Adoption

Agent Skills are supported by leading AI development tools.

VS Code Gemini CLI GitHub Goose Amp Cursor Claude Code Letta OpenCode Claude OpenAI Codex Factory VS Code Gemini CLI GitHub Goose Amp Cursor Claude Code Letta OpenCode Claude OpenAI Codex Factory

a5c-ai/iac-security-scanner

Name: iac-security-scanner
Author: a5c-ai

library/specializations/security-compliance/skills/iac-security-scanner/SKILL.md

npx skillsauth add a5c-ai/babysitter iac-security-scanner

Clean

TrivyContainer and dependency vulnerability scanner

Clean

SemgrepStatic code analysis for vulnerabilities

Clean

mcp-scan (Snyk)Model Context Protocol security validation

Skipped

Snyk (dep)Open source security scanning

Skipped

Socket.devSupply chain security analysis

Skipped

VirusTotalMulti-engine malware detection

Skipped

CrowdStrikeAdvanced threat intelligence

Skipped

OSV-ScannerOpen Source Vulnerability database check

Skipped

OWASP Dep-Check

IaC Security Scanner Skill

Purpose

Infrastructure as Code security scanning and policy enforcement to identify misconfigurations, security vulnerabilities, and compliance violations in cloud infrastructure definitions before deployment.

Capabilities

Terraform Security Scanning

Scan Terraform configurations for security misconfigurations
Check for exposed resources (public S3 buckets, open security groups)
Validate encryption settings for data at rest and in transit
Detect hardcoded secrets in Terraform files
Analyze Terraform state files for sensitive data exposure

CloudFormation Analysis

Scan CloudFormation templates for security issues
Check IAM policy configurations for least privilege
Validate network configuration security
Detect insecure default configurations

Kubernetes Manifest Scanning

Analyze Kubernetes YAML manifests for security issues
Check pod security standards compliance
Validate resource limits and quotas
Detect privileged containers and host path mounts

Pulumi Code Analysis

Scan Pulumi TypeScript/Python code for security issues
Check cloud resource configurations
Validate security best practices

Policy Enforcement

Define and enforce custom security policies using OPA/Rego
Create guardrails for cloud resource configurations
Block deployments that violate security policies
Generate policy compliance reports

Compliance Mapping

Map findings to compliance frameworks (CIS, NIST, SOC 2, PCI-DSS)
Generate compliance gap analysis reports
Track remediation progress against compliance requirements

Integrations

Checkov: Multi-cloud IaC scanner by Bridgecrew
tfsec: Terraform security scanner
KICS: Keeping Infrastructure as Code Secure
Terrascan: IaC security scanner
OPA/Rego: Policy as code engine
Snyk IaC: Infrastructure as Code security testing

Target Processes

IaC Security Scanning Process
Cloud Security Architecture Review
DevSecOps Pipeline Integration
Infrastructure Deployment Pipeline
Compliance Continuous Monitoring

Input Schema

{
  "type": "object",
  "properties": {
    "iacPath": {
      "type": "string",
      "description": "Path to IaC files or directory"
    },
    "iacType": {
      "type": "string",
      "enum": ["terraform", "cloudformation", "kubernetes", "pulumi", "arm", "ansible"],
      "description": "Type of IaC to scan"
    },
    "scanners": {
      "type": "array",
      "items": {
        "type": "string",
        "enum": ["checkov", "tfsec", "kics", "terrascan", "snyk"]
      },
      "description": "Scanners to use"
    },
    "complianceFrameworks": {
      "type": "array",
      "items": {
        "type": "string",
        "enum": ["CIS", "NIST", "SOC2", "PCI-DSS", "HIPAA", "GDPR"]
      }
    },
    "customPolicies": {
      "type": "string",
      "description": "Path to custom OPA/Rego policies"
    },
    "severityThreshold": {
      "type": "string",
      "enum": ["CRITICAL", "HIGH", "MEDIUM", "LOW"]
    },
    "excludePaths": {
      "type": "array",
      "items": { "type": "string" }
    }
  },
  "required": ["iacPath", "iacType"]
}

