Claude-skill-registry iac-scanner

Scans Infrastructure as Code for security misconfigurations. Wraps tfsec for Terraform and Checkov for multi-cloud IaC. Use when user asks to "scan Terraform", "IaC security", "infrastructure scan", "tfsec", "checkov", "Terraformセキュリティ", "インフラスキャン".

install
source · Clone the upstream repo
git clone https://github.com/majiayu000/claude-skill-registry
Claude Code · Install into ~/.claude/skills/
T=$(mktemp -d) && git clone --depth=1 https://github.com/majiayu000/claude-skill-registry "$T" && mkdir -p ~/.claude/skills && cp -r "$T/skills/data/iac-scanner" ~/.claude/skills/majiayu000-claude-skill-registry-iac-scanner && rm -rf "$T"
manifest: skills/data/iac-scanner/SKILL.md
source content

IaC Scanner

Wrapper for tfsec and Checkov to scan Infrastructure as Code.

Prerequisites

# tfsec (Terraform focused)
brew install tfsec
# or
go install github.com/aquasecurity/tfsec/cmd/tfsec@latest

# Checkov (multi-cloud)
pip install checkov
# or
brew install checkov

Usage

# Scan with auto-detection
npx iac-scanner .

# Force specific scanner
npx iac-scanner . --scanner tfsec
npx iac-scanner . --scanner checkov

# JSON output
npx iac-scanner . --json

# Check available scanners
npx iac-scanner --check

# Scan specific framework
npx iac-scanner . --framework terraform
npx iac-scanner . --framework kubernetes
npx iac-scanner . --framework cloudformation

Supported Frameworks

Scanner   Frameworks
tfsec     Terraform
Checkov   Terraform, CloudFormation, Kubernetes, ARM, Serverless, Helm

Output Format

{
  "tool": "tfsec",
  "scanPath": ".",
  "scanDate": "2024-01-15T10:30:00Z",
  "findings": [
    {
      "id": "aws-s3-enable-bucket-encryption",
      "severity": "high",
      "message": "Bucket does not have encryption enabled",
      "resource": "aws_s3_bucket.data",
      "file": "main.tf",
      "line": 15,
      "resolution": "Enable bucket encryption"
    }
  ],
  "summary": {
    "total": 5,
    "critical": 1,
    "high": 2,
    "medium": 1,
    "low": 1
  }
}

Common Misconfigurations

Category        Example
Encryption      S3 bucket without encryption
Access Control  Public S3 bucket, open security groups
Logging         Missing CloudTrail, no access logs
Network         VPC without flow logs, open CIDR
IAM             Overly permissive policies, wildcard actions
Secrets         Hardcoded credentials in config

Exit Codes

  • 0: No issues found
  • 1: Issues detected
  • 2: Tool not installed or error