← 返回 Skills 市场
49
总下载
0
收藏
0
当前安装
1
版本数
在 OpenClaw 中安装
/install auditing-terraform-security
功能描述
Auditing Terraform infrastructure-as-code for security misconfigurations using Checkov, tfsec, Terrascan, and OPA/Rego policies to detect overly permissive I...
使用说明 (SKILL.md)
Auditing Terraform Infrastructure for Security
When to Use
- When integrating security scanning into CI/CD pipelines for Terraform deployments
- When reviewing Terraform plans and modules for security best practices before applying
- When building policy-as-code guardrails for cloud infrastructure provisioning
- When auditing existing Terraform state files to identify deployed misconfigurations
- When enforcing organizational security standards across multiple Terraform projects
Do not use for runtime security monitoring (use CSPM tools), for application security testing (use SAST/DAST tools), or for cloud configuration drift detection (use AWS Config or Azure Policy after deployment).
Prerequisites
- Checkov installed (
pip install checkov) - tfsec installed (
brew install tfsecor binary from GitHub) - Terrascan installed (
brew install terrascan) - Terraform v1.0+ for plan generation
- OPA (Open Policy Agent) for custom policy enforcement
- Git repository with Terraform code to audit
Workflow
Step 1: Scan Terraform Code with Checkov
Run Checkov for comprehensive IaC security scanning with built-in and custom policies.
# Scan a Terraform directory
checkov -d ./terraform/ --framework terraform
# Scan with specific check categories
checkov -d ./terraform/ --check CKV_AWS_18,CKV_AWS_19,CKV_AWS_20,CKV_AWS_21
# Scan and output results in JSON
checkov -d ./terraform/ --output json > checkov-results.json
# Scan a Terraform plan file for more accurate analysis
terraform init && terraform plan -out=tfplan
terraform show -json tfplan > tfplan.json
checkov -f tfplan.json --framework terraform_plan
# Skip specific checks with justification
checkov -d ./terraform/ --skip-check CKV_AWS_145 \
--bc-api-key $BRIDGECREW_API_KEY
# Scan Terraform modules
checkov -d ./modules/ --framework terraform --compact
# List all available checks
checkov --list --framework terraform | grep CKV_AWS
Step 2: Scan with tfsec for Terraform-Specific Issues
Use tfsec for Terraform-native security analysis with detailed remediation guidance.
# Scan a Terraform directory
tfsec ./terraform/
# Scan with minimum severity threshold
tfsec ./terraform/ --minimum-severity HIGH
# Output in JSON for CI/CD processing
tfsec ./terraform/ --format json > tfsec-results.json
# Scan with custom checks
tfsec ./terraform/ --custom-check-dir ./custom-checks/
# Exclude specific rules
tfsec ./terraform/ --exclude-downloaded-modules \
--exclude aws-s3-enable-bucket-logging
# Scan and fail on specific severity
tfsec ./terraform/ --minimum-severity CRITICAL --soft-fail
# Generate SARIF output for GitHub Security tab
tfsec ./terraform/ --format sarif > tfsec.sarif
Step 3: Run Terrascan for Multi-Framework Compliance
Execute Terrascan for compliance checking against CIS, NIST, and SOC 2 frameworks.
# Scan Terraform against CIS AWS benchmark
terrascan scan -t aws -i terraform -d ./terraform/ \
--policy-type aws --verbose
# Scan against specific compliance frameworks
terrascan scan -t aws -i terraform -d ./terraform/ \
--policy-type aws \
--categories "Compliance Validation"
# Output in JSON
terrascan scan -t aws -i terraform -d ./terraform/ \
--output json > terrascan-results.json
# Scan a Terraform plan
terrascan scan -t aws -i terraform \
--iac-file tfplan.json \
--iac-type tfplan
# List available policies
terrascan scan --list-policies -t aws
Step 4: Create Custom OPA Policies for Organization Standards
Write Rego policies for organization-specific security requirements.