Output Schema

{
  "type": "object",
  "properties": {
    "scanId": {
      "type": "string"
    },
    "iacPath": {
      "type": "string"
    },
    "scanTimestamp": {
      "type": "string",
      "format": "date-time"
    },
    "summary": {
      "type": "object",
      "properties": {
        "totalFiles": { "type": "integer" },
        "filesScanned": { "type": "integer" },
        "passedChecks": { "type": "integer" },
        "failedChecks": { "type": "integer" },
        "skippedChecks": { "type": "integer" }
      }
    },
    "findings": {
      "type": "array",
      "items": {
        "type": "object",
        "properties": {
          "checkId": { "type": "string" },
          "severity": { "type": "string" },
          "resourceType": { "type": "string" },
          "resourceName": { "type": "string" },
          "filePath": { "type": "string" },
          "lineNumber": { "type": "integer" },
          "description": { "type": "string" },
          "remediation": { "type": "string" },
          "complianceMapping": { "type": "array" }
        }
      }
    },
    "complianceReport": {
      "type": "object"
    },
    "recommendations": {
      "type": "array",
      "items": { "type": "string" }
    }
  }
}

Usage Example

skill: {
  name: 'iac-security-scanner',
  context: {
    iacPath: './infrastructure/terraform',
    iacType: 'terraform',
    scanners: ['checkov', 'tfsec'],
    complianceFrameworks: ['CIS', 'SOC2'],
    severityThreshold: 'MEDIUM'
  }
}

a5c-ai/iac-security-scanner

library/specializations/security-compliance/skills/iac-security-scanner/SKILL.md

Infrastructure as Code security scanning and policy enforcement for Terraform, CloudFormation, Kubernetes, and Pulumi

514 stars

development

Updated Apr 2, 2026

$ install --global

skillsauth

npx skillsauth add a5c-ai/babysitter iac-security-scanner

Install this skill globally with one command. Works with Claude Code, Cursor, and Windsurf.

Security Scan Results

3 of 9 scanners reported clean

Some scanners were skipped, did not run, or reported a non-clean status. Review each row below.

Scanners Passed

Scanners in report

Clean

TrivyContainer and dependency vulnerability scanner

95%

Clean

SemgrepStatic code analysis for vulnerabilities

95%

Clean

mcp-scan (Snyk)Model Context Protocol security validation

95%

Skipped

Snyk (dep)Open source security scanning

50%

Skipped

Socket.devSupply chain security analysis

50%

Skipped

VirusTotalMulti-engine malware detection

50%

Skipped

CrowdStrikeAdvanced threat intelligence

50%

Skipped

OSV-ScannerOpen Source Vulnerability database check

50%

Skipped

OWASP Dep-Check

50%

Last scanned: Apr 2, 2026, 2:04 PM56.1s2 files scanned

SKILL.md

name:: iac-security-scanner
description:: Infrastructure as Code security scanning and policy enforcement for Terraform, CloudFormation, Kubernetes, and Pulumi

IaC Security Scanner Skill

Purpose

Capabilities

Terraform Security Scanning

Scan Terraform configurations for security misconfigurations
Check for exposed resources (public S3 buckets, open security groups)
Validate encryption settings for data at rest and in transit
Detect hardcoded secrets in Terraform files
Analyze Terraform state files for sensitive data exposure

CloudFormation Analysis

Scan CloudFormation templates for security issues
Check IAM policy configurations for least privilege
Validate network configuration security
Detect insecure default configurations

Kubernetes Manifest Scanning

Analyze Kubernetes YAML manifests for security issues
Check pod security standards compliance
Validate resource limits and quotas
Detect privileged containers and host path mounts

Pulumi Code Analysis

Scan Pulumi TypeScript/Python code for security issues
Check cloud resource configurations
Validate security best practices

Policy Enforcement

Define and enforce custom security policies using OPA/Rego
Create guardrails for cloud resource configurations
Block deployments that violate security policies
Generate policy compliance reports

Compliance Mapping

Map findings to compliance frameworks (CIS, NIST, SOC 2, PCI-DSS)
Generate compliance gap analysis reports
Track remediation progress against compliance requirements

Integrations

Checkov: Multi-cloud IaC scanner by Bridgecrew
tfsec: Terraform security scanner
KICS: Keeping Infrastructure as Code Secure
Terrascan: IaC security scanner
OPA/Rego: Policy as code engine
Snyk IaC: Infrastructure as Code security testing

Target Processes

IaC Security Scanning Process
Cloud Security Architecture Review
DevSecOps Pipeline Integration
Infrastructure Deployment Pipeline
Compliance Continuous Monitoring

