# Scan IaC Security With Checkov

Infrastructure teams need to catch cloud misconfigurations before they reach production. This skill guides Checkov scans, compliance mapping, CI gates, suppressions, and remediation reporting.

## Install

```bash
npx skillstore add agentsecops/iac-checkov
```

## Metadata

- Slug: agentsecops-iac-checkov
- Version: 0.1.0
- Author: AgentSecOps
- GitHub username: AgentSecOps
- License: MIT
- Repository: https://github.com/AgentSecOps/SecOpsAgentKit/tree/main/skills/devsecops/iac-checkov
- Ref: main
- Supported tools: Claude, Codex, Claude Code
- Risk level: medium
- Risk factors: network, filesystem, env_access, external_commands
- Quality score: 50
- Quality tier: warning
- Public page: https://skillstore.pages.dev/skills/agentsecops-iac-checkov
- Manifest: https://skillstore.pages.dev/api/skills/agentsecops-iac-checkov/manifest

## Capabilities

- Provides Checkov commands for Terraform, Kubernetes, CloudFormation, Dockerfile, Helm, and serverless templates.
- Explains how to generate CLI, JSON, SARIF, JUnit, and CycloneDX scan outputs.
- Shows GitHub Actions, GitLab CI, and pre-commit examples for IaC security gates.
- Maps common Checkov checks to CIS, PCI-DSS, HIPAA, SOC 2, NIST, and GDPR control areas.
- Guides custom Checkov policy creation with Python and YAML examples.
- Documents suppression practices with justifications, expiration dates, and compensating controls.

## Use Cases

- Pre-Merge IaC Security Gate: Add Checkov scans to pull requests and fail builds when critical or high severity findings appear.
- Compliance Evidence Preparation: Generate Checkov reports and map findings to common cloud security control families.
- Custom Policy Rollout: Create organization-specific Checkov policies and load them through an external checks directory.
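The pre-merge gate above needs something that turns Checkov's report into a pass/fail decision. The script below is an added example written for this page, not code from the iac-checkov skill or from Checkov. It reads the JSON that `checkov -o json` emits (a dict for one framework, a list of dicts when several frameworks are scanned), fails the job on CRITICAL and HIGH findings, and keeps MEDIUM findings in a separate bucket for remediation tracking. Because the `severity` field is only populated when Checkov runs with a platform API key, the gate also accepts an explicit set of check IDs to block on; the sample report is constructed and the check names are abbreviated.

```python
"""Turn `checkov -o json` output into a pass/fail CI gate.

Added example for this page, not part of the iac-checkov skill or of Checkov.
Assumption: the report shape below mirrors Checkov's JSON output closely
enough for gating; real reports carry many more fields per check.
"""
import json
from typing import Any

# Constructed sample modelled on `checkov -d . -o json`; check names are abbreviated.
SAMPLE_REPORT = json.dumps({
    "check_type": "terraform",
    "results": {
        "passed_checks": [
            {"check_id": "CKV_AWS_18", "resource": "aws_s3_bucket.logs", "severity": "LOW"},
        ],
        "failed_checks": [
            {"check_id": "CKV_AWS_20", "check_name": "S3 bucket ACL allows public READ",
             "file_path": "/s3.tf", "resource": "aws_s3_bucket.site", "severity": "HIGH"},
            {"check_id": "CKV_AWS_145", "check_name": "S3 bucket not encrypted with KMS",
             "file_path": "/s3.tf", "resource": "aws_s3_bucket.site", "severity": "MEDIUM"},
            # Severity is null when Checkov runs without an API key, which is the common OSS case.
            {"check_id": "CKV_AWS_21", "check_name": "S3 bucket versioning disabled",
             "file_path": "/s3.tf", "resource": "aws_s3_bucket.logs", "severity": None},
        ],
        "skipped_checks": [],
        "parsing_errors": [],
    },
    "summary": {"passed": 1, "failed": 3, "skipped": 0, "parsing_errors": 0, "resource_count": 2},
})

BLOCKING_SEVERITIES = frozenset({"CRITICAL", "HIGH"})
TRACKED_SEVERITIES = frozenset({"MEDIUM"})


def load_reports(text: str) -> list[dict[str, Any]]:
    """Normalise Checkov JSON to a list of per-framework reports."""
    data = json.loads(text)
    return data if isinstance(data, list) else [data]


def triage(text: str, blocking_check_ids: frozenset[str] = frozenset()) -> dict[str, list[str]]:
    """Bucket failed checks into blocking / tracked / unrated.

    A failed check blocks when its severity is CRITICAL or HIGH, or when its
    check_id is on the organisation's explicit block list (assumed convention,
    needed because severity is often null without an API key). MEDIUM goes to
    "tracked" for remediation planning; everything else lands in "unrated" so
    that a null severity is never silently treated as a pass.
    """
    buckets: dict[str, list[str]] = {"blocking": [], "tracked": [], "unrated": []}
    for report in load_reports(text):
        for check in report.get("results", {}).get("failed_checks", []):
            sev = (check.get("severity") or "").upper()
            label = f'{check["check_id"]} {check.get("resource", "?")} ({check.get("file_path", "?")})'
            if sev in BLOCKING_SEVERITIES or check["check_id"] in blocking_check_ids:
                buckets["blocking"].append(label)
            elif sev in TRACKED_SEVERITIES:
                buckets["tracked"].append(label)
            else:
                buckets["unrated"].append(label)
    return buckets


def gate(text: str, blocking_check_ids: frozenset[str] = frozenset()) -> int:
    """Return the CI exit code: 1 if anything blocks, else 0. Prints a summary."""
    buckets = triage(text, blocking_check_ids)
    for name, items in buckets.items():
        print(f"{name}: {len(items)}")
        for item in items:
            print(f"  - {item}")
    return 1 if buckets["blocking"] else 0


if __name__ == "__main__":
    import sys
    # Usage: checkov -d . -o json > report.json && python gate.py report.json
    report_text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_REPORT
    raise SystemExit(gate(report_text))
```

In a pipeline, run Checkov with `--soft-fail` (or capture its exit code) so that this script, not Checkov's default all-failures-fail behaviour, decides the job outcome; the "unrated" bucket is worth printing in the job log so that null-severity findings get triaged onto the block list rather than ignored.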

## Prompt Templates

### Run a Basic IaC Scan

```
Use the iac-checkov skill to scan my Terraform directory and explain the main security findings in plain language.
```

### Add a Pull Request Gate

```
Use the iac-checkov skill to design a CI gate that fails on critical and high Checkov findings for Terraform and Kubernetes files.
```

### Prepare Compliance Reporting

```
Use the iac-checkov skill to generate a Checkov reporting workflow for CIS AWS and PCI-DSS evidence collection.
```

### Build a Custom Policy

```
Use the iac-checkov skill to draft a custom Checkov policy that enforces required tags across AWS resources and explain how to test it.
```

## Limitations

- It depends on Checkov and related command-line tools being installed or available in CI.
- It cannot prove cloud resources are safe after deployment without runtime or cloud account validation.
- Compliance mappings are guidance and do not replace a formal audit.
- Some examples need local path, framework, and severity tuning before production use.

## Best Practices

- Run scans on the smallest useful IaC scope and keep generated reports access controlled.
- Fail CI on critical and high findings while tracking medium findings for remediation planning.
- Require written justification, owner, and expiration for every Checkov suppression.
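Requiring justification, owner, and expiration for suppressions only works if something enforces it. The auditor below is an added example written for this page, not code from the iac-checkov skill or from Checkov. It scans Terraform text for Checkov's inline skip syntax, `#checkov:skip=<CHECK_ID>[,<CHECK_ID>...]:<comment>`, and checks the comment against a convention assumed for this example (not a Checkov feature): it must name an `owner=<team>` and an `expires=YYYY-MM-DD` date that has not passed. The regex is a simplified match rather than Checkov's own parser, and the Terraform sample is constructed.

```python
"""Audit inline Checkov suppressions for justification, owner and expiry.

Added example for this page, not part of the iac-checkov skill or of Checkov.
The `owner=` / `expires=` convention is an assumption for this example; the
regex is a simplified match, Checkov's own comment parser is authoritative.
"""
import re
from datetime import date

SKIP_RE = re.compile(r"#\s*checkov:skip=([A-Za-z_\d]+(?:,[A-Za-z_\d]+)*)(?::([^\n]*))?")
OWNER_RE = re.compile(r"\bowner=(\S+)")
EXPIRES_RE = re.compile(r"\bexpires=(\d{4}-\d{2}-\d{2})")

# Constructed Terraform sample; resource names and suppressed checks are illustrative only.
SAMPLE_TF = """\
resource "aws_s3_bucket" "site" {
  #checkov:skip=CKV_AWS_20:Public static website; owner=web-platform expires=2025-01-31
  bucket = "example-site"
}

resource "aws_s3_bucket" "scratch" {
  #checkov:skip=CKV_AWS_21,CKV_AWS_145:Short-lived scratch data; owner=data-eng expires=2025-12-31
  bucket = "example-scratch"
}

resource "aws_security_group" "legacy" {
  #checkov:skip=CKV_AWS_24
  name = "legacy"
}
"""


def audit_suppressions(text: str, today) -> list[dict]:
    """Return one record per skip comment with the policy problems it has.

    `today` may be a date or an ISO string. Problems reported:
    missing-justification, missing-owner, missing-expiry, expired.
    An empty problems list means the suppression meets the convention.
    """
    if isinstance(today, str):
        today = date.fromisoformat(today)
    records = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        m = SKIP_RE.search(line)
        if not m:
            continue
        check_ids = m.group(1).split(",")
        justification = (m.group(2) or "").strip()
        problems = []
        if not justification:
            # A bare skip with no comment fails outright; owner/expiry checks need text to inspect.
            problems.append("missing-justification")
        else:
            if not OWNER_RE.search(justification):
                problems.append("missing-owner")
            exp = EXPIRES_RE.search(justification)
            if not exp:
                problems.append("missing-expiry")
            elif date.fromisoformat(exp.group(1)) < today:
                problems.append("expired")
        records.append({"line": lineno, "check_ids": check_ids, "problems": problems})
    return records


def violations(text: str, today) -> list[dict]:
    """Only the suppressions that fail the convention; a non-empty list should fail the job."""
    return [r for r in audit_suppressions(text, today) if r["problems"]]


if __name__ == "__main__":
    for r in violations(SAMPLE_TF, date.today()):
        print(f'line {r["line"]}: {",".join(r["check_ids"])}: {", ".join(r["problems"])}')
```

Run it over the same paths you hand to Checkov, and treat an expired suppression the way you treat a new finding: the check is re-enabled until someone renews the exception with a fresh owner and date.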

## Anti Patterns

- Do not copy broad suppressions into production without security approval.
- Do not enable external module downloads in CI without reviewing module source trust.
- Do not publish raw Checkov reports if they include resource names, paths, or secret-like values.

## Security Audit

- Safe to publish: true
- Audited at: 2026-06-28T05:37:27.035+00:00
- Summary: Static analysis flagged many command, network, secret, and blocker keywords, but review found they are primarily Checkov usage examples, CI templates, and security policy terminology. No prompt injection attempt or malicious exfiltration intent was found. The skill still carries medium operational risk because it instructs users to run external scanners, read IaC files and reports, optionally download external modules, and use cloud security integrations.

## Stats

- Views: 416
- Downloads: 6
- Favorites: 0
- Popularity score: 0
