tenet-infra-cloud
Install: claude install-skill inceptyon-labs/tenet-skills
# Tenet Infrastructure & Cloud
Audits source-controlled infrastructure configuration for cloud and platform risks. This complements `tenet-security` by focusing on deployed infrastructure boundaries rather than application code.
## Language Support Matrix
```yaml
support:
  native: [terraform, yaml, json, dockerfile]
  heuristic: [shell, markdown]
  skip: [typescript, javascript, python, go, rust, java]
```
## Toolchain Inputs
Prefer deterministic/static tool output when present:
- `.healthcheck/toolchain/tflint.json`
- `.healthcheck/toolchain/checkov.json`
- `.healthcheck/toolchain/tfsec.json`
- `.healthcheck/toolchain/kube_linter.json`
- `.healthcheck/toolchain/conftest.json`
## Procedure
### Step 0: Detect Applicability
Applicable when the repo contains Terraform, Pulumi, CloudFormation, Kubernetes manifests, Helm charts, Docker Compose, ECS/task definitions, or cloud deployment YAML.
If none exist, write `score: null`, `applicable: false`.
### Step 1: Public Exposure
Check for:
- `0.0.0.0/0`, `::/0`, public load balancers, public S3/storage buckets
- Kubernetes services of type `LoadBalancer` or ingress without host/TLS constraints
- Docker Compose `ports` exposing databases/cache publicly
Severity:
- `critical`: databases, admin panels, object storage, or internal services exposed publicly
- `major`: broad public ingress on app services without TLS/auth evidence
- `minor`: overly broad egress or management ports in dev-only configs
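As an added example (not part of the skill itself), a minimal Python check for the first bullet of Step 1 applied to `aws_security_group_rule` blocks: rules open to `0.0.0.0/0` or `::/0` are mapped onto the severity tiers above (database-port ingress is critical, other ingress major, broad egress minor). The sample HCL, the port list and the regex-based block parsing are constructed assumptions; a real run would read the tfsec/checkov output listed under Toolchain Inputs or `terraform show -json` instead of raw text.

```python
import re

# Constructed Terraform sample (not from any real repository): one rule per severity tier.
TERRAFORM = '''
resource "aws_security_group_rule" "db_in" {
  type        = "ingress"
  from_port   = 5432
  to_port     = 5432
  cidr_blocks = ["0.0.0.0/0"]
}
resource "aws_security_group_rule" "https_in" {
  type        = "ingress"
  from_port   = 443
  to_port     = 443
  cidr_blocks = ["0.0.0.0/0"]
}
resource "aws_security_group_rule" "egress_all" {
  type             = "egress"
  from_port        = 0
  to_port          = 0
  ipv6_cidr_blocks = ["::/0"]
}
'''
# Ports of common databases and caches (assumed list); a public listener here is the "critical" tier.
DB_PORTS = {5432, 3306, 1433, 6379, 27017, 9200}
ANY_CIDR = re.compile(r'"(0\.0\.0\.0/0|::/0)"')
RULE_BLOCK = re.compile(r'resource\s+"aws_security_group_rule"\s+"(\w+)"\s*\{(.*?)\}', re.S)

def audit_terraform_sg(hcl):
    """Return (severity, message) for each rule whose CIDR list is the whole Internet."""
    findings = []
    for name, body in RULE_BLOCK.findall(hcl):
        if not ANY_CIDR.search(body):
            continue                      # scoped CIDR: not a public-exposure finding
        direction = re.search(r'type\s*=\s*"(\w+)"', body).group(1)
        port = int(m.group(1)) if (m := re.search(r"from_port\s*=\s*(\d+)", body)) else 0
        if direction == "egress":
            sev = "minor"                 # overly broad egress
        elif port in DB_PORTS:
            sev = "critical"              # database reachable from anywhere
        else:
            sev = "major"                 # broad public ingress on an app port, no TLS/auth evidence
        findings.append((sev, f"{name}: {direction} port {port} open to 0.0.0.0/0 or ::/0"))
    return findings

if __name__ == "__main__":
    for sev, msg in audit_terraform_sg(TERRAFORM):
        print(f"[{sev}] {msg}")
```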
### Step 2: IAM and Secret