# policy/aws_s3_encryption.rego
package terraform.aws.s3
deny[msg] {
resource := input.resource.aws_s3_bucket[name]
not resource.server_side_encryption_configuration
msg := sprintf("S3 bucket '%s' must have server-side encryption enabled", [name])
}
# policy/aws_iam_no_wildcards.rego
package terraform.aws.iam
deny[msg] {
resource := input.resource.aws_iam_policy[name]
statement := resource.policy.Statement[_]
statement.Action == "*"
statement.Effect == "Allow"
msg := sprintf("IAM policy '%s' must not use wildcard (*) actions", [name])
}
deny[msg] {
resource := input.resource.aws_iam_policy[name]
statement := resource.policy.Statement[_]
statement.Resource == "*"
statement.Effect == "Allow"
contains(statement.Action[_], "*")
msg := sprintf("IAM policy '%s' has overly permissive actions on wildcard resources", [name])
}
# policy/aws_no_public_ingress.rego
package terraform.aws.security_group
deny[msg] {
resource := input.resource.aws_security_group_rule[name]
resource.type == "ingress"
resource.cidr_blocks[_] == "0.0.0.0/0"
resource.from_port \x3C= 22
resource.to_port >= 22
msg := sprintf("Security group rule '%s' allows SSH from 0.0.0.0/0", [name])
}
# Evaluate Terraform plan against OPA policies
terraform show -json tfplan | opa eval \
--data ./policy/ \
--input /dev/stdin \
"data.terraform.aws" \
--format pretty
# Run Conftest for easier OPA policy testing
conftest test tfplan.json --policy ./policy/ --output json
Step 5: Integrate Security Scanning into CI/CD Pipeline
Add IaC security scanning as a mandatory CI/CD gate.
# GitHub Actions: Terraform security pipeline
name: Terraform Security Scan
on:
pull_request:
paths: ['terraform/**']
jobs:
security-scan:
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v4
- name: Setup Terraform
uses: hashicorp/setup-terraform@v3
- name: Terraform Init & Plan
run: |
cd terraform/
terraform init
terraform plan -out=tfplan
terraform show -json tfplan > tfplan.json
- name: Checkov Scan
uses: bridgecrewio/checkov-action@master
with:
directory: terraform/
framework: terraform
output_format: sarif
output_file_path: checkov.sarif
soft_fail: false
- name: tfsec Scan
uses: aquasecurity/[email protected]
with:
working_directory: terraform/
soft_fail: false
- name: Upload SARIF
uses: github/codeql-action/upload-sarif@v2
with:
sarif_file: checkov.sarif
- name: OPA Policy Check
run: |
conftest test terraform/tfplan.json \
--policy ./policy/ \
--output json
Step 6: Scan Terraform State for Deployed Misconfigurations
Audit the current Terraform state to identify already-deployed security issues.
# Export current state as JSON
terraform show -json > terraform-state.json
# Scan the state with Checkov
checkov -f terraform-state.json --framework terraform_plan
# Query state for specific security issues
terraform state list | while read resource; do
terraform state show "$resource" 2>/dev/null | grep -i "public\|0.0.0.0\|encrypt.*false\|password"
done
# Find resources without required tags
terraform state list | grep aws_instance | while read resource; do
tags=$(terraform state show "$resource" | grep -A20 "tags")
if ! echo "$tags" | grep -q "Environment"; then
echo "MISSING TAG: $resource lacks 'Environment' tag"
fi
done
Key Concepts
| Term | Definition |
|---|---|
| Infrastructure as Code | Practice of managing cloud infrastructure through declarative configuration files (Terraform, CloudFormation) rather than manual console operations |
| Policy as Code | Expressing security and compliance policies as executable code (Rego, Python) that can be automatically evaluated against infrastructure definitions |
| Shift Left Security | Moving security checks earlier in the development lifecycle by scanning IaC before deployment rather than auditing after provisioning |
| Terraform Plan | Preview of changes Terraform will make, which can be exported as JSON for security scanning before applying changes |
| Checkov | Open-source static analysis tool for IaC supporting Terraform, CloudFormation, Kubernetes, and Docker with 1000+ built-in policies |
| OPA/Rego | Open Policy Agent and its policy language Rego for defining custom security rules that evaluate against structured data inputs |
Tools & Systems
- Checkov: Comprehensive IaC scanner with 1000+ policies for Terraform, CloudFormation, Kubernetes, ARM, and Dockerfile
- tfsec: Terraform-specific static analysis tool with detailed remediation guidance and SARIF output
- Terrascan: Multi-IaC scanner supporting compliance frameworks (CIS, NIST, SOC 2) with policy-as-code
- OPA/Conftest: Custom policy engine for defining organization-specific security rules using Rego language
- Bridgecrew: Commercial platform built on Checkov providing drift detection and supply chain security
Common Scenarios
Scenario: Adding Security Gates to an Existing Terraform CI/CD Pipeline
Context: A DevOps team deploys infrastructure via Terraform in GitHub Actions but has no security scanning. Recent audit findings show multiple S3 buckets without encryption and security groups allowing SSH from the internet.
