claude-code-plugins-plus-skills: checking-infrastructure-compliance
Install
Source: clone the upstream repo
git clone https://github.com/jeremylongshore/claude-code-plugins-plus-skills
Claude Code: install into ~/.claude/skills/
T=$(mktemp -d) && git clone --depth=1 https://github.com/jeremylongshore/claude-code-plugins-plus-skills "$T" && mkdir -p ~/.claude/skills && cp -r "$T/plugins/devops/compliance-checker/skills/checking-infrastructure-compliance" ~/.claude/skills/jeremylongshore-claude-code-plugins-plus-skills-checking-infrastructure-complian-08a09d && rm -rf "$T"
Manifest: plugins/devops/compliance-checker/skills/checking-infrastructure-compliance/SKILL.md
Source content
Checking Infrastructure Compliance
Overview
Audit infrastructure configurations against compliance frameworks (CIS Benchmarks, SOC 2, HIPAA, PCI-DSS, GDPR) using policy-as-code tools like Open Policy Agent (OPA), Checkov, and tfsec. Generate compliance reports, identify violations, and produce remediation plans for Terraform, Kubernetes, and cloud provider configurations.
Prerequisites
- Policy-as-code tool installed: `checkov`, `tfsec`, `opa`, or `kube-bench`
- Infrastructure-as-code files (Terraform, CloudFormation, Kubernetes manifests) in the project
- Cloud provider CLI authenticated with read access to resources
- Compliance framework requirements documented (CIS, SOC 2, HIPAA, PCI-DSS)
- `jq` for parsing JSON policy outputs
Instructions
- Identify the applicable compliance framework(s) based on industry and data classification
- Scan Terraform files with `checkov -d .` or `tfsec .` to detect misconfigurations
- Scan Kubernetes manifests for security issues: missing resource limits, privileged containers, missing network policies
- Validate IAM policies for least-privilege violations using cloud-native tools (`aws iam access-analyzer`)
- Check encryption at rest and in transit: verify S3 bucket encryption, database TLS, and EBS volume encryption
- Audit logging configurations: confirm CloudTrail/Cloud Audit Logs are enabled and sent to immutable storage
- Generate a compliance report mapping each finding to the relevant control (e.g., CIS AWS 2.1.1)
- Produce remediation Terraform/YAML patches for each violation with severity ranking (Critical, High, Medium, Low)
- Set up CI/CD integration so compliance checks block merges on Critical/High violations
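The report and gating steps above, worked through as an added example that is not part of this skill or of Checkov: a script that reads Checkov's JSON output, maps each failed check to a framework control with a severity, renders the Markdown report, and returns a block/allow decision for the CI gate. The Checkov check IDs are from Checkov's public catalogue; the control mapping and severities in `CONTROL_MAP`, the `CKV_AWS_999` placeholder ID, and the sample scanner output are assumptions constructed for the example and must be confirmed against the benchmark version your organisation adopts.

```python
"""Turn Checkov JSON output into a control-mapped compliance report and a
CI merge gate that blocks on Critical/High findings.

Added example; not part of the skill or of Checkov. The mapping below is
illustrative: confirm control IDs and severities against the benchmark
version you actually adopt.
"""
import json
import sys
from collections import Counter

# Assumed mapping: Checkov check ID -> (framework control, title, severity).
CONTROL_MAP = {
    "CKV_AWS_19": ("CIS AWS 2.1.1", "S3 bucket encrypted at rest", "High"),
    "CKV_AWS_79": ("CIS AWS 5.6", "EC2 instance requires IMDSv2", "High"),
    "CKV_AWS_24": ("CIS AWS 5.2", "No 0.0.0.0/0 ingress to port 22", "Critical"),
}
SEVERITY_ORDER = ["Critical", "High", "Medium", "Low"]

# Constructed sample shaped like `checkov -d . -o json` output, trimmed to
# the fields this script reads; not output from a real scan. CKV_AWS_999 is
# a placeholder ID used only to exercise the unmapped-check path.
SAMPLE_CHECKOV_JSON = json.dumps({
    "check_type": "terraform",
    "results": {
        "passed_checks": [
            {"check_id": "CKV_AWS_18", "resource": "aws_s3_bucket.logs",
             "file_path": "/s3.tf", "file_line_range": [1, 6]},
        ],
        "failed_checks": [
            {"check_id": "CKV_AWS_19", "resource": "aws_s3_bucket.data",
             "file_path": "/s3.tf", "file_line_range": [8, 14]},
            {"check_id": "CKV_AWS_79", "resource": "aws_instance.web",
             "file_path": "/ec2.tf", "file_line_range": [10, 24]},
            {"check_id": "CKV_AWS_24", "resource": "aws_security_group.ssh",
             "file_path": "/sg.tf", "file_line_range": [3, 15]},
            {"check_id": "CKV_AWS_999", "resource": "aws_thing.example",
             "file_path": "/misc.tf", "file_line_range": [1, 2]},
        ],
    },
})


def _reports(raw_json):
    """Checkov emits one report object for a single framework and a list of
    report objects when several frameworks are scanned in one run."""
    data = json.loads(raw_json)
    return data if isinstance(data, list) else [data]


def parse_findings(raw_json):
    """Flatten failed checks into findings tagged with control and severity,
    sorted most severe first. Unmapped checks default to Medium so that a
    gap in CONTROL_MAP never silently drops a finding."""
    findings = []
    for report in _reports(raw_json):
        for check in report.get("results", {}).get("failed_checks", []):
            control, title, severity = CONTROL_MAP.get(
                check["check_id"], ("UNMAPPED", check["check_id"], "Medium"))
            line = check.get("file_line_range", ["?"])[0]
            findings.append({
                "check_id": check["check_id"],
                "control": control,
                "title": title,
                "severity": severity,
                "resource": check.get("resource", "?"),
                "location": f"{check.get('file_path', '?')}:{line}",
            })
    findings.sort(key=lambda f: SEVERITY_ORDER.index(f["severity"]))
    return findings


def passed_count(raw_json):
    """Number of checks that passed across all reports."""
    return sum(len(r.get("results", {}).get("passed_checks", []))
               for r in _reports(raw_json))


def should_block_merge(findings, blocking=("Critical", "High")):
    """CI gate: True when any finding sits at a blocking severity."""
    return any(f["severity"] in blocking for f in findings)


def render_report(findings, passed):
    """Markdown report with one control-mapping row per finding."""
    counts = Counter(f["severity"] for f in findings)
    lines = [
        "# Compliance report", "",
        f"Passed checks: {passed}  Failed checks: {len(findings)}",
        "Failed by severity: " + ", ".join(
            f"{s}={counts.get(s, 0)}" for s in SEVERITY_ORDER), "",
        "| Severity | Control | Finding | Resource | Location |",
        "|---|---|---|---|---|",
    ]
    for f in findings:
        lines.append(f"| {f['severity']} | {f['control']} | {f['title']} "
                     f"| {f['resource']} | {f['location']} |")
    return "\n".join(lines)


if __name__ == "__main__":
    # Usage: python gate.py results.json   (falls back to the sample)
    raw = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_CHECKOV_JSON
    found = parse_findings(raw)
    print(render_report(found, passed_count(raw)))
    sys.exit(1 if should_block_merge(found) else 0)
```

The non-zero exit when a Critical or High finding is present is what makes the pipeline step a gate: wire the script after `checkov -d . -o json` and let the job fail on exit status 1. Keeping unmapped checks at Medium rather than discarding them means a new Checkov rule shows up in the report immediately, even before someone has assigned it a control.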
Output
- Compliance scan results in JSON/SARIF format for CI integration
- Markdown compliance report with control mappings and pass/fail status
- Remediation code patches (Terraform diffs, Kubernetes manifest updates)
- OPA/Rego policy files for custom organizational rules
- CI/CD pipeline step configuration for automated compliance gating
Error Handling
| Error | Cause | Solution |
|---|---|---|
| | Scanner run from wrong directory | Specify path explicitly with |
| | Syntax error in Terraform files | Run first to fix HCL syntax before compliance scan |
| | Rule too broad for the specific use case | Add inline skip comments () or create a skip list |
| | Rego syntax error or missing input data | Test policies with and validate Rego syntax |
| | Too many files or complex module references | Use mode, scan directories individually, or increase timeout limits |
Examples
- "Run a CIS Benchmark compliance check against all Terraform files and generate a report with remediation steps for Critical findings."
- "Create OPA policies that enforce: all S3 buckets must have encryption, all EC2 instances must have IMDSv2, and all security groups must not allow 0.0.0.0/0 ingress."
- "Scan Kubernetes manifests for PCI-DSS compliance: verify no privileged containers, all pods have resource limits, and network policies exist for every namespace."
Resources
- Checkov: https://www.checkov.io/
- tfsec: https://aquasecurity.github.io/tfsec/
- Open Policy Agent: https://www.openpolicyagent.org/docs/latest/
- CIS Benchmarks: https://www.cisecurity.org/cis-benchmarks
- kube-bench (CIS for Kubernetes): https://github.com/aquasecurity/kube-bench