iac-security-scanner
Audit Terraform, CloudFormation, and Pulumi files for security risks, cost leaks, and compliance gaps.
- Fix public S3 buckets and open SSH ports before they are deployed
- Identify wildcard IAM permissions that violate the principle of least privilege
- Generate HCL/YAML patches to enable encryption for RDS and EBS volumes
$12
One-time purchase
Included in download
- Fix public S3 buckets and open SSH ports before they are deployed
- Identify wildcard IAM permissions that violate the principle of least privilege
- file_read automation included
- Includes example output and usage patterns
See it in action
# IaC Audit Report
- Files in scope: 3
- Total findings: 2 (Critical: 1, High: 1)
- Finding #1: Critical (Public Exposure)
  - Location: main.tf:22 (aws_db_instance.main)
  - Issue: publicly_accessible = true
  - Patch:
    - publicly_accessible = true
    + publicly_accessible = false
About This Skill
Pre-Deployment Cloud Infrastructure Auditing
The iac-security-scanner skill is a specialized tool for developers and DevOps engineers to audit Infrastructure-as-Code (IaC) files before deployment. It identifies critical misconfigurations, security vulnerabilities, and cost inefficiencies across AWS, GCP, and Azure providers.
What it does
The skill performs deep static analysis on your source files to detect risks in six key areas:
- Network Exposure: Open ports (SSH/RDP) and overly broad ingress/egress rules.
- Identity & Access: Hardcoded keys, wildcard IAM permissions, and overly permissive trust relationships.
- Encryption: Missing at-rest or in-transit encryption for storage, databases, and load balancers.
- Public Exposure: S3 buckets or RDS instances accidentally exposed to the public internet.
- Cost Management: Over-provisioned instance types and missing lifecycle policies.
- Governance: Missing mandatory tags for environment, owner, and cost center.
Why use this skill
Unlike simple linting or generic prompting, this skill understands the complex relationships between resources in frameworks like Terraform, CloudFormation, Pulumi, and AWS CDK. It doesn't just find problems; it provides severity-rated reports and concrete code patches (diffs) that you can apply immediately to secure your infrastructure.
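As an added illustration, not the skill's own code (the page does not show its implementation), here is a small Python line scanner that covers three of the six areas listed above (Public Exposure, Encryption, Network Exposure) on a constructed Terraform sample and renders findings in the same layout as the sample report. The regexes, the ADMIN_PORTS table and the placeholder admin CIDR in the patch are my own assumptions.

```python
import re

# Constructed Terraform sample (not from the product page) with three misconfigurations.
SAMPLE_TF = """\
resource "aws_db_instance" "main" {
  publicly_accessible = true
  storage_encrypted   = false
}
resource "aws_security_group" "bastion" {
  ingress {
    from_port   = 22
    cidr_blocks = ["0.0.0.0/0"]
  }
}
"""
RESOURCE_RE = re.compile(r'^resource\s+"([^"]+)"\s+"([^"]+)"')
ATTR_RE = re.compile(r'^\s*(\w+)\s*=\s*(.+?)\s*$')
ADMIN_PORTS = {"22": "SSH", "3389": "RDP"}  # assumed admin-port table

def scan(hcl, filename="main.tf"):
    """Line scan; returns (severity, category, location, issue, patch). Assumes from_port precedes cidr_blocks."""
    findings, resource, from_port = [], "?", None
    for n, line in enumerate(hcl.splitlines(), 1):
        if m := RESOURCE_RE.match(line):          # new resource block: reset per-block state
            resource, from_port = f"{m.group(1)}.{m.group(2)}", None
        elif m := ATTR_RE.match(line):
            key, val = m.groups()
            loc, issue = f"{filename}:{n} ({resource})", line.strip()
            if key == "publicly_accessible" and val == "true":
                findings.append(("Critical", "Public Exposure", loc, issue, "publicly_accessible = false"))
            elif key == "storage_encrypted" and val == "false":
                findings.append(("High", "Encryption", loc, issue, "storage_encrypted = true"))
            elif key == "from_port":
                from_port = val
            elif key == "cidr_blocks" and "0.0.0.0/0" in val and from_port in ADMIN_PORTS:
                findings.append(("High", "Network Exposure", loc,
                                 f"{ADMIN_PORTS[from_port]} port {from_port} open to 0.0.0.0/0",
                                 'cidr_blocks = ["<admin CIDR>"]'))  # placeholder: restrict to a trusted range
    return findings

def report(findings, files_in_scope=1):
    """Render in the one-line-per-field layout of the listing's sample report."""
    crit = sum(1 for f in findings if f[0] == "Critical")
    out = ["# IaC Audit Report", f"- Files in scope: {files_in_scope}",
           f"- Total findings: {len(findings)} (Critical: {crit}, High: {len(findings) - crit})"]
    for i, (sev, cat, loc, issue, patch) in enumerate(findings, 1):
        out += [f"- Finding #{i}: {sev} ({cat})", f"  - Location: {loc}",
                f"  - Issue: {issue}", f"  - Patch: - {issue} + {patch}"]
    return "\n".join(out)
```

Running `print(report(scan(SAMPLE_TF)))` lists three findings; a real scanner would additionally need a proper HCL parser so that attribute order and nested blocks do not matter.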
Supported Ecosystems
Works with Terraform (.tf), CloudFormation (YAML/JSON), Pulumi (TypeScript/Python/Go), and AWS CDK. It targets AWS, GCP, and Azure resources to ensure multi-cloud posture management.
Use Cases
- Fix public S3 buckets and open SSH ports before they are deployed
- Identify wildcard IAM permissions that violate the principle of least privilege
- Generate HCL/YAML patches to enable encryption for RDS and EBS volumes
- Estimate monthly cost savings by identifying over-provisioned instance types
How to Install
mkdir -p ~/.claude/skills && curl -sL https://www.agensi.io/api/install/iac-security-scanner | tar xz -C ~/.claude/skills/
Free skills install directly. Paid skills require purchase - use the download button above after buying.
Security Scanned
Passed automated security review
Permissions
Reads IaC source files and produces an audit report with severity-rated findings and patched code. Does not access cloud accounts, does not query deployed resources, does not run plan/synth/preview. The user reviews patches and applies them through their normal IaC workflow.