This skill covers implementing automated security scanning for Infrastructure as Code (IaC) templates using tools like Checkov, tfsec, and KICS. It addresses detecting misconfigurations in Terraform, CloudFormation, Kubernetes manifests, and Helm charts before deployment, establishing policy-based governance, and integrating IaC scanning into CI/CD pipelines to prevent insecure cloud resource provisioning.
Works with
AI-first code editor with Composer
Before installing skills in Cursor, ensure your development environment meets these requirements:
node --versionimplementing-infrastructure-as-code-security-scanningExecute the skills CLI command in your project's root directory to begin installation:
Fetches implementing-infrastructure-as-code-security-scanning from mukul975/Anthropic-Cybersecurity-Skills and configures it for Cursor.
The CLI shows a list of agents. Use arrow keys and space to select Cursor:
Confirm successful installation by checking the skill directory location:
Restart Cursor to activate implementing-infrastructure-as-code-security-scanning. Access via /implementing-infrastructure-as-code-security-scanning in your agent's command palette.
We perform automated surface-level scans (Gen AI Scanner, Socket, Snyk) during installation. These checks detect common vulnerabilities but do not guarantee complete security. Always review skill source code and verify the publisher's reputation before production use.
Skills execute code in your environment. Always review source, verify the publisher, and test in isolation before production.
Submit your Claude Code skill and start earning
Use skill to generate boilerplate code, refactor legacy code, and write tests faster
Example
Generate React component with TypeScript types, styled-components, and comprehensive test suite in minutes
Reduce development time by 40-60% for repetitive coding tasks
Systematically review code for bugs, security issues, and style violations
Example
Analyze pull requests for common anti-patterns, suggest performance improvements, flag security vulnerabilities
Catch 70%+ of code issues before human review, improve code quality
Trace errors through stack traces and identify root causes faster
Example
Analyze error logs, suggest probable causes, recommend fixes with code examples
0
total installs
0
this week
8.6K
GitHub stars
0
upvotes
Run in your terminal
0
installs
0
this week
8.6K
stars
| name | implementing-infrastructure-as-code-security-scanning |
| description | 'This skill covers implementing automated security scanning for Infrastructure as Code (IaC) templates using tools like Checkov, tfsec, and KICS. It addresses detecting misconfigurations in Terraform, CloudFormation, Kubernetes manifests, and Helm charts before deployment, establishing policy-based governance, and integrating IaC scanning into CI/CD pipelines to prevent insecure cloud resource provisioning. ' |
| domain | cybersecurity |
| subdomain | devsecops |
| tags | - devsecops - cicd - iac-security - checkov - tfsec - terraform - secure-sdlc |
| version | 1.0.0 |
| author | mahipal |
| license | Apache-2.0 |
| nist_csf | - PR.PS-01 - GV.SC-07 - ID.IM-04 - PR.PS-04 |
Do not use for scanning application source code (use SAST), for monitoring already-deployed infrastructure drift (use cloud security posture management tools), or for container image vulnerability scanning (use Trivy).
pip install checkov) or tfsec installed# Scan all Terraform files in a directory
checkov -d ./terraform/ --framework terraform --output cli --output json --output-file-path ./results
# Scan specific file
checkov -f main.tf --output json
# Scan Terraform plan (more accurate for dynamic values)
terraform init && terraform plan -out=tfplan
terraform show -json tfplan > tfplan.json
checkov -f tfplan.json --framework terraform_plan
# Scan with specific checks only
checkov -d ./terraform/ --check CKV_AWS_18,CKV_AWS_19,CKV_AWS_20
# Skip specific checks
checkov -d ./terraform/ --skip-check CKV_AWS_145,CKV2_AWS_6
# .github/workflows/iac-security.yml
name: IaC Security Scan
on:
pull_request:
paths:
- 'terraform/**'
- 'cloudformation/**'
- 'k8s/**'
jobs:
checkov:
name: Checkov IaC Scan
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v4
- name: Run Checkov
uses: bridgecrewio/checkov-action@v12
with:
directory: terraform/
framework: terraform
output_format: cli,sarif
output_file_path: console,checkov.sarif
soft_fail: false
skip_check: CKV_AWS_145
- name: Upload SARIF
if: always()
uses: github/codeql-action/upload-sarif@v3
with:
sarif_file: checkov.sarif
category: checkov-iac
tfsec:
name: tfsec Scan
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v4
- name: Run tfsec
uses: aquasecurity/[email protected]
with:
working_directory: terraform/
sarif_file: tfsec.sarif
soft_fail: false
- name: Upload SARIF
if: always()
uses: github/codeql-action/upload-sarif@v3
with:
sarif_file: tfsec.sarif
category: tfsec
# custom_checks/s3_versioning.py
from checkov.terraform.checks.resource.base_resource_check import BaseResourceCheck
from checkov.common.models.enums import CheckResult, CheckCategories
class S3BucketVersioning(BaseResourceCheck):
def __init__(self):
name = "Ensure S3 bucket has versioning enabled"
id = "CKV_CUSTOM_1"
supported_resources = ["aws_s3_bucket"]
categories = [CheckCategories.GENERAL_SECURITY]
super().__init__(name=name, id=id, categories=categories,
supported_resources=supported_resources)
def scan_resource_conf(self, conf):
versioning = conf.get("versioning", [{}])
if isinstance(versioning, list) and len(versioning) > 0:
