iac-security-scan-skills
iac security scan skills for your AI workflows
A set of AI agent skill files you drop into a Terraform or CloudFormation project to audit infrastructure code for security problems, producing a prioritized report with cross-domain attack paths and recommended fixes.
IaC Security Scanner is a collection of skill files you drop into a Terraform or CloudFormation project to give an AI coding agent the ability to audit the infrastructure code for security problems. Terraform and CloudFormation are tools developers use to describe cloud infrastructure (servers, databases, permissions, networking) as code files rather than clicking through a web console. This scanner works with several AI-powered editors including Cursor, Claude Code, and Windsurf. You copy a few files into your project, tell the agent to run a scan, and it produces a prioritized report with findings and recommended fixes. No plugins, API keys, or external services are required.
The scan runs in four steps. First, the agent maps the entire project: what technologies are in use, which files define which resources, and where internet-facing entry points exist. Second, six domain-specific analysis skills run in parallel, each focused on a different security category. IAM checks for permission problems and privilege escalation paths. Network looks for public exposure and segmentation gaps. Storage checks for unencrypted or publicly accessible data stores. Secrets looks for hardcoded credentials and API keys. Logging checks for gaps in monitoring that would leave attacks undetected. Serverless checks for misconfigured cloud functions.
After the domain scans finish, a cross-domain step reads all findings together and constructs attack paths that span multiple categories, for example a chain that goes from an open network port to overprivileged permissions to a database. It identifies the smallest set of fixes that would break the most attack chains, described as a minimum-cut analysis.
The final step generates an HTML report and a CSV file. Output is also printed to the terminal. Scan modes include a full pipeline, a fast single-pass mode that covers all domains in one step and outputs only high and critical findings, and scoped modes that run only the specific domains you care about.
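As an added illustration (not the project's own skill files or output), here is the pipeline above reduced to a short Python script. The PLAN dict is a constructed stand-in that only loosely follows the shape of `terraform show -json` (resource references are flattened to plain names); three checks stand in for the network, IAM and storage skills; the attack-path step chains their findings through an instance to a database; and the minimum-cut step finds the fewest fixes that break every chain by exhaustive hitting-set search. The `min_severity` argument mimics the fast mode's high/critical filter, and `to_csv` mirrors the CSV output.

```python
"""Toy IaC checker mirroring the four-step scan: map, domain checks,
cross-domain attack paths, minimum-cut fixes. Added example, not the
project's code. PLAN is constructed by hand and only approximates the
shape of `terraform show -json` (references simplified to plain names)."""
import csv
import io
import json
from itertools import combinations

# Constructed sample: an SSH-exposed instance carrying an admin role, next to
# a public, unencrypted RDS instance.
PLAN = {"planned_values": {"root_module": {"resources": [
    {"address": "aws_security_group.web", "type": "aws_security_group",
     "values": {"name": "web", "ingress": [{"from_port": 22, "to_port": 22,
                "protocol": "tcp", "cidr_blocks": ["0.0.0.0/0"]}]}},
    {"address": "aws_iam_role_policy.app", "type": "aws_iam_role_policy",
     "values": {"role": "app", "policy": json.dumps({"Version": "2012-10-17",
                "Statement": [{"Effect": "Allow", "Action": "*", "Resource": "*"}]})}},
    {"address": "aws_instance.app", "type": "aws_instance",
     "values": {"iam_instance_profile": "app", "security_groups": ["web"]}},
    {"address": "aws_db_instance.main", "type": "aws_db_instance",
     "values": {"publicly_accessible": True, "storage_encrypted": False}},
]}}}
SEVERITY = {"critical": 4, "high": 3, "medium": 2, "low": 1}


def map_project(plan):
    """Step 1: index every resource in the plan by its Terraform type."""
    by_type = {}
    for r in plan["planned_values"]["root_module"]["resources"]:
        by_type.setdefault(r["type"], []).append(r)
    return by_type


def finding(domain, sev, res, detail, fix):
    return {"id": f"{domain.upper()}-{res}:{detail.split()[0]}", "domain": domain,
            "severity": sev, "resource": res, "detail": detail, "fix": fix}


def check_network(by_type):  # Step 2, network skill: ingress open to the world
    return [finding("net", "high", sg["address"], f"port {rule['from_port']} open to 0.0.0.0/0",
                    "restrict cidr_blocks to trusted ranges or a bastion")
            for sg in by_type.get("aws_security_group", [])
            for rule in sg["values"].get("ingress", []) if "0.0.0.0/0" in rule.get("cidr_blocks", [])]


def check_iam(by_type):  # Step 2, IAM skill: Allow with a wildcard Action
    out = []
    for pol in by_type.get("aws_iam_role_policy", []):
        stmts = json.loads(pol["values"]["policy"])["Statement"]
        for s in (stmts if isinstance(stmts, list) else [stmts]):
            actions = s.get("Action", [])
            if s.get("Effect") == "Allow" and "*" in (actions if isinstance(actions, list) else [actions]):
                out.append(finding("iam", "critical", pol["address"], "wildcard Action allowed",
                                   "scope Action and Resource to what the role needs"))
    return out


def check_storage(by_type):  # Step 2, storage skill: public or unencrypted RDS
    out = []
    for db in by_type.get("aws_db_instance", []):
        if db["values"].get("publicly_accessible"):
            out.append(finding("storage", "critical", db["address"], "publicly_accessible is true",
                               "set publicly_accessible = false"))
        if not db["values"].get("storage_encrypted"):
            out.append(finding("storage", "medium", db["address"], "storage_encrypted is false",
                               "set storage_encrypted = true"))
    return out


def attack_paths(by_type, findings):
    """Step 3: chain findings across domains. A path is a list of finding ids;
    fixing any one finding on it breaks the whole path."""
    by_res = {}
    for f in findings:
        by_res.setdefault(f["resource"], []).append(f["id"])
    sg_addr = {r["values"]["name"]: r["address"] for r in by_type.get("aws_security_group", [])}
    pol_addr = {r["values"]["role"]: r["address"] for r in by_type.get("aws_iam_role_policy", [])}
    db_ids = [i for r in by_type.get("aws_db_instance", []) for i in by_res.get(r["address"], [])]
    paths = []
    for inst in by_type.get("aws_instance", []):
        v = inst["values"]
        entries = [i for sg in v.get("security_groups", []) for i in by_res.get(sg_addr.get(sg), [])]
        privs = by_res.get(pol_addr.get(v.get("iam_instance_profile")), [])
        paths += [[e, p, d] for e in entries for p in privs for d in db_ids]
    paths += [[i] for i in db_ids if i.endswith(":publicly_accessible")]  # public store = direct entry
    return paths


def minimum_cut(paths):
    """Smallest set of findings that hits every path (exact search; inputs are report-sized)."""
    ids = sorted({i for p in paths for i in p})
    for k in range(1, len(ids) + 1):
        for combo in combinations(ids, k):
            if all(any(i in combo for i in p) for p in paths):
                return set(combo)
    return set()


def scan(plan, min_severity="low"):
    """Full pipeline; min_severity="high" mimics the fast single-pass mode's filter."""
    by_type = map_project(plan)
    findings = check_network(by_type) + check_iam(by_type) + check_storage(by_type)
    paths = attack_paths(by_type, findings)
    shown = sorted((f for f in findings if SEVERITY[f["severity"]] >= SEVERITY[min_severity]),
                   key=lambda f: -SEVERITY[f["severity"]])
    return {"findings": shown, "paths": paths, "fix_first": minimum_cut(paths)}


def to_csv(findings):
    """Step 4 (CSV half): serialise findings to a CSV string."""
    buf = io.StringIO()
    w = csv.DictWriter(buf, fieldnames=["id", "domain", "severity", "resource", "detail", "fix"])
    w.writeheader()
    w.writerows(findings)
    return buf.getvalue()


if __name__ == "__main__":
    report = scan(PLAN)
    print(to_csv(report["findings"]))
    for p in report["paths"]:
        print("path:", " -> ".join(p))
    print("fix first:", sorted(report["fix_first"]))
```

On the constructed plan this yields four findings, three attack paths (two through the instance, one straight to the public database), and a two-item fix list; the exhaustive search is fine here, but a real scanner over hundreds of findings would switch to a greedy hitting-set heuristic.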
The tool is designed for teams that want deeper reasoning than a standard linter provides: cross-domain attack paths, and findings that each carry a blast-radius and exploitability assessment, rather than risky patterns flagged in isolation.
Where it fits
- Audit a Terraform project for misconfigured IAM permissions, open network ports, and unencrypted storage buckets.
- Find cross-domain attack paths that chain a public network entry through overprivileged roles to an exposed database.
- Generate an HTML security report for a CloudFormation stack before a production deployment.
- Run a fast single-pass scan to surface only critical and high-severity findings quickly.