whatisgithub

What is iac-security-scan-skills?

senaykt/iac-security-scan-skills — explained in plain English

Analysis updated 2026-06-24

16Audience · ops devopsComplexity · 2/5Setup · easy

In one sentence

A set of AI agent skill files you drop into a Terraform or CloudFormation project to audit infrastructure code for security problems, producing a prioritized report with cross-domain attack paths and recommended fixes.

Mindmap

mindmap
  root((iac-security-scan-skills))
    What it does
      Security audit
      Attack path analysis
      HTML and CSV report
    Scan domains
      IAM permissions
      Network exposure
      Storage encryption
      Secrets detection
      Logging gaps
      Serverless config
    Works with
      Terraform
      CloudFormation
      Cursor
      Claude Code
    Use cases
      Pre-deploy review
      Compliance audit
Click or tap to explore — scroll the page freely

Code map

Detail Auto

An interactive map of this repo's files and how they connect — its source is parsed live in your browser. Click Visualize to build it.

filefunction / class

What do people build with it?

USE CASE 1

Audit a Terraform project for misconfigured IAM permissions, open network ports, and unencrypted storage buckets.

USE CASE 2

Find cross-domain attack paths that chain a public network entry through overprivileged roles to an exposed database.

USE CASE 3

Generate an HTML security report for a CloudFormation stack before a production deployment.

USE CASE 4

Run a fast single-pass scan to surface only critical and high-severity findings quickly.

What is it built with?

TerraformCloudFormationCursorClaude CodeWindsurf

How does it compare?

senaykt/iac-security-scan-skillsadya84/ha-world-cup-2026afk-surf/safeclipper
Stars161616
LanguagePythonPython
Setup difficultyeasyeasymoderate
Complexity2/52/53/5
Audienceops devopsgeneraldeveloper

Figures from each repo's GitHub metadata at analysis time.

How do you get it running?

Difficulty · easy Time to first run · 30min

No API keys, plugins, or external services needed, copy the skill files into your project and invoke the scan through your AI editor.

No license is mentioned in the project description.

So what is it?

IaC Security Scanner is a collection of skill files you drop into a Terraform or CloudFormation project to give an AI coding agent the ability to audit the infrastructure code for security problems. Terraform and CloudFormation are tools developers use to describe cloud infrastructure (servers, databases, permissions, networking) as code files rather than clicking through a web console. This scanner works with several AI-powered editors including Cursor, Claude Code, and Windsurf. You copy a few files into your project, tell the agent to run a scan, and it produces a prioritized report with findings and recommended fixes. No plugins, API keys, or external services are required. The scan runs in four steps. First, the agent maps the entire project: what technologies are in use, which files define which resources, and where internet-facing entry points exist. Second, six domain-specific analysis skills run in parallel, each focused on a different security category. IAM checks for permission problems and privilege escalation paths. Network looks for public exposure and segmentation gaps. Storage checks for unencrypted or publicly accessible data stores. Secrets looks for hardcoded credentials and API keys. Logging checks for gaps in monitoring that would leave attacks undetected. Serverless checks for misconfigured cloud functions. After the domain scans finish, a cross-domain step reads all findings together and constructs attack paths that span multiple categories, for example a chain that goes from an open network port to overprivileged permissions to a database. It identifies the smallest set of fixes that would break the most attack chains, described as a minimum-cut analysis. The final step generates an HTML report and a CSV file. Output is also printed to the terminal. Scan modes include a full pipeline, a fast single-pass mode that covers all domains in one step and outputs only high and critical findings, and scoped modes that run only the specific domains you care about. The tool is designed for teams that want deeper reasoning than a standard linter provides, particularly for cross-domain attack paths and findings tied to specific blast radius and exploitability assessments rather than just flagging risky patterns in isolation.

Copy-paste prompts

Prompt 1
I copied the IaC Security Scanner skills into my Terraform project in Cursor. How do I trigger a full scan and where does the HTML report get saved?
Prompt 2
Run the IaC security scan on my Terraform files and list only critical and high findings with specific fix recommendations.
Prompt 3
The scan found an attack path combining an open S3 bucket and an overprivileged Lambda role. What is the minimum set of changes to break this attack chain?
Prompt 4
Run only the IAM and Serverless scan modules on my CloudFormation stack and show all privilege escalation paths found.
Prompt 5
How do I configure the IaC Security Scanner to run in fast single-pass mode and output results to a CSV file?

Frequently asked questions

What is iac-security-scan-skills?

A set of AI agent skill files you drop into a Terraform or CloudFormation project to audit infrastructure code for security problems, producing a prioritized report with cross-domain attack paths and recommended fixes.

What license does iac-security-scan-skills use?

No license is mentioned in the project description.

How hard is iac-security-scan-skills to set up?

Setup difficulty is rated easy, with roughly 30min to a first successful run.

Who is iac-security-scan-skills for?

Mainly ops devops.

Open on GitHub → Ask about another repo

This repo across BitVibe Labs

Verify against the repo before relying on details.