
iac-security · listed

IaC misconfig scanning and cloud-aware review for Terraform, CloudFormation, Ansible and Pulumi. Covers tool orchestration (checkov/tfsec/kics/cfn-nag), policy-as-code (OPA/Conftest), CIS benchmark mapping, IAM over-permission detection, drift monitoring.
roodlicht/accans-sec-skills · ★ 4 · DevOps & Infrastructure · score 65
Install: claude install-skill roodlicht/accans-sec-skills
# IaC Security

## When to use

This skill reviews Infrastructure-as-Code for misconfigurations: over-broad IAM, public storage, missing encryption, open security groups, logging turned off. It leans on the cloud providers' best practices plus the CIS benchmarks and orchestrates the common scanners.

Activates on:

- A request like "scan this Terraform for misconfigs", "checkov on our CloudFormation template", "is this S3 bucket policy OK", "review our Pulumi stack", "write a Conftest policy".
- New or modified IaC files: `*.tf`, `*.tfvars`, `*.hcl`, CloudFormation `*.yaml`/`*.json` templates, Ansible `playbook.yml`, `roles/`, Pulumi `Pulumi.yaml` plus `__main__.py`/`index.ts`.
- A compliance audit (ISO/SOC2/NIS2) that asks for cloud-control evidence.
- A handoff from `security-review` phase 3 where IaC sits in the diff.
- A drift suspicion: "is prod drifting from the Terraform state?".

### When NOT to use (handoff)

- Kubernetes manifests and Helm charts → `k8s-security`. Even though it is IaC, K8s is its own world with its own tools.
- Dockerfile hardening → `container-hardening`. Image content belongs there; image-registry IAM belongs here.
- CI pipeline hardening (the workflow that runs `terraform apply`) → `cicd-hardening`. Overlap: which credentials are obtained via OIDC is mentioned here.
- Secrets in IaC files → `secrets-scanner`. Scan IaC with that skill before continuing here.
- Per-CVE triage on Terraform providers or modules → `cve-triage`.
- Cloud-runtime misconfig that does not come from IaC (manual console ch