explaingit

senaykt/iac-security-scan-skills

16 · Audience · ops, devops · Complexity · 2/5 · Setup · easy

TLDR

A set of AI agent skill files you drop into a Terraform or CloudFormation project to audit infrastructure code for security problems, producing a prioritized report with cross-domain attack paths and recommended fixes.

Mindmap

mindmap
  root((iac-security-scan-skills))
    What it does
      Security audit
      Attack path analysis
      HTML and CSV report
    Scan domains
      IAM permissions
      Network exposure
      Storage encryption
      Secrets detection
      Logging gaps
      Serverless config
    Works with
      Terraform
      CloudFormation
      Cursor
      Claude Code
    Use cases
      Pre-deploy review
      Compliance audit


Things people build with this

USE CASE 1

Audit a Terraform project for misconfigured IAM permissions, open network ports, and unencrypted storage buckets.

USE CASE 2

Find cross-domain attack paths that chain a public network entry through overprivileged roles to an exposed database.

USE CASE 3

Generate an HTML security report for a CloudFormation stack before a production deployment.

USE CASE 4

Run a fast single-pass scan to surface only critical and high-severity findings quickly.

Tech stack

Terraform · CloudFormation · Cursor · Claude Code · Windsurf

Getting it running

Difficulty · easy · Time to first run · 30 min

No API keys, plugins, or external services are needed: copy the skill files into your project and invoke the scan through your AI editor.

No license is mentioned in the project description.

In plain English

IaC Security Scanner is a collection of skill files you drop into a Terraform or CloudFormation project to give an AI coding agent the ability to audit the infrastructure code for security problems. Terraform and CloudFormation are tools developers use to describe cloud infrastructure (servers, databases, permissions, networking) as code files rather than clicking through a web console. This scanner works with several AI-powered editors including Cursor, Claude Code, and Windsurf. You copy a few files into your project, tell the agent to run a scan, and it produces a prioritized report with findings and recommended fixes. No plugins, API keys, or external services are required.

The scan runs in four steps. First, the agent maps the entire project: what technologies are in use, which files define which resources, and where internet-facing entry points exist. Second, six domain-specific analysis skills run in parallel, each focused on a different security category. IAM checks for permission problems and privilege escalation paths. Network looks for public exposure and segmentation gaps. Storage checks for unencrypted or publicly accessible data stores. Secrets looks for hardcoded credentials and API keys. Logging checks for gaps in monitoring that would leave attacks undetected. Serverless checks for misconfigured cloud functions.

After the domain scans finish, a cross-domain step reads all findings together and constructs attack paths that span multiple categories, for example a chain that goes from an open network port to overprivileged permissions to a database. It identifies the smallest set of fixes that would break the most attack chains, described as a minimum-cut analysis. The final step generates an HTML report and a CSV file. Output is also printed to the terminal.

Scan modes include a full pipeline, a fast single-pass mode that covers all domains in one step and outputs only high and critical findings, and scoped modes that run only the specific domains you care about. The tool is designed for teams that want deeper reasoning than a standard linter provides, particularly for cross-domain attack paths and findings tied to specific blast radius and exploitability assessments rather than just flagging risky patterns in isolation.
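To make the cross-domain step concrete, here is an added illustration (not code from the project, which ships skill files rather than a scanner program) of the idea it describes: findings form a graph, attack paths are enumerated from internet-facing entries to a protected asset, and a minimum cut picks the fewest remediable findings that break every chain. The finding names and edges are constructed sample data.

```python
from collections import Counter
from itertools import combinations

# Constructed sample findings (not from the project). An edge A -> B means
# "exploiting finding A lets an attacker reach finding B".
EDGES = {
    "sg-open-22": ["ec2-admin-role"],                          # Network: 0.0.0.0/0 on port 22
    "ec2-admin-role": ["s3-public-read", "lambda-wide-role"],  # IAM: instance role has iam:*, s3:*
    "s3-public-read": ["db-creds-in-s3"],                      # Storage: anonymous GetObject
    "lambda-wide-role": ["db-creds-in-s3"],                    # Serverless: role reads every secret
    "db-creds-in-s3": ["customer-db"],                         # Secrets: DB password in a bucket object
    "rds-public": ["customer-db"],                             # Network: publicly accessible RDS
}
ENTRY_POINTS = ["sg-open-22", "rds-public", "s3-public-read"]  # internet-facing findings
TARGET = "customer-db"                                         # asset the report protects


def attack_paths(edges, entries, target):
    """Enumerate every simple path from an internet-facing entry to the target."""
    paths = []

    def walk(node, trail):
        if node == target:
            paths.append(trail)
            return
        for nxt in edges.get(node, []):
            if nxt not in trail:  # simple paths only: never revisit a finding
                walk(nxt, trail + [nxt])

    for entry in entries:
        walk(entry, [entry])
    return paths


def minimum_fix_set(paths, unfixable=()):
    """Smallest set of findings whose remediation breaks every path (brute-force
    vertex min cut, fine for the tens of findings one scan yields). `unfixable`
    excludes nodes that are targets rather than misconfigurations."""
    candidates = sorted({n for p in paths for n in p if n not in unfixable})
    for size in range(1, len(candidates) + 1):
        for combo in combinations(candidates, size):
            if all(any(n in combo for n in p) for p in paths):
                return set(combo)
    return set(candidates)


def chain_counts(paths):
    """Number of attack chains each finding sits on, a blast-radius proxy."""
    return Counter(n for p in paths for n in p)
```

On this sample the four chains all pass through either the leaked database credentials or the public RDS endpoint, so fixing just those two findings breaks every path even though six misconfigurations were reported.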

Copy-paste prompts

Prompt 1
I copied the IaC Security Scanner skills into my Terraform project in Cursor. How do I trigger a full scan and where does the HTML report get saved?
Prompt 2
Run the IaC security scan on my Terraform files and list only critical and high findings with specific fix recommendations.
Prompt 3
The scan found an attack path combining an open S3 bucket and an overprivileged Lambda role. What is the minimum set of changes to break this attack chain?
Prompt 4
Run only the IAM and Serverless scan modules on my CloudFormation stack and show all privilege escalation paths found.
Prompt 5
How do I configure the IaC Security Scanner to run in fast single-pass mode and output results to a CSV file?


Verify against the repo before relying on details.