Approach:
- Add Checkov as the first security gate in the GitHub Actions workflow
- Run
checkov -d ./terraform/to establish the current baseline of findings - Triage existing findings: fix CRITICAL issues, create tickets for HIGH, suppress accepted risks
- Add tfsec as a secondary scanner for Terraform-specific checks
- Write custom OPA policies for organization standards (required tags, naming conventions)
- Configure the pipeline to block PRs with CRITICAL or HIGH findings
- Generate SARIF reports for GitHub Security tab integration
Pitfalls: Adding security scanning to an existing project will initially produce hundreds of findings. Implement gradually by starting with CRITICAL-only blocking, then expanding to HIGH. Use inline suppression comments (#checkov:skip=CKV_AWS_18:Public bucket for static website) for intentional exceptions with documented justification.
Output Format
Terraform Security Audit Report
==================================
Repository: acme-corp/infrastructure
Branch: main
Scan Date: 2026-02-23
Tools: Checkov 3.x, tfsec 1.x, OPA custom policies
SCAN RESULTS:
Checkov checks passed: 187
Checkov checks failed: 34
tfsec checks passed: 156
tfsec checks failed: 28
OPA custom policies: 12 passed, 3 failed
CRITICAL FINDINGS:
[TF-001] S3 Bucket Without Encryption
File: modules/storage/main.tf:24
Resource: aws_s3_bucket.data_lake
Check: CKV_AWS_19
Fix: Add server_side_encryption_configuration block
[TF-002] Security Group Allows SSH from 0.0.0.0/0
File: modules/network/security.tf:45
Resource: aws_security_group_rule.ssh_access
Check: CKV_AWS_24
Fix: Restrict cidr_blocks to bastion subnet
[TF-003] IAM Policy with Wildcard Actions
File: modules/iam/policies.tf:12
Resource: aws_iam_policy.developer_policy
Check: CKV_AWS_1
Fix: Scope actions to specific services required
SUMMARY BY SEVERITY:
Critical: 6 findings
High: 14 findings
Medium: 28 findings
Low: 18 findings
Info: 12 findings
安全使用建议
Install only if you want local Terraform security scanning. Run it against repositories and state files you are authorized to audit, keep generated reports private because they may contain infrastructure details, and use scoped credentials if enabling optional third-party integrations.
能力标签
能力评估
Purpose & Capability
The artifacts consistently focus on Terraform IaC security review using Checkov, tfsec, Terrascan, OPA/Rego, and a local Python helper that scans user-specified Terraform directories or plan JSON files.
Instruction Scope
Instructions are scoped to audit workflows, CI examples, and local report generation; they do not tell the agent to apply, destroy, or modify cloud infrastructure.
Install Mechanism
The skill asks users to install third-party security tools such as Checkov, tfsec, Terrascan, Terraform, and OPA, which is expected for this purpose but should be done from trusted package sources.
Credentials
The workflow may read Terraform code, plan files, state output, and optional Bridgecrew API credentials; this is proportionate to security auditing but can expose sensitive infrastructure details in reports or CI logs.
Persistence & Privilege
No persistence, privilege escalation, background execution, credential harvesting, or automatic network exfiltration was found; the helper script writes only a local JSON audit report to a user-selected path.
如何使用
- 确保已安装 OpenClaw(本地或 Docker 部署)
- 在对话框中输入安装命令:
/install auditing-terraform-security - 安装完成后,直接呼叫该 Skill 的名称或使用
/auditing-terraform-security触发 - 根据 Skill 的参数说明提供必要输入,即可获得结构化输出
版本历史
v1.0.0
Initial release! Provides a comprehensive workflow for auditing Terraform infrastructure-as-code for security misconfigurations using leading open source tools.
- Guides users to scan Terraform code with Checkov, tfsec, and Terrascan for security and compliance issues.
- Explains how to write and enforce custom OPA/Rego policies for organization-specific requirements.
- Includes CI/CD pipeline integration examples for automated security scanning.
- Covers auditing deployed infrastructure by scanning Terraform state files.
- Lists prerequisites, use cases, and clear step-by-step commands for practical usage.
元数据
常见问题
Terraform Security Audit 是什么?
Auditing Terraform infrastructure-as-code for security misconfigurations using Checkov, tfsec, Terrascan, and OPA/Rego policies to detect overly permissive I... 它是一个面向 Claude Code / OpenClaw 的 AI Agent Skill 插件,目前累计下载 49 次。
如何安装 Terraform Security Audit?
在 OpenClaw 或 Claude Code 对话框中运行命令「/install auditing-terraform-security」即可一键安装,无需额外配置。
Terraform Security Audit 是免费的吗?
是的,Terraform Security Audit 完全免费,采用 MIT-0 许可证,可自由下载、安装和使用。
Terraform Security Audit 支持哪些平台?
Terraform Security Audit 跨平台运行,可在任意部署了 OpenClaw / Claude Code 的环境中使用(cross-platform)。
谁开发了 Terraform Security Audit?
由 Chace(@ling-qian)开发并维护,当前版本 v1.0.0。
推荐 Skills