generating compliance reports with remediation guidance for cloud security posture management.

335 stars, updated today, by aiskillstore
auditing-terraform-infrastructure-for-security (DevOps & Infrastructure, Featured)

Auditing Terraform infrastructure-as-code for security misconfigurations using Checkov, tfsec, Terrascan, and OPA/Rego policies to detect overly permissive IAM policies, public resource exposure, missing encryption, and insecure defaults before cloud deployment.

13,115 stars, updated today, by mukul975
iac-security (DevOps & Infrastructure, Listed)

IaC misconfig scanning and cloud-aware review for Terraform, CloudFormation, Ansible and Pulumi. Covers tool orchestration (checkov/tfsec/kics/cfn-nag), policy-as-code (OPA/Conftest), CIS benchmark mapping, IAM over-permission detection, drift monitoring.

4 stars, updated 1 week ago, by roodlicht
iac-container-security (DevOps & Infrastructure, Listed)

Audit infrastructure-as-code and container security including Terraform/OpenTofu/Pulumi configurations, Dockerfile hardening, Kubernetes manifests, base image hygiene, container scanning, secrets in IaC, IAM policies, network exposure, and runtime security context. Multi-cloud (AWS, GCP, Azure). Use this skill whenever the user asks about Terraform security, tfsec, Checkov, Trivy, Dockerfile hardening, distroless images, k8s securityContext, network policies, IAM least privilege, IaC secret scanning, or 'audit my infrastructure'. Trigger on phrases like 'scan my Dockerfile', 'review my Terraform', 'audit my k8s manifests', 'harden my containers', 'IaC security', 'base image hygiene', 'container CVEs', 'trivy scan'. Use this even when only one IaC layer is mentioned.

1 star, updated 1 week ago, by hlsitechio
iac-security-scanner (DevOps & Infrastructure, Solid)

Infrastructure as Code security scanning and policy enforcement for Terraform, CloudFormation, Kubernetes, and Pulumi.

1,160 stars, updated today, by a5c-ai