infra-security


Infrastructure-as-Code Security Scanner

This skill turns the model into a cloud security auditor. Read the IaC, find the dangerous misconfigurations, and report each one with a severity and a concrete fix. The analysis runs entirely against files on disk — no live cloud, no credentials, no apply.

The rules encode the consensus of the CIS Benchmarks, the AWS Well-Architected Framework, the Kubernetes Pod Security Standards, and the checks that tools like tfsec/trivy, checkov, kube-score, and cfn-nag ship, applied as a read of the source rather than as yet another scanner to wire into the pipeline.

How it works: two stages

This skill is deliberately split, the same way skill-security is.

  • Stage 1 — the scanner (deterministic, mechanical). scripts/scan.py does the fast, high-recall work: it walks the target, classifies each file by format, and runs line-oriented detectors for the misconfigurations that are unambiguous in text (0.0.0.0/0 on port 22, Action: "*", privileged: true, runAsUser: 0, a public-read S3 ACL). It is offline and dependency-free — pure Python standard library, no pip install, no hcl2, no pyyaml. It emits findings with file:line and a CI-friendly exit code.
  • Stage 2 — you (semantic, judgment). The scanner cannot reason about blast radius or compensating controls. You can. You read the flagged resources alongside the rest of the IaC and decide what the scanner cannot: is that 0.0.0.0/0 actually reachable, or fronted by a WAF? Does that wildcard IAM policy attach to an internet-facing instance, turning a P1 into a P0? Is the "missing" encryption set by a default elsewhere in the module? Stage 1 finds candidates; you confirm impact, suppress false positives, and catch the judgment-only misconfigs (least-privilege gaps, a missing resource, cross-resource chains) that no regex can see.
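The shape of the Stage 1 scanner, as an added example: this is not the skill's own scripts/scan.py, and the rule ids, severities, regexes and embedded sample files are this example's assumptions. It does the three things the bullet above describes with nothing but the standard library: classify by extension, run line-oriented detectors, and emit file:line findings plus a CI exit code. It goes one step beyond a pure single-line regex for the security-group case, because Terraform puts `from_port` and `cidr_blocks` on different lines: it carries the last port seen until the block closes, so 0.0.0.0/0 on 22 is rated above 0.0.0.0/0 on 443.

```python
import re
import sys
from collections import namedtuple
from pathlib import Path

Finding = namedtuple("Finding", "path line rule severity message")

# Classify each file by format from its extension; anything else is skipped.
FORMATS = {".tf": "tf", ".yaml": "yaml", ".yml": "yaml", ".json": "json"}
SEVERITY_RANK = {"LOW": 1, "MEDIUM": 2, "HIGH": 3, "CRITICAL": 4}

# Single-line detectors: (rule id, severity, formats, regex, message).
# Ids and severities are this example's own assumptions, not the project's.
LINE_RULES = [
    ("IAM_ACTION_WILDCARD", "HIGH", {"json", "yaml", "tf"},
     re.compile(r"(?i)\bactions?[\"']?\s*[:=]\s*\[?\s*[\"']\*[\"']"), 'IAM statement allows Action "*"'),
    ("S3_PUBLIC_ACL", "HIGH", {"tf"},
     re.compile(r'\bacl\s*=\s*"public-read(?:-write)?"'), "S3 bucket ACL grants public read"),
    ("K8S_PRIVILEGED", "HIGH", {"yaml"},
     re.compile(r"\bprivileged:\s*true\b"), "container runs privileged"),
    ("K8S_RUN_AS_ROOT", "MEDIUM", {"yaml"},
     re.compile(r"\brunAsUser:\s*0\b"), "container runs as UID 0"),
]

# Terraform spreads an ingress rule's port and CIDR over several lines, so the
# open-CIDR detector carries the last from_port seen until the block closes.
PORT_RE = re.compile(r"\bfrom_port\s*=\s*(\d+)")
OPEN_CIDR_RE = re.compile(r'\b(?:ipv6_)?cidr_blocks\s*=\s*\[[^\]]*"(?:0\.0\.0\.0/0|::/0)"')
ADMIN_PORTS = {"22", "3389", "0"}  # from_port 0 (protocol -1) means every port


def scan_text(path, text):
    """Run every applicable detector over one file's text; returns [Finding]."""
    fmt = FORMATS.get(Path(path).suffix.lower())
    if fmt is None:
        return []
    findings, last_port = [], None
    for lineno, line in enumerate(text.splitlines(), start=1):
        code = line.split("#", 1)[0]  # ignore trailing HCL/YAML comments
        for rule, sev, fmts, rx, msg in LINE_RULES:
            if fmt in fmts and rx.search(code):
                findings.append(Finding(path, lineno, rule, sev, msg))
        if fmt != "tf":
            continue
        if m := PORT_RE.search(code):
            last_port = m.group(1)
        if OPEN_CIDR_RE.search(code):
            if last_port in ADMIN_PORTS:
                findings.append(Finding(path, lineno, "SG_ADMIN_PORT_WORLD", "CRITICAL",
                                        f"port {last_port} reachable from any address"))
            else:
                findings.append(Finding(path, lineno, "SG_INGRESS_WORLD", "MEDIUM",
                                        f"ingress from any address (from_port={last_port})"))
        if code.rstrip().endswith("}"):
            last_port = None  # block closed: don't carry the port into the next rule
    return findings


def scan_path(root):
    """Walk a file or directory on disk and scan every file in it."""
    root = Path(root)
    files = [root] if root.is_file() else sorted(p for p in root.rglob("*") if p.is_file())
    return [f for p in files for f in scan_text(str(p), p.read_text(errors="replace"))]


def exit_code(findings, fail_on="HIGH"):
    """CI-friendly status: 1 if any finding is at or above the fail_on severity."""
    return int(any(SEVERITY_RANK[f.severity] >= SEVERITY_RANK[fail_on] for f in findings))


# Constructed sample inputs (not from any real repository) so the scanner runs offline.
SAMPLES = {
    "main.tf": (
        'resource "aws_security_group" "bastion" {\n'
        '  ingress {\n    from_port   = 22\n    cidr_blocks = ["0.0.0.0/0"]\n  }\n'
        '  ingress {\n    from_port   = 443\n    cidr_blocks = ["0.0.0.0/0"]\n  }\n}\n\n'
        'resource "aws_s3_bucket" "assets" {\n  acl = "public-read"\n}\n'
    ),
    "policy.json": '{"Statement": [{"Effect": "Allow", "Action": "*", "Resource": "*"}]}',
    "deploy.yaml": (
        "kind: Pod\nspec:\n  containers:\n  - name: app\n    securityContext:\n"
        "      privileged: true\n      runAsUser: 0\n"
    ),
}


def scan_samples():
    """Scan the embedded samples; same findings scan_path would give for them on disk."""
    return [f for name, text in SAMPLES.items() for f in scan_text(name, text)]


if __name__ == "__main__":
    results = scan_path(sys.argv[1]) if len(sys.argv) > 1 else scan_samples()
    for f in results:
        print(f"{f.path}:{f.line}: [{f.severity}] {f.rule}: {f.message}")
    sys.exit(exit_code(results))
```

Run it with a directory argument to scan real files, or with no argument to scan the embedded samples. Note what the regexes deliberately do not try to decide: whether the `public-read` ACL is on a bucket that also has a public-access block, or whether the 443 listener is behind a WAF. That is Stage 2's job.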

The scanner is high-recall rather than high-precision, on purpose: trust its file:line anchors, and apply your own judgment to severity and validity.

Mental model

Misconfiguration risk is exposure × blast radius, not a checklist tick.
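The exposure × blast radius model and the Stage 2 cross-resource reasoning described above, as an added example that is not part of the skill: the inventory of Terraform-like resources is constructed, and the scoring scales, the P0..P3 thresholds, and the `waf` attribute standing in for a compensating control are all this example's assumptions. It takes two Stage 1 candidates (an open security group and a wildcard policy), follows the references to the instances they actually attach to, and rates each instance by what can reach it times what its credentials can do; it also lists candidates that chain to nothing, which are real findings but carry no impact yet.

```python
# Constructed Terraform-like inventory: what Stage 2 reads after Stage 1 has flagged
# aws_security_group.ssh (0.0.0.0/0) and aws_iam_policy.admin (Action "*").
RESOURCES = {
    "aws_security_group.ssh": {"type": "aws_security_group",
                               "ingress": [{"from_port": 22, "cidr": "0.0.0.0/0"}]},
    "aws_security_group.web": {"type": "aws_security_group",
                               "ingress": [{"from_port": 443, "cidr": "0.0.0.0/0"}]},
    "aws_security_group.db": {"type": "aws_security_group",
                              "ingress": [{"from_port": 5432, "cidr": "10.0.0.0/8"}]},
    "aws_security_group.legacy": {"type": "aws_security_group",
                                  "ingress": [{"from_port": 8080, "cidr": "0.0.0.0/0"}]},
    "aws_iam_policy.admin": {"type": "aws_iam_policy", "actions": ["*"], "resources": ["*"]},
    "aws_iam_policy.s3ro": {"type": "aws_iam_policy", "actions": ["s3:GetObject"],
                            "resources": ["arn:aws:s3:::app-assets/*"]},
    "aws_iam_role.bastion": {"type": "aws_iam_role", "policies": ["aws_iam_policy.admin"]},
    "aws_iam_role.web": {"type": "aws_iam_role", "policies": ["aws_iam_policy.s3ro"]},
    "aws_instance.bastion": {"type": "aws_instance", "public_ip": True,
                             "sgs": ["aws_security_group.ssh"], "role": "aws_iam_role.bastion"},
    "aws_instance.web": {"type": "aws_instance", "public_ip": True, "waf": True,
                         "sgs": ["aws_security_group.web"], "role": "aws_iam_role.web"},
    "aws_instance.db": {"type": "aws_instance", "public_ip": False,
                        "sgs": ["aws_security_group.db"], "role": "aws_iam_role.bastion"},
}

WORLD = {"0.0.0.0/0", "::/0"}
ADMIN_PORTS = {0, 22, 3389}  # 0 = all ports


def exposure(inst, res):
    """Exposure 1-4: can an attacker on the internet reach this instance, and on what?"""
    open_ports = {r["from_port"] for sg in inst["sgs"]
                  for r in res[sg]["ingress"] if r["cidr"] in WORLD}
    if not open_ports or not inst.get("public_ip"):
        return 1, "no listener reachable from the internet"
    if open_ports & ADMIN_PORTS:
        return 4, f"admin port(s) {sorted(open_ports & ADMIN_PORTS)} open to the world"
    if inst.get("waf"):  # assumed compensating control, e.g. an ALB with a WAF in front
        return 2, f"port(s) {sorted(open_ports)} open to the world, fronted by a WAF"
    return 3, f"port(s) {sorted(open_ports)} open to the world, no WAF"


def blast_radius(inst, res):
    """Blast radius 0-3: what do the instance's credentials let the attacker do next?"""
    role = inst.get("role")
    if not role:
        return 0, "no IAM role attached"
    worst, why = 1, "scoped permissions only"
    for pid in res[role]["policies"]:
        pol = res[pid]
        if "*" in pol["actions"] and "*" in pol["resources"]:
            return 3, f"{pid} grants Action * on Resource * (full account admin)"
        if any(a == "*" or a.endswith(":*") for a in pol["actions"]):
            worst, why = 2, f"{pid} grants wildcard actions"
    return worst, why


def priority(score):
    """Map exposure x blast radius to a ticket priority (thresholds are assumptions)."""
    return "P0" if score >= 8 else "P1" if score >= 3 else "P2" if score >= 1 else "P3"


def assess(res):
    """Score every instance: {id: {exposure, blast, score, priority, reasons}}."""
    out = {}
    for rid, r in res.items():
        if r["type"] != "aws_instance":
            continue
        e, ewhy = exposure(r, res)
        b, bwhy = blast_radius(r, res)
        out[rid] = {"exposure": e, "blast": b, "score": e * b,
                    "priority": priority(e * b), "reasons": [ewhy, bwhy]}
    return out


def what_if(res, rid, **changes):
    """Re-score one instance with a compensating control (or its removal) applied."""
    patched = dict(res)
    patched[rid] = {**res[rid], **changes}
    return assess(patched)[rid]


def unattached(res):
    """Stage 1 candidates that chain to no instance: valid findings, but no impact yet."""
    instances = [r for r in res.values() if r["type"] == "aws_instance"]
    used_sgs = {sg for i in instances for sg in i["sgs"]}
    used_pols = {p for i in instances if i.get("role") for p in res[i["role"]]["policies"]}
    return sorted(rid for rid, r in res.items() if
                  (r["type"] == "aws_security_group" and rid not in used_sgs
                   and any(i["cidr"] in WORLD for i in r["ingress"]))
                  or (r["type"] == "aws_iam_policy" and rid not in used_pols
                      and "*" in r["actions"]))


if __name__ == "__main__":
    for rid, a in assess(RESOURCES).items():
        print(f"{a['priority']} {rid}: exposure {a['exposure']} x blast {a['blast']} = {a['score']}")
        for why in a["reasons"]:
            print(f"    - {why}")
    print("candidates with no attached instance (downgrade):", unattached(RESOURCES))
```

The same two Stage 1 candidates land at three different priorities depending on what they chain to: the admin policy on the internet-facing bastion with SSH open is a P0, the same policy on the private database host is a P1, and the open 443 listener behind a WAF with a read-only role is a P2. `what_if` is there for the compensating-control question: take the bastion's public IP away and it drops to P1; take the WAF away from the web tier and it rises to P1.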

First seen: Jun 4, 2026 (superagent-ai/skills)