Scans Infrastructure as Code for security misconfigurations. Wraps tfsec for Terraform and Checkov for multi-cloud IaC. Use when user asks to "scan Terraform", "IaC security", "infrastructure scan", "tfsec", "checkov", "Terraformセキュリティ", "インフラスキャン".
/plugin marketplace add naporin0624/claude-web-audit-plugins/plugin install web-audit-tools@web-audit-marketplaceThis skill inherits all available tools. When active, it can use any tool Claude has access to.
dist/index.jspackage.jsonsrc/index.tssrc/types.tstsconfig.jsonWrapper for tfsec and Checkov to scan Infrastructure as Code.
# tfsec (Terraform focused)
brew install tfsec
# or
go install github.com/aquasecurity/tfsec/cmd/tfsec@latest
# Checkov (multi-cloud)
pip install checkov
# or
brew install checkov
# Scan with auto-detection
npx iac-scanner .
# Force specific scanner
npx iac-scanner . --scanner tfsec
npx iac-scanner . --scanner checkov
# JSON output
npx iac-scanner . --json
# Check available scanners
npx iac-scanner --check
# Scan specific framework
npx iac-scanner . --framework terraform
npx iac-scanner . --framework kubernetes
npx iac-scanner . --framework cloudformation
| Scanner | Frameworks |
|---|---|
| tfsec | Terraform |
| Checkov | Terraform, CloudFormation, Kubernetes, ARM, Serverless, Helm |
{
"tool": "tfsec",
"scanPath": ".",
"scanDate": "2024-01-15T10:30:00Z",
"findings": [
{
"id": "aws-s3-enable-bucket-encryption",
"severity": "high",
"message": "Bucket does not have encryption enabled",
"resource": "aws_s3_bucket.data",
"file": "main.tf",
"line": 15,
"resolution": "Enable bucket encryption"
}
],
"summary": {
"total": 5,
"critical": 1,
"high": 2,
"medium": 1,
"low": 1
}
}
| Category | Example |
|---|---|
| Encryption | S3 bucket without encryption |
| Access Control | Public S3 bucket, open security groups |
| Logging | Missing CloudTrail, no access logs |
| Network | VPC without flow logs, open CIDR |
| IAM | Overly permissive policies, wildcard actions |
| Secrets | Hardcoded credentials in config |
0: No issues found1: Issues detected2: Tool not installed or errorThis skill should be used when the user asks to "create an agent", "add an agent", "write a subagent", "agent frontmatter", "when to use description", "agent examples", "agent tools", "agent colors", "autonomous agent", or needs guidance on agent structure, system prompts, triggering conditions, or agent development best practices for Claude Code plugins.
This skill should be used when the user asks to "create a slash command", "add a command", "write a custom command", "define command arguments", "use command frontmatter", "organize commands", "create command with file references", "interactive command", "use AskUserQuestion in command", or needs guidance on slash command structure, YAML frontmatter fields, dynamic arguments, bash execution in commands, user interaction patterns, or command development best practices for Claude Code.
This skill should be used when the user asks to "create a hook", "add a PreToolUse/PostToolUse/Stop hook", "validate tool use", "implement prompt-based hooks", "use ${CLAUDE_PLUGIN_ROOT}", "set up event-driven automation", "block dangerous commands", or mentions hook events (PreToolUse, PostToolUse, Stop, SubagentStop, SessionStart, SessionEnd, UserPromptSubmit, PreCompact, Notification). Provides comprehensive guidance for creating and implementing Claude Code plugin hooks with focus on advanced prompt-based hooks API.