if versioning[0].get("enabled", [False])[0]:
return CheckResult.PASSED
return CheckResult.FAILED
check = S3BucketVersioning()
# .checkov.yaml
branch: main
compact: true
directory:
- terraform/
- cloudformation/
framework:
- terraform
- cloudformation
- kubernetes
output:
- cli
- sarif
skip-check:
- CKV_AWS_145 # S3 default encryption with CMK (using SSE-S3 is acceptable)
- CKV2_AWS_6 # S3 bucket request logging (handled at CloudTrail level)
soft-fail: false
# Scan Kubernetes manifests
checkov -d ./k8s/ --framework kubernetes
# Scan Helm charts (renders templates first)
checkov -d ./charts/myapp/ --framework helm
# Scan with KICS (Keeping Infrastructure as Code Secure)
docker run -v $(pwd)/k8s:/path checkmarx/kics:latest scan \
--path /path \
--output-path /path/results \
--type Kubernetes \
--report-formats json,sarif
| Term | Definition |
|---|---|
| IaC Scanning | Automated analysis of infrastructure code templates to detect security misconfigurations before deployment |
| Policy as Code | Security policies defined as executable code that can be version-controlled, tested, and enforced automatically |
| CKV Check ID | Checkov's unique identifier for each security check (e.g., CKV_AWS_18 for S3 public access) |
| Terraform Plan Scanning | Scanning the resolved Terraform plan JSON which includes computed values and module expansions |
| Graph-based Scanning | Checkov's ability to analyze relationships between resources, not just individual resource configs |
| Drift Detection | Identifying differences between IaC definitions and actual deployed infrastructure state |
| Custom Policy | Organization-specific security checks authored in Python or YAML to enforce internal standards |
Context: A development team repeatedly creates S3 buckets without proper access controls. A recent incident exposed customer data through a public bucket.
Approach:
aws_s3_bucket_public_access_block resource for every S3 bucketsoft_fail: false to block PR merges when S3 security checks failPitfalls: Scanning only .tf files misses dynamically computed values. Use Terraform plan scanning for higher accuracy. Checkov's resource-relationship checks (CKV2 prefix) require graph analysis mode.
IaC Security Scan Report
==========================
Framework: Terraform
Directory: terraform/
Scan Date: 2026-02-23
Checkov Results:
Passed: 187
Failed: 12
Skipped: 3
Unknown: 0
FAILED CHECKS:
CKV_AWS_18 [HIGH] S3 Bucket has public read ACL
Resource: aws_s3_bucket.data_lake
File: terraform/storage.tf:15-28
CKV_AWS_24 [HIGH] CloudWatch log group not encrypted
Resource: aws_cloudwatch_log_group.app
File: terraform/monitoring.tf:3-8
CKV_AWS_79 [MEDIUM] Instance metadata service v1 enabled
Resource: aws_instance.web
File: terraform/compute.tf:12-30
QUALITY GATE: FAILED (2 HIGH severity findings)
Cut debugging time by 30-50%, especially for unfamiliar codebases
Get explanations, examples, and best practices for unfamiliar frameworks
Example
Understand Next.js app router, learn Rust ownership, grasp Kubernetes concepts with practical examples
Accelerate learning curve by 2-3x, reduce onboarding time for new tech stacks
Prerequisites
Time Estimate
15-30 minutes to install and see first useful output
Steps
Common Pitfalls
✓ Do
✗ Don't
💡 Pro Tips
✓ Use when
Use coding skills for boilerplate generation, code reviews, refactoring legacy code, writing tests, learning new frameworks, and debugging non-critical issues. Best for repetitive tasks where errors are easy to catch.
✗ Avoid when
Avoid for production security features (auth, encryption, payment processing), complex business logic requiring deep domain knowledge, performance-critical algorithms, or when learning fundamentals is more valuable than speed.
mukul975/Anthropic-Cybersecurity-Skills
mukul975/Anthropic-Cybersecurity-Skills
mukul975/Anthropic-Cybersecurity-Skills
mukul975/Anthropic-Cybersecurity-Skills
mukul975/Anthropic-Cybersecurity-Skills
mukul975/Anthropic-Cybersecurity-Skills
implementing-infrastructure-as-code-security-scanning has been reliable in day-to-day use. Documentation quality is above average for community skills.
Useful defaults in implementing-infrastructure-as-code-security-scanning — fewer surprises than typical one-off scripts, and it plays nicely with `npx skills` flows.
Useful defaults in implementing-infrastructure-as-code-security-scanning — fewer surprises than typical one-off scripts, and it plays nicely with `npx skills` flows.
We added implementing-infrastructure-as-code-security-scanning from the explainx registry; install was straightforward and the SKILL.md answered most questions upfront.
I recommend implementing-infrastructure-as-code-security-scanning for anyone iterating fast on agent tooling; clear intent and a small, reviewable surface area.
implementing-infrastructure-as-code-security-scanning reduced setup friction for our internal harness; good balance of opinion and flexibility.
I recommend implementing-infrastructure-as-code-security-scanning for anyone iterating fast on agent tooling; clear intent and a small, reviewable surface area.
I recommend implementing-infrastructure-as-code-security-scanning for anyone iterating fast on agent tooling; clear intent and a small, reviewable surface area.
implementing-infrastructure-as-code-security-scanning fits our agent workflows well — practical, well scoped, and easy to wire into existing repos.
Useful defaults in implementing-infrastructure-as-code-security-scanning — fewer surprises than typical one-off scripts, and it plays nicely with `npx skills` flows.
showing 1-10 of 60