| name | infra-config-analyzer |
| description | Use this skill to review and analyze infrastructure configuration files.
MANDATORY TRIGGERS: Dockerfile, docker-compose, Kubernetes, k8s, Terraform,
Helm chart, infrastructure review, container config, deployment config,
YAML config, infra audit, cloud config, IaC.
Also use when: reviewing Docker multi-stage builds, checking k8s resource limits,
auditing Terraform security groups, optimizing container images, checking
environment variable management.
Do NOT use for: CI/CD pipeline files (use pipeline-auditor) or application
architecture (use architecture-analyzer). |
| metadata | {"author":"N.V","version":"1.0"} |
| context | fork |
| agent | Explore |
| allowed-tools | Read, Grep, Glob, Bash |
Overview
Analyzes infrastructure-as-code and container configurations (Docker, Kubernetes,
Terraform, Helm) for security, performance, and best practices. Produces a
structured audit with severity-rated findings and fix suggestions.
When to Use This Skill
- Reviewing Dockerfiles for image size, security, and build efficiency
- Auditing Kubernetes manifests for resource limits, security contexts, probes
- Checking Terraform configs for security groups, IAM, state management
- Validating docker-compose setups for production readiness
- Reviewing Helm charts for templatization and defaults
- General infra config health check before deploying
Workflow
Quick Version (single config file)
- Read the config file
- Check against the relevant checklist (Docker / K8s / Terraform)
- Output findings with severity
Full Version (complete infra audit)
- Discover —
Glob for infra files: Dockerfile*, docker-compose*.yml, k8s/, terraform/, helm/, *.tf, deployment.yaml, etc.
- Categorize — group configs by type (container, orchestration, IaC, secrets)
- Docker audit — image base, multi-stage, layer caching, security
- K8s audit — resource limits, probes, security contexts, networking
- Terraform audit — state management, modules, security, drift risk
- Secrets audit — env vars, secret management, hardcoded values
- Generate report — infra inventory + findings + recommendations
Audit Checklists
Docker
□ Uses specific base image tag (not :latest)
□ Multi-stage build to minimize final image
□ Non-root user configured (USER directive)
□ .dockerignore present and covers node_modules, .git, etc.
□ COPY before RUN for layer cache efficiency
□ No secrets in build args or layers
□ HEALTHCHECK defined
□ Minimal final image (alpine/distroless where possible)
Kubernetes
□ Resource requests AND limits set for CPU and memory
□ Liveness and readiness probes configured
□ Security context: runAsNonRoot, readOnlyRootFilesystem
□ No :latest image tags
□ Namespace specified (not default)
□ Pod disruption budget set for HA
□ Horizontal Pod Autoscaler configured (if applicable)
□ Secrets managed via external store (not plain k8s secrets)
□ Network policies defined
□ Service accounts with minimal RBAC
Terraform
□ State stored remotely with locking (S3+DynamoDB, GCS, etc.)
□ State file encrypted
□ Variables have descriptions and type constraints
□ Sensitive variables marked as sensitive = true
□ Modules used for reusable components
□ Provider versions pinned
□ No hardcoded credentials
□ Outputs defined for cross-module references
□ terraform fmt and validate pass
Environment & Secrets
□ No hardcoded secrets in config files
□ .env files excluded from version control (.gitignore)
□ Secret management solution in place (Vault, AWS Secrets Manager, etc.)
□ Environment-specific configs separated (dev/staging/prod)
□ Sensitive env vars not logged or exposed
Critical Rules
- Check ALL infra files — don't miss docker-compose.override.yml or Terraform modules
- Rate every finding — ⛔ Critical / ⚠️ Warning / 💡 Suggestion
- Show the fix — provide corrected config snippets, not just descriptions
- Consider the environment — dev configs have different standards than production
- NEVER modify any files — read-only analysis only
Output Format
# Infrastructure Config Audit: [Project Name]
## Infra Inventory
| File | Type | Environment | Status |
|------|------|-------------|--------|
| Dockerfile | Container | All | ⚠️ 3 findings |
| k8s/deployment.yaml | Kubernetes | Production | ⛔ 1 critical |
| terraform/main.tf | IaC | All | ✅ Clean |
## Architecture Overview
\`\`\`mermaid
graph TD
LB[Load Balancer] --> SVC[K8s Service]
SVC --> POD1[Pod: API]
SVC --> POD2[Pod: API]
POD1 --> DB[(RDS)]
POD1 --> CACHE[(Redis)]
\`\`\`
## Findings
### ⛔ Critical
- **[Finding]** — file:line — [explanation + fix snippet]
### ⚠️ Warning
- **[Finding]** — file:line — [explanation + fix snippet]
### 💡 Suggestion
- **[Finding]** — file:line — [explanation + fix snippet]
## Score: X/10