AgentSkillsCN

iac-scanner

Scans Infrastructure as Code for security misconfigurations. Wraps tfsec for Terraform and Checkov for multi-cloud IaC. Use when the user asks to "scan Terraform", "IaC security", "infrastructure scan", "tfsec", "checkov", "Terraform security", "infrastructure scan".

SKILL.md
---
name: iac-scanner
description: Scans Infrastructure as Code for security misconfigurations. Wraps tfsec for Terraform and Checkov for multi-cloud IaC. Use when user asks to "scan Terraform", "IaC security", "infrastructure scan", "tfsec", "checkov", "Terraformセキュリティ", "インフラスキャン".
---

IaC Scanner

Wrapper for tfsec and Checkov to scan Infrastructure as Code.

Prerequisites

```bash
# tfsec (Terraform focused)
brew install tfsec
# or
go install github.com/aquasecurity/tfsec/cmd/tfsec@latest

# Checkov (multi-cloud)
pip install checkov
# or
brew install checkov
```

Usage

```bash
# Scan with auto-detection
npx iac-scanner .

# Force specific scanner
npx iac-scanner . --scanner tfsec
npx iac-scanner . --scanner checkov

# JSON output
npx iac-scanner . --json

# Check available scanners
npx iac-scanner --check

# Scan specific framework
npx iac-scanner . --framework terraform
npx iac-scanner . --framework kubernetes
npx iac-scanner . --framework cloudformation
```

Supported Frameworks

| Scanner | Frameworks |
|---------|------------|
| tfsec   | Terraform |
| Checkov | Terraform, CloudFormation, Kubernetes, ARM, Serverless, Helm |

Output Format

```json
{
  "tool": "tfsec",
  "scanPath": ".",
  "scanDate": "2024-01-15T10:30:00Z",
  "findings": [
    {
      "id": "aws-s3-enable-bucket-encryption",
      "severity": "high",
      "message": "Bucket does not have encryption enabled",
      "resource": "aws_s3_bucket.data",
      "file": "main.tf",
      "line": 15,
      "resolution": "Enable bucket encryption"
    }
  ],
  "summary": {
    "total": 5,
    "critical": 1,
    "high": 2,
    "medium": 1,
    "low": 1
  }
}
```

Common Misconfigurations

| Category | Example |
|----------|---------|
| Encryption | S3 bucket without encryption |
| Access Control | Public S3 bucket, open security groups |
| Logging | Missing CloudTrail, no access logs |
| Network | VPC without flow logs, open CIDR |
| IAM | Overly permissive policies, wildcard actions |
| Secrets | Hardcoded credentials in config |

Exit Codes

  • 0: No issues found
  • 1: Issues detected
  • 2: Tool not installed or error
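The following is an added example, not code from the iac-scanner skill itself, showing how the raw output of the two wrapped scanners could be normalized into the report shape from the Output Format section and mapped onto the exit codes listed above. The tfsec and Checkov field names (`results[].long_id`, `location.start_line`, `results.failed_checks[].check_id`, `file_line_range`, and so on) are taken from how those tools emit JSON as far as I know them, and the two embedded sample documents are constructed for the demonstration; Checkov is assumed to leave `severity` null when not connected to its platform, so the normalizer has to pick a default. The `available_scanners()` helper stands in for what a `--check` flag would report.

```python
#!/usr/bin/env python3
"""Normalize raw tfsec / Checkov JSON into the report shape and exit codes above.

Example invocation (this script is illustrative, not the project's own CLI):
    tfsec . --format json | python normalize_iac.py --tool tfsec --path .
    checkov -d . -o json   | python normalize_iac.py --tool checkov --path .
"""
import argparse
import json
import shutil
import sys
from datetime import datetime, timezone

SEVERITIES = ("critical", "high", "medium", "low")

# Constructed sample of one tfsec finding. Field names follow tfsec's `--format json`
# output as assumed here; they are not documented on this page.
TFSEC_SAMPLE = {"results": [{
    "rule_id": "AWS017", "long_id": "aws-s3-enable-bucket-encryption",
    "description": "Bucket does not have encryption enabled", "severity": "HIGH",
    "resource": "aws_s3_bucket.data", "resolution": "Enable bucket encryption",
    "location": {"filename": "main.tf", "start_line": 15, "end_line": 22}}]}

# Constructed sample of one Checkov failure. Checkov is assumed to leave `severity`
# null unless connected to its platform, so the normalizer must choose a default.
CHECKOV_SAMPLE = {"check_type": "terraform", "results": {"failed_checks": [{
    "check_id": "CKV_AWS_18", "check_name": "Ensure the S3 bucket has access logging enabled",
    "file_path": "/main.tf", "file_line_range": [15, 22], "resource": "aws_s3_bucket.data",
    "guideline": "https://example.invalid/guideline-placeholder", "severity": None}],
    "passed_checks": []}}


def normalize_tfsec(raw):
    """Map tfsec results onto the finding fields above; severity is lower-cased."""
    out = []
    for r in raw.get("results") or []:
        loc = r.get("location") or {}
        out.append({
            "id": r.get("long_id") or r.get("rule_id", ""),
            "severity": (r.get("severity") or "unknown").lower(),
            "message": r.get("description", ""),
            "resource": r.get("resource", ""),
            "file": loc.get("filename", ""),
            "line": loc.get("start_line", 0),
            "resolution": r.get("resolution", ""),
        })
    return out


def normalize_checkov(raw, default_severity="medium"):
    """Map Checkov failed_checks onto the same fields. Checkov emits a list of reports
    when several frameworks are scanned at once, so accept both a dict and a list."""
    out = []
    for report in (raw if isinstance(raw, list) else [raw]):
        for c in (report.get("results") or {}).get("failed_checks") or []:
            line_range = c.get("file_line_range") or [0]
            out.append({
                "id": c.get("check_id", ""),
                "severity": (c.get("severity") or default_severity).lower(),
                "message": c.get("check_name", ""),
                "resource": c.get("resource", ""),
                "file": (c.get("file_path") or "").lstrip("/"),
                "line": line_range[0],
                "resolution": c.get("guideline") or "",
            })
    return out


def build_report(tool, scan_path, findings, scan_date=None):
    """Assemble the report object from the Output Format section with per-severity counts."""
    summary = {"total": len(findings), **{s: 0 for s in SEVERITIES}}
    for f in findings:
        if f["severity"] in summary:
            summary[f["severity"]] += 1
    return {
        "tool": tool,
        "scanPath": scan_path,
        "scanDate": scan_date or datetime.now(timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ"),
        "findings": findings,
        "summary": summary,
    }


def available_scanners():
    """Which of the two scanners are on PATH (what a `--check` flag would report)."""
    return {name: shutil.which(name) is not None for name in ("tfsec", "checkov")}


def exit_code(report, tool_available=True):
    """Exit code convention from the page: 0 clean, 1 findings, 2 tool missing or error."""
    if not tool_available:
        return 2
    return 1 if report["summary"]["total"] > 0 else 0


if __name__ == "__main__":
    ap = argparse.ArgumentParser()
    ap.add_argument("--check", action="store_true", help="report which scanners are installed")
    ap.add_argument("--tool", choices=("tfsec", "checkov"))
    ap.add_argument("--path", default=".")
    args = ap.parse_args()
    if args.check:
        print(json.dumps(available_scanners()))
        sys.exit(0)
    if not args.tool:
        ap.error("--tool is required unless --check is given")
    try:
        raw = json.load(sys.stdin)
    except json.JSONDecodeError as e:
        print(f"error: could not parse scanner output: {e}", file=sys.stderr)
        sys.exit(2)  # malformed scanner output counts as an error
    norm = normalize_tfsec if args.tool == "tfsec" else normalize_checkov
    rep = build_report(args.tool, args.path, norm(raw))
    print(json.dumps(rep, indent=2))
    sys.exit(exit_code(rep))
```

Treating a missing Checkov severity as `medium` is a policy choice made here so that such findings still count toward the summary and toward exit code 1; a stricter pipeline could default to `high` instead, or fail closed with exit code 2 when a scanner returns findings it cannot rate.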