Input Schema

{
  "type": "object",
  "properties": {
    "iacPath": {
      "type": "string",
      "description": "Path to IaC files or directory"
    },
    "iacType": {
      "type": "string",
      "enum": ["terraform", "cloudformation", "kubernetes", "pulumi", "arm", "ansible"],
      "description": "Type of IaC to scan"
    },
    "scanners": {
      "type": "array",
      "items": {
        "type": "string",
        "enum": ["checkov", "tfsec", "kics", "terrascan", "snyk"]
      },
      "description": "Scanners to use"
    },
    "complianceFrameworks": {
      "type": "array",
      "items": {
        "type": "string",
        "enum": ["CIS", "NIST", "SOC2", "PCI-DSS", "HIPAA", "GDPR"]
      }
    },
    "customPolicies": {
      "type": "string",
      "description": "Path to custom OPA/Rego policies"
    },
    "severityThreshold": {
      "type": "string",
      "enum": ["CRITICAL", "HIGH", "MEDIUM", "LOW"]
    },
    "excludePaths": {
      "type": "array",
      "items": { "type": "string" }
    }
  },
  "required": ["iacPath", "iacType"]
}

Output Schema

{
  "type": "object",
  "properties": {
    "scanId": {
      "type": "string"
    },
    "iacPath": {
      "type": "string"
    },
    "scanTimestamp": {
      "type": "string",
      "format": "date-time"
    },
    "summary": {
      "type": "object",
      "properties": {
        "totalFiles": { "type": "integer" },
        "filesScanned": { "type": "integer" },
        "passedChecks": { "type": "integer" },
        "failedChecks": { "type": "integer" },
        "skippedChecks": { "type": "integer" }
      }
    },
    "findings": {
      "type": "array",
      "items": {
        "type": "object",
        "properties": {
          "checkId": { "type": "string" },
          "severity": { "type": "string" },
          "resourceType": { "type": "string" },
          "resourceName": { "type": "string" },
          "filePath": { "type": "string" },
          "lineNumber": { "type": "integer" },
          "description": { "type": "string" },
          "remediation": { "type": "string" },
          "complianceMapping": { "type": "array" }
        }
      }
    },
    "complianceReport": {
      "type": "object"
    },
    "recommendations": {
      "type": "array",
      "items": { "type": "string" }
    }
  }
}

Usage Example

skill: {
  name: 'iac-security-scanner',
  context: {
    iacPath: './infrastructure/terraform',
    iacType: 'terraform',
    scanners: ['checkov', 'tfsec'],
    complianceFrameworks: ['CIS', 'SOC2'],
    severityThreshold: 'MEDIUM'
  }
}

Related Skills

a5c-ai/model-card-generator

development

VerifiedTrustedCommunity

Model documentation skill for generating model cards following Google's model card framework.

680SKILL.mdUpdated Apr 28, 2026

a5c-ai/model-card-generator

a5c-ai/mlflow-experiment-tracker

development

VerifiedTrustedCommunity

MLflow integration skill for experiment tracking, model registry, and artifact management. Enables LLMs to log experiments, compare runs, manage model lifecycle, and retrieve artifacts through the MLflow API.

680SKILL.mdUpdated Apr 28, 2026

a5c-ai/mlflow-experiment-tracker

a5c-ai/lime-explainer

data-ai

VerifiedTrustedCommunity

LIME-based local explanation skill for individual predictions across tabular, text, and image data.

680SKILL.mdUpdated Apr 28, 2026

a5c-ai/lime-explainer

a5c-ai/kubeflow-pipeline-executor

devops

VerifiedTrustedCommunity

Kubeflow Pipelines skill for ML workflow orchestration, component management, and Kubernetes-native ML.

680SKILL.mdUpdated Apr 28, 2026

a5c-ai/kubeflow-pipeline-executor

Download

For Claude Desktop. Download once, then upload the file in the app — no terminal needed.

Need help? View full Cowork setup guide →

Install manually

Choose your platform

# Clone the repo
git clone https://github.com/a5c-ai/babysitter.git

# Copy into Claude Code skills folder (global)
cp -r babysitter/library/specializations/security-compliance/skills/iac-security-scanner ~/.claude/skills/

Claude Code Skills — official skills path docs.

Repository

a5c-ai/babysitter

514 stars

Compatible with

Claude Code

OpenAI Codex CLI

ChatGPT